Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Court Sets Rules For RIAA Hard Drive Inspection

Soulskill posted more than 5 years ago | from the this-far-and-no-farther dept.

Privacy 470

NewYorkCountryLawyer writes "In a Boston RIAA case, SONY BMG Music Entertainment v. Tenenbaum, the Court has issued a detailed protective order establishing strict protocols for the RIAA's requested inspection of the defendant's hard drive, in order to protect the defendant's privacy. The order (PDF) provides that the hard drive will be turned over to a computer forensics expert of the RIAA's choosing, for mirror imaging, but that only the forensics expert — and not the plaintiffs or their attorneys — will be able to examine the mirror image. The forensics expert will then issue a report which will describe (a) any music files found on the drive, (b) any file-sharing information associated with each file, and any other records of file-sharing activity, and (c) any evidence that the hard-drive has been 'wiped' or erased since the initiation of the litigation. The expert will be precluded from examining 'any non-relevant files or data, including ... emails, word-processing documents, PDF documents, spreadsheet documents, image files, video files, or stored web-pages.'"

cancel ×

470 comments

Hard Drive Inspection (0)

Anonymous Coward | more than 5 years ago | (#27863473)

Starring Buck Naked.

Re:Hard Drive Inspection (3, Interesting)

DirtyCanuck (1529753) | more than 5 years ago | (#27863547)

SONY BMG Music Entertainment v. Tenenbaum

Ya last time I checked Sony did this with illegal DRM being installed without telling the consumer.

We should be checking THEIR hard drives for malicious code.

*Head Spins Off* Who are the laws meant to protect again?

Re:Hard Drive Inspection (1)

interkin3tic (1469267) | more than 5 years ago | (#27863561)

Costarring everyone in the RIAA. I'm getting the torrent right now.

Question (2, Interesting)

Anonymous Coward | more than 5 years ago | (#27863511)

If the entire hard drive was secured with something like TrueCrypt, could you be compelled to turn over the password?

Anyway, does stuff like this matter much anymore? I thought more and more convictions were based on ISP logs instead of hard drive searches these days...

Re:Question (2, Insightful)

interkin3tic (1469267) | more than 5 years ago | (#27863667)

I thought more and more convictions were based on ISP logs instead of hard drive searches these days...

I'd bet the RIAA wants to be as invasive and punitive as possible. I'm suprised they haven't asked for daily body cavity searches of all defendants.

Re:Question (0)

Anonymous Coward | more than 5 years ago | (#27864251)

ah, but as soon as the defendants step out of the room, you can't know for certain whether they stuffed anything in there, can you?

Continuous body cavity searches, where the fun never ends!

Re:Question (1, Informative)

commodore64_love (1445365) | more than 5 years ago | (#27864357)

I'm surprised nobody's shot the RIAA CEO in the head yet. Maybe RIAA deliberately avoids known-militia users. (shrug). Really this whole thing's getting out of hand. I'm going to lose years of my life fighting a court case just because I downloaded the Hot 100 from 2008? C'mon. I have hundreds of CDs on my shelves - it's not as if I (and other fans) don't support singers we like. RIAA is blowing things totally out of proportion, and it's about time people rise-up and fight back.

http://en.wikipedia.org/wiki/Whiskey_rebellion#Consequences [wikipedia.org] - "The hated whiskey tax was repealed in 1803, having been largely unenforceable outside of Western Pennsylvania, and even there never having been collected with much success."

Re:Question (4, Informative)

JoshuaZ (1134087) | more than 5 years ago | (#27863687)

There have been contradictory rulings about this. Many courts have ruled that at least in criminal cases people can be forced to decrypt their hard drives. See for example http://arstechnica.com/tech-policy/news/2009/03/court-self-incrimination-privilege-stops-with-passwords.ars [arstechnica.com]

Re:Question (1, Insightful)

Anonymous Coward | more than 5 years ago | (#27863789)

There have been contradictory rulings about this. Many courts have ruled that at least in criminal cases people can be forced to decrypt their hard drives. See for example http://arstechnica.com/tech-policy/news/2009/03/court-self-incrimination-privilege-stops-with-passwords.ars [arstechnica.com]

Have there been any rulings in civil cases?

Re:Question (1)

queequeg1 (180099) | more than 5 years ago | (#27863917)

I don't know the answer, but I believe that compelling decryption would be even easier in a civil matter since self-incrimination is not at issue.

Re:Question (1)

Weezul (52464) | more than 5 years ago | (#27864083)

Well, there are encryption schemes that provide fool proof plausible deniability, but none are implemented at the filesystem level. StegFS uses other block.

Re:Question (4, Insightful)

vertinox (846076) | more than 5 years ago | (#27863745)

I thought more and more convictions were based on ISP logs instead of hard drive searches these days...

Which would be more logical because how else can you tell the difference between a pirated MP3 and one I downloaded from Amazon.com or ripped from a CD?

Re:Question (3, Funny)

Aranykai (1053846) | more than 5 years ago | (#27864003)

Because its in a directory named "Miley Cyrus - Breakout [2008][CD+SkidVid_XviD+Cov]320Kbps"

Obviously.

Re:Question (2, Funny)

PIBM (588930) | more than 5 years ago | (#27864101)

What if you liked to keep a lot of information handy about what you've been ripping/scanning ?

Re:Question (1)

thewils (463314) | more than 5 years ago | (#27864093)

..and not only that, wouldn't it be germane to any litigation to have to prove that you obtained a file illegally rather than you having to explain where you got it from?

Re:Question (1)

techno-vampire (666512) | more than 5 years ago | (#27864345)

In a civil case like this, the standard of proof is "preponderance of evidence," not "beyond a reasonable doubt" as it would be in a criminal case. That means that if the RIAA's pit bulls can make the jury believe that you probably pirated the file, they win, even if they can't prove it. Thus, if they can show that you've been doing file sharing, and that you have files on your hard drive that you could have pirated, they win unless you can show the jury that it's more likely that you obtained them legally. (Having a copy of the CD in question would probably be sufficient.)

Re:Question (4, Insightful)

earlymon (1116185) | more than 5 years ago | (#27864103)

I thought more and more convictions were based on ISP logs instead of hard drive searches these days...

Perhaps more and more civil cases, but not more and more convictions.

Re:Question (1)

Hatta (162192) | more than 5 years ago | (#27864241)

If the entire hard drive was secured with something like TrueCrypt, could you be compelled to turn over the password?

Yes, but they can't compel you to turn over the password to a hidden partition that they can't even prove exists.

This can't be true... (5, Funny)

stephanruby (542433) | more than 5 years ago | (#27863529)

This makes way too much sense.

You're wrong (4, Insightful)

Zontar_Thing_From_Ve (949321) | more than 5 years ago | (#27863681)

This makes way too much sense.

Nope. Letting the RIAA pick the "forensics expert" does absolutely nothing to ensure that a fair and impartial expert is chosen. I'd think all that would do is make it very easy for the RIAA to set up a forensics lab of their own that could potentially plant evidence on the mirror copy. Then what do you do? They could always claim that your copy, which is minus the planted evidence, was "tampered with". I see no good out of this, but if NewYorkCountyLawyer disagrees, I would welcome an opportunity to be educated out of my error here.

Re:You're wrong (4, Informative)

AKAImBatman (238306) | more than 5 years ago | (#27863823)

Letting the RIAA pick the "forensics expert" does absolutely nothing to ensure that a fair and impartial expert is chose

I don't think that's the point. The point is that a trusted expert in the industry is the only one with access to the private information. He can then represents the findings on behalf of the RIAA. The defense needs to find its own expert witness to counter any arguments made by the RIAA's expert witness.

At least, that's my understanding of how the proceedings would work. (IANAL)

Re:You're wrong (0)

Anonymous Coward | more than 5 years ago | (#27864395)

Letting the RIAA pick the "forensics expert" does absolutely nothing to ensure that a fair and impartial expert is chose

I don't think that's the point. The point is that a trusted expert in the industry is the only one with access to the private information. He can then represents the findings on behalf of the RIAA. The defense needs to find its own expert witness to counter any arguments made by the RIAA's expert witness.

At least, that's my understanding of how the proceedings would work. (IANAL)

ok. soooo what is your hard drive had a boot encryption from say truecrypt WAYYYYY before the litigation started. give over your hard drive let them try and crack it.

Re:You're wrong (4, Interesting)

NewYorkCountryLawyer (912032) | more than 5 years ago | (#27863867)

This makes way too much sense.

Nope. Letting the RIAA pick the "forensics expert" does absolutely nothing to ensure that a fair and impartial expert is chosen. I'd think all that would do is make it very easy for the RIAA to set up a forensics lab of their own that could potentially plant evidence on the mirror copy. Then what do you do? They could always claim that your copy, which is minus the planted evidence, was "tampered with". I see no good out of this, but if NewYorkCountyLawyer disagrees, I would welcome an opportunity to be educated out of my error here.

No, while I think the order otherwise "makes sense", I happen to agree with you 100% on your point that the RIAA should not be able to unilaterally pick the forensic examiner. I think that is a mistake on the judge's part. As I pointed out in TFA:

Unlike the protective order [beckermanlegal.com] (pdf) in SONY BMG Music Entertainment v. Arellanes [beckermanlegal.com] , this protective order permits the RIAA to unilaterally select whatever expert it chooses, rather than an independent, mutually agreeable, expert.

I think that is unfortunate. I'm hoping the judge comes to recognize that oversight.

New defense tactic... (4, Funny)

Volante3192 (953645) | more than 5 years ago | (#27863535)

Just because my PDFs play in winamp doesn't mean they're music files!

Re:New defense tactic... (4, Funny)

Rockoon (1252108) | more than 5 years ago | (#27863589)

rename *.mp3 *.doc

Re:New defense tactic... (2, Interesting)

rodrigoandrade (713371) | more than 5 years ago | (#27863755)

Good point. Will the forensic expert just look at file extensions to determine what is copyrighted material, and what is personal/private info?? If so, your trick should work.

Re:New defense tactic... (4, Informative)

TinBromide (921574) | more than 5 years ago | (#27863897)

The expert can run an md5 hash list containing the signatures of all the copyrighted music that the RIAA has collected over the years and compare the results against the contents of the hard drive. You can name a file anything you want and its content based md5 will stay the same. Also, you can rename a jpeg to a .doc and the first 4 bits of the file will still reveal it as a jpeg. Every piece of modern forensics software is capable of doing the above, and most do them automatically.

If you take an MP3 file and rename it personal.doc, it will still show up in the media bucket and be declared as an audio file in the forensic software I am professionally experienced with.

Re:New defense tactic... (2, Insightful)

TheBig1 (966884) | more than 5 years ago | (#27863973)

So flip the last bit on all your MP3s, and the hashes will all be off. Or flip a random bit in the middle, at most you will hear a bit of hiss or something at one point in the song.

Re:New defense tactic... (1)

TinBromide (921574) | more than 5 years ago | (#27864059)

very good, but if you can do that, why weren't you running peer guardian or sharing on private trackers? (essentially, if you're smart enough to do that, why did you let yourself get caught in the first place?)

Besides, that's the reason the expert will also perform analysis on files identified as audio files. If you flip a bit in the header to thwart that, some forensics software will still be able to identify it as media, but your software won't be able to tell that you're feeding it a perfectly valid MP3.

Re:New defense tactic... (0)

Anonymous Coward | more than 5 years ago | (#27864131)

Because getting on private trackers takes time, and 3/4 of the scene aren't 'leet' enough to be bothered.

Re:New defense tactic... (3, Funny)

Bandman (86149) | more than 5 years ago | (#27864433)

Coming soon...WinAmp plugins to XOR your MP3 collection

Re:New defense tactic... (1)

Ndymium (1282596) | more than 5 years ago | (#27864051)

The expert can run an md5 hash list containing the signatures of all the copyrighted music that the RIAA has collected over the years and compare the results against the contents of the hard drive. You can name a file anything you want and its content based md5 will stay the same.

That's why you change the file in some way, for example write something random in an MP3 file's ID3 comment tag. The resulting md5 hash is now completely different and most likely is not included in their list.

Re:New defense tactic... (1)

Taibhsear (1286214) | more than 5 years ago | (#27864387)

Not saying you are lying (I'd love that you are correct) but do you or does anyone else here have a citation or proof that this works? ID3 metadata is incredibly easy to manipulate. If this is the case it should be very easy to cover your ass in this situation.

Re:New defense tactic... (1)

dotgain (630123) | more than 5 years ago | (#27864423)

... which is why there are approximately infinity different 'versions' of a particular song / movie on the p2p networks, I guess..

Re:New defense tactic... (1)

Schuthrax (682718) | more than 5 years ago | (#27864373)

Wouldn't the contents of the MP3 tag elements change the hash? If I make sure to run some batch MP3 tag editor against my files to add a comment "Ripped by me from my own personal CD collection", wouldn't that do it?

Re:New defense tactic... (0)

Anonymous Coward | more than 5 years ago | (#27864205)

Whats to stop me buying an old hard drive, installing it as a 'clean' Windows install then handing that over when required?
Boot the OS up once a week and copy a few more up to date files onto it to make it look recently used.

Do you also have to turn over (1)

joeflies (529536) | more than 5 years ago | (#27863537)

the encryption keys for the hard drive?

Re:Do you also have to turn over (1)

vertinox (846076) | more than 5 years ago | (#27863619)

Only the one they believe to be the right one.

Re:Do you also have to turn over (1)

Golddess (1361003) | more than 5 years ago | (#27863881)

Even if they do, how do they prove that you handed over all of them [wikipedia.org] ?

Re:Do you also have to turn over (1)

jasen666 (88727) | more than 5 years ago | (#27864307)

I keep all of my music on an external RAID array. They can examine the drive in my computer all they want. :)

Wiping the Hard Drive After Litigation (5, Insightful)

Anonymous Drunkard (691025) | more than 5 years ago | (#27863549)

(c) any evidence that the hard-drive has been 'wiped' or erased since the initiation of the litigation.

Just curious: Let's say someone wanted to do just that - wipe or erase the hard drive since the initiation of the litigation.

Theoretically, couldn't a person just set the BIOS clock to a date and time prior to the legislation, do multiple shreds and formats on the HDD, reinstall the OS with the BIOS clock still 'in the past', and have it seem as though nothing changed since the initiation of the litigation?

It would seem to me that if the BIOS clock was set to a prior point, that everything else on the HDD would follow. The BIOS clock has no intuitive knowledge of time, it only knows what it's told.

All theoretical, of course. No one would actually do such a thing, of course...

Re:Wiping the Hard Drive After Litigation (4, Insightful)

t00le (136364) | more than 5 years ago | (#27863699)

The simplest thing to do is to have a second disk in your computer, one for bad things and the second as a legal spare. Some truck drivers keep multiple log books, so something like that would be easier.

That way you could show use on the second boot disk. If you get sued simply remove the illegal disk and bury it somewhere, like a neighbors yard. start using your legal hdd as you would minus the piracy piece.

Re:Wiping the Hard Drive After Litigation (3, Insightful)

Ucklak (755284) | more than 5 years ago | (#27863927)

Use a USB drive for `personal` stuff. Let them take the OS drive and mirror it to hearts content.

Re:Wiping the Hard Drive After Litigation (1)

kpainter (901021) | more than 5 years ago | (#27863929)

The simplest thing to do is to have a second disk in your computer, one for bad things and the second as a legal spare. Some truck drivers keep multiple log books, so something like that would be easier.

This is what Firewire was made for ;) What drive? Just be sure to dust off the area where that drive sat.

Re:Wiping the Hard Drive After Litigation (3, Informative)

vertinox (846076) | more than 5 years ago | (#27863705)

Theoretically, couldn't a person just set the BIOS clock to a date and time prior to the legislation, do multiple shreds and formats on the HDD, reinstall the OS with the BIOS clock still 'in the past', and have it seem as though nothing changed since the initiation of the litigation?

You could, assuming that the computer was still in your possession which I doubt at this point.

Re:Wiping the Hard Drive After Litigation (4, Insightful)

Qzukk (229616) | more than 5 years ago | (#27863877)

Even then, it'd show an awful lot of work having been done on the computer in 1998, then absolutely no new files or system log entries until 2009, which would be quite remarkable.

Re:Wiping the Hard Drive After Litigation (1)

GryMor (88799) | more than 5 years ago | (#27863769)

I don't see anything stopping them from using file system information. In your file system, this sort of thing stands out like a sore thumb as recording activity inconsistent with you having actually used the drive.

Re:Wiping the Hard Drive After Litigation (1)

Archangel Michael (180766) | more than 5 years ago | (#27863785)

Windows automatically updates clock settings, when it connects to a network. I suggest that you make sure when you do it, that you don't put it on the net until you have it the way you want it.

Re:Wiping the Hard Drive After Litigation (0)

Anonymous Coward | more than 5 years ago | (#27864223)

Windows automatically updates clock settings, when it connects to a network. I suggest that you make sure when you do it, that you don't put it on the net until you have it the way you want it.

Or, you know. Just disable it.

Re:Wiping the Hard Drive After Litigation (4, Interesting)

Todd Knarr (15451) | more than 5 years ago | (#27863811)

They could, but it's easy to get tripped up. For instance, one of the default settings in Windows XP is to synchronize time to a network time server belonging to Microsoft. If you weren't careful to keep the machine isolated during the install and all patching, you'd end up with a big discrepancy in timestamps as the clock jumped forward to the correct time during the last part of the install process. It'd also show up in the timestamps on patches, they might show as having been installed before they were issued or they'd be all lumped together at the very end when they should've been installed in a steady stream starting at the claimed install date and getting progressively more recent as patches were applied automatically. It might be hard to prove exactly when the drive was wiped, but it'd be easy to show that the fingerprint of the timestamps doesn't match what it'd be if the drive was as old as it claimed to be and had aged at 1 second per second since then.

Although it sounds plausible (5, Insightful)

joeflies (529536) | more than 5 years ago | (#27863817)

I would guess the penalties for the destruction of evidence and the manufacturing of new evidence would land you in significantly more trouble, no?

Re:Wiping the Hard Drive After Litigation (5, Informative)

Anonymous Coward | more than 5 years ago | (#27863853)

Posting anonymously because, well, you'll see.

I have personally nailed people for trying such a thing. One guy had to pay my fees and the fees of the attorney, another I believe spent a month in jail (the destruction was just the straw that broke the camel's back). In civil matters, destroying evidence means that whatever was there was far worse and far more damaging than anything currently residing on the drive. Lawyers can get away with that because they can say whatever they like and you have no way of proving them wrong.

As for your question, a wiped drive is fairly obvious, unless you set your bios clock 100's of times and do stuff incrementally, create a range of files with chronological creation/modification/access times, populate the event logs with a smooth span of times, and not leave any smoking guns (windows xp pro on a dell?), you're probably gonna get nailed if the forensics expert is worth his paycheck. By the way, when you copy a file across a file system, from one drive to another, it gets a new creation time, so if all the files were "created" on a single day, that was when they were migrated over.

The forensics expert is allowed to look at file system data and registry data as long as he can justify that its to detect just the kind of scenario you've stated, and its within the domain of his orders. Hell, he theoretically can click through every picture, document, and file on the drive if he creates a new forensic case aside from the official one and doesn't tell anybody about it. (thats bad, don't do that).

By the way, if I was ever faced with such a situation, I'd plug my hard drive is as an external, scrub the offending files, blow away the registry, destroy the file system, and take a soldering iron to the circuit board so that they have to do a clean room recovery which will result in a partial image for analysis. I'd present that drive along with a new drive, repaired and what not to the court and say my hard drive crashed and that they can have at it if they like.

Re:Wiping the Hard Drive After Litigation (1)

dgatwood (11270) | more than 5 years ago | (#27864233)

No, a soldering iron would be pretty obvious destruction of evidence. You'd have to do something more subtle like shake the drive vigorously to scar the heck out of the drive surface and shred the drive heads while randomly seeking all over the disk. If you are still in possession of the machine, of course.

Or you could just do a security erase of the offending files, ending by renaming them to a long string of garbage characters followed by renaming it to something short and innocuous (but the sort of thing that you would legitimately need to do a secure erase on, e.g. something with a work-related name) to thoroughly obliterate any trace of the offending directory entry. Oh, and if your OS records actual creation dates, be sure to set the creation dates on the files to something different from the original dates just in case they are comparing file creation dates to some server log somewhere....

Re:Wiping the Hard Drive After Litigation (1)

nine-times (778537) | more than 5 years ago | (#27864375)

s for your question, a wiped drive is fairly obvious, unless you set your bios clock 100's of times and do stuff incrementally, create a range of files with chronological creation/modification/access times, populate the event logs with a smooth span of times, and not leave any smoking guns

What about a disk image? Like if I had access to a second computer with no offending files, and I imaged the contents of that drive over? Is that detectable?

Just curious.

I call bull on the above statement! (2, Interesting)

Mycroft_514 (701676) | more than 5 years ago | (#27864391)

"By the way, when you copy a file across a file system, from one drive to another, it gets a new creation time, so if all the files were "created" on a single day, that was when they were migrated over."

Not on a Windows system it doesn't. The only time you get a new date on it is when you download from an external system, or you manually change the date/time stamp.

Now me? All my music files (all legal, btw) are already on a USB portable drive anyway, because it takes 15GB off the active drive I need the space on. And my wife's machine? Re-loaded with WIN XP PRO over the top of WIN XP Home about a month ago. Memory chip went bad, and garbled part of the registry - right after I got a full backup of the files.....

So, how are we going to certify Forensics experts? Obviously the Anonymous Coward above wants to be one, but certainly doesn't qualify, if he makes such a basic mistake. (And to double check, I tried it just before I posted this message. Copied a file to another dirve and it retains the 2008 creation date).

Re:Wiping the Hard Drive After Litigation (1)

Hatta (162192) | more than 5 years ago | (#27864425)

By the way, when you copy a file across a file system, from one drive to another, it gets a new creation time, so if all the files were "created" on a single day, that was when they were migrated over.

There is no creation time on ext3. GNU tar will preserve atime, ctime(inode Change, not creation time), and mtime with the appropriate flags.

Re:Wiping the Hard Drive After Litigation (2, Interesting)

vux984 (928602) | more than 5 years ago | (#27864171)

Theoretically, couldn't a person just set the BIOS clock to a date and time prior to the legislation, do multiple shreds and formats on the HDD, reinstall the OS with the BIOS clock still 'in the past', and have it seem as though nothing changed since the initiation of the litigation?

Yes, theoretically it can be done.

So, right out of the gate, there would be evidence that the drive had been formated and shredded just prior to the litigation. That's not 'criminal', but its suspicious enough to maybe look into it, and try and determine if it was in fact done before or after. And in practice most people, especially regular people, will make mistakes.

Ok... so the OS and installation logs etc proudly proclaim they were all insalled before such and such a date. But hmmm... what's this strange 4 month gap in the time stamps in the event log, starting 2 days after the OS was reinstalled.... or maybe our genius thought of that, but then why was the machine booted up and down each 'day' yet did nothing else...and it did this for 4 straight months... that looks a LOT more like someone rebooting, advancing the bios date, rebooting, advancing the bios date...etc than actually using it.

And then on top of that, why does the java auto update log show that the latest Java Update was installed 2 months before it was released... and this folder here... it contains mp3s with file creation dates before they were even recorded.

So they might come back and say, clearly someone was messing around with the clock and doing strange things with the PC. Couple that with the evidence the PC was wiped and shredded... we, of course, can't PROVE, the defendant tampered with the drive to destroy evidence... there are other possible explanations. But this is evidence of tampering, we think the jury will agree that the drive was tampered with, as opposed to being conveniently afflicted by a bizarre set of circumstances that make it merely look like it was tampered with.

Like anything digital, yes, your perfect crime is theoretically possible, but its probably much harder than you think.

Re:Wiping the Hard Drive After Litigation (1)

Maximum Prophet (716608) | more than 5 years ago | (#27864355)

So we should all keep a machine around for Y2010 testing that we constantly move the clock around, creating and deleting files in the past and future?

Re:Wiping the Hard Drive After Litigation (1)

lordcorusa (591938) | more than 5 years ago | (#27864203)

I don't know what the protocol is for civil litigation, so I do not know whether some officer would seize your equipment at the time of service of litigation, as happens in criminal matters.

But assuming that you are able to retain control of your machines and autonomy in their use for some time after being served, then it would actually be quite difficult to securely wipe them and reinstall them without leaving behind some evidence that could be discovered by a forensics expert. Other posts in this thread do a good job of going into detail about specific ways of telling that such a wiping happened, such as looking for evidence of massive patching, or unusually large timestamp jumps. If you are caught, which is likely, then even assuming that you are not subject to criminal penalties for evidence tampering, you can still be nailed by a default judgment against you in the civil matter (where the evidence has merely to be more likely than not, rather than beyond a reasonable doubt).

So, trying to wipe a drive is a losing strategy.

Your best bet to handle this situation requires some fore-planning and regular updating of planning. You must have a brand new hard drive available *before* you get served. Them your best bet is, assuming you retain control of your computer for some time, to *immediately* remove your hard drive and destroy it, and replace it with a brand new hard drive. Then you claim in your affidavit in response to request for discovery that your old hard drive died *before* you were served, and you destroyed the old hard drive *before* you were served. You have to have bought the new hard drive *before* you were served, because they can track when the hard drive was manufactured and possibly even sold, and if the records say it was sold *after* you were served, you get nailed for perjury. Also, the hard drive should be reasonably recent, as one would be unlikely to install a 5 year old "new" hard drive in case of a failure, rather than buying a newer hard drive at the time of failure. Note that some forensics analyses can identify a specific instance of an operating system install based solely on network port scans and other traffic analysis; even though it is currently unlikely that the opponent would have used such a scan on you before serving you, to protect yourself against potential proof that your operating system instance remained the same up until the time of discovery, you should *always* have a hardware firewall between your computer and the Internet.

Of course, the above paragraph details a theoretical method to attempt to subvert the legal system. I do not support perjury and my advice to you is to not to tamper with evidence or lie about evidence.

So then they'll just have a pocket expert (0)

Anonymous Coward | more than 5 years ago | (#27863579)

I suppose the same could be said if the defendant got to choose. Seems like they should have to pick from a list of approved providers, as determined by the ruling judge.

Hiding music (0)

Anonymous Coward | more than 5 years ago | (#27863593)

The expert will be precluded from examining 'any non-relevant files or data, including ... emails, word-processing documents, PDF documents, spreadsheet documents, image files, video files, or stored web-pages

So I should be OK if I put my music collection in my CP folder?

Can I embed MP3s in PDFs? (0)

Anonymous Coward | more than 5 years ago | (#27863599)

So if I change the name from file.mp3 to file.pdf, they won't find it?
What if I attach all my mp3 files as email attachments and send them to myself and delete the originals?

Embedded (1)

SoundGuyNoise (864550) | more than 5 years ago | (#27863611)

From now on, all of my MP3s will be embedded into PDFs.

Re:Embedded (1)

GryMor (88799) | more than 5 years ago | (#27863797)

Just because they are embedded in PDFs doesn't make them stop being music files, neither does it magically turn them into PDFs.

This makes my blood boil (5, Insightful)

Smidge207 (1278042) | more than 5 years ago | (#27863631)

While I admire people fighting the good fight, this is EXACTLY what makes court so dicey. If you get some judge with his head up the RIAA's ass and you are going to lose no matter how good your case is. The PROPER thing to do in a case like this is to have both parties agree on who examines the drive. One more thing, five days doesn't seem like a lot of time to examine a tech report for improprieties.

=Smidge=

Re:This makes my blood boil (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#27863787)

I thought you weren't posting anymore.

I liked that, and you lied to me!

Re:This makes my blood boil (4, Insightful)

evanbd (210358) | more than 5 years ago | (#27863791)

I was of the impression that it was fairly common to let the party doing the discovery select their own expert examiner. If the defense believe the examiner is for some reason inappropriate, for example overly biased or unqualified, they can object -- but requiring the two parties to a lawsuit to agree on *anything* is doomed to failure.

This actually seems quite sane to me.

(IANAL, of course.)

Re:This makes my blood boil (3, Insightful)

Golddess (1361003) | more than 5 years ago | (#27864277)

requiring the two parties to a lawsuit to agree on *anything* is doomed to failure.

In a trial by jury, both sides must accept a juror in order for them to be on the jury.

(cue jokes about jury failure or something)

Uh... (0)

Anonymous Coward | more than 5 years ago | (#27863647)

"computer forensics expert of the RIAA's choosing"

Oh, so we're in safe hands then.

"of the RIAA's choosing" (3, Insightful)

elrous0 (869638) | more than 5 years ago | (#27863671)

The "forensics expert of the RIAA's choosing" pretty much negates all other protections in this order. That's like telling me "You can't peak into my email" then saying "But you can have any one of your best friends peak, with no supervision."

Re:"of the RIAA's choosing" (1)

hamburgler007 (1420537) | more than 5 years ago | (#27863895)

The judge should have at least have an expert of the defense choosing to audit the examination with a recording of the activity.

Re:"of the RIAA's choosing" (2, Insightful)

TubeSteak (669689) | more than 5 years ago | (#27864043)

The "forensics expert of the RIAA's choosing" pretty much negates all other protections in this order.

The expert can secretly (an in contempt of court) tell the RIAA whatever it wants, but if the RIAA tries to use anything outside the scope of the report, the both of them will be in a boatload of trouble with the Judge.

Beyond the contempt of court and violations of professional ethics, there's undoubtedly at least one federal or state privacy law that would be violated.

Re:"of the RIAA's choosing" (1)

shentino (1139071) | more than 5 years ago | (#27864261)

Especially considering RIAA's involvement with a shady MediaSentry, I wouldn't trust the RIAA to pick a good expert.

A virtual environment then. (3, Interesting)

AgTiger (458268) | more than 5 years ago | (#27863683)

> (c) any evidence that the hard-drive has been 'wiped' or erased since the initiation
> of the litigation.

So as long as you wipe or erase the hard drive before litigation begins, or before you become subpoena'ed (aware of the litigation), you're protected if you destroyed any evidence of your activities?

Perhaps a VMWare or other virtual operating system is in order then. Download, burn to optical, revert the guest image.

Perhaps NewYorkCountyLawyer could confirm the viability of this method?

Something about not being forced to testify against yourself. No sense in leaving your equipment capable of testifying against yourself either.

Perfuming a Skunk (1)

AB3A (192265) | more than 5 years ago | (#27863697)

This is like setting limits on how strip searches should be conducted, or defining what limits one should use for "aggressive" interrogation.

The best approach is not to go there in the first place.

If you outlaw stealing (0)

Anonymous Coward | more than 5 years ago | (#27863707)

Only outlaws will steal

Slashdot system failure (0, Offtopic)

Frank T. Lofaro Jr. (142215) | more than 5 years ago | (#27863813)

Error: "It's been 1 hour, 3 minutes since you last successfully posted a comment"

Re:Slashdot system failure (1)

TinBromide (921574) | more than 5 years ago | (#27863951)

Post more often. Simple enough.

Our laws are not even wrong (4, Insightful)

earlymon (1116185) | more than 5 years ago | (#27863827)

Court orders to search hard drives aren't right - they're not even wrong.

If you get a warrant to search my house, you search my house.

No court believes that it would issue a single warrant to search part of my home, part of my business and parts of my friends' and family's homes.

But a warrant to search my hard drive is exactly that.

Restricting this search to the forensics expert of the MAFIAA's choosing but not allowing irrelevant info to pass on to them is exactly offensive and ridiculous. I'm frustrated my own following hyperbole, but I am so angry, this is the only metaphor that I can find - the beat cop gets to exercise the right to search everyplace you've been with a single warrant, but don't worry, he'll only tell the detectives about the stuff he found that's relevant.

The fucking MAFIAA's cases isn't one of governmental high crimes or misdemeanors, neither is it one involving a criminal case - it's a fucking civil case. How dare any court in the land grant such a mind-numbingly offensive violation of one's constitutional protection of privacy in a fucking civil case?

Re:Our laws are not even wrong (5, Insightful)

earlymon (1116185) | more than 5 years ago | (#27864033)

Fuck me, I'm not done. Even Judge Judy knows better than this.

Plantiff: "You honor, she stole my CDs when she moved out. A friend saw her carrying out boxes plus who else would have done it?"
Judge Judy: "Ms. X, did you take his CDs?"
Defendant: "No, judge. I did not."
Judge Judy: "I'm sorry, Mr. Z, but you have no proof. Under the law, there's nothing that I can do."
Plaintiff: "Your honor, please - how about a warrant to search her home, business and all of her friends' and family's home - then I'll have proof."
Judge Judy looks at Bert, narrows her eyes, admonishes the idiot to get a life because he's clueless and the law doesn't exist for him to conduct witch hunts and we fade to commercial.

Tell me how my point isn't any simpler than that. How in the fuck did we come to this as a people? Why in the fuck are any of us laying down for this?

My anger may be getting the better of me, but maybe that anger helps fuel my weak brain. How did we condone Gitmo? How did we let the Patriot Act and Warrantless Wiretapping go on?

How does the fucking camel get into the tent? He sticks his nose in first. Civil warrants to search hard drives have existed for more years than I can recall. That could very well be the camel's fucking nose.

Now - how in fuck do we fix this?

Re:Our laws are not even wrong (1, Informative)

Anonymous Coward | more than 5 years ago | (#27864179)

Dude,

Learn something about the law. This is a CIVIL case. This isn't a search from a warrant, this falls under DISCOVERY, which is the process whereby each side in a civil suit can force the other to show what evidence they have about the case.

This is common, and allowing each side to choose the investigator they use for such specific tasks as computer forensics is the norm.

IANAL, but I was a computer forensics tech a long time ago.

Re:Our laws are not even wrong (1)

earlymon (1116185) | more than 5 years ago | (#27864349)

Fine, first kindly see my comment to my own post - I know it's a civil case.

Thank you, I mean that, for teaching me how to start looking up DISCOVERY.

So, given that you do know the law - how does discovery allow you to violate privacy to the extent that I identify, because it is most certainly that extensive a violation of privacy.

And where do you exercise your computer forensics expertise? In civil discoveries? And if so, just because the law is on your side, how do you rationalize this, morally?

Makes me feel warm and cozy. (1)

Controlio (78666) | more than 5 years ago | (#27863845)

After all, it is already illegal for Best Buy employees to search my hard drives for software, music, images, porn, etc. and make copies of said information to keep them on a centralized file server in their store for all the techs to peruse at will. But wait, it happened anyways en masse, didn't it?

So this provides legal protection from authorities "stumbling across" other illegal files (child porn, warez, etc) but it does little to protect privacy beyond that (trade secrets, private/original music and/or speech recordings and the like). And I find it wonderful that the RIAA gets to select the parties that peruse said information, as opposed to a neutral third party. Smells like an arrangement that could easily be abused.

It's funny... (4, Insightful)

smooth wombat (796938) | more than 5 years ago | (#27863863)

As I read various comments, people are suggesting ways to thwart the attempt of a forensics expert to determine if certain files are present on a person's drive.

Which is amusing because numerous posters make the claim that they are doing nothing wrong when they get a piece of music for nothing.

So, if they're doing nothing wrong, why all the suggestions on ways to hide what you're doing?

Re:It's funny... (2, Insightful)

Myji Humoz (1535565) | more than 5 years ago | (#27863997)

So, if they're doing nothing wrong, why all the suggestions on ways to hide what you're doing?

Moral != legal
Immoral != illegal
Hiding possibly illegal activities != Hiding possibly immoral activties
Hint: People of both the innocent and guilty variety dislike going to jail.

Two Words. (2, Funny)

DarthVain (724186) | more than 5 years ago | (#27863879)

Thurr and Mite! :)

But... (0)

Anonymous Coward | more than 5 years ago | (#27863885)

What if I'm pirating music videos?

simple solution (3, Interesting)

FudRucker (866063) | more than 5 years ago | (#27863891)

get some thermite, glue it to the top of your harddrive with a fuse connected to the cover on your PC case, if not opened properly the harddrive melts...

Re:simple solution (1, Insightful)

Anonymous Coward | more than 5 years ago | (#27864129)

You can do hard time for putting a trap on something...

Re:simple solution (0)

Anonymous Coward | more than 5 years ago | (#27864165)

Yup. I do the same thing with my safe. If it's not opened properly, all the money inside are burnt.

Re:simple solution (1)

mikael (484) | more than 5 years ago | (#27864213)

Some "high security" hard drives would have a thermal oxidiser as a layer between the glass platters and the magnetic media. If a plug on the front of the hard drive was removed, oxygen would enter the enclosure, cause the oxidiser to react, heat up and disintegrate the binding of the magnetic particles. Complete and guaranteed permanent wipe.

rename (1, Interesting)

Anonymous Coward | more than 5 years ago | (#27863939)

1. download music, movies
2a. rename all media files to doc or xls
OR
2b. zip files (possibly encrypt)
3. beat court case b/c forensics find no mp3,mp4,aac,wma,wmv,mov,avi,etc
4. profit

seriously?

A 'forensics expert' (1)

Aladrin (926209) | more than 5 years ago | (#27863995)

I see a lot of 'The RIAA will cheat if they get to pick!' posts. But the order says a 'forensics expert' and not just any random person the RIAA picks. I would -hope- this means someone with a license that can be revoked if they are found to be corrupt. If so, it doesn't really matter who the RIAA picks because the person would soon be out of work if they didn't hold to the law.

Maybe the courts are starting to get it (4, Insightful)

bzzfzz (1542813) | more than 5 years ago | (#27864005)

I see this as good news.

The best news here is that this shows that the court system and the judges understand what computers are and how they are used and are at least making an effort to deal with the case in a balanced way. Sure, computer forensic evidence has become routine in the last few years but there have still been plenty of RIAA cases where the handling of the defendant's property is remarkably cavalier.

The RIAA, despite their myriad flaws, are entitled to their day in court. If procedures are balanced and remedies are fair, then I believe that the RIAA's corporate sponsors will quickly decide that the game isn't worth the candle.

The copyright statutes and the discovery procedures are the law of the land whether we like them or not. The injustice and unfairness early in the RIAA campaign came from the lack of due process, the flimsy evidence and weak cases, and the threats of draconian penalties. It's getting better, and every positive step brings us that much closer to closing this dark era in the history of the legal system.

Re:Maybe the courts are starting to get it (4, Insightful)

russotto (537200) | more than 5 years ago | (#27864287)

The RIAA, despite their myriad flaws, are entitled to their day in court. If procedures are balanced and remedies are fair, then I believe that the RIAA's corporate sponsors will quickly decide that the game isn't worth the candle.

When it's Juggernaut (RIAA) vs. Pipsqueak (average Joe), nothing is EVER balanced or fair, except in the Fox News sense. It can't be.

1) Juggernaut's expenses to run its offense are insignificant compared to its size. Pipsqueak's legal costs are significant, perhaps even crushing, to him.
2) Juggernaut has nothing at risk. Pipsqueak is at the risk of bankruptcy if he loses.
3) Juggernaut has played this game before and knows all the moves. It's probably Pipsqueak's first experience with the system
4) This is Juggernaut's job. Pipsqueak is forced to divert time and effort from his life and work to deal with it.

And that's before any cheating by Juggernaut.

if it works for bush (3, Informative)

circletimessquare (444983) | more than 5 years ago | (#27864061)

http://en.wikipedia.org/wiki/Bush_White_House_e-mail_controversy [wikipedia.org]

why can't it work for you?

of course, wiping your disk after start of litigation opens you up to destruction of evidence

so all you have to is structure your attitude towards the courts, and the nature of how you wipe according the RNC playbook, and you can should be able to give yourself enough plausible deniability to let yourself off the hook. "whoops! how'd that happen?"

pirates should learn from the best crooks, the past administration, when it comes to the destruction of electronic evidence

or i suppose there exists some sort of double standard between the elites and the commoners in a country supposedly standing for western liberal ideals about fair play and equality? naahhhh...

Simple Solution (0)

Anonymous Coward | more than 5 years ago | (#27864095)

If they're not allowed to analyze PDF or DOC files, then just store the MP3 files with a PDF or DOC extension, or conversely develop a PDF or DOC wrapper around the audio data.

The easiest thing would be to drop the files into a Word document as an embedded binary attachment.

VMware? (0)

Anonymous Coward | more than 5 years ago | (#27864141)

Why not run all your P2P in a VMware image that's been encrypted with Truecrypt. This image could be placed on an external drive. When the RIAA shows up, just disconnect and bury the vmware drive.

Secondly, is it considered destruction of evidence if I run a registry cleaner, temp files cleaner (like CCleaner), use the free space wipe features of CCleaner, and defrag my drive via a scheduled task?

Meanwhile... (1)

fredbox (207869) | more than 5 years ago | (#27864159)

while prohibited from examining other files, an anonymous tip of CP is called into the police, who do their own full investigation, which is then subpoena'd by the RIAA ...

or better still, the forensics experts leave some CP behind, return the hard drive, THEN call in the tip..

Illegal MP3s (2, Interesting)

Nekomusume (956306) | more than 5 years ago | (#27864409)

How would the forensics expert know any given MP3 he finds is illegal? Between online music stores and CD-Ripping, he could very well find 1000 MP3s, and every last one of them be legal.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...