8

Are there any real life cases where software such as DBAN (to securely erase disks) has beaten government/law enforcement agencies?

I found this online which lists each time encryption has beaten investigators, but nothing for secure deletion.

http://scienceblogs.de/klausis-krypto-kolumne/when-encryption-baffles-the-police-a-collection-of-cases/

k1308517

  • Check out Fail #1 - you can detect that the disk has been overwritten (you have something to hide) https://www.youtube.com/watch?v=NG9Cg_vBKOg – Dog eat cat world Apr 05 '16 at 11:09
  • But that doesn't let you see what was there. And you could overwrite with data that looks like what was originally on the disk so it might not always be the case you can detect it was overwritten. If the data is really overwritten, that's all that's needed with modern hard disks. More details - http://security.stackexchange.com/questions/89994/why-is-writing-zeros-or-random-data-over-a-hard-drive-used-when-writing-all-on/92402#92402 You mention encryption beating investigators... overwriting is effectively the same as solid encryption and losing the key (apart from the data that's left). – Datarecovery.com MK Apr 05 '16 at 14:22
  • _You can detect the disk has been overwritten_ would apply to any case where law enforcement knew you were using disks and found an empty disk (no recoverable data) that wasn't still in the manufacturer's sealed antistatic. The final DBAN run should be a zero fill. Does DBAN time stamp the disk somehow after doing that? – Fiasco Labs Apr 05 '16 at 16:34
  • @Fiasco Labs I'd like to know that too. @Datarecovery.comMK The question is for articles where it has prevented investigators, like news reports. – k1308517 Apr 06 '16 at 08:38
  • I'd be interested to see that as well. I don't have any. We work with law enforcement fairly often but not on possibly overwritten evidence that I can remember. I am sure it has happened though for the same reasons as encryption. – Datarecovery.com MK Apr 06 '16 at 13:23

1 Answer

5

The reason DBAN or similar erasure software won't beat the investigators is that when they find out a drive has been erased (zeroed), this counts as destruction of evidence, which is punishable.

Thus, it's enough that the investigators prove that the drive has been intentionally erased. It depends on the country, but most countries that employ the "forbidden fruit" scheme also make it illegal to destroy evidence, even "own" evidence. Countries that employ a "free evidence usage" policy in court normally make it legal for the suspect to erase his own evidence (it's up to the police to catch the evidence before it gets erased), to balance everything out, but in those countries an erased disk is the same as someone putting a letter in the fireplace, i.e. something that usually doesn't make it into the headlines.

And they can find out if a device has been used after it was taken out of fresh packaging, as there is a log in the disk, normally called SMART, that logs different characteristics of the disk, such as power-on hours and other similar metadata. Thus an investigator can see roughly how much a disk has been used, which means an investigator can tell the difference between a disk that is all zeroes because it is unpacked but not yet used, and a disk that is all zeroes because it has been intentionally erased.

And even if that log is erased via firmware commands (which may not always be possible), it's possible for an investigator to look at the wear of the flash chip where the SMART data is stored and see that the content of the flash chip has been altered, as an unused disk will have a zero SMART table with zero wear.

Thus, encryption means that the investigator is stuck, as it's the same as hiding evidence, which isn't illegal. In the real world, hiding evidence could be taking that murder knife and putting it under the floorboards. Even if the investigators won't find it, they can't convict you. However, if you put that knife in the fireplace, the investigators can use the burnt-out knife as evidence that you did destroy evidence, and thus you will get punished anyway.

Forgetting a password doesn't count as destroying evidence.

So actually, erasing the disk by encrypting it with a random password is safer than erasing it with DBAN, when it comes to legal issues. Same with DBANing a disk and NOT doing a final zeroization. But a completely random disk can also be taken as destroyed evidence, which is why it can be a good idea to put a real TrueCrypt boot loader or a boot loader from some other encryption software on it, to give a plausible reason why the data is random when you have erased it.

sebastian nielsen

  • That was a great reply, never knew about SMART. I don't think using DBAN without zeroing is a good idea if there is an encryption bootloader as they might want me to decrypt the drive (which I can't as it's not encrypted LOL explain that to a court). Anyway, what I was looking for is a case where someone DBANed a HDD because they were going to sell it and investigators were unable to recover anything as the software works properly. – k1308517 Jun 20 '16 at 09:37
  • @k1308517 If you live in a country where they can demand the encryption keys legally, there's another situation. Then it can be better to destroy the data (and make it clear that you destroyed the data) depending on the laws of destruction of evidence. If both are illegal, you have to weigh the punishment of refusing an encryption key against the punishment of destruction of evidence, and then either zeroize, or not zeroize after DBAN and just put a fake encryption bootloader, and just claim to have encrypted the drive and just refuse the password. – sebastian nielsen Jun 20 '16 at 14:14
  • I'm sorry but the destroy data and make it look encrypted idea is suicidal, I can't name any country where that wouldn't be like hanging yourself by your testicles. – k1308517 Jun 20 '16 at 14:26
  • @k1308517 USA and Sweden can't legally demand encryption keys. Sweden does allow you to destroy own evidence. USA does NOT allow you to destroy your own evidence (eg: DBAN=jail). UK can legally demand encryption keys, but I'm not entirely sure if they do allow you to destroy own evidence. So the laws differ very much. So in some cases it can really be better to make it look like encrypted data. Then they will probably try to crack it, but they can't convict you as they can't prove you did destroy evidence. – sebastian nielsen Jun 20 '16 at 20:58
  • A guy will be in solitary confinement in America until he gives up the keys. If someone kicks open door you won't have long enough to DBAN, but if you use DBAN like a week before how can they prove it's destruction of evidence and not you trying to sell your old computer? – k1308517 Jun 21 '16 at 08:54
  • @k1308517 It doesn't matter WHY you DBAN it. The only thing they need to prove is that there was potential evidence on the computer, for example there are "things pointing in your direction", and that you destroyed the evidence. They however need to prove that the destruction happened after you had a suspicion that there could be evidence on the computer. For example, if your neighbor says "Gonna police report you for fraud!" it's actually destruction of evidence to DBAN your computer for sale. In such a case, you should turn in your computer to the police and let them image it, and then DBAN. – sebastian nielsen Jun 21 '16 at 18:58
  • Yes, but if you have no idea you're going to get a knock on the door then it's not destruction of evidence? – k1308517 Jun 22 '16 at 08:22
  • @k1308517 true. But the threshold before you are considered knowing this is very low. It's enough for example that you think the previous owner of your computer did a crime or whatever. If they can prove you had the smallest suspicion that the files could become evidence in the future, it's a crime to destroy them. And it doesn't need to be crime evidence, it could be evidence in a dispute that is resolved in court, evidence related to bankruptcy or whatever. – sebastian nielsen Jun 22 '16 at 16:20