Police Say No Evidence Of Value Was Lost In Ransomware Attack, Except Maybe Some Stuff Defense Lawyers Might Find Useful

from the all-good-on-THIS-side,-assume-same-for-others,-etc. dept

Ransomware is everywhere. And it’s affecting everything, including critical systems. Sure, it’s kind of humiliating to be locked out of your smart TV, but hospitals are being locked out of patient records and –in a new twist — hotel guests are being locked out of their rooms.

Then there’s something like this, where the chain of evidence is disrupted by ransomware purveyors.

The Cockrell Hill Police Department lost video evidence and a cache of digital documents after hackers invaded the department’s computer system last month.

Stephen Barlag, Cockrell Hill’s police chief, said the incident was not the work of hackers, but acknowledged that the incident included a computer-generated ransom demand.

“This was not a hacking incident,” Barlag said in a news release Wednesday evening. “No files or confidential information was breached or obtained by any outside parties.”

[Rather entertaining to note WFAA’s opening sentence is immediately contradicted by the Police Chief’s statements. #journalism]

While it’s reassuring no evidence was obtained by outside parties, it’s not that much more reassuring to hear the owner of the data couldn’t access it either. The PD consulted with the FBI before coming to conclusion that the files might still be inaccessible even if it did pay the $4,000 ransom.

The department, however, is not being all that upfront about the possible negative effect this might have on criminal defendants, who might want to challenge the evidence against them or look through it for anything exculpatory. The department — despite admitting its backup was similarly infected — claims this is no big deal.

Barlag said of the lost files, “none of this was critical information.”

Define “critical.”

“Well, that depends on what side of the jail cell you’re sitting,” said J. Collin Beggs, a Dallas criminal defense lawyer who has a client charged in a Cockrell Hill felony evading case involving some of the lost video evidence.

This would be video evidence Beggs has been asking for since last summer — well before the PD’s files were wiped out by ransomware. It could be very critical information, despite Police Chief Barlag’s assertion to the contrary. What’s useful to a defendant is seldom viewed as useful by law enforcement. Hence the difference of opinion.

But even while stating nothing of (subjective) value was lost, Chief Barlag did admit there was a possibility that defense lawyers might be interested in finding out what evidence might no longer be available. And the department may not have made this loss public if it hadn’t needed to speak to defendants about its inability to secure relevant evidence.

Barlag said he didn’t know how much of of the digital material lost was evidence in pending criminal cases, but acknowledged that some of it was. He said no cases have been dismissed that he knows of because of the losses.

Well… yet. The infection wasn’t discovered until December 12th and the department didn’t go public until more than a month after that. So, news that evidence needed in prosecutions may not be available has spread very slowly. And the details of what’s recoverable makes it clear that the department values narrative over less-biased documentation. The police reports are retained in hard copy. Any recordings of incidents detailed in these reports are apparently backed up in a more haphazard fashion.

Some of the videos were backed up on CDs, but those that were not are lost.

No police reports, nor any criminal history information, was lost, Barlag said.

Comforting… for the police department. Not so much for criminal defendants, who are going to have an even harder time arguing against “our word vs. yours” assertions — which cops can back up with police reports while giving defendants nothing at all to push back with.

Filed Under: , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Police Say No Evidence Of Value Was Lost In Ransomware Attack, Except Maybe Some Stuff Defense Lawyers Might Find Useful”

Subscribe: RSS Leave a comment
PRMan (profile) says:

Re: Re:

I used to write software for police departments. Security truly was all or nothing.

Some departments were so secure I had to send them blind SQL statements to update their database which I could never view. These SQL statements would be, of course, gone over with a fine-toothed comb prior to execution. And you could never hook a computer up to their network. You had to use theirs with a secure remote desktop to your own machine that couldn’t transfer files. If you wanted to deliver software, it had to be done in a prescribed way to be scanned first. And you had to have a background check first or you never even got to do any of that.

Others would beg us to come in on a remote desktop with a single shared password that never changed and that everyone who ever worked there knew. And they would just let us do anything we wanted with full admin rights, even though we were just contractors.

It was stunning how all or nothing it was.

Christenson says:

Adverse inference -- How convenient you lose all the exculpatory evidence!

I certainly hope the defense lawyers use this loss to get adverse inferences against the police department and release their clients.

What I don’t get is why police (and the FOP) don’t seem to need to convict criminals “by the book”. All this sloppiness!

killthelawyers (profile) says:

Chain of Custody

The overarching problem here, beyond what was directly lost, is the breach in chain of custody. Had they paid the ransom, there would still be a significant breach in the chain of custody of the evidence because an outside actor has taken control of the documents and it would be difficult to prove that nothing has been altered. Taken broadly, this is a problem for *all* documents, whether they were captured by the ransomware or not, because it shows that someone else at least had access to the files, although there is not the same evidence they were compromised.

Suffice to say, I’m glad I’m not the Department’s IT staff or the prosecutor who is going to have to convince a judge that the evidence should be admitted.

Anonymous Coward says:

It’s doubtful that the suspect would simply walk free. But it does create a major problem for the police department involved in the case. The police department and the prosecutor are required by law to preserve all evidence in a trial, even exculpatory evidence that may exculpate the defendant and that the evidence MUST be turned over to the defense attorney. When this doesn’t occur, and it doesn’t matter how it happened, it’s considered in a court of law to be a Brady violation.

The prosecutor may dismiss the case rather than deal with the headache but then they have to deal with the fallout over the police losing the evidence in the first place. The fact that the only evidence that was unrecoverable was evidence crucial to the defense speak volumes as to the shenanigans of the police department and offer a clue as to their motives.

The judge may even find that the evidence destroyed penalizes the client and violates his constitutional right to due process. The police department surely made backups of this evidence. I find it hard to believe they didn’t back up this evidence, even if it was embarrassing to the department.

Anonymous Coward says:

Re: Re:

The police department surely made backups of this evidence.

Per the article, they have backups, and those backups are likewise compromised (except for the backups written to CD, which apparently are not comprehensive). This leads to one of a few possibilities, none of them good:

  1. Backups are managed in a way that a privileged process on the infected system can delete or damage previously created backups, and the ransomware zapped the backups when it zapped the primary copies. (Solution: backups should be driven by a computer that is locked down in a way that makes infection by ransomware far less likely than your daily-use desktop operated by a non-technical user.)
  2. Backups are expired so frequently that the IT department, following standard procedure, had destroyed all backups that predated the compromise before anyone reported the compromise. (Solution: a tiered backup scheme, possibly augmented by good delta-compression. Going farther back in time becomes more trouble than recovering from the latest full backup, but stays within acceptable size limits.)
  3. Backups are conducted so infrequently that there is a large window of time between the most recent good backup and discovery of the compromise. Everything entered into the system during that window is missing from every known backup. (Solution: conduct more frequent backups, especially on resources that are important to legal process. Losing transcriptions of hardcopies that can be re-entered is annoying. Losing the sole copy of incriminating or exculpating evidence is a big deal.)
  4. Backups are incomplete. Some portion of the system is not archived at all, and cannot be recovered from backup even when the backup is recently made and in perfect condition. (Solution: clearly document which areas are archived. Implement technical measures to make it difficult for users to accidentally store important work (or, if necessary, any work whatsoever) in areas that are not archived.)
Anonymous Coward says:

Let me point out something: Police Departments never get charged with anything related to destruction of evidence. The most that happens is that an individual officer may get suspended for a short time with pay or the court may admonish the police department, but nothing ever happens.

It’s up to either the courts or the prosecutor to determine whether to dismiss a case. But, there’s no penalty for it.

Anonymous Coward says:

Could that have been why I could not get into my hotel room once on a Disneyland trip. I eneded up having to sleep in my car until the office openeed next morning.

I always thought the key might have been demagnetized by something on the park. I wonder now if some kind of malware could have screwed up the lock, as the office had to make a new key card for me next morning.

Anonymous Coward says:

Re: Re:

The answer you’re looking for is no. Also, I really hope this is an example of Poe’s law.

1. If your lock was infected, every other lock in the building would also be infected, since the likelihood of every lock being on a separate system with separate malware protection is infinitesimally small.

2. If the lock was infected with malware, making a new key card would have done exactly nothing.

Roger Strong (profile) says:

Re: Re:

“I went to my first computer conference at the New York Hilton. When somebody there predicted the market for microprocessors would eventually be in the millions, someone else said, “Where are they all going to go? It’s not like you need a computer in every doorknob!” Years later, I went back to the same hotel. I noticed the room keys had been replaced by electronic cards you slide into slots in the doors. There was a computer in every doorknob.”
– Danny Hillis

Anonymous Coward says:

Re: rule #1

In a decent backup system, there is more than one offsite and offline backup, so that you never write the last offsite backup..The last system I worked with kept 7 + 12 offsite and offline copies, rotating weekly, and rotating monthly copies. Also, a test restore, or at least consistency check is required on a regular interval, just to check the system.

That One Guy (profile) says:

Seems simple enough

If hackers had access to the evidence then none of it should be admissible, as it’s not possible to prove that it wasn’t tampered with. While that’s certainly a pain for the police and defense lawyers(more the former than the latter I’d imagine) it’s their own damn fault for not keeping backup copies of such important data in multiple format beyond gorram CDs of some of the data.

Maybe having every single current case undermined will give them the incentive they need to practice better security and data backup going forward.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...