Friday, January 08, 2010

Encryption and the Execution of Computer Search Warrants

This post is about a recent decision from a federal court in Texas: U.S. v. Kim, 2009 WL 5185389 (U.S. District Court for the Southern District of Texas 2009).

This opinion contains the court’s ruling on the arguments Steven Kim made in support of his motion to suppress evidence found on computers and hard drives seized from his home in Houston. We’re not going to examine all of his arguments; we’re only going to focus on one. First, though, I need to outline the facts in the case.

From 2006 until February 5, 2008, Kim was a Senior Database Administrator for GEXA Energy (GEXA), a subsidiary of Florida Power and Light Group (FPL). U.S. v. Kim, supra. GEXA maintains the GEXA Energy Management System Application and Database (GEMS), which “houses the customer and billing information of GEXA’s customers in Houston”. U.S. v. Kim, supra. Kim had “administrative rights and passwords to access the GEMS system” but lost his right to access the system when he was “suspended from employment on January 17, 2008.” U.S. v. Kim, supra. On May 2, 2008,

the Director of Security for FPL advised United States Secret Service agents `that an individual, without authorization, accessed the `GEXA Energy' . . . system in Houston. . . .’ On May 6, Sergio O. Guzman, a forensic investigator for the FPL group, advised USSS agents that between April 28 and May 1, 2008, . . . the company discovered `several unauthorized attempts to access the GEXA . . . network, via Virtual Private Network (VPN).’ GEXA told the . . . agents that the . . . unauthorized access appeared to be directed at [accessing] and compromising the integrity and availability of the GEMS . . . Database.

On June 2, the Government applied for a search warrant. . . . Agent Jimmy Mance submitted his Affidavit in Support of the Application for Search Warrant. . . . Mance stated that on August 16, 2007, Kim and other GEXA employees learned the GEMS database could be corrupted if large amounts of data were loaded onto the system. . . . Mance contended that, on October 24, 2007, Kim demonstrated his expertise of the GEMS database system in an e-mail directed to the GEXA database developer. Mance asserted Kim was suspended on January 17, 2008, pending a Human Resources Investigation. During this . . . suspension, Mance stated Kim no longer had access to the GEXA building, the GEXA network, or the GEMS database. . . .

Mance alleged that the GEXA [VPN] logs reflected that from January 17, 2008 through February 5, 2008, during Kim's suspension, the Internet Protocol address of made twelve failed log-in attempts to access the GEXA VPN network; two failed login attempts through the GEXA general administrator account; and one failed login attempt using another general administrator account. Mance contended that, throughout these dates, that particular IP address was assigned to Kim at his known address.

Mance alleged that on February 17, 2008, two intrusion attempts were made from a different IP address, . . .[A]lthough the first attempt was unsuccessful, the second succeeded in [accessing] the GEXA network system. This IP address allegedly belonged to Kim during the time that he was employed with the company.

Mance asserted that several subsequent attempts to access . . . the database were made from a third IP address, 76.199.73.177. On May 1, 2008, the logs reflected that this third IP address viewed the usernames and encrypted passwords of all GEMS database users. Based on information from the Internet service provider, Mance alleged that this . . . address belonged to Kim at his residential address.

U.S. v. Kim, supra. In the affidavit, Agent Mance requested a search warrant authorizing agents to seize the following items from Kim’s home: “`all computer hardware; software; related computer devices; and any items obtained as a result of fraud and related activity in connection with computers.’” U.S. v. Kim, supra. Mance’s affidavit also stated that the “investigation concerned the violation of 18 U.S. Code § 1030 (Computer Intrusion)." U.S. v. Kim, supra. As Wikipedia notes, § 1030, the Computer Fraud and Abuse Act, is the general federal computer crime statute.

On June 2, a federal magistrate issued a warrant authorizing a search of Kim’s residence for the items described above. U.S. v. Kim, supra. It authorized agents to access (i) “information relating to any records . . . that refer to or relate to GEXA or GEMS” and (ii) “records of . . . activities relating to the operation of a computer, such as telephone records, notes, books, diaries, and reference materials, including evidence in photographic form.” U.S. v. Kim, supra. Agents executed the warrant, seizing “several external hard drives, laptop and desktop computers”, all of which were taken to a “forensic laboratory for forensically imaged analysis.” U.S. v. Kim, supra.

The examiners searched Kim’s property “from June 3, 2008 through January 24, 2009 . . . for evidence of Computer Intrusion.” U.S. v. Kim, supra. On June 6, they “came across encrypted files and folders. These files were allegedly labeled, `ForbiddenFruit,’ `Illegal_Loli#,’ `Loli#,’ and other similar names.” U.S. v. Kim, supra. Agents applied for a warrant to search the encrypted files for child pornography on the basis that the file names plus the use of encryption to conceal the contents of the files established probable cause to believe they contained child pornography. U.S. v. Kim, supra. The agent who sought the warrant stated that the files “were encrypted with `CryptaPix’ software,” which “`is designed to secure . . . image files’”. U.S. v. Kim, supra.

The magistrate denied the application for the warrant, “reasoning that the file names were not necessarily indicative of child pornography.” U.S. v. Kim, supra. Despite that, examiners “spent two months decrypting the files” and eventually “discovered over eight hundred and forty child pornography images.” U.S. v. Kim, supra. The prosecution “state[d] that subsequent examination revealed digital evidence of Computer Intrusion.” U.S. v. Kim, supra.

On June 3, 2009, Kim was indicted on one count each of computer intrusion, possession of child pornography and aggravated identity theft. U.S. v. Kim, supra. He moved to suppress the evidence against him, making several arguments as to why his motion should be granted. U.S. v. Kim, supra. As I noted, we’re only going to deal with one of Kim’s arguments – the one that focused on the encrypted files.

Kim claimed “the Government’s search of the encrypted files allegedly containing child pornography exceeded the permissible scope of the search authorized by the warrant.” U.S. v. Kim, supra. He argued (i) that the examiners could “not have reasonably believed the encrypted files contained evidence of computer intrusion” and (ii) that the government’s applying for a warrant to search for child pornography showed that the government believed the files contained child pornography (not evidence of computer intrusion). U.S. v. Kim, supra. The government claimed (i) the child pornography was discovered “in plain view” during a “valid search for evidence” of computer intrusion and (ii) agents “reasonably believed” the files contained evidence of computer intrusion when they decoded them. U.S. v. Kim, supra.

In ruling on the arguments, the judge noted that the issue was not whether “the Government discovered the files in plain view pursuant to a warrantless search”, but “whether the . . . warrant to search for evidence related to computer intrusion allowed the Government's agents to decode and search the encrypted files.” U.S. v. Kim, supra. She found the government’s claim that the agents believed the files contained evidence of computer intrusion was “unpersuasive” because in his affidavit Agent Mance stated that the

folder labels were suggestive of child pornography. Nowhere in the application for a search warrant did Mance state that the encrypted files could also contain evidence of Computer Intrusion. . . . Additionally, child pornography is a much more serious crime, with more serious consequences than Computer Intrusion. If the Government's contention were true, Defendant would be a competitive contestant on World's Dumbest Criminals. The Government's witness, Agent Symeonidis, testified that, in his career as a computer forensic examiner, he has never seen a case where a defendant hid evidence of another crime in files with labels suggestive of child pornography.

U.S. v. Kim, supra. The judge then took up Kim’s argument that the search could have been “tailored to find only information within the scope of the warrant”:

Defendant's witness, David McGrody, testified the search could easily have been limited by date. The Government's witness, Symeonidis, testified that the government chose to decode the encrypted files because the files were last accessed during the period of alleged Computer Intrusion, in May of 2008. However, Defendant proved . . . that the last access to the encrypted files that occurred in May 2008 was clearly the result of a massive backup. . . . [O]n the date of last access, over two thousand files, including the encrypted files, were accessed in less than one minute. Defendant illustrated that this rate of access was the result of an automated program, not human access. . . .

McGrody stated the government could have limited the search by using the file created or last modified date. The Defendant argued that these dates would reflect the last time the files were actually manipulated by a non-automated process. The files in the encrypted folder were created five years before the alleged Computer Intrusion and last modified three years before [it]. Symeonidis testified that the government did not rely on the created or last modified dates because the agents thought the dates could have been changed or altered. McGrody testified that changing the dates would have taken . . . hundreds of hours. He stated that the . . . files which allegedly illustrate Defendant's involvement with Computer Intrusion were on a different computer, were not encrypted and none of the dates on those files were altered. Given these facts, McGrody testified it would not make sense for Defendant to spend the time changing the dates on the files.

U.S. v. Kim, supra. After considering all this, the judge found that the search “in this case was clearly not conducted in accordance with the narrow guidelines promulgated in Comprehensive Drug Testing”. U.S. v. Kim, supra. (The reference is to the Ninth Circuit’s en banc decision in U.S. v. Comprehensive Drug Testing, Inc., 579 F.3d 989 (9th Cir. 2009), which set out guidelines for executing computer search warrants, among them that the forensic examination be confined to the material the warrant actually authorizes.)
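The testimony above turns on two forensic points: a last-accessed timestamp shared by two thousand files touched within a minute is the signature of an automated process (a backup), not of a person opening files, and the created/modified dates are the ones that place a file inside or outside the period the warrant covers. The following Python script is an added illustration of that triage; it is not code from the court record or from the blog post, and every file record in it is constructed (the paths, dates and the hypothetical 1-minute/100-file burst threshold are assumptions, not figures from the opinion).

```python
"""
Timestamp triage over a file listing from a seized drive.

Added example (not from the opinion or the blog post). Given created /
modified / accessed timestamps, (1) find access-time bursts that look like an
automated process such as a backup rather than a human opening files, and
(2) keep only files whose timestamps plausibly fall inside the warrant window.
All records below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass
class FileRecord:
    path: str
    created: datetime
    modified: datetime
    accessed: datetime


# Constructed listing: ~2000 old photos plus one old encrypted container, all
# read by a backup job in under a minute, and one file actually edited during
# the alleged intrusion period (Jan 17 - May 1, 2008 per the affidavit).
BACKUP_RUN = datetime(2008, 5, 1, 2, 0, 0)          # assumed backup time
SAMPLE: List[FileRecord] = (
    [FileRecord(f"D:/backup/photos/img_{i:04d}.jpg",
                datetime(2003, 3, 10, 9, 0, 0),
                datetime(2005, 6, 1, 12, 0, 0),
                BACKUP_RUN + timedelta(milliseconds=20 * i))
     for i in range(2000)]
    + [FileRecord("D:/backup/Loli/container.cpx",    # hypothetical name
                  datetime(2003, 4, 2, 10, 0, 0),    # ~5 years before 2008
                  datetime(2005, 7, 15, 8, 0, 0),    # ~3 years before 2008
                  BACKUP_RUN + timedelta(seconds=45))]
    + [FileRecord("C:/Users/x/gexa_vpn_notes.txt",   # hypothetical name
                  datetime(2008, 2, 10, 21, 5, 0),
                  datetime(2008, 4, 30, 23, 40, 0),
                  datetime(2008, 5, 1, 22, 15, 0))]
)


def access_bursts(records: List[FileRecord],
                  window: timedelta = timedelta(minutes=1),
                  min_files: int = 100) -> List[Tuple[datetime, int]]:
    """Return (window_start, file_count) for every window in which at least
    `min_files` files were accessed. Thousands of reads per minute is the
    rate of a program, not a person; the threshold is an assumption."""
    times = sorted(r.accessed for r in records)
    bursts, i, n = [], 0, len(times)
    while i < n:
        j = i
        while j < n and times[j] - times[i] <= window:
            j += 1
        if j - i >= min_files:
            bursts.append((times[i], j - i))
            i = j                       # skip past the whole burst
        else:
            i += 1
    return bursts


def in_burst(r: FileRecord, bursts, window=timedelta(minutes=1)) -> bool:
    return any(start <= r.accessed <= start + window for start, _ in bursts)


def scope_filter(records: List[FileRecord],
                 start: datetime, end: datetime) -> List[FileRecord]:
    """Files a human plausibly touched in [start, end]: created or modified
    in the window, or accessed in the window outside any automated burst.
    Caveat: any of these timestamps can be altered (timestomping); on NTFS
    the usual cross-check is $STANDARD_INFORMATION against $FILE_NAME times,
    which a plain listing like this one does not carry."""
    bursts = access_bursts(records)
    keep = []
    for r in records:
        if start <= r.created <= end or start <= r.modified <= end:
            keep.append(r)
        elif start <= r.accessed <= end and not in_burst(r, bursts):
            keep.append(r)
    return keep


if __name__ == "__main__":
    win_start, win_end = datetime(2008, 1, 17), datetime(2008, 5, 1, 23, 59, 59)
    for when, count in access_bursts(SAMPLE):
        print(f"automated burst at {when}: {count} files in one minute")
    for r in scope_filter(SAMPLE, win_start, win_end):
        print("in scope:", r.path)
```

Run as-is, the script reports a single burst of 2001 files and leaves only the notes file in scope; the encrypted container drops out because its only timestamp inside the window is the backup's access time. The caveat in `scope_filter` is the agents' objection in the opinion: dates can be altered, so a date-bounded search should be corroborated from another source (filesystem metadata the owner cannot easily edit, or, as McGrody did, by showing that the relevant evidence elsewhere on the drives carried unaltered dates).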

Finally, she addressed the government’s argument that the child pornography was “in plain view” and therefore the discovery was valid under the plain view doctrine. The judge held that the doctrine did not apply because no images of child pornography were in plain view in this case. U.S. v. Kim, supra.

[T]he files were encrypted through a means so complicated . . . it took the agents two months to decode the files. Therefore, it is clear that when the agents decided to decode and to open each of the over eight hundred image files, the agents had abandoned their search for evidence of computer intrusion and had commenced a warrantless search for child pornography.

U.S. v. Kim, supra. The judge therefore granted Kim’s motion to suppress “all of the alleged evidence of child pornography discovered in the encrypted folders”. U.S. v. Kim, supra.

1 comment:

Tony Mann said...

While I don't know much about the law, I believe that if a warrant was issued for something specific then evidence obtained of other illegal activities is inadmissible. Am I correct?
