Agent's Testimony Shows FBI Not All That Interested In Ensuring The Integrity Of Its Forensic Evidence

from the bad-things-are-good-if-done-for-the-'right'-reasons dept

Security researcher Jonathan Zdziarski has been picking apart the FBI’s oral testimony on the NIT it deployed in the Matish/Playpen case. The judge presiding over that case denied Matish’s suppression request for a number of reasons — including the fact that Matish’s residence in Virginia meant that Rule 41 jurisdiction rules weren’t violated by the FBI’s NIT warrant. Judge Morgan Jr. then went off script and suggested the FBI didn’t even need to obtain a warrant to deploy a hacking tool that exposed end user computer info because computers get hacked all the time.

He equated this to police peering through broken blinds and seeing something illegal inside a house, while failing to recognize that his analogy meant the FBI could let themselves inside the house first to break the blinds, then peer in from the outside and claim “plain sight.”

The oral arguments [PDF] — using FBI Special Agent Daniel Alfin’s testimony — were submitted in yet another case tied to the seizure of a child porn website, this one also taking place in Virginia and where the presiding judge has similarly denied the defendant’s motion to suppress. The DOJ has added the transcript of the agent’s oral testimony in the Matish prosecution as an exhibit to this case, presumably to help thwart the defendant’s motion to compel the FBI to turn over the NIT’s source code.

Many assertions are made by Agent Alfin in support of the FBI’s claim that its hacking tool — which strips away any anonymity-protecting efforts put into place by the end user and sends this information to a remote computer — is not malware. And many of them verge on laughable. Or would be laughable, if Alfin wasn’t in the position of collecting and submitting forensic evidence.

There’s so much wrong in here, it’s probably best to just start at the top.

1. A MAC address is a unique identifier that can never be altered.

THE WITNESS: Yes, Your Honor. MAC is an acronym that stands for media address control.

THE COURT: Is that different than IP address?

THE WITNESS: Yes, Your Honor. A MAC address is unique and does not change. So you can look at the MAC address in the matter at hand from Mr. Matish’s computer, and that MAC address is always the same. It is the one that was identified by the government. It was also the one that was seized by the government. A MAC address is hard-wired or burned into the card.

[Compared with this, from the same agent, roughly 30 pages later…]

Q. Are any of those items — I believe you testified to the MAC address. Can that be changed?

A. It can be —
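The agent's two answers on MAC addresses sit awkwardly together: the address is "burned into the card" and "does not change", yet later "can be" changed. What an examiner can actually test from the address alone is small. The first octet carries two IEEE 802 flag bits, and a set "locally administered" bit shows the address was assigned by software (the MAC randomization features in modern operating systems set exactly this bit); a clear bit proves nothing, since software can override the burned-in value with any address it likes, including one that looks factory-assigned. The following is an added example in Python, not code from the article, the court record or the FBI; the sample addresses are constructed.

```python
import os
import re

HEX = set("0123456789abcdefABCDEF")


def parse_mac(text: str) -> bytes:
    """Accept the common spellings (00:11:22:33:44:55, 00-11-22-33-44-55,
    0011.2233.4455) and return the six raw octets; reject anything else."""
    digits = re.sub(r"[:\-.\s]", "", text)
    if len(digits) != 12 or not set(digits) <= HEX:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def describe_mac(text: str) -> dict:
    """Decode the two flag bits of the first octet (IEEE 802):
    bit 0 (0x01) = I/G, set for group/multicast addresses;
    bit 1 (0x02) = U/L, set for locally administered addresses, i.e. values
    assigned by software rather than burned in by the vendor."""
    octets = parse_mac(text)
    first = octets[0]
    return {
        "canonical": ":".join(f"{b:02x}" for b in octets),
        "oui": ":".join(f"{b:02x}" for b in octets[:3]),
        "multicast": bool(first & 0x01),
        "locally_administered": bool(first & 0x02),
    }


def burned_in_claim_plausible(text: str) -> bool:
    """A MAC with the U/L bit set was set by software. A clear U/L bit does
    not prove the address is factory-assigned (software can write any value),
    so this check can refute a 'burned in' claim but never confirm it."""
    d = describe_mac(text)
    return not d["locally_administered"] and not d["multicast"]


def randomized_mac(rng=os.urandom) -> str:
    """How OS-level MAC randomization forms an address: random octets with
    the U/L bit set and the I/G bit cleared."""
    b = bytearray(rng(6))
    b[0] = (b[0] | 0x02) & 0xFE
    return ":".join(f"{x:02x}" for x in b)


if __name__ == "__main__":
    # Constructed sample values, not from the case record.
    for sample in ("00:11:22:33:44:55", "02-11-22-33-44-55",
                   "0211.2233.4455", "01:00:5e:00:00:fb", randomized_mac()):
        print(sample, describe_mac(sample), burned_in_claim_plausible(sample))
```

The asymmetry is the point for a forensic report: the flag bit can show that an address was software-assigned, but the absence of the bit cannot support a claim that the address is a stable, unalterable identifier.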

2. The FBI didn’t need to encrypt the data collected by the NIT because, hey, Tor is secure and can’t be compromised.

Q: In one of the declarations that was submitted on behalf of Mr. Matish by Dr. Soghoian, it is alleged that because the NIT sent data over the regular Internet and not encrypted that the authenticity of the data could not be verified.

A: This is incorrect. It also fails to acknowledge that the NIT was, in fact, sent to Mr. Matish’s computer over the Tor network, which is encrypted.

3. Encryption would ruin the integrity of the collected evidence.

Q. Would encryption of the data as it was transmitted from the computer to the government — what effect, if any, would that have had on the utility of the data going forward?

A. It would have not completely made the network data useless, but it would have hurt it from an evidentiary standpoint. Because the FBI collected the data in a clear text, unencrypted format, it shows the communication directly from Mr. Matish’s computer to the government. It can be read; it can be analyzed. It was collected and provided to defense today, and they can review exactly what the FBI collected.

Had it been encrypted, it would not have been of the same value, because the encrypted data stream itself could not be read. In order to read that encrypted data stream, it would have to first be decrypted by the government, which would fundamentally alter the data. It would still be valid, it still would have been accurate data; however, it would not have been as forensically sound as being able to turn over exactly what the government collected.
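Item 3 turns on the claim that decrypting transmitted data would "fundamentally alter" it. Standard evidence-handling practice shows why encryption and integrity are not in tension: the collector records a cryptographic hash of the bytes at the moment of capture, protects them in transit with authenticated encryption, and re-hashes after decryption. The examiner can then attest that the bytes in hand are exactly the bytes captured, and any on-path modification is detected rather than silently accepted, which is precisely the guarantee clear-text transmission cannot give. The following is an added example in Python, not code from the article, the court record or the FBI. The capture string and keys are constructed, and the HMAC-SHA256 counter-mode stream cipher is a stand-in for illustration; a real collector would use AES-GCM or ChaCha20-Poly1305 from a vetted library.

```python
import hashlib
import hmac
import os

# Constructed sample capture: the sort of clear-text identifiers the article
# says the NIT returned. Values are hypothetical, not from the case record.
SAMPLE_CAPTURE = (
    b"hostname=WORKSTATION01;mac=00:11:22:33:44:55;"
    b"ip=192.0.2.10;os=Windows 7 SP1"
)

NONCE_LEN = 16
TAG_LEN = 32


def fingerprint(data: bytes) -> str:
    """SHA-256 of the bytes exactly as captured; this is what the custody
    record stores before anything is transmitted."""
    return hashlib.sha256(data).hexdigest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 driven as a PRF in counter mode. Illustrative only: a real
    collector would use AES-GCM or ChaCha20-Poly1305 from a vetted library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; raise on any alteration."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce = blob[:NONCE_LEN]
    ciphertext = blob[NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch: data altered in transit")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def custody_roundtrip(capture: bytes, enc_key: bytes, mac_key: bytes,
                      tamper: bool = False) -> dict:
    """Capture -> hash -> encrypt -> (optional on-path corruption) ->
    decrypt -> re-hash. Returns what an examiner can later attest to."""
    recorded_hash = fingerprint(capture)          # logged at capture time
    wire = seal(enc_key, mac_key, capture)        # what crosses the network
    if tamper:
        # Flip one bit inside the ciphertext to model an on-path change.
        i = NONCE_LEN + 4
        wire = wire[:i] + bytes([wire[i] ^ 0x01]) + wire[i + 1:]
    try:
        received = unseal(enc_key, mac_key, wire)
    except ValueError as err:
        return {"authenticated": False, "hash_matches": False,
                "reason": str(err)}
    return {"authenticated": True,
            "hash_matches": fingerprint(received) == recorded_hash,
            "plaintext": received}


if __name__ == "__main__":
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    print(custody_roundtrip(SAMPLE_CAPTURE, enc_key, mac_key))
    print(custody_roundtrip(SAMPLE_CAPTURE, enc_key, mac_key, tamper=True))
```

Two things worth noticing in the output. First, the decrypted bytes hash to the value recorded at capture, so decryption did not alter the evidence in any sense an examiner cares about. Second, the tampered run fails authentication before any plaintext is produced; a clear-text stream offers no equivalent check, so a modified capture would be indistinguishable from a genuine one unless a hash had been recorded at capture anyway.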

4. The FBI’s malware is not malware because “mal” means “bad” and “FBI” means “good.”

Q. And, finally, would you describe the NIT as malware?

A. No. The declaration of Dr. Soghoian disputes my point from my declaration that I do not believe the NIT should be considered malware, but he fails to address the important word that makes up malware, which is “malicious.”

“Malicious” in criminal proceedings and in the legal world has very direct implications, and a reasonable person or society would not interpret the actions taken by a law enforcement officer pursuant to a court order to be malicious. And for that reason I do not believe that the NIT utilized in this case pursuant to a court order should be considered to be malware.

5. The defense has all the data it needs to examine the FBI’s NIT.

Q. Okay. And you’re aware that the first time that the government agreed to produce that particular data was in its response to this motion to compel?

A. I assume that’s the case. I don’t know exactly what date it was provided on, but I know it was turned over.

Q. And then you talked about a data stream being made available, right?

A. Yes.

Q: And you’re aware that the first time that the government agreed to produce that data was in its surreply to the motion to compel.

A. I don’t recall the first time that that data was made available, but I know it has been made available and has been turned over.

Q. As of —

A. As of today.

Q. — 20 minutes ago, correct?

A. Yes. To the best of my knowledge, it was not turned over prior to that.

7. The NIT is like a set of burglar’s tools…

Q. You say the exploit would shed no light on what the government did. The government deployed this exploit, correct?

A. The government used the exploit to deploy the NIT.

Q. And I believe you used the analogy that this exploit is like a way of picking a lock, right?

8. … except that sounds really bad and not something the “good” FBI should be doing. So, now it’s an open window.

A. Yes. A more accurate analogy may be going in through an open window. As I’ve stated in my declaration, there was a vulnerability on Mr. Matish’s computer. The FBI did not create that vulnerability. That vulnerability can be thought of as an open window. So we went in through that open window, the NIT collected evidence, and then left. We made no change to the window.

There’s plenty more to read through and Zdziarski’s Twitter stream contains several highlights and some incisive analysis. Matish’s lawyer also makes a very good point about the problems with using insecure data — transmitted in unencrypted form — as forensic evidence.

To prevent tampering with the evidence. I mean, this is analogous to — I mean, there’s a crime scene. Certain evidence is collected, and rather than bagging and labeling it and following established techniques for how evidence is to be collected and transferred back to, you know, the server, which is like an evidence locker, they just threw everything in the back seat of the cruiser and drove back. Oh, and, by the way, they won’t tell us whether on the way back they also picked up someone else who rode in the back of the cruiser.

Or as Zdziarski puts it:

He also points out that the FBI’s refusal to allow Matish to examine the NIT is not at all aligned with normal evidentiary practices.

We’ve set out through our expert declarations exactly why this information is critical, and the government is saying, no, we’ve looked at it, we’ve analyzed it; our experts say you wouldn’t be able to make a meaningful trial defense based on this information. But in some ways, Your Honor, that’s the same as saying, we’re not telling you who our confidential informant is. You don’t need to talk to him, because we’re telling you he’s believable and everything he’s saying is true. You don’t need to look at the DNA tests from the lab, because we’re telling you it’s a match, and we’re telling you the tests were fine.

Despite this, the court decided to deny the motion to suppress and Matish will be dealing with the evidence collected against him. According to this testimony, it isn’t much — some images found in unallocated space, suggesting they had been deleted. That’s not much but it may be enough to secure a conviction.

But the testimony gives us greater insight into the FBI’s handling of forensic evidence and its perception of the exploits at its disposal. And what’s on display here is far from encouraging.


Comments on “Agent's Testimony Shows FBI Not All That Interested In Ensuring The Integrity Of Its Forensic Evidence”

Anonymous Coward says:

Re: Stunning

This is why I think anyone believing anything the government says is a fucking fool!

People erroneously think that the government has no reason to lie, but the people that work in law enforcement have their own egos, motivations, and reasons to lie to put people behind bars. A person's innocence means fucking shit to them!

As long as they get their pound of flesh they are happy, it matters not if it comes off a hardened criminal (bonus) or an innocent child.

Anonymous Coward says:

Re: Stunning

As always the answer is: They are a little of both.
But the real reason is they are strongly biased, coupled with the mind-set that they are the good guys and can do no wrong. I would compare them with a criminally insane person that sees no error in his doing and rationalises everything he did as good and correct. He is simply asking himself why nobody can see it correctly, they must all be crazy.

Anonymous Coward says:

Re: Re: Like an open window

Not in the least. Vulnerabilities are flaws in design that permit unintended use or access. Exploits are the code or techniques to leverage the vulnerability. Burglar tools are the right analogy.

A window left unlocked is an error or a choice, not a vulnerability. No exploit required. This is the same as leaving a password on a sticky note. You still have access, but you did not use an exploit.

A window that is locked, but there is a way to unlock it from the outside has a vulnerability. A piece of metal fashioned to fit that vulnerability is an exploit.

The FBI didn’t go through an open window. They used a tool (exploit) to gain access to the computer by means of a vulnerability. “Burglar tools” may not sound so good because they are the ‘Good Guys’, but they still used custom tools to gain surreptitious access to a computer that the user reasonably believed to be private and secured against unauthorized use.

Anonymous Coward says:

Number 4 seems pretty egregious. They’re literally admitting that they can intentionally use words in ways that are not intended in their common usage and pretend that that’s what others are saying.

“When you say you’re innocent, we hear you saying you’re guilty, so we’re just going to skip the trial and go straight to the sentencing, because…words!”

Anonymous Coward says:

a reasonable person or society would not interpret the actions taken by a law enforcement officer pursuant to a court order to be malicious

So all those times that the police wrecked a property (sometimes even the wrong property!) because they were executing a court order were not malicious. They could not possibly have conducted the search in a less destructive manner. They wrecked the property because they cared so much about the property owner that they just had to destroy the property so that it could be rebuilt, at the owner’s expense, of course.

John Fenderson (profile) says:

Re: Re:

We don’t even have to go that far to shoot down that statement, because the statement is literally nothing more than word games.

In the computer security world, something is “malicious” if it is attempting to bypass your security measures. The ultimate intent, and whether or not the people doing it are “bad guys” is irrelevant to the meaning of the term.

But the government and large corporations had started playing that particular word game many years ago. It certainly didn’t start here. Avoiding that game is one of the major reasons why security companies started preferring the term “PUP” (potentially unwanted program) instead of “malware” — it’s a weird kind of political correctness.

Paul Renault (profile) says:

The sloppiness was designed in, it wasn't a bug.

Considering how they used to ‘record’ interrogations, I’m not surprised, one bit: one agent would ask the questions, the other would hand write down questions and your answers.

No possibility of abuse there, eh.

Quoting from a May 2014 AZCentral article:
Put simply, in the absence of recorded interviews, defense lawyers have been able to undermine honest testimony by some FBI agents while, in other cases, agents misremembered, distorted or lied about suspect statements.

In 2006, the New York Times uncovered another explanation for the DOJ policy, spelled out in an internal FBI memorandum. Basically, it argued that jurors might be offended, possibly to the point of acquitting defendants, if they observed the deceit and psychological trickery legally employed by agents to obtain information and confessions.

The 2006 FBI memorandum is below (relevant section: page 4, item 3).

Groaker (profile) says:

The FBI laboratories have always been held up as a shining example of outstanding forensic work. Having spent my career in the sciences, I am ashamed of what these mendacious reprobates do in the pursuit of convictions. Time after time their methods and "invented" tests could not survive a Daubert challenge were it not for the FBI's ability to force publication in journals.

Their perjuries at trial are pathological, and performed even when there was no reason to add to the mountain of evidence. The FBI claimed that its laboratories could discriminate between fertilizer lots at the trial of McVeigh. And that analysis of the residuals found at the scene tied to the lot that was purchased. Yet the test that was used could not distinguish between urine and fertilizer, nevermind lots of fertilizer.

Other tests have been "invented" and used at trial, when at least one of them could have been refuted by a high school algebra student a month or two into the course.

Anonymous Coward says:

The NIT put the images there

Since the defense can't even get access to the NIT to verify what it can and can't do, we have to assume it loaded the images onto the computer in the first place. That would be like the FBI walking into someone's home after they picked the lock and searched it. No warrant specifying who or where this would take place.

That Anonymous Coward (profile) says:

And this is why we need Judges who have some knowledge of the subjects. While each side can put on experts, it seems that Judges go with the official narrative even as everyone else is staring at them going WTF are you saying you moron.

This is another case where it appears the ends, busting CP weirdos, justified the means, deploying malware – violating rights – lying in court.

Everyone wants those who traffic in CP to end up away from children before bad things happen, but if we keep turning a blind eye to them being screwed over the odds of it happening to a ‘Good Person ™’ tick up to 100%.

That One Guy (profile) says:

Bad and worse

While it’s bad enough that the FBI’s agent feels confident in lying and/or making misleading statements to the court, it’s perhaps even more worrying that the judge seems willing to buy those lies and absurd claims.

Expecting honesty from the FBI is like expecting honesty from a politician; sure you might get it, but only rarely, and only when it serves their interests. However you’d like to think that a judge would be a little more practiced at spotting rubbish like that, and willing to call the one making it out for presenting conflicting or flat out wrong assertions. That they seem willing to just accept the FBI’s testimony at face value is troubling to say the least.

Anonymous Coward says:

MAC randomization on iOS, Win10, etc.

MAC randomization already exists, but not in a standard

The feature has existed for some time on Linux, Windows, OS X, iOS and Android, but currently it is not included in IEEE's 802 standards.

Anonymous Coward says:

7. The NIT is like a set of burglar’s tools…

Q. You say the exploit would shed no light on what the government did. The government deployed this exploit, correct?

A. The government used the exploit to deploy the NIT.

Q. And I believe you used the analogy that this exploit is like a way of picking a lock, right?

This is putting words into the mouth of the FBI agent. A much better quote would be to include the earlier lock picking analogy that the questioner is referring to.

Anonymous Coward says:

> some images found in unallocated space, suggesting they had been deleted.

… like would happen if someone encountered an image through their browser, then deleted the browser history?

So… someone can, with a drive-by image load, put evidence on your computer sufficient to get you convicted of child porn.

Richard Robertson (user link) says:

Re: Re:

Sadly this has happened. I'm directly familiar with a case where a guy had a relative using his computer. The relative downloaded CP through some form of automated means. The original person got hit with an electronic search of a file-sharing program running on his system. He was about to do a virus check on suspicious activity on his system when the cops came knocking. The relative actually admitted to doing the deed later but the guy still took a plea deal on a misdemeanor. I saw much the same lies by a state level cop as here and actually wrote up an expert analysis for his public defender. Actual innocence is apparently not a defense on CP any more. God help you if you get a machine as a rental!

Ryunosuke (profile) says:

I think the bigger issue is that the US govt can do no wrong, it is a god.

It *claims* to be good, without looking to see if what it is, truly is, good. For some unfathomable reason, it thinks that it cannot be corrupt, with all that money pouring into it. Point is, it derides nations that do THE EXACT SAME THING, WITH THE EXACT SAME REASONS, but no, it is good because…. US govt is good(?)

So I asked in a chat I frequent, and got: "Sounds like the FBI has a case of the stupid" (German citizen).

A question though, why in the hell does this NOT run afoul of the CFAA?!? It DID access a computer without the user… owner’s permission. That should carry a minimum of 20 years in prison.
