Wednesday, May 19, 2010

Malware and Search Warrant

A recent decision from a federal district court addresses an issue I hadn’t seen before: whether searching malware on the suspect’s computer was outside the scope of the search warrant issued for that computer. It seems a narrow issue, and unfortunately the opinion issued in the case doesn’t tell us a whole lot about what happened; but I thought the issue was worth writing about, if only to note that it arose.


It arose in U.S. v. Kernell, 2010 WL 1491873 (U.S. District Court for the Eastern District of Tennessee 2010). As you may know, this investigation of David C. Kernell arose from his “alleged access of the Yahoo! email account of then Governor Sarah Palin in September 2008.” U.S. v. Kernell, supra. This, according to the court, is the context from which the malware search issue arose:


On September 20, 2009, Special FBI Agent Andrew M. Fischer sought a search warrant to search [Kernell’s] bedroom and the common areas of the apartment in which [he] resided in Knoxville, Tennessee, in connection with his investigation of [Kernell’s] alleged unauthorized access of an email account belonging to Governor Palin. The . . . United States Magistrate Judge found probable cause and issued the search warrant (‘the first search warrant’) that evening. Neither the search warrant and attachments, nor the supporting affidavit contained a search protocol limiting the way in which the computer would be analyzed. The search warrant was executed at 11:55 p.m., on September 20, 2008, and an Acer laptop computer was among the items seized from [Kernell’s] bedroom. Federal agents subsequently conducted a forensic analysis of the . . . computer.


U.S. v. Kernell, supra. The government later obtained and executed a second search warrant for the laptop, but we’re not concerned with it . . . we’re only concerned with the first search warrant.


As a result of the investigation, on


October 7, 2008, [Kernell] was charged by indictment with a single count of felony unauthorized access of a computer. On February 3, 2009, [he] was charged in a four-count Superseding Indictment with identity theft, wire fraud, computer fraud, and anticipatory obstruction of justice.


U.S. v. Kernell, supra. (Basically, anticipatory obstruction of justice encompasses someone’s destroying or tampering with what might become evidence in a civil or criminal case; therefore, unlike traditional obstruction of justice crimes, it doesn’t require that the evidence be destroyed while a case is pending, i.e., while a case already exists. See Dana E. Hill, Anticipatory Obstruction of Justice, 89 Cornell Law Review 1519 (2004).)


In January of 2009, Kernell filed a motion to suppress evidence obtained as a result of executing the first search warrant. U.S. v. Kernell, supra. On July 27, 2009, he filed his second motion to suppress “Evidence Obtained as Result of Government’s Unauthorized Access of the Laptop Computer,” U.S. v. Kernell, 2009 WL 2337075 (2009) (hereinafter, “Second Motion to Suppress”). This motion essentially argued that after the government seized Kernell’s laptop, its agents “exceeded the scope of [their] authority [under the first search warrant] by examining all of the computer’s contents without the prior judicial approval to do so.” Second Motion to Suppress, supra.


So Kernell was making a scope argument. As I’ve noted in earlier posts, the 4th Amendment protects us from “unreasonable” searches conducted by the government; as I’ve also noted, a search is “reasonable” if it’s conducted pursuant to a validly-issued search warrant. And, as I noted in other posts, a search conducted pursuant to a search warrant is “reasonable” only as long as the search stays within the scope of the authority conferred by the warrant. So, for example, if police got a search warrant to search your house for a stolen flat screen TV, they could legitimately search your house wherever the TV could be until they find it; once they find it, their search authority is extinguished. And since the warrant authorizes a search for the stolen flat screen TV, they couldn’t look in places where such a TV could not conceivably be, such as dresser drawers. If they did either of these things, their search would have exceeded the scope of their warrant and would be unreasonable under the 4th Amendment.


Getting back to Kernell. . . he raises the scope of the search issue in his second motion to suppress, but doesn’t mention malware. That emerges in his Reply to Government’s Response to Second Motion to Suppress. U.S. v. Kernell, 2009 WL 2474734 (2009) (hereinafter, “Reply”). (As I think I’ve noted, the motion dynamic is that one side files a motion, the other files a response to the motion and then the movant, the party that filed the motion, can file a reply, which ends the dynamic.)


The malware issue comes up in the section of the Reply in which Kernell is again arguing that the government exceeded the scope of the first search warrant when it searched his laptop:


Mr. Kernell's position has been that the warrant did not authorize the extensive searching evidenced by the forensic reports, meaning that the files were obtained outside the scope of the warrant. . . . [B]ased on the way the examiners understood their assignments, the searching was not limited to the items listed in Attachment B to the first search warrant. See . . . (06/26/09 Supplemental Technical Analysis Report) (‘determine if any malware caused outbound communication attempts or provided remote access to the imaged hard drive’). By analysis of the sophisticated malicious code that was somehow installed on the computer before Mr. Kernell possessed it, or otherwise, the government has obtained the following information outside the scope of the authority of the first warrant:

(1) The citibank.com username and password created in March 2008 by Mr. Kernell's aunt and uncle;

(2) Mr. Kernell's aunt's MasterCard account information used to donate to the Narcolepsy Network in April 2008;

(3) Personal emails to which Mr. Kernell was not party, including emails sent from Mr. Kernell's uncle to Mr. Kernell's aunt, from Mr. Kernell's aunt to Mr. Kernell's cousin;

(4) Mr. Kernell's aunt's PayPal log-on and password information . . . ;

(5) Messages from Facebook account dated September 4, 2008. . . ;

(6) Information that Mr. Kernell downloaded software for Zune on September 11, 2008, a program manufactured by Microsoft to listen to music . . . ;

(7) The results of ‘[a]n examination for the term “Blackberry”’ . . . ;

(8) Information related to the allegation of obstruction of justice rather than the charges listed in the first Warrant. . .


Reply, supra. According to the Reply, the


CART report informs that ‘[t]he hard drive contained a file . . . Activity of the computer user was appended to this file in a chronological progression best described as a log file.’ . . . This . . . ‘log file’ is actually a malicious computer code. Id. at 4. See also (05/13/09 IAU Report at 2) (describing this malicious code as ‘an extremely complicated root kit capable of allowing virtually undetected and untraceable access to the hard drive’).


Reply, supra. So that’s the malware issue Kernell raised as one of the arguments in support of his motion to suppress evidence found on the laptop during the execution of the first warrant. On March 31 of this year, the U.S. Magistrate Judge who was assigned this case issued a ruling on Kernell’s second motion to suppress. U.S. v. Kernell, supra.


In ruling on the motion, the Magistrate Judge noted that Kernell was arguing that the agents “examined ‘malware’ . . . and obtained” the eight items listed above “outside the scope of the first search warrant.” U.S. v. Kernell, supra. He noted that while the prosecution had not filed a reply to the malware allegations, a prosecutor at the hearing on the motion told the court that the items at issue were


seized pursuant to the search warrant as evidence of hacking activities. It argued that the emails and credit card information relating to [Kernell’s] aunt and uncle were relevant to who owned the computer at the time of the offense. It contended that the evidence suggested that more than one person was involved in the commission of unauthorized access of Governor Palin's account, thus it was important to establish who owned the computer and when. [Assistant U.S. Attorney] Goldfoot explained that the agents investigated malware, a program that created and disseminated a log of user activity, in order to rule out the possibility that someone other than [Kernell] gained control of [his] computer and committed the unauthorized access. While admitting that Zune files related to music, Mr. Goldfoot stated that metadata linked to the individual who accessed Governor Palin's account revealed that Zune was installed on the computer used by that individual. He asserted that the fact that Zune files were installed on [Kernell’s] computer and the date of their installation were relevant to proving that his computer was the one communicating with the relevant websites and, thus, was used to conduct the hacking activities.


U.S. v. Kernell, supra. The Magistrate Judge agreed with the prosecutor. He found that the “examination of the malware . . . was proper to establish the identity of the individual conducting the hacking activities.” U.S. v. Kernell, supra. (He also found that the seizure of the eight items at issue was lawful under several different theories.)


As Wikipedia explains and as you may already know, Kernell went to trial and on April 30 of this year was convicted on the obstruction of justice and unauthorized access counts. The jury deadlocked on the identity theft count and acquitted him on the wire fraud count. Wikipedia says he conceivably faces up to 20 years in prison but the sentencing guidelines call for a sentence of 15-21 months and allow for probation.
