“sheepishly”

Wow. You really are off on it today, aren’t you Mike?

Was it one of their own terror plots that the fbi was instigating?

Not sure where I read it now, but another theory was it was all about disrupting the May Day Occupy protests…

Removed, April 18th 2012
Re-installed, May 4th 2012

Just-Saying

You can read the warrant on the EFF’s web site: https://www.eff.org/sites/default/files/May%20First%20Server%20Search%20Warrant.pdf

First, IANAL. Second, I also have doubts and criticisms of how the FBI handled this.

But now then the question becomes – are they allowed to seize property and not even have an idea of what’s on it?

The FBI did not ask for a warrant to browse the files on the server to see what was there. The FBI went to the judge with evidence of an e-mail bomb threat sent to the University of Pittsburgh that bore the originating IP address of the May First/People Link/Riseup server.

BTW, the bomb threats began in February: http://www.huffingtonpost.com/2012/04/24/pitt-bomb-threats-finished_n_1448956.html

So they can just grab whatever – look at it, and if there’s nothing on it, just return it and act as though nothing has happened? That’s what this seems to indicate.

My limited understanding is that the unfortunate answer is yes.

What about probable cause now?

My understanding is that probable cause was established with the bomb threat e-mail sent from the May 1st server.

Can and will this company now sue them – after all, they have potentially (like so many copyright claims) lost revenue due to this.

I don’t know. I am not saying its right, but running the MixMaster mail relay would most likely not help their cause. If you use TOR as an exit node you risk the police kicking your door down because someone was browsing something that is illegal and it traces back to your IP. If you run TOR as an exit node you face that risk. If you run MixMaster re-mailer … Again, I’m not saying its right.

But the big part is – anyone in IT should well know that the physical disks in an array are meaningless really. An image is all you really need.

You are correct, but law enforcement and prosecutors always want to present best evidence. The physical media is the best evidence not the image.

If that server was using any type of RAID 0, 5, 6, etc – array, all of those physical disks could be swapped out, but the data would remain, assuming they were given time to rebuild the array between swaps – what good are the physical disks then?

This is true, but as has been pointed out so many times on TechDirt our courts struggle mightily to understand IT and ofter get it very wrong. The prosecution gains nothing by making an image and returning the original drives/best evidence then have to explain parity, checksums, RAIDs, etc to a judge that can’t work their iPhone.

Unless there is suspicion that data is being deleted to cover any evidence – but even then, a sector-by-sector image would still capture that, unless they are meaning to put the platters under an electron microscope – then the physical disks (assuming they haven’t been swapped with other drives in the recent past) might be helpful, but really – only then.

You are correct, if the data exists on the original evidence then it will exist on the image.

I did not realize it was possible to read data from a hard drive using electron microscopy. Would you please post a link?

The point is – if the FBI had a clue, they could have made an image of the server and only the operators of the facility would have known. The server would never have been offline, RiseUP wouldn’t have lost any uptime or even known the image was taken.

Live acquisition involves altering the evidence. An agent has to be placed on the server or an exploit utilized to obtain access. This method does not ensure a total acquisition of data the way the imaging of drives that have been removed from the server does. Live acquisition also involves a risk of detection followed by possible interference and/or destruction of data.

The point is – if the FBI had a clue, they could have made an image of the server and only the operators of the facility would have known. The server would never have been offline, RiseUP wouldn’t have lost any uptime or even known the image was taken.

It’s both an IT fail and a police work Fail.

I disagree that the best course of action is imaging the drives in the facility because you do not have best evidence or chain of custody and you risk detection/interference. The methods you propose are valid but result in increasing the burden on law enforcement and the prosecution. From their perspective none of what you propose justifies the increased effort and burden that results.

Now.. they have returned the server, without notifying the owner that is was ever being taken – which obviously means there was no warrant. In all likelihood – the right lawyer would have gotten that evidence tossed right out of court due to improper procedures in evidence gathering anyway.

A warrant was obtained and it appears to have been legally served.

Would seem to me, the best way to do this would be to – get a warrant – contact the data center facility – image the server (without Riseup knowing) – then if any potential evidence was on there – get a warrant to seize the server.

Off line imaging in the lab ensures non-intereference and obtaining a complete capture of all data. Live acquisitions risks detection and destruction of data.

Hoping the employees of the data center maintain secrecy is just not realistic.

So the first warrant would allow the FBI to search for “any potential evidence”? I don’t think that’s a good idea …

But the FBI doesn’t really seem to be all to concerned with following the law from the start anymore.

I can’t agree without knowing whether or not there were other e-mail threats from other servers within the US. If there were and they were not also seized then I would ask why not.

If you don’t think the gov’t controls the media, ask yourself why this story isn’t on CNN.

Be fair, he might be ignorant and Mike might be narrowminded, I for one have no knowledge of his attitude to threesomes.

You act like these people are going to spend more than they’re making trying to get away with a potential crime that someone else is performing.

I said nothing of the kind. I stated that the imaging of hard drives from a siezed server results in obtaining best evidence and that attempting live acquisition could result in mistakes that result in data loss, including activation of programs that destroy data.

Nowhere did I say that May 1st, et al, had such programs, would use such programs, or had done anything wrong. I do not like the fact that any speach on the server was censored (via lack of availability) during the time it was off line.

This was a very bad example of how the government should handle a situation. The people hosting this server are not the enemy, they aren’t running some wild conspiracy to get away with allowing bomb threats to continue. If they really wanted to do all that you say for some reason, as if that would even help them get away with anything, they could have easily designed the device to destroy all relevant data upon being unplugged. Have a small battery in the device so that when it loses power and everything else gets unplugged, everything gets automatically deleted. Then when the feds raid the device everything gets quickly deleted by the time it reaches the station.

How should the government have handled it then?

Again, I never said anyone was “the enemy”.

You would actually need a large battery to power a server. Servers are not like a laptops, they consume a lot of power.

Deleting a file does not destroy it, it simply marks an entry in the file system letting the OS know that the sectors on which the file resided are now available for use. The data remains until it is overwritten. In some instances data can reside in “file slack” even after it has been overwritten by a new file. In order to truly destroy the data it needs to be wiped. Wiping a 250 GB SATA hard drive with one pass can take up to 8 hours. There have been instances where warrants are served and law enforcement finds that a suspect is deleting files, formatting the drive, or is wiping a drive. Some data will be lost but the vast majority will still be present.

If you assume that the people here being raided are the enemy and that they will go through all of the very expensive effort you mention in your post to get away with allowing someone else to engage in such illegal activities (whereby they have absolutely nothing to gain from it and they’re spending a ton of money on this endeavor to run their servers) then there are much simpler ways for them to get away with it. The device can store all of the relevant information in RAM only so that when it gets unplugged everything gets deleted. Software for that would be easy enough to write and these servers can easily have 32 GB ram (or more). It would be simple enough to hide stuff.

First you state “they will go through all of the very expensive effort” then you state “Software for that would be easy enough to write”. So is it expensive or not? Here’s a hint, it is the latter.

Its possible that software can be specifcally written to load into RAM only but you fail to consider that it is possible to perform forensic analysis on RAM and that the contents are RAM are often written temporarily to the hard drive in a “swap” file.

No, what the feds should have done (first), and what the common sense approach is, is for them to request to work with the anonymizer admins to catch the culprits. Chances are they would have been more than happy to work with the feds on the matter.

“anonymizer admins”? You have no idea how a multi-node anonymity tool functions do you? Do you honestly beleive that May 1st would have allowed the FBI to monitor the traffic flowing through their server?

Either you are a brilliant troll or you are profoundly naive. I sincerely hope its the former, if so I congratulate you and will heartily LOL at myself.

You hit it – the mail coming from that server is more than enough probably cause to seize the server to try to identify who the email is coming from. The group should consider themselves lucky that they didn’t convince the judge to take everything they had – instead of just one server.

I think it’s too bad that Mike has no understanding of what it takes to get this done.

There is one possibility I did not see mentioned. They could have taken the server to clone it. Having a clone of a production server from a farm of similar servers would be a very good way to develop attacks to gain access later regardless of if the server was left in operation or not. Kinda like buying a lock from the hardware store to figure out how to pick every lock alike it.

somebody’s gotta feel this

and I think this might be a good example where bureaucracy gets in the way of common sense. In other situation, where there is reasonable suspicion that the server admins might be in on it, it might make more sense to simply unplug the server first. but in this situation, where no such reasonable suspicion exists, it’s probably much better to work with the server admins on the case.

(and, better yet, could help catch the culprits in the act).

may be a disservice to the country.

So the risks are, server admins doing something nefarious if you work with them vs losing important data in ram by unplugging the machine first. In this situation, the later is a much bigger risk being that the risk here of the server admins attempting to conceal the bomb threats is almost zero.

G Thompson is right, you know absolutely nothing about digital forensics. Almost all systems are siezed by pulling the power on the machine. You keep saying there are smarter ways to do it. OK, what are these smarter ways of analyzing the contents of the drives?

Do you really beleive that the placing trust in persons unknown to the FBI justifies the risk and threat of loss of the data?

Placing trust = risk and threat of action by bad actor
No trust = far less risk and threat

Fair enough, you make some good points. Thanks for the insight.