Fifth Amendment Rights and Encrypted Hard Drives

sky_wire's Avatar
FYI. Supreme Court, here we come.

Eleventh Circuit Finds Fifth Amendment Right Against Self Incrimination Protects Against Being Forced to Decrypt Hard Drive Contents

We hold that the act of Doe’s decryption and production of the contents of the hard drives would sufficiently implicate the Fifth Amendment privilege. We reach this holding by concluding that (1) Doe’s decryption and production of the contents of the drives would be testimonial, not merely a physical act; and (2) the explicit and implicit factual communications associated with the decryption and production are not foregone conclusions.

First, the decryption and production of the hard drives would require the use of the contents of Doe’s mind and could not be fairly characterized as a physical act that would be nontestimonial in nature. We conclude that the decryption and production would be tantamount to testimony by Doe of his knowledge of the existence and location of potentially incriminating files; of his possession, control, and access to the encrypted portions of the drives; and of his capability to decrypt the files.

We are unpersuaded by the Government’s derivation of the key/combination analogy in arguing that Doe’s production of the unencrypted files would be nothing more than a physical nontestimonial transfer. The Government attempts to avoid the analogy by arguing that it does not seek the combination or the key, but rather the contents. This argument badly misses the mark. In Fisher, where the analogy was born, and again in Hubbell, the Government never sought the “key” or the “combination” to the safe for its own sake; rather, the Government sought the files being withheld, just as the Government does here. Hubbell, 530 U.S. at 38, 120 S. Ct. at 2044 (trying to compel production of documents); Fisher v. United States, 425 U.S. at 394–95, 96 S. Ct. at 1572–73 (seeking to access contents possessed by attorneys).

Requiring Doe to use a decryption password is most certainly more akin to requiring the production of a combination because both demand the use of the contents of the mind, and the production is accompanied by the implied factual statements noted above that could prove to be incriminatory. See Hubbell, 530 U.S. at 43, 120 S. Ct. at 2047. Hence, we conclude that what the Government seeks to compel in this case, the decryption and production of the contents of the hard drives, is testimonial in character.

Moving to the second point, the question becomes whether the purported testimony was a “foregone conclusion.” We think not. Nothing in the record before us reveals that the Government knew whether any files exist or the location of those files on the hard drives; what’s more, nothing in the record illustrates that the Government knew with reasonable particularity that Doe was even capable of accessing the encrypted portions of the drives. . . .

To be fair, the Government has shown that the combined storage space of the drives could contain files that number well into the millions. And the Government has also shown that the drives are encrypted. The Government has not shown, however, that the drives actually contain any files, nor has it shown which of the estimated twenty million files the drives are capable of holding may prove useful. The Government has emphasized at every stage of the proceedings in this case that the forensic analysis showed random characters. But random characters are not files; because the TrueCrypt program displays random characters if there are files and if there is empty space, we simply do not know what, if anything, was hidden based on the facts before us. It is not enough for the Government to argue that the encrypted drives are capable of storing vast amounts of data, some of which may be incriminating. In short, the Government physically possesses the media devices, but it does not know what, if anything, is held on the encrypted drives. Along the same lines, we are not persuaded by the suggestion that simply because the devices were encrypted necessarily means that Doe was trying to hide something. Just as a vault is capable of storing mountains of incriminating documents, that alone does not mean that it contains incriminating documents, or anything at all.
LE will always overreach and let the courts sort it out. Even when they know they are crossing the line or outright breaking the law in their search for evidence, they don't care, since courts have a long and tarnished history of giving unwarranted credence to LE testimony even when conflicting data refutes the LE's testimony.
jframe2's Avatar
I found and read this case.

Here are some links on this case-
1- Article in the American Bar Association Journal
http://www.abajournal.com/news/artic...ock_hard_driv/

2- the full opinion in pdf, http://www.ca11.uscourts.gov/opinions/ops/201112268.pdf

The specific area on this is-
"that the government had no definite knowledge there was anything on the hard-drive that was illegal, and as a result, production can’t be compelled under the “foregone conclusion” doctrine, the appellate opinion (PDF) said."

There are rulings for both sides of this in all Federal Circuits. I do not see how this will go to the Supremes as it really does not plow new ground. It just reinforces that there are some limits even for a federal grand jury subpoena for records.
Thanks to those brainy Russian motherfuckers at Elcomsoft, the point is rather moot if you are using one of the more popular commercial products. All they have to do now is successfully obtain a warrant: http://www.informationweek.com/secur...ruec/240145127
jframe2's Avatar
This still has a weakness-
Quoted from the website-
"But there's one big caveat when grabbing the needed memory dumps: The targeted encryption containers must be mounted to the computer. "It's important that encrypted volumes are mounted at the time a memory dump is obtained or the PC goes to sleep; otherwise, the decryption keys are destroyed and the content of encrypted volumes cannot be decrypted without knowing the original plain-text password," said Katalov."

There is a workaround that will nullify this, if you set up your Tech/Comm Security correctly. The clues are in the above paragraph.

One also needs to keep in mind that most of the Computer Forensic work is done for high profile types of crimes by the Fed Govt, not for a pissed-off wife/SO that wants to know what is on a drive. Also, I do not think this product has been vetted by the Computer Forensic world quite yet.

The world of the Hobbyist is fairly low on the priority list for the Feds to spend time and resources on a full on computer forensic exam. And I do not think that local LE will see a solo Hobbyist as worthy of such intentions (assuming LE can get a warrant). Pimps, low-life sexually depraved MF's or human trafficking, maybe worth LE time, however.

But Information is king, so it is good for people to read and think about their individual situations.

Happy Holidays,
Irish Blessings to All
I am not 100% certain but I think if the drive is encrypted they cannot compel you to give up the unlocker code. However, they can try to crack it but then your lawyer can argue that if they have the skill to crack it, they can modify evidence... in other words your lawyer can cast doubt.

I did find a neat way to add a layer of protection... a virtual machine on a machine.

Use the VM to do all your naughtiness and yes you can encrypt/password the VM file.

The more layers you add the harder it will be to crack, but if you are doing all this, then you have some SERIOUS stuff to hide.
jframe2's Avatar
If LE has enough probable cause they will ask a Judge to compel you to give up the password. If you refuse, it is "refusal to follow the judge's order" or "Contempt of Court", whatever the local jurisdiction calls it. Then it is up to you to see if you can take the punishment from the Judge, X days in jail and X amount of $fine.

A properly conducted Forensic Exam has procedures in place to prevent the manipulation of evidence; this is basically running Hashtags before and after the copying of the data. These procedures have been scientifically vetted for use in criminal courts across the land at the Fed and State levels.

As to VM, data can be retrieved from the VM environment. But not as easily and not all the time.

However, Spirit is correct, layers is the way to go if you feel the need to store items.

My procedures are to not store anything, and I mean ANYTHING, on a media device; hard drive, thumb drive, SD card, etc. Anything that needs storing, I use a Cloud-based account and I always, always delete everything afterward.

Keeping trophies/records is the weakness in this world of ours.

Get sloppy in your Tech/Comm Security and you will end up in trouble.
sky_wire's Avatar

My procedures are to not store anything, and I mean ANYTHING, on a media device; hard drive, thumb drive, SD card, etc. Anything that needs storing, I use a Cloud-based account and I always, always delete everything afterward.
Originally Posted by jframe2
I attended a computer forensics talk a few months back. The speaker summed it up this way. “If it’s on your computer screen, it’s on your hard drive.” Deleting stuff doesn’t do anything. It just edits the computer’s file allocation table.

I don’t want to start another debate about residual magnetization, but file scrubbers do a pretty good job when used correctly. They are certainly more effective than simply “deleting” a file.


[Does anybody know how to change the font size?]
Skywire,

Changing font size should be easy. In the window where you are typing, go up to the drop down bar and change the size. Everything you type after you change size will be adjusted as such. If you hit the big "B" it will bold, if you hit the "I" it will italicize, if you hit the "U" it will underline. Reclicking on any of those letters will stop the nonsense.

Another avenue: Highlight the text, then choose your poison the same way
jframe2's Avatar
@Skywire- you are correct in saying to use a "file scrubber" instead of deleting.

I religiously use a file scrubber for a variety of reasons in my use of tech/computers and tend to use the word "delete" interchangeably.

It is a habit and does not provide the correct information when I use it with a wide audience with many levels of tech skills.

Thanks for the clarification to my post.

To All-
What I have found is using Linux, and when you install it, encrypt your HOME directory (it's the My Documents or USERS of Linux, so all your data is encrypted), and you gen the key, which is mated to your password. You then choose a very long non-dictionary password (for me it is a chorus of my favorite song, no spaces, and ends up being about 60+ characters long).

Then install VirtualBox on Linux and install a passworded VM on it, again run a Linux install for the VM and again encrypt the HOME directory.

Now you have the following, a physical drive that is well encrypted and protected by a very STRONG password, then a VM File that is password protected just to boot up, the log in is strongly passworded and the HOME directory on the VM is encrypted.

Advantages: even if they remove the drive and slave it up to a pc, they have to contend with your data being encrypted under a Linux environment, deal with trying to crack a long non dictionary password, then deal with a passworded VM file to run it, a long non dictionary log in pw, on yet another encrypted Home directory...

Cons, forget / lose any pw and you start from scratch.

I will not say this is 100 % fool proof but I will say that it will make it so tricky they might just give up..... or think you have some homeland security info on your laptop (grin)
ck1942's Avatar
All of the above is very interesting and from my pov valuable for myself indeed.

For ordinary hobbying purposes, however, some very simple security measures are all a hobbyist/provider needs. Ordinary LE is highly unlikely to go to court to obtain computer access for what usually amounts to only misdemeanors.

Ordinary security:

-- password protect your computers and password protect/encrypt any portable media

-- restrict/guard anyone's access to your computer and all of your online/cloud based other accounts -- email, P411, etc.

-- never use anyone else's computer to access any of your online/cloud accounts unless you know how well-protected that other computer might be

-- try not to use the exact same or similar password for various accounts or computers or handheld units, such as tablets, phones, etc.

-- do not open emails from anyone you don't know

-- for Gawd's sake, install, use and daily update some solid computer security software, Kaspersky, AVG, McAfee, etc.
sky_wire's Avatar
@ Tigercat....

Thanks for the FONT info, but there is no drop down menu to increase/decrease the font size when I use "Quick Reply". There are two increase/decrease arrows on the right, but these change only the size of the text box, not the font?!?!

"However," I have discovered that once posted, I can adjust the font using the advanced editing features. Yeah! Life is good again!
sky_wire's Avatar
@Skywire- you are correct in saying to use a "file scrubber" instead of deleting.

I religiously use a file scrubber for a variety of reasons in my use of tech/computers and tend to use the word "delete" interchangeably.

It is a habit and does not provide the correct information when I use it with a wide audience with many levels of tech skills.

Thanks for the clarification to my post.

To All- Originally Posted by jframe2
Given that you’re interested in computer security, here’s another bit of trivia that I learned at my computer forensics talk that you might find interesting.

Do you (or anybody reading this) like to store their passwords on their computer? If so, the average time it takes to crack any password protected file is 8 seconds! An FBI-type agency has software that simply tests every word stored on your hard drive as a password. Presto! Yep, it takes only 8 seconds.

The guy giving the talk noted that they are frequently given test passwords to see how well their password breaking software works. One password that he was willing to disclose took 3 days. It consisted of the following simple, 3 key sequence: control alt return.

This shows you the value of using alternative characters in your passwords. It’s a shame that many banks, credit card companies, and other presumably “secure sites” won’t let you use half the characters on the keyboard in your password. \{Sk1/2,>&a|b::C&%_=~
jframe2's Avatar
The level of computer/smartphone/forensic exam possibilities goes a lot further than most people are aware of.

I have consulted on some interesting things related to computers over my 30+ years in the industry.

Knowledge is Power!