Police Say No Evidence Of Value Was Lost In Ransomware Attack, Except Maybe Some Stuff Defense Lawyers Might Find Useful

from the all-good-on-THIS-side,-assume-same-for-others,-etc. dept

Ransomware is everywhere. And it's affecting everything, including critical systems. Sure, it's kind of humiliating to be locked out of your smart TV, but hospitals are being locked out of patient records and -- in a new twist -- hotel guests are being locked out of their rooms.

Then there's something like this, where the chain of evidence is disrupted by ransomware purveyors.

The Cockrell Hill Police Department lost video evidence and a cache of digital documents after hackers invaded the department’s computer system last month.

Stephen Barlag, Cockrell Hill's police chief, said the incident was not the work of hackers, but acknowledged that the incident included a computer-generated ransom demand.

"This was not a hacking incident," Barlag said in a news release Wednesday evening. "No files or confidential information was breached or obtained by any outside parties."

[Rather entertaining to note WFAA's opening sentence is immediately contradicted by the Police Chief's statements. #journalism]

While it's reassuring no evidence was obtained by outside parties, it's not that much more reassuring to hear the owner of the data couldn't access it either. The PD consulted with the FBI before coming to the conclusion that the files might still be inaccessible even if it did pay the $4,000 ransom.

The department, however, is not being all that upfront about the possible negative effect this might have on criminal defendants, who might want to challenge the evidence against them or look through it for anything exculpatory. The department -- despite admitting its backup was similarly infected -- claims this is no big deal.

Barlag said of the lost files, “none of this was critical information.”

Define "critical."

"Well, that depends on what side of the jail cell you're sitting," said J. Collin Beggs, a Dallas criminal defense lawyer who has a client charged in a Cockrell Hill felony evading case involving some of the lost video evidence.

This would be video evidence Beggs has been asking for since last summer -- well before the PD's files were wiped out by ransomware. It could be very critical information, despite Police Chief Barlag's assertion to the contrary. What's useful to a defendant is seldom viewed as useful by law enforcement. Hence the difference of opinion.

But even while stating nothing of (subjective) value was lost, Chief Barlag did admit there was a possibility that defense lawyers might be interested in finding out what evidence might no longer be available. And the department may not have made this loss public if it hadn't needed to speak to defendants about its inability to secure relevant evidence.

Barlag said he didn’t know how much of the digital material lost was evidence in pending criminal cases, but acknowledged that some of it was. He said no cases have been dismissed that he knows of because of the losses.

Well… yet. The infection wasn't discovered until December 12th and the department didn't go public until more than a month after that. So, news that evidence needed in prosecutions may not be available has spread very slowly. And the details of what's recoverable make it clear that the department values narrative over less-biased documentation. The police reports are retained in hard copy. Any recordings of incidents detailed in these reports are apparently backed up in a more haphazard fashion.

Some of the videos were backed up on CDs, but those that were not are lost.

No police reports, nor any criminal history information, was lost, Barlag said.

Comforting… for the police department. Not so much for criminal defendants, who are going to have an even harder time arguing against "our word vs. yours" assertions -- which cops can back up with police reports while giving defendants nothing at all to push back with.


Reader Comments

  • Ninja (profile), 2 Feb 2017 @ 3:16am

    Simple: if the evidence is lost then there's no case, the accused walk free and the cops are shamed and some heads cut (figuratively) for the incompetence. What are the chances of it happening? My educated guess is zero for the punishment and very low for the dismissals.


  • Anonymous Coward, 2 Feb 2017 @ 4:19am

    Police Say No Evidence Of Value Was Lost In Ransomware Attack, Except Maybe Some Stuff Defense Lawyers Might Find Useful

    Is this the new way of losing inconvenient evidence?


  • Anonymous Coward, 2 Feb 2017 @ 4:31am

    Maybe the police department needs to fire their IT guys?

    If you are handling sensitive evidence like this you should have a very secure system to do it and to safely store it (otherwise how can you prove chain of custody?).


    • PRMan, 2 Feb 2017 @ 7:49am

      Re:

      I used to write software for police departments. Security truly was all or nothing.

      Some departments were so secure I had to send them blind SQL statements to update their database which I could never view. These SQL statements would be, of course, gone over with a fine-toothed comb prior to execution. And you could never hook a computer up to their network. You had to use theirs with a secure remote desktop to your own machine that couldn't transfer files. If you wanted to deliver software, it had to be done in a prescribed way to be scanned first. And you had to have a background check first or you never even got to do any of that.

      Others would beg us to come in on a remote desktop with a single shared password that never changed and that everyone who ever worked there knew. And they would just let us do anything we wanted with full admin rights, even though we were just contractors.

      It was stunning how all or nothing it was.


  • Christenson, 2 Feb 2017 @ 4:43am

    Adverse inference -- How convenient you lose all the exculpatory evidence!

    I certainly hope the defense lawyers use this loss to get adverse inferences against the police department and release their clients.

    What I don't get is why police (and the FOP) don't seem to need to convict criminals "by the book". All this sloppiness!


  • Anonymous Coward, 2 Feb 2017 @ 4:58am

    "This was not a hacking incident" So it was caught by somebody looking at Russian porn on a Police computer, probably during work hours. Nice to see taxpayer money well spent.

    “none of this was critical information.” It wasn't drug money so who cares, besides defendants are guilty as soon as they're charged, no?

    /s


  • peter, 2 Feb 2017 @ 5:07am

    "No files or confidential information was breached"

    If I were a defence lawyer my first question would be, "for any evidence presented in court that was held on this system, how can you prove it was not altered in any way?"


  • spodula, 2 Feb 2017 @ 5:47am

    Erm...

    This sounds not entirely unlike:
    Defendant: There's a disagreement between what the defendant says and the police officer. As such, we need your bodycam footage please.
    PD: Erm, we lost it all. Ransomware, yes, ransomware, that was it. Damn shame.


  • killthelawyers (profile), 2 Feb 2017 @ 6:27am

    Chain of Custody

    The overarching problem here, beyond what was directly lost, is the breach in chain of custody. Had they paid the ransom, there would still be a significant breach in the chain of custody of the evidence because an outside actor has taken control of the documents and it would be difficult to prove that nothing has been altered. Taken broadly, this is a problem for *all* documents, whether they were captured by the ransomware or not, because it shows that someone else at least had access to the files, although there is not the same evidence they were compromised.

    Suffice to say, I'm glad I'm not the Department's IT staff or the prosecutor who is going to have to convince a judge that the evidence should be admitted.

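The question peter raises above ("how can you prove it was not altered?") and the chain-of-custody point killthelawyers makes both come down to the same control: hash each evidence file at ingest and keep an authenticated record of those hashes somewhere the evidence server cannot rewrite. The following is an added example, not code from the article, from WFAA or from any police department; the file names, file contents, custodian key and `ingested_by` value are all constructed for illustration.

```python
"""Evidence integrity manifest: an added, hypothetical example, not code from
the Techdirt page, WFAA, or any police department.  At ingest every evidence
file is hashed with SHA-256 and the list of hashes is authenticated with an
HMAC whose key the evidence custodian keeps off the evidence server.  A later
check shows which files are unchanged, altered, missing, or never ingested,
and rejects a manifest that was itself rewritten.  All file contents below are
constructed byte strings, not real evidence."""
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes], key: bytes, ingested_by: str) -> str:
    """Hash every file and wrap the listing in an HMAC-SHA256 tag."""
    listing = {name: sha256_hex(data) for name, data in sorted(files.items())}
    body = json.dumps({"ingested_by": ingested_by, "files": listing}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "hmac": tag})


def verify_manifest(files: dict[str, bytes], manifest_json: str, key: bytes) -> dict:
    """Return {'manifest_authentic': bool, 'files': {name: status}} where status
    is 'ok', 'modified', 'missing' (listed but gone) or 'unlisted' (present but
    never ingested).  A bad HMAC means the manifest itself cannot be trusted,
    so no per-file verdicts are reported in that case."""
    wrapper = json.loads(manifest_json)
    expected = hmac.new(key, wrapper["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, wrapper["hmac"]):
        return {"manifest_authentic": False, "files": {}}
    recorded = json.loads(wrapper["body"])["files"]
    status = {}
    for name, digest in recorded.items():
        if name not in files:
            status[name] = "missing"
        elif hmac.compare_digest(sha256_hex(files[name]), digest):
            status[name] = "ok"
        else:
            status[name] = "modified"
    for name in files:
        if name not in recorded:
            status[name] = "unlisted"
    return {"manifest_authentic": True, "files": status}


def demo() -> dict:
    """Ingest two constructed files, then verify four later states of the store."""
    key = b"custodian-key-kept-off-the-server"   # constructed; never stored beside the evidence
    files = {                                     # constructed stand-ins for evidence files
        "bodycam_clip_A.mp4": b"\x00\x00\x00\x18ftypmp42 constructed clip A",
        "interview_B.wav": b"RIFF constructed interview B",
    }
    manifest = build_manifest(files, key, ingested_by="evidence-tech-01")

    untouched = verify_manifest(files, manifest, key)

    altered = dict(files)                         # one byte appended after ingest
    altered["bodycam_clip_A.mp4"] += b"\x00"
    after_alteration = verify_manifest(altered, manifest, key)

    lost = {k: v for k, v in files.items() if k != "interview_B.wav"}
    after_loss = verify_manifest(lost, manifest, key)   # e.g. encrypted and deleted by ransomware

    forged = json.loads(manifest)                 # manifest body rewritten without the key
    forged["body"] = forged["body"].replace("evidence-tech-01", "someone-else")
    after_forgery = verify_manifest(files, json.dumps(forged), key)

    return {"untouched": untouched, "altered": after_alteration,
            "lost": after_loss, "forged": after_forgery}


if __name__ == "__main__":
    for state, result in demo().items():
        print(state, result)
```

Two design points carry the weight here. The HMAC key must not live on the evidence server, or anyone who takes over that server can rewrite both the files and the manifest; and a copy of the manifest itself has to be kept off the server (write-once media or a copy held by the custodian), since ransomware that can encrypt the files can just as easily delete a manifest stored beside them. The check cannot recover anything that was lost; what it gives a court is a verifiable statement of which files still match their ingest hashes and which do not.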

  • TheResidentSkeptic (profile), 2 Feb 2017 @ 6:41am

    Easy equation to understand

    Exonerating Evidence = No Value
    Incriminating Evidence = HIGH value.

    As only "Exonerating" evidence was lost, the statement is therefore true.

    Q.E.D.


  • Anonymous Coward, 2 Feb 2017 @ 6:44am

    Note to self: never hire brother-in-law bricklayer as police IT guy.


  • Anonymous Coward, 2 Feb 2017 @ 6:44am

    It's doubtful that the suspect would simply walk free. But it does create a major problem for the police department involved in the case. The police department and the prosecutor are required by law to preserve all evidence in a trial, even exculpatory evidence that may exculpate the defendant and that the evidence MUST be turned over to the defense attorney. When this doesn't occur, and it doesn't matter how it happened, it's considered in a court of law to be a Brady violation.

    The prosecutor may dismiss the case rather than deal with the headache but then they have to deal with the fallout over the police losing the evidence in the first place. The fact that the only evidence that was unrecoverable was evidence crucial to the defense speaks volumes as to the shenanigans of the police department and offers a clue as to their motives.

    The judge may even find that the evidence destroyed penalizes the client and violates his constitutional right to due process. The police department surely made backups of this evidence. I find it hard to believe they didn't back up this evidence, even if it was embarrassing to the department.


    • Anonymous Coward, 2 Feb 2017 @ 8:12am

      Re:

      The police department surely made backups of this evidence.

      Per the article, they have backups, and those backups are likewise compromised (except for the backups written to CD, which apparently are not comprehensive). This leads to one of a few possibilities, none of them good:

      1. Backups are managed in a way that a privileged process on the infected system can delete or damage previously created backups, and the ransomware zapped the backups when it zapped the primary copies. (Solution: backups should be driven by a computer that is locked down in a way that makes infection by ransomware far less likely than your daily-use desktop operated by a non-technical user.)
      2. Backups are expired so frequently that the IT department, following standard procedure, had destroyed all backups that predated the compromise before anyone reported the compromise. (Solution: a tiered backup scheme, possibly augmented by good delta-compression. Going farther back in time becomes more trouble than recovering from the latest full backup, but stays within acceptable size limits.)
      3. Backups are conducted so infrequently that there is a large window of time between the most recent good backup and discovery of the compromise. Everything entered into the system during that window is missing from every known backup. (Solution: conduct more frequent backups, especially on resources that are important to legal process. Losing transcriptions of hardcopies that can be re-entered is annoying. Losing the sole copy of incriminating or exculpating evidence is a big deal.)
      4. Backups are incomplete. Some portion of the system is not archived at all, and cannot be recovered from backup even when the backup is recently made and in perfect condition. (Solution: clearly document which areas are archived. Implement technical measures to make it difficult for users to accidentally store important work (or, if necessary, any work whatsoever) in areas that are not archived.)


  • Anonymous Coward, 2 Feb 2017 @ 6:49am

    You wouldn't have been arrested in the first place...

    if you weren't guilty. Right?
    /s


  • Anonymous Coward, 2 Feb 2017 @ 6:50am

    not lost, destroyed

    The PD should be charged for destroying evidence. Maybe some PDs would learn how to store evidence properly from that.


  • Anonymous Coward, 2 Feb 2017 @ 7:05am

    Let me point out something: Police Departments never get charged with anything related to destruction of evidence. The most that happens is that an individual officer may get suspended for a short time with pay or the court may admonish the police department, but nothing ever happens.

    It's up to either the courts or the prosecutor to determine whether to dismiss a case. But, there's no penalty for it.


  • Anonymous Coward, 2 Feb 2017 @ 7:39am

    Could that have been why I could not get into my hotel room once on a Disneyland trip? I ended up having to sleep in my car until the office opened next morning.

    I always thought the key might have been demagnetized by something on the park. I wonder now if some kind of malware could have screwed up the lock, as the office had to make a new key card for me next morning.


    • Anonymous Coward, 2 Feb 2017 @ 8:44am

      Re:

      The answer you're looking for is no. Also, I really hope this is an example of Poe's law.

      1. If your lock was infected, every other lock in the building would also be infected, since the likelihood of every lock being on a separate system with separate malware protection is infinitesimally small.

      2. If the lock was infected with malware, making a new key card would have done exactly nothing.


    • Roger Strong (profile), 2 Feb 2017 @ 8:46am

      Re:

      "I went to my first computer conference at the New York Hilton. When somebody there predicted the market for microprocessors would eventually be in the millions, someone else said, "Where are they all going to go? It's not like you need a computer in every doorknob!" Years later, I went back to the same hotel. I noticed the room keys had been replaced by electronic cards you slide into slots in the doors. There was a computer in every doorknob."
      - Danny Hillis


  • ECA (profile), 2 Feb 2017 @ 11:45am

    rule #1

    ALWAYS KEEP 3 COPIES...
    never ever is there 1 copy...
    Original copy, computer copy, OFFSITE COPY....
    PERIOD..NO IF, OR, AND, BUT, coulda/woulda/mighta///


    • Anonymous Coward, 3 Feb 2017 @ 1:52am

      Re: rule #1

      In a decent backup system, there is more than one offsite and offline backup, so that you never write the last offsite backup. The last system I worked with kept 7 + 12 offsite and offline copies, rotating weekly, and rotating monthly copies. Also, a test restore, or at least a consistency check, is required on a regular interval, just to check the system.

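The simulation below is an added example, not code from the page, from any of the commenters or from any police department. It makes possibility 2 from the earlier four-point comment concrete (backups expired before anyone noticed the compromise) and uses the 7 weekly + 12 monthly offline rotation described just above as the tiered alternative. The discovery date is the December 12 given in the article; the infection date, the backup start date and the retention counts are constructed assumptions, and the code assumes that any copy taken on or after the infection date contains damaged files.

```python
"""Backup retention simulation: an added, hypothetical example, not code from
the Techdirt page or from any police department.  It compares a naive
'keep the last 7 days' scheme with a grandfather-father-son rotation and
reports, for each, whether any retained copy predates the infection and how
much work sits between that copy and the day the infection was discovered.
The infection date is constructed; the discovery date is from the article."""
from datetime import date, timedelta

INFECTION = date(2016, 11, 28)   # constructed: day the ransomware first ran
DISCOVERY = date(2016, 12, 12)   # from the article: day the infection was noticed


def daily_backups(first: date, last: date) -> list[date]:
    """One backup per day from `first` to `last` inclusive (constructed history)."""
    return [first + timedelta(days=i) for i in range((last - first).days + 1)]


def daily_only_retention(backups: list[date], today: date, keep_days: int = 7) -> set[date]:
    """Naive scheme: keep only the last `keep_days` daily copies."""
    return {d for d in backups if 0 <= (today - d).days < keep_days}


def gfs_retention(backups: list[date], today: date, daily: int = 7,
                  weekly: int = 7, monthly: int = 12) -> set[date]:
    """Grandfather-father-son rotation: the last `daily` days of daily copies,
    the Sunday copy for each of the last `weekly` weeks, and the first copy of
    each month for the last `monthly` months.  The weekly and monthly sets are
    the ones a shop would rotate offsite and offline."""
    keep = {d for d in backups if 0 <= (today - d).days < daily}
    keep |= {d for d in backups
             if d.weekday() == 6 and 0 <= (today - d).days < weekly * 7}
    first_in_month: dict[tuple[int, int], date] = {}
    for d in sorted(backups):
        first_in_month.setdefault((d.year, d.month), d)

    def months_back(d: date) -> int:
        return (today.year - d.year) * 12 + (today.month - d.month)

    keep |= {d for d in first_in_month.values() if 0 <= months_back(d) < monthly}
    return keep


def last_clean_backup(retained: set[date], infection: date):
    """Latest retained copy taken strictly before the infection (a copy taken
    on the infection day may already hold encrypted files), or None when the
    rotation has expired every pre-infection copy."""
    clean = [d for d in retained if d < infection]
    return max(clean) if clean else None


def loss_window_days(retained: set[date], infection: date, discovery: date):
    """Days of work between the last clean copy and discovery: material that
    has to be re-entered from hardcopy, or is simply gone if it was the sole copy."""
    clean = last_clean_backup(retained, infection)
    return None if clean is None else (discovery - clean).days


def scenario() -> dict:
    """Compare both schemes over the constructed timeline."""
    backups = daily_backups(date(2016, 1, 1), DISCOVERY)
    results = {}
    for name, retained in (("daily_only", daily_only_retention(backups, DISCOVERY)),
                           ("gfs", gfs_retention(backups, DISCOVERY))):
        results[name] = {
            "copies_kept": len(retained),
            "last_clean": last_clean_backup(retained, INFECTION),
            "loss_window_days": loss_window_days(retained, INFECTION, DISCOVERY),
        }
    return results


if __name__ == "__main__":
    for name, r in scenario().items():
        print(name, r)
```

With a two-week gap between infection and discovery, the daily-only scheme has already overwritten every clean copy, while the tiered rotation still holds the Sunday copy from just before the infection and limits the re-entry window to about two weeks. Retention only helps, though, if the infected host cannot reach the retained copies (possibility 1 in the earlier comment): the weekly and monthly sets should be pulled by a separate backup host or written to offline media, not pushed to a share the desktop can write to, and the test restores the commenter above mentions are what confirm the retained copies are actually usable.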

  • That One Guy (profile), 2 Feb 2017 @ 1:54pm

    Seems simple enough

    If hackers had access to the evidence then none of it should be admissible, as it's not possible to prove that it wasn't tampered with. While that's certainly a pain for the police and defense lawyers (more the former than the latter I'd imagine) it's their own damn fault for not keeping backup copies of such important data in multiple formats beyond gorram CDs of some of the data.

    Maybe having every single current case undermined will give them the incentive they need to practice better security and data backup going forward.


