Police Say No Evidence Of Value Was Lost In Ransomware Attack, Except Maybe Some Stuff Defense Lawyers Might Find Useful
from the all-good-on-THIS-side,-assume-same-for-others,-etc. dept
Ransomware is everywhere. And it’s affecting everything, including critical systems. Sure, it’s kind of humiliating to be locked out of your smart TV, but hospitals are being locked out of patient records and, in a new twist, hotel guests are being locked out of their rooms.
Then there’s something like this, where the chain of evidence is disrupted by ransomware purveyors.
The Cockrell Hill Police Department lost video evidence and a cache of digital documents after hackers invaded the department’s computer system last month.
Stephen Barlag, Cockrell Hill’s police chief, said the incident was not the work of hackers, but acknowledged that the incident included a computer-generated ransom demand.
“This was not a hacking incident,” Barlag said in a news release Wednesday evening. “No files or confidential information was breached or obtained by any outside parties.”
[Rather entertaining to note WFAA’s opening sentence is immediately contradicted by the Police Chief’s statements. #journalism]
While it’s reassuring no evidence was obtained by outside parties, it’s not that much more reassuring to hear the owner of the data couldn’t access it either. The PD consulted with the FBI before coming to the conclusion that the files might still be inaccessible even if it did pay the $4,000 ransom.
The department, however, is not being all that upfront about the possible negative effect this might have on criminal defendants, who might want to challenge the evidence against them or look through it for anything exculpatory. The department — despite admitting its backup was similarly infected — claims this is no big deal.
Barlag said of the lost files, “none of this was critical information.”
Define “critical.”
“Well, that depends on what side of the jail cell you’re sitting,” said J. Collin Beggs, a Dallas criminal defense lawyer who has a client charged in a Cockrell Hill felony evading case involving some of the lost video evidence.
This would be video evidence Beggs has been asking for since last summer — well before the PD’s files were wiped out by ransomware. It could be very critical information, despite Police Chief Barlag’s assertion to the contrary. What’s useful to a defendant is seldom viewed as useful by law enforcement. Hence the difference of opinion.
But even while stating nothing of (subjective) value was lost, Chief Barlag did admit there was a possibility that defense lawyers might be interested in finding out what evidence might no longer be available. And the department may not have made this loss public if it hadn’t needed to speak to defendants about its inability to secure relevant evidence.
Barlag said he didn’t know how much of the digital material lost was evidence in pending criminal cases, but acknowledged that some of it was. He said no cases have been dismissed that he knows of because of the losses.
Well… yet. The infection wasn’t discovered until December 12th and the department didn’t go public until more than a month after that. So, news that evidence needed in prosecutions may not be available has spread very slowly. And the details of what’s recoverable make it clear that the department values narrative over less-biased documentation. The police reports are retained in hard copy. Any recordings of incidents detailed in these reports are apparently backed up in a more haphazard fashion.
Some of the videos were backed up on CDs, but those that were not are lost.
No police reports, nor any criminal history information, was lost, Barlag said.
Comforting… for the police department. Not so much for criminal defendants, who are going to have an even harder time arguing against “our word vs. yours” assertions — which cops can back up with police reports while giving defendants nothing at all to push back with.
Comments on “Police Say No Evidence Of Value Was Lost In Ransomware Attack, Except Maybe Some Stuff Defense Lawyers Might Find Useful”
Simple: if the evidence is lost then there’s no case, the accused walk free and the cops are shamed and some heads cut (figuratively) for the incompetence. What are the chances of it happening? My educated guess is zero for the punishment and very low for the dismissals.
Re: Re:
And that is what is going to happen. They blew their own case. A few more times, and cops will learn to make backups.
Is this the new way of losing inconvenient evidence?
Re: Re:
It’s a sad state of affairs when this is in the realm of possibility.
Re: Re:
That was my thought as well
Maybe the police department need to fire their IT guys?
If you are handling sensitive evidence like this you should have a very secure system to do it and to safely store it (otherwise how can you prove chain of custody?).
Re: Re:
I used to write software for police departments. Security truly was all or nothing.
Some departments were so secure I had to send them blind SQL statements to update their database which I could never view. These SQL statements would be, of course, gone over with a fine-toothed comb prior to execution. And you could never hook a computer up to their network. You had to use theirs with a secure remote desktop to your own machine that couldn’t transfer files. If you wanted to deliver software, it had to be done in a prescribed way to be scanned first. And you had to have a background check first or you never even got to do any of that.
Others would beg us to come in on a remote desktop with a single shared password that never changed and that everyone who ever worked there knew. And they would just let us do anything we wanted with full admin rights, even though we were just contractors.
It was stunning how all or nothing it was.
Adverse inference -- How convenient you lose all the exculpatory evidence!
I certainly hope the defense lawyers use this loss to get adverse inferences against the police department and release their clients.
What I don’t get is why police (and the FOP) don’t seem to need to convict criminals “by the book”. All this sloppiness!
"This was not a hacking incident"
So it was caught by somebody looking at Russian porn on a Police computer, probably during work hours. Nice to see taxpayer money well spent.
“none of this was critical information.”
It wasn’t drug money so who cares, besides defendants are guilty as soon as they’re charged, no?
/s
"No files or confidential information was breached"
If I were a defence lawyer my first question would be, “for any evidence presented in court that was held on this system, how can you prove it was not altered in any way?”
Erm...
This sounds not entirely unlike:
Defendant: There’s a disagreement between what the defendant says and the police officer. As such, we need your bodycam footage please
PD: Erm, we lost it all. Ransomware, yes, ransomware, that was it. Damn shame.
Chain of Custody
The overarching problem here, beyond what was directly lost, is the breach in chain of custody. Had they paid the ransom, there would still be a significant breach in the chain of custody of the evidence because an outside actor has taken control of the documents and it would be difficult to prove that nothing has been altered. Taken broadly, this is a problem for *all* documents, whether they were captured by the ransomware or not, because it shows that someone else at least had access to the files, although there is not the same evidence they were compromised.
Suffice to say, I’m glad I’m not the Department’s IT staff or the prosecutor who is going to have to convince a judge that the evidence should be admitted.
Easy equation to understand
Exonerating Evidence = No Value
Incriminating Evidence = HIGH value.
As only “Exonerating” evidence was lost, the statement is therefore true.
Q.E.D.
Note to self: never hire brother-in-law bricklayer as police IT guy.
It’s doubtful that the suspect would simply walk free. But it does create a major problem for the police department involved in the case. The police department and the prosecutor are required by law to preserve all evidence in a trial, even exculpatory evidence that may exculpate the defendant and that the evidence MUST be turned over to the defense attorney. When this doesn’t occur, and it doesn’t matter how it happened, it’s considered in a court of law to be a Brady violation.
The prosecutor may dismiss the case rather than deal with the headache but then they have to deal with the fallout over the police losing the evidence in the first place. The fact that the only evidence that was unrecoverable was evidence crucial to the defense speaks volumes as to the shenanigans of the police department and offers a clue as to their motives.
The judge may even find that the evidence destroyed penalizes the client and violates his constitutional right to due process. The police department surely made backups of this evidence. I find it hard to believe they didn’t back up this evidence, even if it was embarrassing to the department.
Re: Re:
Per the article, they have backups, and those backups are likewise compromised (except for the backups written to CD, which apparently are not comprehensive). This leads to one of a few possibilities, none of them good:
You wouldn't have been arrested in the first place...
if you weren’t guilty. Right?
/s
not lost, destroyed
The PD should be charged for destroying evidence. Maybe some PDs would learn how to store evidence properly from that.
Let me point out something: Police Departments never get charged with anything related to destruction of evidence. The most that happens is that an individual officer may get suspended for a short time with pay or the court may admonish the police department, but nothing ever happens.
It’s up to either the courts or the prosecutor to determine whether to dismiss a case. But, there’s no penalty for it.
Could that have been why I could not get into my hotel room once on a Disneyland trip? I ended up having to sleep in my car until the office opened next morning.
I always thought the key might have been demagnetized by something on the park. I wonder now if some kind of malware could have screwed up the lock, as the office had to make a new key card for me next morning.
Re: Re:
The answer you’re looking for is no. Also, I really hope this is an example of Poe’s law.
1. If your lock was infected, every other lock in the building would also be infected, since the likelihood of every lock being on a separate system with separate malware protection is infinitesimally small.
2. If the lock was infected with malware, making a new key card would have done exactly nothing.
Re: Re:
“I went to my first computer conference at the New York Hilton. When somebody there predicted the market for microprocessors would eventually be in the millions, someone else said, “Where are they all going to go? It’s not like you need a computer in every doorknob!” Years later, I went back to the same hotel. I noticed the room keys had been replaced by electronic cards you slide into slots in the doors. There was a computer in every doorknob.”
– Danny Hillis
rule #1
ALWAYS KEEP 3 COPIES…
never ever is there 1 copy…
Original copy, computer copy, OFFSITE COPY….
PERIOD..NO IF, OR, AND, BUT, coulda/woulda/mighta///
Re: rule #1
In a decent backup system, there is more than one offsite and offline backup, so that you never write the last offsite backup. The last system I worked with kept 7 + 12 offsite and offline copies, rotating weekly, and rotating monthly copies. Also, a test restore, or at least a consistency check, is required on a regular interval, just to check the system.
Seems simple enough
If hackers had access to the evidence then none of it should be admissible, as it’s not possible to prove that it wasn’t tampered with. While that’s certainly a pain for the police and defense lawyers (more the former than the latter I’d imagine) it’s their own damn fault for not keeping backup copies of such important data in multiple formats beyond gorram CDs of some of the data.
Maybe having every single current case undermined will give them the incentive they need to practice better security and data backup going forward.