Digital Forensics Resources, Deleted Secret Service Texts, Pole Cameras, Encryption & More
Vol. 3, Issue 8
August 1, 2022
Welcome to Decrypting a Defense, the monthly newsletter of the Legal Aid Society’s Digital Forensics Unit. In this issue, Shane Ferro looks at the Secret Service erasing data related to the June 6 insurrection. Jerome Greco recommends ten newsletters and blogs you should follow. Benjamin Burger discusses a recent federal case on pole cameras. Finally, Brandon Reim explains how encryption can be defeated with forensic tools.
The Digital Forensics Unit of the Legal Aid Society was created in 2013 in recognition of the growing use of digital evidence in the criminal legal system. Consisting of attorneys and forensic analysts and examiners, the Unit provides support and analysis to the Criminal, Juvenile Rights, and Civil Practices of the Legal Aid Society.
In The News
The Secret Service’s Deleted Coup-Day Texts
Shane Ferro, Digital Forensics Staff Attorney
The big news this month in the ongoing January 6 Congressional Hearings is that the U.S. Secret Service seems to have, well… misplaced all of their text messages from the day of the attempted insurrection, and claims that they are unrecoverable.
The Secret Service falls within the Department of Homeland Security. On July 14th, the Intercept reported that DHS’s Inspector General had sent a letter to Congress informing them that the Secret Service had erased texts from January 5th and January 6th. The Secret Service only provided a single text exchange in response to a request for messages from two dozen officers for a month-long period between December and January. According to the Intercept, the Secret Service said that “the text messages were lost as a result of a ‘device-replacement program,’” which conveniently happened right after the oversight committee asked them to produce their electronic communications from the period surrounding January 6th.
It has come out in the hearings that as the riot started in the Capitol on the 6th, the Secret Service tried to get Vice President Mike Pence to go with them to a secure location, which functionally would have prevented him from certifying the election results. Pence refused, potentially stymieing the success of an attempted coup. Meanwhile, President Trump allegedly tried to take over a Secret Service car to go show up at the riot himself. (Personally, I cannot imagine that Trump knows how to drive, but that’s neither here nor there).
Obviously, the communications of the agents around both VP Pence and President Trump during that period are likely to shed more light on what happened that day, and could be explosive evidence for the committee. A July 20th Washington Post story fanned the flames when it reported that the DHS Inspector General’s office knew of the deleted text messages since at least February—and was having trouble getting the Secret Service to cooperate with document production back into the fall of 2021—and failed to notify Congress in a timely manner.
The major question hanging over this story (at least for us at the Digital Forensics Unit) is what does “deleted” mean, and are those messages really unrecoverable?
The Zero Day newsletter dug into all of the claims surrounding this hoopla last week and came to the conclusion that we still don’t have quite enough information to know if the texts still exist in some form or not, but from the public statements coming out of the Secret Service and DHS, something seems fishy.
What DHS seems to be claiming is that it did a factory reset on all the phones. A reset does not erase the data on the phone per se; it overwrites the master encryption key for the phone, so all the data is left scrambled and would be so hard to decrypt as to be almost impossible. (If any entity would actually be able to decrypt such data, it might be the U.S. government, but no one interviewed seems to be holding their breath.)
Still, you would assume that a government law enforcement agency doing a full reset on communications devices would think ahead and make backups to preserve their data. According to Zero Day, the Secret Service told each individual agent that they were responsible for backing up their own phone manually.
Zero Day spoke to former FBI digital forensics examiner Robert Osgood, who said of that plan, “If that did happen, the IT manager that’s responsible for that should be censured. Something should happen to that person because that’s one of the dumbest things I've ever heard in my life.”
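As an added illustration (not part of the original newsletter, and not any real phone’s design), the toy model below shows why overwriting the master key makes stored data unrecoverable while the bytes themselves stay on storage: each file’s key is wrapped with a master key, a factory reset rewrites only that key slot, and a backup taken beforehand survives. The cipher is a constructed HMAC-based keystream and the file names and contents are made up; real devices use AES with hardware-protected keys.

```python
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode cipher built from HMAC-SHA256; illustration only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


class PhoneStorage:
    """Models flash storage: per-file keys wrapped by a master key, plus ciphertext."""

    def __init__(self):
        self.master_key = os.urandom(32)   # the one key slot a factory reset overwrites
        self.files = {}                    # name -> (nonce, wrapped_file_key, ciphertext)

    def write(self, name: str, plaintext: bytes) -> None:
        file_key, nonce = os.urandom(32), os.urandom(16)
        wrapped = keystream_xor(self.master_key, nonce, file_key)   # master key wraps file key
        self.files[name] = (nonce, wrapped, keystream_xor(file_key, nonce, plaintext))

    def read(self, name: str) -> bytes:
        nonce, wrapped, ciphertext = self.files[name]
        file_key = keystream_xor(self.master_key, nonce, wrapped)
        return keystream_xor(file_key, nonce, ciphertext)  # garbage if master key changed

    def backup(self, name: str) -> bytes:
        """A backup taken before the reset is a plaintext copy held off the device."""
        return self.read(name)

    def factory_reset(self) -> None:
        """Only the master key slot is rewritten; every file record stays on flash."""
        self.master_key = os.urandom(32)


def demo() -> dict:
    phone = PhoneStorage()
    texts = b"constructed sample: message log for Jan 5-6"   # made-up content
    phone.write("texts.db", texts)
    saved = phone.backup("texts.db")      # what a diligent IT process would have kept
    before_reset = phone.files["texts.db"]
    phone.factory_reset()
    return {"bytes_still_on_flash": phone.files["texts.db"] == before_reset,
            "readable_after_reset": phone.read("texts.db") == texts,
            "backup_intact": saved == texts}
```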
Newsletter and Blog Roundup
Jerome D. Greco, Digital Forensics Supervising Attorney
Technology changes rapidly and it can be difficult to keep up, even for people who work in the digital forensics and electronic surveillance fields. A great way to stay informed is to sign up for relevant newsletters and blogs. There are numerous options, but below I have highlighted ten that members of the Digital Forensics Unit and I have found to be useful. They are listed in alphabetical order and vary in their technical sophistication.
1. Ball in your Court - the blog of Craig Ball, a Texas lawyer and forensic computer examiner; it focuses on electronic discovery.
2. The Binary Hick - a digital forensics practitioner sharing their own research.
3. Elcomsoft Blog - Elcomsoft is a digital forensics company and their blog often features very technical discussions or walk-throughs of digital forensics tools and techniques.
4. Electronic Frontier Foundation Newsletter - the EFF has been defending digital privacy for over 30 years. Their newsletter features articles and resources related to issues involving technology and privacy.
5. The Justice Tech Download - Jason Tashea’s newsletter for “news, events, and opportunities in justice tech and science.”
6. National Litigation Support Blog for Federal/Community Defenders and CJA Practitioners - a blog aimed at federal defense attorneys, “highlight[ing] how people are taking advantage of different types of litigation support software programs and services, to share interesting articles and case law, as well as making available short, step-by-step guides and videos on how to use common applications...”
7. Schneier on Security - the blog of respected public-interest technologist, Bruce Schneier, which includes a mix of technical and policy entries.
8. Tech Policy Press - a nonprofit media outlet focusing on tech policy.
9. This Week in 4n6 - a weekly roundup of digital forensics and incident response (DFIR) news.
10. Upturn Newsletter - Upturn “advances equity and justice in the design, governance, and use of technology.” Their newsletter includes summaries and commentaries on recent articles and issues involving social justice and technology.
In the Courts
First Circuit Deadlocks on Pole Cameras; Possible Supreme Court Case on the Horizon
Benjamin S. Burger, Digital Forensics Staff Attorney
Pole cameras are relatively simple technology. Police attach surveillance cameras to utility poles, fences, or any other vantage point that allows for non-stop surveillance of the outside of a person’s home (known in the legal world as “curtilage”). However, as has been previously discussed in this newsletter, the Supreme Court’s decision in Carpenter v. United States, 138 S. Ct. 2206 (2018), potentially changed the legal framework surrounding the use of pole cameras and other types of surveillance technology. Now, a new decision [PDF] from the United States Court of Appeals for the First Circuit highlights the changes wrought by Carpenter, and the potential for a Supreme Court decision clarifying the reach of the Fourth Amendment.
In 2017, Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) agents set up a digital video camera on a utility pole across the street from Nia Moore-Bush’s home. They did not have a warrant. Over the next eight months, the camera recorded every person who entered and left the house. Eventually, Moore-Bush was indicted on firearms and narcotics charges. Prior to trial, she moved to suppress the pole camera video and any resulting “fruits” of the surveillance. The trial court granted the motion to suppress, finding that Carpenter had overruled prior First Circuit precedent that allowed for warrantless video surveillance of the exterior of a person’s home. See United States v. Moore-Bush, 381 F.Supp.3d 139, 144-45 (D.Mass. 2019). However, a subsequent three-judge panel of the First Circuit reversed the lower court’s decision, and held that, despite Carpenter, the Circuit’s prior precedent remained good law. See United States v. Moore-Bush, 963 F.3d 29, 31 (1st Cir. 2020). In an unusual step, a majority of First Circuit judges voted to hear the case en banc, or before all the active judges on the Court, to determine if Carpenter did prohibit the warrantless use of pole cameras. See United States v. Moore-Bush, 982 F.3d 50 (1st Cir. 2020).
In June, the First Circuit reached a decision and . . . deadlocked on whether the Fourth Amendment requires a warrant to deploy a video camera to surveil a person’s home.[1] See United States v. Moore-Bush, 36 F.4th 320 (1st Cir. 2022). Three judges held that Carpenter required a warrant to deploy a pole camera. The judges determined that Carpenter held that an individual retains a privacy interest in data shared with a third party or data collected by the government. They then applied Carpenter by explaining that pole cameras can provide an “intimate window” into a person’s life, especially when the footage consists of eight months’ worth of data. Furthermore, the amount of footage captured was all-encompassing in its “depth, breadth, and comprehensive reach.” Individuals do not voluntarily disclose their movements to a pole camera. The very nature of the digital camera means that human beings cannot prevent their image from being captured. From a policy perspective, the opinion noted that warrantless video recording of people’s homes would allow law enforcement “continuous video footage of every home in a neighborhood, or for that matter, in the United States as a whole.”
Three other judges rejected this interpretation, holding that Carpenter did not apply to “conventional surveillance techniques and tools, such as security cameras.” Additionally, the judges determined that people lack a reasonable expectation of privacy in the curtilage of their home, because they can be observed and tracked by nosy neighbors.
The two decisions in Moore-Bush represent both the traditional view of the Fourth Amendment (you have no expectation of privacy in what you expose to a third party) and the more “modern” view (surveillance technology has become so effective as to require courts to re-balance what people consider private information). The Supreme Court began this conversation in Carpenter and will have the ability to expand or contract this doctrine over the next few years.
Ask an Analyst
Do you have a question about digital forensics or electronic surveillance? Please send it to AskDFU@legal-aid.org and we may feature it in an upcoming issue of our newsletter. No identifying information will be used without your permission.
Q. My client’s laptop computer was vouchered for evidence; however, they say that the laptop is encrypted. What can the prosecution obtain from the encrypted laptop?
A. “Encryption” is the method by which information is converted into secret code for the purpose of hiding that information’s true meaning. Conversely, “decryption” is the opposite: the conversion of encrypted data back into its original form. There are a number of software programs that will encrypt a hard drive. Most of the programs rely on a password or PIN code to decrypt the data on the hard drive after it has been encrypted. Most hard drives are not encrypted by default. This is because it takes time to decrypt the drive once the password has been entered.
Typically, you cannot access the data on an encrypted computer by normal means. However, there are specialized forensic tools that can “crack” the password to an encrypted drive. When cracking an encrypted hard drive, there are a number of factors that determine whether the forensic tool will be able to determine the password and how long it will take. In this scenario, we cannot determine whether law enforcement will be able to crack the password and decrypt the laptop. We do know that law enforcement can use custom-generated word lists to crack the password. For example, if the police searched the client’s home, they can look for written-down passwords. They can also use important dates, such as birthdays, anniversaries, and graduations. Unfortunately, people are not very good at creating strong and unique passwords. It is also possible for only part of a hard drive to be encrypted. In this case, if the client saved data on the unencrypted portion of the drive, it would be visible to anyone searching the laptop.
Generally, it is a good idea to encrypt your hard drive for security. However, like any other security measure, there are countermeasures that can be used to circumvent encryption and access sensitive data.
Brandon Reim, Digital Forensics Analyst
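To put rough numbers on the two factors the answer names (how guessable the password is, and how much work each guess costs), here is an added example that is not from the original newsletter or from any forensic product. It assumes PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for a disk-encryption product’s key-derivation function, and the candidate-list sizes (8-digit dates over 1950-2022, a four-word passphrase from a 7776-word list) are constructed assumptions.

```python
import hashlib
import math
import os
import time


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 standing in for a disk-encryption product's KDF (assumption);
    the iteration count is the work factor that governs the cost of every guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def seconds_per_guess(iterations: int, samples: int = 5) -> float:
    """Measure how long one candidate password takes to test at this work factor."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"probe-{i}", salt, iterations)
    return (time.perf_counter() - start) / samples


def candidate_space(kind: str) -> int:
    """Size of the list that must be exhausted, by how the password was chosen.
    Constructed assumptions: 'date' is MMDDYYYY over 1950-2022 (366 days/year is an
    upper bound); 'diceware4' is four words drawn from a 7776-word list."""
    if kind == "date":
        return 366 * len(range(1950, 2023))
    if kind == "diceware4":
        return 7776 ** 4
    raise ValueError(f"unknown password kind: {kind}")


def entropy_bits(kind: str) -> float:
    """Guessing entropy of the candidate space, in bits."""
    return math.log2(candidate_space(kind))


def worst_case_hours(kind: str, iterations: int) -> float:
    """Single-core estimate of trying every candidate once at this work factor.
    Dedicated hardware is far faster, so treat this as a lower bound on exposure."""
    return candidate_space(kind) * seconds_per_guess(iterations) / 3600
```

The useful comparison is the ratio: the date-based list is under 15 bits of entropy, so no realistic iteration count makes it safe, while the four-word passphrase exceeds 50 bits and the work factor then multiplies a space that is already large.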
Upcoming Events
August 11-14, 2022
DEF CON 30 (Las Vegas, NV)
August 15-16, 2022
DFIR Summit 2022 (SANS) (Austin, TX and Virtual)
August 18, 2022
Accident Reconstruction Part 2: Electronic Vehicle Data (NYSACDL) (Virtual)
September 7, 2022
Intro To Artificial Intelligence (AI) Part 2: AI As A Litigation Tool (NYSBA) (Virtual)
September 15, 2022
Accident Reconstruction Part 3: Event Data Recorders (NYSACDL) (Virtual)
September 23-25, 2022
D4BL III (Data for Black Lives) (New York, NY)
October 10-12, 2022
Techno Security & Digital Forensics Conference (San Diego, CA)
Small Bytes
Cryptocurrency Titan Coinbase Providing “Geo Tracking Data” to ICE (The Intercept)
Alleged Hunter Biden Leak Shows iCloud Can Be iPhone Security’s Weak Link (vice.com)
Amazon gave Ring videos to police without owners’ permission (Politico)
ShotSpotter and the Misfires of Gun Detection Technology (S.T.O.P.)
DHS made extensive use of location data from mobile devices, records show (Politico)
The FBI Forced A Suspect To Unlock Amazon’s Encrypted App Wickr With Their Face (Forbes)
Robot Dog Not So Cute With Submachine Gun Strapped to Its Back (vice.com)
ShotSpotter held in contempt of court (Chicago Reader)
Who Is Collecting Data from Your Car? (The Markup)
[1] All six judges agreed that because of the prior appellate case, the good faith exception (bane of any federal criminal defense practitioner) precluded Moore-Bush from succeeding on her motion to suppress. See Davis v. United States, 564 U.S. 229 (2011).