FBI Quietly Returns Anonymizing Server It Seized... Without Telling Anyone
from the but-the-whole-thing-was-caught-on-video dept
You may recall the uproar a few weeks ago when the FBI seized a server used by activists to keep their information anonymized. The server was used by Riseup Networks and May First/People Link. The FBI claimed it needed it as a part of an investigation into bomb threats at the University of Pittsburgh, but it was quite disruptive for lots of legitimate users. And, of course, seizing the server did nothing to stop the bomb threats, which kept coming. However, the story is now getting more bizarre, as the FBI appears to have simply put the server back in the cabinet without telling anyone -- but the whole thing was caught on video (found via Slashdot).
The feds seem to be getting into a bit of a habit of seizing things through cluelessness and then sheepishly returning them later. Still, the folks who own the server are quite reasonably uncomfortable about using it again:
May First/People Link has removed the server from the facility and is in the process of analyzing it. The server will not be put back into production.
Filed Under: bomb threats, fbi, seizure, university of pittsburgh
Companies: may first/people link, riseup networks
Reader Comments
Will not be put back in to production ...
Re: Re: Will not be put back in to production ...
you designed the hardware and know every component AND
you designed the firmware and know every line of code.
That's why it won't go back to use.
Watch: Jacob Appelbaum (Digital Anti-Repression Workshop - April 26 2012)
http://www.youtube.com/watch?v=HHoJ9pQ0cn8
http://www.youtube.com/watch?v=s9fByRmAHgU
C'mon smile!
Wow. You really are off on it today, aren't you Mike?
Re:
Cause you are right, they are far too brazen to be sheepish; I was thinking more dickish.
You are so narrow minded.
Re: Re: Re: JCF!!
Anybody with a brain can tell you that's exactly where it will go--spoof up a "I'm from the FBI" ip address and use a user name and password you got from Robert Hackerton's phone calls and ta-da!, you're the gott-damm FBI and can look at anybody's data in any company...
*Grrr!...*
Re: Re: Re: Re: JCF!!
No need. Easier to just take advantage of their generosity: FBI lost 160 laptops in the last 44 months.
Anybody want to guess how many more they've lost since?
Re: Re: Re:
I can see that reason and discourse have no place in the US any longer. I think it's about time for pitchforks and torches.
And a hearty welcome to today's troll overlord.
N.
FBI meets DRM
There will be sites dedicated to removing it since everyone will have to know about it.
Not only that, but it also doesn't affect open source apps (are they really going to show us the source code too?), especially those with international production/collaboration because there will be no requirement to include it.
I guess stupid criminals would be the target of this, because it won't catch anyone else.
Re:
Why seize the server?
Re: Re:
But if their only concern is data, they certainly wouldn't need the whole machine, right?
Re: Re: Re: Re:
ftfy
copied?
Re: Re: Re:
http://www.buzzfeed.com/rosiegray/fbi-nypd-made-visited-occupy-activists-in-advance
Re: Re:
Considering the wide variety of methods for writing to disk, and the existence of everything from raid to mirrors, to custom striped writing, taking the disks alone would be a serious no-no. The only way to get data reliably off a server is to use the server (or full configuration) that wrote the data to start with.
Otherwise, you end up with a serious waste of time and effort, as you fight to try to figure out which disk goes where, which one is the mirror, and so on.
You also have to assume that they ran a deleted file recovery program, to get back anything that had been deleted recently, adding more data to the pot. You can't generally do that in an hour.
Re:
He did not consider, for example, that the server was part of skynet, and was about to become self aware and launch missiles at Russia in an effort to wipe out humanity. Thank God we averted that disaster, and how dare Mike besmirch the names of our heroes!!!
Re: Re:
They took the server, convinced it that it wanted to take over the US' arsenal of nuclear weapons to blow up Russia in an attempt to destroy humanity when in reality it just wanted to play a game of chess. With this information the FBI took the server and claimed they thwarted another "cyberthreat" proving the need for CISPASOPAPITAPATASATA
Re:
Mike is not narrow minded, you are ignorant.
Re: Re:
Seeing as I am one of those "forensics" people, I NEVER use Windows based systems to analyse anything unless that is just to write up affidavits and/or case files because the *nix boxes are used for something else.
LEOs use Win based systems like Encase etc. because they are sadly not as trained as they need to be (or want to be in some cases).
*nix is the only way to look at Windows (and Mac) systems without changing or destroying the original source. This is true on both live and non-live systems.
Re:
Well, if that's the case, the evidence they have is now totally worthless since it is not probable, can not be authenticated, can not be analysed by the opposing side, and is pure fruit of the purloined/poisoned tree.
You see if they are using it as evidence in a criminal investigation (and this applies to civil also) under rules of Evidence the original digital source has to be preserved in its original state. Giving it back to someone whilst investigation and any/all proceedings still underway is absolutely the wrong thing to do.
Also I'd like to know if the FBI had authority to re-enter and replace the item in question. You know like in a warrant, court order, etc.
This whole removal and giving back system in this sort of way leads me to suspect ulterior quasi legal motives by the FBI. I would never allow that server to be re-used ever and just destroy it. This also would further frustrate the FBI's criminal investigation too. Well unless they have an order to not destroy it, though that might be a secret.
Still, it's good because it's exposing how they are abusing their power and stretching the laws in their own benefit.
The future of techdirt
I'm'a miss techdirt when it's taken down as a "homegrown terrorist" site--due to pointing out clueless/malicious government actions.
It doesn't say whether ECN was notified, but they must have been, if only to indicate which rack was MF/PL's colo. They were probably ordered not to tell their customer anything on the removal. But on the reinstallation, that's just bizarre.
Also, what's the FBI doing in Italy? There must be more to that story as well.
Killer Scientists
Re: Killer Scientists
Keep drumming! We're on to you and soon our armies of nano clones will modify your RNA so that you love us and accept us as your technocratic overlords!!!
The time draws nigh!
MUAHAHAHAHAHAHAHAHAHAAHAHAHAHAHAHAHAHAHA!!!
Not to cross over, but @Ninja
Who holds the FBI accountable to its employers?
p.s.: LOL. Read comment #14 carefully.
That's sad, if you think about it.
Millions may use it a day for web surfing - and they are ok with that, but let the FBI mess with it a couple days and the trust goes out the window.
That's basically saying, 'we trust the general population at large, more than the FBI'.
Can't blame them.
Trust us.
"But if their only concern is data, they certainly wouldn't need the whole machine, right?"
Good point and they wouldn't even need the disks, I'm thinking too. Just an image would do, I would think, since the only concern was the data/logs - I'm guessing.
Perhaps this speaks to their ability... but maybe there's some other reason they would need all of the hardware.. heh...
"You are so narrow minded."
They could have used Symantec System Restore - for instance, and wouldn't have even had to take the server offline.
USB hard disk - run SSR - get image - go. No downtime. It's done all the time where I work - daily as a matter of fact, for DR.
Re:
I mean I'm sure your awesome idea covers all those pesky details like chain of custody and post image modification.
You're really onto something there son...most people don't take the time to think thru things before they just throw out some half-assed idea, but you...wait I see what (I hope) you did there.
Well played, I almost fell for it and assumed you were a world class nit-wit.
Re: Re:
and learn how to misspell, you fucking nOOb.
Re:
When they arrive on site they take pictures of the front and back of the rack and chassis, then pull the power on the server. All of the connections (video, network, USB, keyboard, mouse, etc.) are logged.
They want to get the evidence back to the lab in order to ensure that the evidence is not tampered with. If you image the drives on site you run the risk of someone attempting to damage or destroy them.
Chain of custody needs to be maintained and you want to have the best evidence possible, the original hard drives will always be better evidence than an image.
Evidence may also be found in other locations like the BIOS. The BIOS clock time is needed because it may affect file time stamps. You do not want to reboot with the drives present because the prompt to view BIOS may be set so that it does not display, the OS boots and then a pre-existing program installed by the suspect is run that destroys data. The BIOS may be logging events not captured by the OS.
The hard drives must be connected to a device that prevents any data being written to them, see Tableau (www.tableau.com).
The warrant, available on EFF's site, specifically referenced a MAC address. It is easier for the prosecution to prove that the FBI seized the correct server by providing evidence of the physical device, that can be verified by a court appointed third party, than to prove it via the MAC address data present on the drives.
Re: Re:
This was a very bad example of how the government should handle a situation. The people hosting this server are not the enemy, they aren't running some wild conspiracy to get away with allowing bomb threats to continue. If they really wanted to do all that you say for some reason, as if that would even help them get away with anything, they could have easily designed the device to destroy all relevant data upon being unplugged. Have a small battery in the device so that when it loses power and everything else gets unplugged, everything gets automatically deleted. Then when the feds raid the device everything gets quickly deleted by the time it reaches the station.
If you assume that the people here being raided are the enemy and that they will go through all of the very expensive effort you mention in your post to get away with allowing someone else to engage in such illegal activities (whereby they have absolutely nothing to gain from it and they're spending a ton of money on this endeavor to run their servers) then there are much simpler ways for them to get away with it. The device can store all of the relevant information in RAM only so that when it gets unplugged everything gets deleted. Software for that would be easy enough to write and these servers can easily have 32 GB ram (or more). It would be simple enough to hide stuff.
No, what the feds should have done (first), and what the common sense approach is, is for them to request to work with the anonymizer admins to catch the culprits. Chances are they would have been more than happy to work with the feds on the matter.
Re: Re: Re:
I said nothing of the kind. I stated that the imaging of hard drives from a seized server results in obtaining best evidence and that attempting live acquisition could result in mistakes that result in data loss, including activation of programs that destroy data.
Nowhere did I say that May 1st, et al, had such programs, would use such programs, or had done anything wrong. I do not like the fact that any speech on the server was censored (via lack of availability) during the time it was off line.
"This was a very bad example of how the government should handle a situation. The people hosting this server are not the enemy, they aren't running some wild conspiracy to get away with allowing bomb threats to continue. If they really wanted to do all that you say for some reason, as if that would even help them get away with anything, they could have easily designed the device to destroy all relevant data upon being unplugged. Have a small battery in the device so that when it loses power and everything else gets unplugged, everything gets automatically deleted. Then when the feds raid the device everything gets quickly deleted by the time it reaches the station."
How should the government have handled it then?
Again, I never said anyone was "the enemy".
You would actually need a large battery to power a server. Servers are not like laptops; they consume a lot of power.
Deleting a file does not destroy it, it simply marks an entry in the file system letting the OS know that the sectors on which the file resided are now available for use. The data remains until it is overwritten. In some instances data can reside in "file slack" even after it has been overwritten by a new file. In order to truly destroy the data it needs to be wiped. Wiping a 250 GB SATA hard drive with one pass can take up to 8 hours. There have been instances where warrants are served and law enforcement finds that a suspect is deleting files, formatting the drive, or is wiping a drive. Some data will be lost but the vast majority will still be present.
"If you assume that the people here being raided are the enemy and that they will go through all of the very expensive effort you mention in your post to get away with allowing someone else to engage in such illegal activities (whereby they have absolutely nothing to gain from it and they're spending a ton of money on this endeavor to run their servers) then there are much simpler ways for them to get away with it. The device can store all of the relevant information in RAM only so that when it gets unplugged everything gets deleted. Software for that would be easy enough to write and these servers can easily have 32 GB ram (or more). It would be simple enough to hide stuff."
First you state "they will go through all of the very expensive effort" then you state "Software for that would be easy enough to write". So is it expensive or not? Here's a hint, it is the latter.
It's possible that software can be specifically written to load into RAM only, but you fail to consider that it is possible to perform forensic analysis on RAM and that the contents of RAM are often written temporarily to the hard drive in a "swap" file.
"No, what the feds should have done (first), and what the common sense approach is, is for them to request to work with the anonymizer admins to catch the culprits. Chances are they would have been more than happy to work with the feds on the matter."
"anonymizer admins"? You have no idea how a multi-node anonymity tool functions do you? Do you honestly believe that May 1st would have allowed the FBI to monitor the traffic flowing through their server?
Either you are a brilliant troll or you are profoundly naive. I sincerely hope it's the former, if so I congratulate you and will heartily LOL at myself.
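The comment above makes four claims about disks: deleting a file only marks its directory entry free, the bytes stay until overwritten, they can linger in file slack after a smaller file reuses the block, and only a wipe actually removes them. The following is an added Python example (not from the post or any commenter) that models those claims with an invented toy on-disk layout, so a carve over the raw image can be run after each step; the layout, names and sample message are all constructed for illustration.

```python
import struct

BLOCK_SIZE = 64                          # bytes per block (tiny so the image is readable)
N_BLOCKS = 8                             # block 0 = directory, blocks 1..7 = data
ENTRY_SIZE = 16                          # flag(1) start(1) length(2) name(12)
DIR_ENTRIES = BLOCK_SIZE // ENTRY_SIZE   # 4 directory slots
DATA_BLOCKS = range(1, N_BLOCKS)


def new_image() -> bytearray:
    """A blank image: all blocks zeroed (invented layout, not a real filesystem)."""
    return bytearray(BLOCK_SIZE * N_BLOCKS)

def _entries(img):
    """Yield (slot, in_use, start_block, length, name) for every directory slot."""
    for slot in range(DIR_ENTRIES):
        off = slot * ENTRY_SIZE
        flag, start, length = struct.unpack_from(">BBH", img, off)
        name = bytes(img[off + 4:off + ENTRY_SIZE]).rstrip(b"\0").decode()
        yield slot, flag == 1, start, length, name

def _blocks_needed(length: int) -> int:
    return max(1, -(-length // BLOCK_SIZE))   # ceiling division

def _find(img, name):
    for entry in _entries(img):
        if entry[1] and entry[4] == name:
            return entry
    raise FileNotFoundError(name)

def create_file(img, name: str, data: bytes) -> None:
    """First-fit allocation. Only len(data) bytes of the last block are written;
    whatever was there before stays behind as file slack."""
    raw_name = name.encode()
    if len(raw_name) > ENTRY_SIZE - 4:
        raise ValueError("name too long for the toy directory")
    used = set()
    for _, in_use, start, length, _ in _entries(img):
        if in_use:
            used.update(range(start, start + _blocks_needed(length)))
    need = _blocks_needed(len(data))
    start = next(b for b in DATA_BLOCKS
                 if b + need <= N_BLOCKS and not used & set(range(b, b + need)))
    slot = next(e[0] for e in _entries(img) if not e[1])
    off = start * BLOCK_SIZE
    img[off:off + len(data)] = data
    struct.pack_into(">BBH", img, slot * ENTRY_SIZE, 1, start, len(data))
    img[slot * ENTRY_SIZE + 4:slot * ENTRY_SIZE + ENTRY_SIZE] = raw_name.ljust(12, b"\0")

def delete_file(img, name: str) -> None:
    """An ordinary delete: clear the in-use flag. Not one data byte is touched."""
    img[_find(img, name)[0] * ENTRY_SIZE] = 0

def wipe_file(img, name: str) -> None:
    """Overwrite every block the file occupied, then free the entry. On a real
    disk this single pass is the hours-long job the comment mentions."""
    _, _, start, length, _ = _find(img, name)
    span = _blocks_needed(length) * BLOCK_SIZE
    img[start * BLOCK_SIZE:start * BLOCK_SIZE + span] = bytes(span)
    delete_file(img, name)

def list_files(img):
    return [e[4] for e in _entries(img) if e[1]]

def slack(img, name: str) -> bytes:
    """Bytes between the file's logical end and the end of its last block."""
    _, _, start, length, _ = _find(img, name)
    end = start * BLOCK_SIZE + length
    return bytes(img[end:(start + _blocks_needed(length)) * BLOCK_SIZE])

def carve(img, pattern: bytes):
    """Offsets of a byte pattern anywhere in the data area. This ignores the
    directory completely, which is how carving tools recover deleted content."""
    hits, pos = [], img.find(pattern, BLOCK_SIZE)
    while pos != -1:
        hits.append(pos)
        pos = img.find(pattern, pos + 1)
    return hits

def demo() -> dict:
    """Constructed walk-through: delete, overwrite, wipe, and what a carve sees each time."""
    img = new_image()
    message = b"MSG-ID:0001 ".ljust(64, b".") + b"...tail of message #END#"   # 88 bytes
    create_file(img, "message.txt", message)   # occupies blocks 1-2
    create_file(img, "notes.txt", b"n" * 30)   # occupies block 3
    out = {}
    delete_file(img, "message.txt")
    out["listed_after_delete"] = list_files(img)               # ['notes.txt']
    out["header_after_delete"] = carve(img, b"MSG-ID:0001")    # [64]: bytes still there
    create_file(img, "small.txt", b"s" * 20)   # first fit reuses block 1
    out["header_after_overwrite"] = carve(img, b"MSG-ID:0001")  # []: first 20 bytes gone
    out["tail_after_overwrite"] = carve(img, b"#END#")          # [147]: block 2 untouched
    out["slack_after_overwrite"] = slack(img, "small.txt")      # 44 old bytes in block 1
    out["notes_before_wipe"] = carve(img, b"n" * 30)            # [192]
    wipe_file(img, "notes.txt")
    out["notes_after_wipe"] = carve(img, b"n" * 30)             # []
    return out
```

Real filesystems add journals, copy-on-write and SSD wear levelling, so an overwrite like wipe_file is no guarantee on real media, which is one reason an examiner images the whole device rather than trusting the file table.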
Re: Re: Re: Re:
You absolutely did. For example, you said
"You do not want to reboot with the drives present because the prompt to view BIOS may be set so that it does not display, the OS boots and then a pre-existing program installed by the suspect is run that destroys data."
This argument is based on the premise that the server admins are likely enough to be intentionally facilitating the undesired activity and expending a lot of effort to hide said activity. Otherwise, what's the point of your sentence?
"You would actually need a large battery to power a server."
Depends on how long it needs to be powered and how much of the server needs to be powered for things to get deleted.
But you're still missing the point. My argument isn't that my suggestions would be easy, on the contrary, the argument is that they are difficult and require a whole lot of sophisticated coordination. My point is that your suggestions are about just as difficult to conspire and also require a whole lot of coordination.
"Wiping a 250 GB SATA hard drive with one pass can take up to 8 hours."
Who said anything about them wiping the entire data? Only the potentially incriminating data needs to be wiped. Again, the argument isn't that it'll be easy to implement, just that if the server admins were determined enough to allow those making these bomb threats to get away with them, as your post seems to suggest based on the amount of effort they would have to expend to avoid getting caught, there are ways that it can be done that can just as well circumvent what the feds did here.
"It's possible that software can be specifically written to load into RAM only, but you fail to consider that it is possible to perform forensic analysis on RAM and that the contents of RAM are often written temporarily to the hard drive in a "swap" file."
Not if the software is designed to load the data into ram only. Truecrypt already does this with unencrypted data, for example. Yes, the contents in ram are often written to the hard drive in the form of swap unless software is specifically written to prevent potentially incriminating content from being written. Again, you're the one assuming the possibility that these people are attempting to expend a lot of effort to conceal incriminating data and my point is that, if they really want to expend all of the effort that you suggest, there are smarter ways to do it than the ways that you suggest. Just because you can think of a narrow situation in which unplugging the server first might prevent potentially incriminating data from being deleted doesn't mean that those willing to expend all the effort you suggest can't find a smarter way to do it.
"it is possible to perform forensic analysis on RAM"
and find what, exactly? Nothing? If it were possible to extract a significant amount of useful information from unpowered ram ... we wouldn't have this problem of needing to re-load ram every time the computer undergoes a cold boot.
Re: Re: Re: Re: Re:
"and find what, exactly? Nothing? If it were possible to extract a significant amount of useful information from unpowered ram ... we wouldn't have this problem of needing to re-load ram every time the computer undergoes a cold boot."
This comment and the others above show you have no knowledge of what modern Digital Forensic techniques are nor about what they can find. Whatever you find, whether that be contextually valid to what the investigators are searching for or that nothing whatsoever is found, is what forensics is all about. It is the science of what IS, not of what you wish or don't wish to find.
And if you really think un-powered RAM doesn't or cannot hold anything of value, then keep thinking that; it makes our jobs seem much more magical and gives us the Ooooo factor when we show what we actually can analyse.
Re: Re: Re: Re: Re: Re:
"If you image the drives on site you run the risk of someone attempting to damage or destroy them."
and if you unplug the machine much of the information in ram invariably does get lost. So the risks are, server admins doing something nefarious if you work with them vs losing important data in ram by unplugging the machine first. In this situation, the latter is a much bigger risk being that the risk here of the server admins attempting to conceal the bomb threats is almost zero.
There are much easier and more reliable methods to extract the data than to simply unplug everything first, better methods that apply here, like working with the server admins. If the server admins wished to conspire to make sure the data is not recoverable as stated above they could find ways to make sure all important data does get deleted from ram first. Ram alone doesn't take much to power and having some internal battery-system quickly scramble it upon being unplugged may be difficult but feasible for someone determined enough (as the original post suggests).
Re: Re: Re: Re: Re: Re: Re: Re:
It is a case of correct procedures when dealing with criminal investigations getting in the way of how you think the world should operate.
Chain of Custody aside, you do not rely on non authorised parties to 'help' unless they are willing under orders/oath to suffer any and all consequences for any untoward situations that may develop.
The investigation not only has to be seen to be unbiased it needs to be unbiased otherwise the spectre of impropriety can and will be raised by any opposing counsel.
I agree that a live system is preferable to one that is powered off, but there are means of reducing the loss of volatile data that you can perform before turning off any device, and I can assure you the FBI High Tech Units know all about those methods.
Re: Re: Re: Re: Re: Re: Re:
G Thompson is right, you know absolutely nothing about digital forensics. Almost all systems are seized by pulling the power on the machine. You keep saying there are smarter ways to do it. OK, what are these smarter ways of analyzing the contents of the drives?
Do you really believe that placing trust in persons unknown to the FBI justifies the risk and threat of loss of the data?
Placing trust = risk and threat of action by bad actor
No trust = far less risk and threat
Seriously, guys
Separate issue, how exactly do they get into the server room on two separate occasions without anyone being notified? Someone had to see a Gorram warrant the first time, at least? Or did Agent Coulson there work his magic on the janitor to get the keys?
Who watches...
"Mike is not narrow minded, you are ignorant."
But now then the question becomes - are they allowed to seize property and not even have an idea of what's on it?
So they can just grab whatever - look at it, and if there's nothing on it, just return it and act as though nothing has happened? That's what this seems to indicate.
What about probable cause now?
Can and will this company now sue them - after all, they have potentially (like so many copyright claims) lost revenue due to this.
Obviously - there was no good evidence on the server that would be needed in court since they have returned the server. And if they did image it, and will later use the image in court - why take the server in the first place?
But the big part is - anyone in IT should well know that the physical disks in an array are meaningless really. An image is all you really need.
If that server was using any type of RAID 0, 5, 6, etc - array, all of those physical disks could be swapped out, but the data would remain, assuming they were given time to rebuild the array between swaps - what good are the physical disks then?
Unless there is suspicion that data is being deleted to cover any evidence - but even then, a sector-by-sector image would still capture that, unless they are meaning to put the platters under an electron microscope - then the physical disks (assuming they haven't been swapped with other drives in the recent past) might be helpful, but really - only then.
The point is - if the FBI had a clue, they could have made an image of the server and only the operators of the facility would have known. The server would never have been offline, RiseUP wouldn't have lost any uptime or even known the image was taken.
It's both an IT fail and a police work Fail.
Now.. they have returned the server, without notifying the owner that it was ever being taken - which obviously means there was no warrant. In all likelihood - the right lawyer would have gotten that evidence tossed right out of court due to improper procedures in evidence gathering anyway.
Would seem to me, the best way to do this would be to - get a warrant - contact the data center facility - image the server (without Riseup knowing) - then if any potential evidence was on there - get a warrant to seize the server.
But the FBI doesn't really seem to be all too concerned with following the law from the start anymore.
Re:
What if the FBI was told by the NSA or CIA that they HAD to put the server back, else how will OUR spies be able to contact us?
Could this have been an inter-service fuck up??
Food for (the very paranoid) thought.
Also, the reason is Obvious why they didn't just copy it, FBI is not a bunch of freetards, that would be Copyright infringement, and that's a hanging offense in DC doncha know.
(this is mostly sarcasm,{or irony} mostly)
Removed, April 18th 2012
Re-installed, May 4th 2012
Just-Saying
First, IANAL. Second, I also have doubts and criticisms of how the FBI handled this.
"But now then the question becomes - are they allowed to seize property and not even have an idea of what's on it?"
The FBI did not ask for a warrant to browse the files on the server to see what was there. The FBI went to the judge with evidence of an e-mail bomb threat sent to the University of Pittsburgh that bore the originating IP address of the May First/People Link/Riseup server.
BTW, the bomb threats began in February: http://www.huffingtonpost.com/2012/04/24/pitt-bomb-threats-finished_n_1448956.html
"So they can just grab whatever - look at it, and if there's nothing on it, just return it and act as though nothing has happened? That's what this seems to indicate."
My limited understanding is that the unfortunate answer is yes.
"What about probable cause now?"
My understanding is that probable cause was established with the bomb threat e-mail sent from the May 1st server.
"Can and will this company now sue them - after all, they have potentially (like so many copyright claims) lost revenue due to this."
I don't know. I am not saying it's right, but running the MixMaster mail relay would most likely not help their cause. If you use TOR as an exit node you risk the police kicking your door down because someone was browsing something that is illegal and it traces back to your IP. If you run TOR as an exit node you face that risk. If you run MixMaster re-mailer ... Again, I'm not saying it's right.
"But the big part is - anyone in IT should well know that the physical disks in an array are meaningless really. An image is all you really need."
You are correct, but law enforcement and prosecutors always want to present best evidence. The physical media is the best evidence not the image.
"If that server was using any type of RAID 0, 5, 6, etc - array, all of those physical disks could be swapped out, but the data would remain, assuming they were given time to rebuild the array between swaps - what good are the physical disks then?"
This is true, but as has been pointed out so many times on TechDirt our courts struggle mightily to understand IT and often get it very wrong. The prosecution gains nothing by making an image and returning the original drives/best evidence then have to explain parity, checksums, RAIDs, etc to a judge that can't work their iPhone.
"Unless there is suspicion that data is being deleted to cover any evidence - but even then, a sector-by-sector image would still capture that, unless they are meaning to put the platters under an electron microscope - then the physical disks (assuming they haven't been swapped with other drives in the recent past) might be helpful, but really - only then."
You are correct, if the data exists on the original evidence then it will exist on the image.
I did not realize it was possible to read data from a hard drive using electron microscopy. Would you please post a link?
The point is - if the FBI had a clue, they could have made an image of the server and only the operators of the facility would have known. The server would never have been offline, RiseUP wouldn't have lost any uptime or even known the image was taken.
Live acquisition involves altering the evidence. An agent has to be placed on the server or an exploit utilized to obtain access. This method does not ensure a total acquisition of data the way the imaging of drives that have been removed from the server does. Live acquisition also involves a risk of detection followed by possible interference and/or destruction of data.
It's both an IT fail and a police work fail.
I disagree that the best course of action is imaging the drives in the facility because you do not have best evidence or chain of custody and you risk detection/interference. The methods you propose are valid but result in increasing the burden on law enforcement and the prosecution. From their perspective none of what you propose justifies the increased effort and burden that results.
Now... they have returned the server, without notifying the owner that it was ever taken - which obviously means there was no warrant. In all likelihood the right lawyer would have gotten that evidence tossed right out of court due to improper procedures in evidence gathering anyway.
A warrant was obtained and it appears to have been legally served.
Would seem to me, the best way to do this would be to - get a warrant - contact the data center facility - image the server (without Riseup knowing) - then if any potential evidence was on there - get a warrant to seize the server.
Offline imaging in the lab ensures non-interference and a complete capture of all data. Live acquisition risks detection and destruction of data.
Hoping the employees of the data center maintain secrecy is just not realistic.
So the first warrant would allow the FBI to search for "any potential evidence"? I don't think that's a good idea ...
But the FBI doesn't really seem to be all too concerned with following the law from the start anymore.
I can't agree without knowing whether or not there were other e-mail threats from other servers within the US. If there were and they were not also seized then I would ask why not.
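The imaging argument in the exchange above (that a sector-by-sector image carries the same bytes as the physical media, including unallocated sectors, and that hashes on both sides are what let the image stand in for the drive) as an added, runnable example. This is not code from Techdirt, the commenters, or May First/People Link. It assumes a constructed 1 MiB file standing in for the seized disk, `dd`, `grep`, and `sha256sum` (or `shasum` on BSD/macOS); the "threat" text written into it is a made-up sample.

```shell
#!/bin/sh
# Added example: raw acquisition of a (constructed) block device with
# hash verification and a chain-of-custody log. Not the commenters' code.
set -eu

hash_file() {
  # SHA-256 of a file; prefer GNU sha256sum, fall back to shasum (BSD/macOS).
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

make_sample_device() {
  # $1: path. 2048 zeroed 512-byte sectors standing in for a disk. One
  # "message" is written at sector 100; we pretend its directory entry was
  # deleted, so the bytes are unallocated but still on the platter.
  dd if=/dev/zero of="$1" bs=512 count=2048 2>/dev/null
  printf 'Subject: bomb threat (constructed sample)\n' |
    dd of="$1" bs=512 seek=100 conv=notrunc 2>/dev/null
}

acquire_image() {
  # $1: source device, $2: output image, $3: custody log.
  # conv=noerror,sync keeps reading past a bad sector and pads it with
  # zeros, so sector offsets in the image stay aligned with the media.
  # Hashing the source before and the image after is what an examiner
  # records; a mismatch means the image cannot substitute for the media.
  src_hash=$(hash_file "$1")
  dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
  img_hash=$(hash_file "$2")
  {
    echo "source=$1 sha256=$src_hash"
    echo "image=$2 sha256=$img_hash"
    echo "acquired_at=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
  } >>"$3"
  [ "$src_hash" = "$img_hash" ] && echo MATCH || echo MISMATCH
}

unallocated_data_in_image() {
  # $1: image. The "deleted" message is still at sector 100 because a raw
  # image copies every sector, allocated or not.
  if grep -a -q 'constructed sample' "$1"; then echo yes; else echo no; fi
}

# Stand-alone run on a temporary workspace.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DEV="$WORK/sdb.bin"
IMG="$WORK/sdb.raw"
LOG="$WORK/custody.log"
make_sample_device "$DEV"
acquire_image "$DEV" "$IMG" "$LOG"
unallocated_data_in_image "$IMG"
cat "$LOG"
```

On a real seizure the source would be a device node behind a hardware write blocker rather than a file, and the log would be signed and kept with the media; the verification step is the same.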
Re:
I think it's too bad that Mike has no understanding of what it takes to get this done.
Re:
The warrant clearly indicates taking the drive or any other storage devices that the information is on, so a lot of the complaints in this thread are therefore moot.
Putting the drive back covertly instead of giving it back is a little weird though.
Re: Re:
Fair enough. If a court warrant authorized the property be confiscated then maybe it wasn't so bad. But I still think this could and should have been handled a little better, and there are more effective ways to catch the culprits by working with the server admins, which would:
A: be more likely to catch the culprits
B: Would result in no (or less) unnecessary server downtime.
Re: Re: Re: Re: Re:
I do not like that May 1st's server was offline for so long and I hope that they are able to separate the MixMaster to another server that does nothing other than e-mail relay.
Our Wonderful Government
Not using the server