how long to wait for password-protected files?

17 Posts
9 Users
0 Likes
2,014 Views
(@randomaccess)
Posts: 385
Reputable Member
 

On the other side of that, if you already have a good case, what benefit (if any) will adding another charge bring? If it's a CP case and you've got 5000 images, what more can you bring? Maybe you might get lucky and crack some serial killer or something, but I don't have experience doing that.

I'm aware of cases where an encrypted volume was broken into and what was previously just a possession offence was upgraded to a contact or grooming offence. Sometimes you hit a goldmine I suppose.

Overall, it's a difficult line to walk because, on one hand, it's just easier to let it go, and on the other, what if you let the person go and they do something?

 
Posted : 05/08/2016 12:18 pm
Red1
(@red1)
Posts: 19
Active Member
 

@randomaccess I totally agree. It's a fine line to walk, and there's no easy answer, especially when you throw supervisors and deadlines into the mix.

 
Posted : 08/08/2016 7:31 pm
(@jmundy)
Posts: 25
Eminent Member
 

I'm going to have to agree with Jaclaz.

I can't tell you how many cases I've let go (computer cases or otherwise) because that evidence was not there and we don't have the time to build the perfect case. Sometimes it's more efficient to catch them on the next one. Habitual offender laws help my office in that regard, because sometimes catching the criminal on the big case is just not going to happen.

On the other side of that, if you already have a good case, what benefit (if any) will adding another charge bring? If it's a CP case and you've got 5000 images, what more can you bring? Maybe you might get lucky and crack some serial killer or something, but I don't have experience doing that.

So I guess I'll say for me it's a balancing act. Effort vs. reward (and caseload).

I agree Red. If there's enough known evidence to charge it would seem to be a poor use of resources to keep hammering away at encrypted files. What do the rest of you think?

 
Posted : 05/02/2020 5:25 pm
(@rich2005)
Posts: 535
Honorable Member
 

Happens all the time.
If you can't get in you can't get in.
At the end of the day it's a resource issue and resources are finite.
Majority of the time you can build a successful case without even getting into the encrypted item.
You can only try (with all the various tricks at your disposal), then flag up you couldn't get into it, and leave/suggest others to go down any legal avenue if applicable (i.e. RIPA pt3 if warranted).
But hey, if your powers that be want to keep paying for you (in time/money) to keep trying to crack it, that's THEIR choice.
As an examiner, it's not for you to worry about (I think often the newer you are the more you worry), and you can only do what's possible, or more importantly what's instructed within the allotted time/funding.

 
Posted : 05/02/2020 9:33 pm
(@jmundy)
Posts: 25
Eminent Member
 

@rich2005

"then flag up you couldn't get into it, and leave/suggest others to go down any legal avenue if applicable (i.e. RIPA pt3 if warranted)".

If the suspect was to then claim they had "forgotten" their password, I'm guessing we could look at the following to throw doubt on that...

Time the encrypted files were last decrypted, evidence of the "recent use" of those files, use of a "password manager".

Any other areas we could look at to indicate they had not "forgotten" the password?

 
Posted : 02/09/2020 4:27 pm
(@rich2005)
Posts: 535
Honorable Member
 
Posted by: @jmundy

@rich2005

"then flag up you couldn't get into it, and leave/suggest others to go down any legal avenue if applicable (i.e. RIPA pt3 if warranted)".

If the suspect was to then claim they had "forgotten" their password, I'm guessing we could look at the following to throw doubt on that...

Time the encrypted files were last decrypted, evidence of the "recent use" of those files, use of a "password manager".

Any other areas we could look at to indicate they had not "forgotten" the password?

Things you could suggest are logical if you can identify any of that (obviously you might not know the contents, or even the filenames, if you can't decrypt it). So you might be looking at showing evidence of the contents of a mounted volume being recently accessed and/or indications (if there are any) that the mounted volume appears to be an encrypted volume, or that it's not one of the standard drives or USBs etc.

It's very often going to be impossible to "prove", barring exceptional circumstances, that someone hasn't forgotten the password, and it's probably going to come down to the opinion of the judge. So if that route is taken, the more weight you can give to shed doubt on the forgetfulness, the more chance of a favourable decision. And whilst not a direct factor, the strength of the other evidence might also sway the decision (i.e. a case with limited incriminating info is probably going to be a lot less likely to get a RIPA decision than one with strong evidence to suggest guilt). You can count on the fingers of one hand the number of successful section 53 convictions each year (although the number of actual attempted prosecutions is low too - so the percentage isn't actually totally tiny):

https://wiki.openrightsgroup.org/wiki/Regulation_of_Investigatory_Powers_Act_2000/Part_III#Cases

 
Posted : 02/09/2020 4:57 pm
(@jadams951)
Posts: 37
Eminent Member
 
Posted by: @yunus

Hello,

While examining a digital device, e.g. a hard drive, for a crime, you come across password-protected files like doc, xls, rar files. And you have no idea about the password. So you start password-cracking and brute-forcing; however, your examination finishes in, e.g., a week, but password cracking still continues, and will have to continue for an unknown period of time, and you will have to just wait, and you will never know whether it will ever be completed in a reasonable amount of time; it will probably take months or years depending on the complexity of the password.

So, you can't finalize your report as you are still waiting for the password-cracking, without knowing when it will finish or whether it will ever finish. However, you can't keep the completed examination in the lab for months just because you have a password-protected file for which it is unknown whether it will ever be cracked.

So how much time should you wait? How much time would be reasonable to wait for the password-cracking to complete?

The law says a forensic examination in general should be delivered in 1 month, and this could be extended up to 3 months if extra time is needed, and could still be extended for another 3 months if still more time is needed.

But in password cracking, nobody can give a fixed time period and no one can say "ok, we will crack this in 6 months' time", so you can't ask for a fixed time extension from the prosecutor.

And if you keep the case for months just because of password-cracking, new cases will pile up.

So my question is: if you have such an examination which was completed except for waiting for password-protected files, how long should you wait and keep the case for those files at most? 1 month, 3 months, 9 months, ...?

What do you think?

What jurisdiction is this law in that you have to have the forensic exam done in a month? We have cases that we usually don't get to for several months.

 
Posted : 03/09/2020 1:50 am
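One way to turn the "how long should we wait" question from the original post into a number, as an added example that is not from the thread: it estimates the worst-case exhaustion time of a staged brute-force plan and checks which stages fit inside the 1-month deadline and the two 3-month extensions described above. The plan, the alphabets and the guess rate are constructed placeholders; the rate has to be measured for the actual file format on the examiner's own hardware.

```python
"""Worst-case time budget for a staged brute-force plan, checked against the
1-month deadline and the two 3-month extensions mentioned in the thread.
Added example; every figure below is a constructed placeholder."""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400

# Reporting windows from the thread as cumulative days (30 + 90 + 90).
WINDOWS = {"initial (1 month)": 30,
           "first extension (+3 months)": 120,
           "second extension (+3 months)": 210}


@dataclass(frozen=True)
class Stage:
    """One mask-style phase: every string over an alphabet of charset_size
    symbols whose length lies between min_len and max_len inclusive."""
    name: str
    charset_size: int
    min_len: int
    max_len: int

    def candidates(self) -> int:
        # Sum of charset_size**n over each length in the range.
        return sum(self.charset_size ** n
                   for n in range(self.min_len, self.max_len + 1))


def plan_schedule(stages, guesses_per_second):
    """Cumulative worst-case day on which each stage finishes, in plan order.
    A random password is found on average at half these times; a deadline
    decision has to assume the worst case."""
    elapsed_s, schedule = 0.0, []
    for stage in stages:
        elapsed_s += stage.candidates() / guesses_per_second
        schedule.append((stage.name, elapsed_s / SECONDS_PER_DAY))
    return schedule


def stages_within(schedule, deadline_days):
    """Names of the stages that are fully exhausted by the deadline."""
    return [name for name, day in schedule if day <= deadline_days]


def budget_report(stages, guesses_per_second):
    """Which stages each reporting window can complete; if the final window
    gains nothing over the first, waiting longer buys no new coverage."""
    schedule = plan_schedule(stages, guesses_per_second)
    return {label: stages_within(schedule, days)
            for label, days in WINDOWS.items()}


# Constructed plan and constructed guess rate (1,000 guesses/s); measure the
# real rate for the specific format before relying on this estimate.
PLAN = [Stage("digits 1-8", 10, 1, 8),
        Stage("lowercase 1-8", 26, 1, 8),
        Stage("mixed alphanumeric 1-8", 62, 1, 8)]
RATE = 1_000
```

Running `budget_report(PLAN, RATE)` shows that at this rate only the digit stage completes inside any of the three windows, so the extensions add no coverage and the examiner has a concrete basis for reporting the file as not recovered within the allotted time.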