
Merely Cloaking Data May Be Incriminating?

Posted by Zonk on Fri Jul 27, 2007 06:39 PM
from the what's-mine-is-mine dept.
n0g writes "In a recent submission to Bugtraq, Larry Gill of Guidance Software refutes some bug reports for the forensic analysis product EnCase Forensic Edition. The refutation is interesting, but one comment raises an important privacy issue. When talking about users creating loops in NTFS directories to hide data, Gill says, 'The purposeful hiding of data by the subject of an investigation is in itself important evidence and there are many scenarios where intentional data cloaking provides incriminating evidence, even if the perpetrator is successful in cloaking the data itself.' That begs the question: if one cloaks data by encrypting it, exactly what incriminating evidence does that provide? And how important is that evidence compared to the absence of anything else found that was incriminating? Are we no longer allowed to have any secrets, even on our own systems?"

Related Stories

Privacy and the "Nothing To Hide" Argument (728 comments)
privacyprof writes "One of the most common responses of those unconcerned about government surveillance or privacy invasions is 'I've got nothing to hide.' According to the 'nothing to hide' argument, there is no threat to privacy unless the government uncovers unlawful activity, in which case a person has no legitimate justification to claim that it remain private. The 'nothing to hide' argument is quite prevalent. Is there a way to respond to this argument that would really register with people in the general public? In a short essay, 'I've Got Nothing to Hide' and Other Misunderstandings of Privacy, Professor Daniel Solove takes on the 'nothing to hide' argument and exposes its faulty underpinnings." At the base of the fallacy, as Bruce Schneier has noted, is the "faulty premise that privacy is about hiding a wrong."
This discussion has been archived. No new comments can be posted.
  • Other types of cloaking... (Score:5, Insightful)

    by fonik (776566) on Friday July 27, @06:41PM (#20018045)
    What about using a rare file system? If I want to put all of my stuff on ZFS and the FBI can't read it will they ship me off to Gitmo?
  • Why even ask? (Score:5, Insightful)

    "Are we no longer allowed to have any secrets, even on our own systems?"

    Why do you even have to ask? As private citizens we aren't allowed to hide anything from the government. It's labeled as obstruction of justice and we get tossed in the can if we don't cough up the keys. Even if we have nothing to hide.
    • Re:Why even ask? (Score:5, Insightful)

      by Ice Wewe (936718) on Friday July 27, @06:49PM (#20018125)
      Rock on, Hyde!

      I'd just like to point out, that if creating loops in NTFS is incriminating, does having an encrypted file system mean we have something to hide? Or, for that matter, wouldn't DRM be an obstruction, since it prevents access to content? Oh, right, DRM isn't bad, because it has large, multi-national corporations giving large campaign contributions-- err, I mean, supporting it.

      Hooray for capitalism!

      • Re:Why even ask? by jfclavette (Score:2) Friday July 27, @07:29PM
      • Re:Why even ask? (Score:5, Insightful)

        by Evilest Doer (969227) on Friday July 27, @07:46PM (#20018659)

        "does having an encrypted file system mean we have something to hide?"
        Of course you have something to hide. You have your tax returns, financial statements, personal journals, and other private files to hide from malicious hackers and people who might run off with your laptop. If you are in the financial industry, you have other people's private information to hide (or, at least, that's what you should do). The problem is the absurd assumption that, since we are using encryption, we have something illegal to hide.
        • Re:Why even ask? (Score:5, Insightful)

          by mlts (1038732) on Friday July 27, @08:18PM (#20018873)
          I use encryption for exactly what the parent poster described. On my laptop, why allow what would be "just" a hardware theft with use of encryption turn into a hardware, data, and possibly identity theft? This is why I use some form of whole disk encryption (BestCrypt Volume encryption, PGP WDE, WinMagic MySecureDoc, etc.)

          There is a definite need for encryption, and more than just the tired (and flawed) logic of "hiding from forensics", or "hiding illegal stuff" that a lot of people state.

          For most companies, physical theft of equipment or media is a valid concern. For example, if someone steals a backup tape that is part of an encrypted backup set (or storage pool, depending on the terminology of the backup system), the company owning the tape can hire some private investigators to quietly hunt down the tape. Without encryption, it can mean serious losses (or prison time) if the info on the tape was in any way sensitive, and SOX, HIPAA, or other corporate regulations get violated.
        • Re:Why even ask? by steve.howard (Score:1) Friday July 27, @09:03PM
        • Re:Why even ask? (Score:5, Interesting)

          by irtza (893217) on Friday July 27, @09:11PM (#20019263)
          (http://www.irtza.com/)
          What's significant here is that you are suggesting that there is a reason and that you are treating all data the same in which case it can be said that the data is not really hidden. You merely have a ton of encrypted data. What would be significant and incriminating is selected encryption and "hiding" of data. For example, if all customer information is encrypted, but a select set of customer files for whom you illegally handled funds are kept separately with their own password and login then there is knowledge gained. What is learned is that you took the time and effort to separate those select files from the rest and went to the trouble to make them more difficult to access. It can then be inferred that you had cause independent of all factors other than that these files had evidence of illegal action.
        • Re:Why even ask? by zarozarozaro (Score:1) Friday July 27, @10:26PM
        • Re:Why even ask? by InsaneGeek (Score:2) Saturday July 28, @11:25AM
      • Re:Why even ask? (Score:5, Funny)

        by UbuntuDupe (970646) * on Friday July 27, @08:11PM (#20018833)
        (Last Journal: Sunday October 22 2006, @10:27PM)
        Hey, *I* didn't encrypt my data. I just performed a reversible transformation on it. It's not my fault if you're a fuckin' slowpoke at factoring large prime numbers!
    • Re:Why even ask? by Anonymous Coward (Score:2) Friday July 27, @06:51PM
    • Re:Why even ask? by Original Replica (Score:2) Friday July 27, @06:53PM
      • It's called a "warrant". (Score:5, Interesting)

        by khasim (1285) <brandioch.conner@gmail.com> on Friday July 27, @07:03PM (#20018267)

        So I'm guessing innocent until proven guilty doesn't apply to a person's data, just a person.

        The cops go to a judge and get a warrant based upon whatever evidence they have that a law was broken.

        So if any information (data) hidden from government view is incriminating, then does that give "probable cause" to anything not already in plain sight?

        They'd have to have access to it already to see that it was encrypted. And that access should require a warrant.

        This would seem to be the death blow to already suffering 4th Amendment- "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

        Again, see the word "warrants" there?

        Encrypt EVERYTHING to protect yourself from regular criminals.

        But if you are accused of a crime, you have to decide whether the encrypted data will help your case or harm it. And if it will harm your case, will it do more or less harm than refusing to decrypt it?

        But there has to be a warrant. Focus your complaints on situations where there aren't any warrants.
        • Re:It's called a "warrant". (Score:5, Informative)

          by fyngyrz (762201) * on Friday July 27, @09:11PM (#20019261)
          (http://www.ideaspike.com/ | Last Journal: Monday October 22, @04:43AM)
          "The cops go to a judge and get a warrant based upon whatever evidence they have that a law was broken."

          Yeah. Except when the authorities just break down your door, or tap your|everyone's phone, or search your vehicle, or take your property, or freeze your assets, just because that's what they've decided they want to do. Warrant, my ass. Wake up.

          "that access should require a warrant."

          Yes, it should. But it doesn't. So... now what?

          "But there has to be a warrant."

          No. There doesn't. There doesn't have to be a trial, either. Or access to representation. Or even a phone call. You can be tortured. Welcome to the USA. Papers, please.

      • Re:Why even ask? (Score:5, Insightful)

        by sjames (1099) on Friday July 27, @07:16PM (#20018391)
        (http://www.linuxlabs.com)

        Yep, there you have it. Police are allowed to look at anything in plain sight but need probable cause to look at anything else. Of course, that means nothing when simply having something not in plain sight is considered probable cause.

      • Re:Why even ask? by PachmanP (Score:1) Friday July 27, @07:22PM
      • Re:Why even ask? by jamstar7 (Score:2) Friday July 27, @09:36PM
    • Once you have a warrant. by SanityInAnarchy (Score:2) Friday July 27, @07:37PM
    • by MikeFM (12491) on Friday July 27, @07:55PM (#20018725)
      (http://kavlon.org/ | Last Journal: Friday March 21 2003, @02:10PM)
      I encrypt everything just so if they ever investigate me, for whatever stupid reason they might decide to, they can demand the key and I can refuse. It's the principle of the thing. Why should we give up our privacy? What if I just want to encrypt files by a random one time key and then erase the key? Maybe that constitutes digital art to me.

      I encourage everyone to generate files containing nothing but random noise, encrypt those files, and throw away the key. If everyone does this then they can't tell what is a real encrypted file and what isn't. For good measure email some of these random files back and forth with suspicious subject lines.
    • stegography by Harmonious Botch (Score:2) Friday July 27, @08:41PM
    • Re:Why even ask? by b4upoo (Score:1) Friday July 27, @09:19PM
    • Re:Why even ask? by jamstar7 (Score:2) Friday July 27, @09:22PM
    • Re:Why even ask? by azenpunk (Score:1) Saturday July 28, @02:19PM
  • Begs the question (Score:5, Informative)

    by evanbd (210358) on Friday July 27, @06:50PM (#20018135)
    No it doesn't. It raises the question. Begging the question [wikipedia.org] is a logical fallacy, much like circular reasoning.
  • Welcome to 1984 by jeffasselin (Score:2) Friday July 27, @06:50PM
  • 4th Amendment by dashslotter (Score:1) Friday July 27, @06:51PM
  • If you have nothing to hide, then you have nothing to fear!
  • Ours..? by ricebowl (Score:2) Friday July 27, @06:54PM
    • Re:Ours..? by ABoerma (Score:1) Saturday July 28, @09:10AM
    • Re:Ours..? by Mazin07 (Score:1) Saturday July 28, @11:40AM
  • Good luck... (Score:5, Insightful)

    by Penguinisto (415985) on Friday July 27, @06:54PM (#20018181)
    (Last Journal: Friday March 26 2004, @02:46PM)
    If the one and only bit of evidence on hand is the fact that someone uses an encrypted filesystem, good luck getting a conviction in criminal trial, especially if the defendant has a credible (-sounding) reason for doing so (e.g. "I've been bitten by viruses enough to want to protect myself from identity theft and I certainly don't trust a prosecutor that is obviously persecuting me right now, etc")

    Absent any other damning evidence (other concrete evidence found at the defendant's house, financial records at banks and such pointing straight to the suspect, witness testimony, etc), the prosecutor is pretty much fscked if he thinks a jury (dumb as they may be) is going to buy any counter-argument to even a halfway cogent alibi. Everyone knows that Windows is insecure. Everyone knows someone who got a virus. Everyone knows that identity theft is a Bad Thing(tm).

    Sorry, but I somehow don't see how a whole case could hinge on just one bit of evidence: "well, he has an encrypted filesystem, and he keeps invoking the 4th/5th amendments(?) in order to not unlock it, so you must convict..."

    Then there's the whole "evidence of absence is not absence of evidence" bit.

    Not much left to be useful after all that...

    /P

  • One has to take account of the police mindset. The police will not trust anyone at all. Period.

    And the police expect total control of any given situation. Whenever one does not cooperate with the police, the police are no longer in total control and will take whatever measures are necessary to regain total control.

    Adding those two points simply will make that anyone who hides stuff from the police is automatically an enemy that has to be controlled at once.

    As a matter of fact, one can never win against the police. In a courtroom, yes, maybe, but not against the police.

    So the obvious solution is that everyone should perform maximum obfuscation/encrypting of data, the idea being that one cannot jail a whole country.

    • Re:The police mindset by funkatron (Score:1) Friday July 27, @07:11PM
    • Re:The police mindset by sdguero (Score:1) Friday July 27, @07:31PM
    • How did this get to +5? by SanityInAnarchy (Score:3) Friday July 27, @08:14PM
    • Re:The police mindset (Score:4, Insightful)

      by drgonzo59 (747139) on Friday July 27, @09:27PM (#20019347)
      Great point.


      One has also to keep in mind that policemen are not policemen because they all have PhD's in Quantum Physics and refused tenure-track faculty positions at top universities to go and "serve and protect". To put it more bluntly, many of them are not very bright. And when people with guns who are not very bright lose control, it's not pretty (regardless of which side of the law they are on). The trick is then not only to encrypt data but to encrypt it and hide it altogether -- yes, steganography. Want to hide your data, then really "hide" it, don't just put it in a super secure "safe" but leave the safe right in the middle of the living room. The not-so-bright people with guns have many ways of "persuasion" where they will make you give them the key eventually.

    • Re:The police mindset by Panoptes (Score:1) Friday July 27, @10:22PM
    • Re:The police mindset by tyroneking (Score:2) Saturday July 28, @09:01AM
    • Re:The police mindset by KudyardRipling (Score:1) Sunday July 29, @11:32AM
  • What if I just don't tell them about it? by ensignyu (Score:2) Friday July 27, @06:56PM
  • Let me get this straight... (Score:5, Interesting)

    by nonsequitor (893813) on Friday July 27, @06:57PM (#20018209)
    If I encrypt my financial data, and am unable to unlock it for the FBI because I lost the smart card I used to encrypt it, does that make me guilty of . When asked why I didn't delete it, I could say I hoped to one day find the smart card. Does that mean they can ship me off to gitmo?

    Of course the difference between this scenario and one where someone merely claims to be unable to decrypt the data is irrelevant.

    I thought that we were innocent until proven guilty in this country, not vice versa.
  • 5th Amendment by HaeMaker (Score:2) Friday July 27, @06:59PM
  • What baloney (Score:3, Insightful)

    by JustNiz (692889) on Friday July 27, @07:00PM (#20018241)
    There are plenty of legitimate reasons to encrypt personal data.
  • Duh by ChromeAeonium (Score:2) Friday July 27, @07:06PM
  • by Grond (15515) on Friday July 27, @07:15PM (#20018385)
    First off, the linked article doesn't actually contain the quote given in the article summary. But, assuming what the article summary says is accurate...

    The relevance, admissibility, or incriminating character of the mere fact that a defendant hid something (i.e., as separate from the hidden content) is a legal question. In general, the absence of evidence is irrelevant with a few exceptions (obviously it's highly relevant to charges of destroying evidence!). The most important one is that of an absence of regularly kept business records. So, if a business regularly kept records of, say, who entered a building, and an employee were suspected of stealing something from the business, and the records for that night were missing, then perhaps that could be used as evidence against the employee on the theory that the employee had erased the record to cover his or her tracks. The same would be true if the record, rather than being deleted, had been encrypted when the others were unencrypted or encrypted in a different way/with a different key.

    This is a very glossed over view of a complicated topic, but on the narrow question of the mere fact of the use of encryption, I would tend to say that would generally not be incriminating. Certainly the prosecution cannot simply point to your TrueCrypt or FileVault encrypted drive and say "look! everything on that computer is encrypted, therefore we can't know what it is, therefore it could be evidence of wrongdoing." That is tremendously weak circumstantial evidence and falls far, far below the reasonable doubt standard.

    Note: I am not a lawyer and this is a layman's opinion, not legal advice.
  • by vanyel (28049) * on Friday July 27, @07:19PM (#20018419)
    (Last Journal: Thursday August 28 2003, @02:54PM)
    This is why you need to encrypt everything as a matter of course: the valid argument is privacy in the face of all the data theft reports coming out nearly daily, you don't know where stuff is stored all the time, so just encrypt everything.

    Anything you *do* want hidden, needs to be done in such a way that there's nothing that indicates that there *is* anything hidden, ala Truecrypt's multiple volumes. "I don't need to *hide* anything, so I'm not using that feature, it's just a good encryption tool"
  • Deniability is what matters (Score:5, Informative)

    by Somnus (46089) on Friday July 27, @07:20PM (#20018429)
    Encryption itself is only useful for preventing data theft by clandestine means. Authorities with a warrant can threaten you with jail to make you give up the keys, and even less scrupulous forces can beat them out of you. You can destroy the keys, but then you'll really piss them off.

    What you need is deniability, as in a steganographic filesystem [wikipedia.org]. No one can ever prove that there is even anything there -- "Oh, I was just playing with it, I can reformat it if you want." Even better, embed data steganographically in standard data formats, like images.

    It woul