Merely Cloaking Data May Be Incriminating?

n0g writes "In a recent submission to Bugtraq, Larry Gill of Guidance Software refutes some bug reports for the forensic analysis product EnCase Forensic Edition. The refutation is interesting, but one comment raises an important privacy issue. When talking about users creating loops in NTFS directories to hide data, Gill says, 'The purposeful hiding of data by the subject of an investigation is in itself important evidence and there are many scenarios where intentional data cloaking provides incriminating evidence, even if the perpetrator is successful in cloaking the data itself.' That begs the question: if one cloaks data by encrypting it, exactly what incriminating evidence does that provide? And how important is that evidence compared to the absence of anything else found that was incriminating? Are we no longer allowed to have any secrets, even on our own systems?"

Let me get this straight...

[nonsequitor]

If I encrypt my financial data, and am unable to unlock it for the FBI because I lost the smart card I used to encrypt it, does that make me guilty of . When asked why I didn't delete it, I could say I hoped to one day find the smart card. Does that mean they can ship me off to gitmo?

Of course the difference between this scenario and one where someone merely claims to be unable to decrypt the data is irrelevant.

I thought that we were innocent until proven guilty in this country, not vice versa.

It's called a "warrant".

[khasim]

So I'm guessing innocent until proven guilty doesn't apply to a person's data, just a person.

The cops go to a judge and get a warrant based upon whatever evidence they have that a law was broken.

So if any information(data) hidden from government view in incriminating, then does that give "probable cause" to anything not already in plain sight?

They'd have to have access to it already to see that it was encrypted. And that access should require a warrant.

This would seem to be the death blow to already suffering 4th Amendment- "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

Again, see the word "warrants" there?

Encrypt EVERYTHING to protect yourself from regular criminals.

But if you are accused of a crime, you have to decide whether the encrypted data will help your case or harm it. And if it will harm your case, will it do more or less harm than refusing to decrypt it?

But there has to be a warrant. Focus your complaints on situations where there aren't any warrants.

I agree

[HitekHobo]

For many years I've run hard crypto on my workstations (CFS). Beyond that I keep various files individually encrypted and use encrypted email and even remailers on occasion. Even if I were to hand the feds the keys to some of these systems, they'd be stuck wading through a system with several years of cryptic notes to self, experimental code, temporary data and encrypted files I've just plain forgotten to password for because they aren't important. How do I know they won't grab some random fragment of a random file, take it completely out of context and present it as evidence that I was up to no good? Do you really want a prosecutor presenting fragments of your browser cache and forcing you to explain why you were investigating say... the chemical reaction involved in creating bio-diesel 5 years ago? And if he only presents a fragment of that, are you going to know it was bio-diesel or will the jury draw their own conclusions based on the 'meth' in methyl alcohol? So go ahead and run hard crypto and refuse to give out the keys. If it's between the constitution and a prosecutor who is judged on his conviction rate, I'll stand on the 4th and 5th.

Re:What about a physical safe?

[Anonymous Coward]

If you have a physical safe in your house, are you legally required to open it if the cops ask you to?

No, of course you don't have to if they ask. If they have a warrant, they will tell, and you will rot in jail until you do.

If you don't, can the cops use that as evidence against you?

No, the cops can't. But the jury sure can.

Re:Why even ask?

[irtza]

What's significant here is that you are suggesting that there is a reason and that you are treating all data the same in which case it can be said that the data is not really hidden. You merely have a ton of encrypted data. What would be significant and incriminating is selected encryption and "hiding" of data. For example, if all customer information is encrypted, but a select set of customer files for whom you illegally handled funds are kept separately with their own password and login then there is knowledge gained. What is learned is that you took the time and effort to separate those select files from the rest and went to the trouble to make them more difficult to access. It can then be inferred that you had cause independent of all factors other than that these files had evidence of illegal action.

My experience

[RKenshin1]

I was once on the other side of this debate... I was a network administrator at a large High School. One day, a teacher brought a [school] laptop to me for some work, and I saw that he had installed a data erasing tool, the kind that's meant to zero out data after you delete a file in Windows.

This immediately prompted me to look at the system closer, and I found evidence, mostly in the form of thumbnails, that the teacher had been downloading and viewing child porn on the laptop. This was definitely a probable cause for me to investigate the laptop, since we owned it. I often wondered how this would hold up if it were a private laptop, or if the police could use that as an excuse to investigate a computer.

Re:The Matter of Privacy

[urulokion]

Sheesh. Don't schools teach Social Studies nowadays? We do have a Right to Privacy. And it IS in the Constitution. Read the 9th Amendment in the Bill of Right. It's out spelled in there. If you can't understand it's meaning, there is nothing I can say to make you get it.

However I will agree that it had been ground down a lot in the past few decades.

Re:Why even ask?

[kestasjk]

In cases like that you can just give the investigators your key/passphrase, so they can verify your innocence. I think the issue is about cases where the person being asked doesn't surrender the key/passphrase, or says they lost/deleted it.

Copyright all your data now.

[Torodung]

intentional data cloaking provides incriminating evidence, even if the perpetrator is successful in cloaking the data itself.

That sounds very much like the DMCA prohibition against DRM circumvention methods, with one very important difference: your data is yours, and what you do with it is your business. In the DMCA, circumvention utilities are suspect because they can only be used to take the locks off someone else's data. In this case, Mr. Gill is arguing that you aren't allowed to circumvent his software, and doing so is suspect, if not criminal.

I wonder if he realizes that if a person has data to which he holds copyright on his hard disks, and then hides it, Gill's recovery software is then in violation of the DMCA anti-circumvention clause? His software is DMCA Grade-A illegal if anyone stores anything, no matter how trivial, that is his own copyright, is legal, and is deliberately hidden from this program.

Anyone with a legal background want to send this guy a "cease and desist" letter? }:^>

--
Toro
(c) 2007 *all rights reserved*

Re:Easy solution

[cortana]

Has that ever been shown in a court?

Can't prove hidden partition doesn't/does exist

[KWTm]

It could be presumed that you chose that software specifically for the well-known "hidden partition" option (police departments hire geeks too, you know). As such, prove that the incriminating evidence ISN'T locked away in the hidden partition and that you're not refusing to comply with the warrent.

The point of a hidden partition is that you can't prove it either way, unless you actually unlock it with the key. So, without the key, I could say, "Yes, there's a hidden partition within this conventional TrueCrypt partition, but I'm not giving you the key!" or I could say, "No, there's no hidden partition," and you wouldn't be able to tell either way.
So, then, you *could* presume that there is a hidden partition --but then that would be on the same order as just presuming that I have something to hide just because I'm using TrueCrypt in the first place. If I don't actually have a hidden partition, and you go looking for one, you're going to spend a pretty long time looking. There's nothing more frustrating than looking for something to prove that it doesn't exist (bug-checking programming sessions, anyone?).
As a matter of course, I do set up TrueCrypt volumes at standard sizes that happen to be much bigger than I need --my usual is 680MB so I can burn the whole thing to a CD. I think all my financial files add up to about 100MB within the 680MB TrueCrypt volume. If you want to go looking in the remaining 580MB for some incriminating evidence --hey, knock yourself out.

Re:Guilty until proven innocent

[NoOneInParticular]

A jpeg is a compressed file. In order to compress it all redundancy needs to be removed. When all redundancy is removed, the bitstream is for all practical purposes random. When it is random it can be used as a one-time-pad. Notwithstanding the fact that you would need a quantum source for a truly random pad, I dare you to propose a method that will defeat this approach reliably.

Re:Why even ask?

[irtza]

It is not the lock itself that is implicating a crime, but more to show intent. If there was a dead body in that other room that was locked then locking that door would show there was extra effort to hide it - IE knowledge of crime. A locked door in and of itself is not the issue. What I had said was that data with evidence of fraud had extra encryption. This reduces possible deniability. If the data were mixed together, they may state it was secondary to error or something to that liking. If someone has child pornography on a computer, they may claim there computer was hacked and it was placed there. on the other hand, if this said pornography were encrypted and the password for this encrypted file were on this persons palm or written somewhere in this persons house, then yes that would show two things. One the person had intent on hiding this data and two that the data did indeed belong to this person. I never said that encryption in itself was a crime or should raise suspicion, but its use definitely implies something.

Re:Why even ask?

[mlts]

This is something that I wonder about too. The reason why most people end up using backup systems without encryption is because very few backup programs offer it. For example, bru at best uses encryption between network nodes, but I saw no mention of it using encryption to store the data on the backup media. The only real commercially available solutions that sport encryption are high end solutions like TSM, Networker, or ArcServe, and a relative few Windows based programs like Retrospect and Backup Exec offer it. There are a few programs on the Linux side like Amanda/Zmanda that offer it, but it seems to be not an integral part, just passing data to gpg.

Of course, one can roll their own solution by piping tar or dd through some utility that takes stdin, encrypts it, and passes it to stdout, but in a number of businesses (especially ones subject to SOX, HIPAA, and other regs), one needs to have solutions that are commercial, mainly for CYA/"due diligence" reasons, so one can point fingers at a vendor should something go wrong. gpg is an excellent program and highly secure, but in a lot of environments, programs like that have to pass certifications (FIPS, Common Criteria) to make auditors (and sometimes the SEC) happy, and regardless of how really secure an app is, if it doesn't have the certifications, it is legally risky to use.

I think every backup program from GNU tar on up should have some facility built in for at least AES-128 encryption, and preferably AES-256. However, since this isn't the case, the next best thing is to use something like EncFS so filesystems can be dumped to tape exactly as they are present on the hard disk, but still be encrypted securely. (There is block/device level encryption obviously, but when backing up, one still ends up with plaintext files unless one backs up the whole encrypted image). On the Windows side, at least there are a few utilities like Retrospect available that have had encryption built in for 15+ years. (Retrospect originally started out as a backup program for the Mac in 1989, and was the only one at the time that offered true DES encryption.)