Monday, November 23, 2009

Fail-Safe Argument

A Mississippi court recently addressed what, as far as I can tell, was a novel computer forensics argument. The case is Renfrow v. State, 2009 WL 3740656 (Mississippi Court of Appeals 2009).

We’re really not concerned with the facts in this case. Suffice it to say that Rubin Renfrow was charged with possessing child pornography after children who were related to him and had visited his home said he had touched them inappropriately and shown them child pornography. Renfrow v. State, supra. The county sheriff’s department got a warrant to search his home and seize his computer; the sheriff’s deputies who seized the computer delivered it “to the Mississippi Attorney General’s Cyber Crime Unit (the Cyber Crime Center), where forensic investigators Sherita Sullivan and Keith Leavitt examined” it. Renfrow v. State, supra.

Prior to trial, Renfrow filed several motions to suppress evidence obtained from the hard drive of his computer; the trial court denied all of them. Renfrow v. State, supra. Renfrow went to trial on the child pornography charge and was convicted. On appeal, he argued that the trial court erred when it denied his motions to suppress evidence. Renfrow v. State, supra. We’re only going to focus on one of those motions.

Prior to trial and again on appeal, Renfrow argued that the trial court “should have suppressed the evidence that was obtained from his computer because the Cyber Crime Center did not have adequate fail-safe systems to protect the integrity of his original hard drive.” Renfrow v. State, supra. From what, you ask? Well, in related motions to suppress Renfrow claimed that (i) his original hard drive “might have been exposed to virus contamination while it was in the State’s custody” and (ii) Leavitt found “two ‘bad sectors’ on Renfrow’s original hard drive”. Renfrow v. State, supra.

The Court of Appeals found that the trial court correctly denied the “virus contamination” motion because while there was “some testimony that there were viruses, spyware, adware or ‘Trojan’ programs” on the hard drive, “there was no evidence that those items first appeared on the original hard drive while it was in the State’s custody.” Renfrow v. State, supra. The Court of Appeals therefore held that the “only reasonable inference” was that “those items were on Renfrow’s original hard drive” when the sheriff’s deputies seized it. Renfrow v. State, supra. The Court of Appeals also noted that the “State’s expert witnesses testified that their use of a ‘write-blocker’ prevented any alterations to Renfrow’s original hard drive” and that Renfrow did not present any evidence to the contrary. Renfrow v. State, supra.

The Court of Appeals reached essentially the same conclusion with regard to Renfrow’s “bad sectors” motion to suppress. The court found there was “no evidence that the ‘bad sectors’ were damaged during the time Renfrow’s hard drive was in the custody of the . . . Sheriff’s Department or the Cyber Crime Center”. Renfrow v. State, supra. It also noted that the two Cyber Crime Center analysts (Sullivan and Leavitt) testified that the Center’s “first priority was to maintain the integrity of the original hard drive”. Renfrow v. State, supra. The court found that “Renfrow’s claim under this heading is entirely meritless” and upheld the denial of his motion to suppress. Renfrow v. State, supra.

And that brings us back to what we’re really concerned with: the fail-safe motion to suppress. On appeal, Renfrow argued that the trial court

should have suppressed the evidence that was obtained from his computer because the Cyber Crime Center did not have adequate fail-safe systems to protect the integrity of his original hard drive.

Renfrow v. State, supra. I wish I could give you more details about Renfrow’s argument here, but I don’t have access to the appellate briefs in the case (via Westlaw or the Court of Appeals’ website) so this is all I know about the factual and technical bases of the argument. It looks, as I noted earlier, like this argument may have been the omnibus claim that encompassed and attempted to justify the “bad sectors” and “virus” claims. But that’s just speculation on my part.

What I do know is that this argument failed, just like the “bad sectors” and “virus” claims. This is what the Court of Appeals had to say about it:

Investigator Gunter [the Sheriff’s Department investigator who executed the warrant at Renfrow’s home and seized his computer] testified that Renfrow's computer was off when he first encountered it in Renfrow's home. Investigator Gunter simply unplugged Renfrow's computer when he seized it. He did not turn on Renfrow's computer to prevent the possibility of any alterations to Renfrow's hard drive. He placed evidence tape over the plug ports to the computer to prevent anyone from hooking the computer up and turning it on.

Sullivan and Leavitt testified in great detail regarding the Cyber Crime Center's fail-safe systems. They described how each aspect of the Cyber Crime Center's fail-safe systems and the investigative process were designed specifically to protect the integrity of an original hard drive. Sullivan removed the original hard drive and placed a write-blocking device on it to prevent any alterations to the original hard drive. Sullivan made an exact copy of the hard drive and examined the copy. The intended purpose behind examining the copy was to protect the integrity of the original hard drive. Leavitt made a similar duplicate copy for Renfrow's expert to examine. Again, the specific purpose of making a copy was to protect the integrity of the original evidence. Renfrow's attorney wanted to boot up the original hard drive so his expert could examine it. The State opposed Renfrow's request and explained that booting up the original hard drive would destroy the integrity of the original evidence. Suffice it to say, every step of the State's procedure to gather evidence from the original hard drive was designed to protect the integrity of the evidence. This issue, like the other two under this heading, is meritless.

Renfrow v. State, supra.
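An added example, not from the post or the court record: a minimal sketch of the workflow the testimony describes (read the original only through a write blocker, examine copies), extended with the hash check that lets any copy be verified against the acquisition. The disk class, its contents and the bad-sector numbers are constructed, and the opinion as quoted here does not say how the Cyber Crime Center verified its copies.

```python
import hashlib

SECTOR = 512  # bytes per sector in this constructed example

class ConstructedDisk:
    """Constructed stand-in for a write-blocked source drive: it exposes reads only."""
    def __init__(self, data, bad_sectors):
        self._data, self._bad = bytes(data), frozenset(bad_sectors)
        self.sectors = len(self._data) // SECTOR

    def read_sector(self, n):
        if n in self._bad:
            raise OSError(f"unreadable sector {n}")
        return self._data[n * SECTOR:(n + 1) * SECTOR]

def acquire(disk):
    """Image sector by sector; zero-fill and log unreadable sectors, hash the result."""
    image, bad = bytearray(), []
    for n in range(disk.sectors):
        try:
            image += disk.read_sector(n)
        except OSError:
            image += bytes(SECTOR)   # keep offsets aligned with the source
            bad.append(n)            # recorded in the acquisition notes
    return bytes(image), bad, hashlib.sha256(image).hexdigest()

def verify_copy(copy, recorded_sha256):
    """True only if the copy is bit-for-bit the image that was acquired."""
    return hashlib.sha256(copy).hexdigest() == recorded_sha256

def demo():
    data = bytes((i * 7) % 256 for i in range(8 * SECTOR))  # constructed contents
    disk = ConstructedDisk(data, bad_sectors={3, 5})          # constructed bad sectors
    image, bad, digest = acquire(disk)           # examiner's working copy
    image2, bad2, digest2 = acquire(disk)        # second copy, e.g. for a defense expert
    tampered = bytearray(image)
    tampered[10] ^= 0x01                         # a single flipped bit in a copy
    return {
        "bad_sectors": bad,
        "copies_match": digest == digest2 and bad == bad2,
        "working_copy_ok": verify_copy(image, digest),
        "tampered_detected": not verify_copy(bytes(tampered), digest),
        "bad_sector_zero_filled": image[3 * SECTOR:4 * SECTOR] == bytes(SECTOR),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Matching digests and identical bad-sector logs across acquisitions document that the copies agree with each other; they say nothing about when the sectors went bad.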

I haven’t seen any other reported cases that raise the “bad sectors” and “fail-safe” claims (the Trojan horse/virus stuff has, of course, been around for quite a while). I thought the claims might be interesting when I first ran across this case, but they seem to have been thrown out almost randomly.

As the Court of Appeals noted, Renfrow never pointed to any specific evidence showing that the investigators were responsible for the bad sectors and/or for the malware on his hard drive. In other words, he never linked either to the officer who seized his computer or the forensics analysts who examined it at the Cyber Crime Center. And he never explained how either had anything to do with the child pornography on his hard drive; basically, the virus and bad sector arguments seem to have been purely “might have” arguments, the kind of murky, technology-conspiracy-theory stuff that might work with a jury, especially a jury that wasn’t particularly tech-savvy. Here, though, it seems to have been pretty much a waste of time.

I don’t know if Renfrow can, or will, appeal to the Mississippi Supreme Court. I suspect the case is over. I don’t see anything that would justify appealing to the U.S. Supreme Court or that court’s taking the case if Renfrow were to try.

And fyi, maybe: On May 2, 2008 Renfrow was sentenced to serve 15 years in prison for the conviction on the child pornography charge. According to the Mississippi Attorney General’s press release, he was then 72 years old and a retired teacher; the press release says he “taught school for 30 years in the Pearl and Jackson Public Schools.” I assume he was out on bond pending outcome of the appeal but is or will soon be starting to serve his prison sentence.


Tony Patrick said...

The examiner's use of a write blocker pretty much kills any argument of alteration, but the use of evidence tape over the power port to prevent it being turned on before reaching the crime lab was a stroke of genius.

I've seen a lot of cases where the defense wanted to call everyone in the chain of custody trying to find a hole, but this approach was pretty novel, and not in a good way. Not altering the evidence is the first thing you teach an examiner, and probably the most documented aspect of computer forensics.

Anonymous said...

I really have to wonder what awful things Renfrow might have gotten away with during his 30 years as a teacher.

Anonymous said...

Or you could just save your time and not wonder about all the awful things he may or may not have done and live your own life perhaps.