back to article Accused hacker Lauri Love loses legal bid to reclaim seized IT gear

"Mr Love, you're not the victim in this. You brought this on yourself; you're the victim of your own decisions," District Judge Margot Coleman told accused hacker Lauri Love in court today as she refused to return computers seized from him by the National Crime Agency. Love, 34, had asked for the return of computers and …

  1. JimmyPage Silver badge
    Black Helicopters

    Something not ringing true here ...

    The NCA copied the drive's contents through the use of a so-called "harvest drive", which the judge said "allows data to be seen and preserved". The NCA slurped 124GB of data; however, "before that process could be finished an encryption process cut in to the devices themselves".

    One of the commandments of forensic data analysis is that the suspect machine, once acquired, is never powered on.

    So how could an "encryption process cut in" when a raw data drive is being read, unless the drives firmware has been hacked ? And if that were a possibility (I have no idea about Mr. Loves talents) then why didn't it kick in immediately, and prevent any data recovery ?

    The UKs intense reluctance to allow the US to prosecute this case may be related to the above issues. Someone, somewhere hasn't played ball, or has lied to the court.

    1. doublelayer Silver badge

      Re: Something not ringing true here ...

      I suppose one possibility is that the drive could not be read when powered down, and needed a machine to access it. That machine, in turn, could identify that a lot of data was being accessed rather than a standard use, and locked down. That's the most logical option I can think of right now. Maybe they were able to get data from a running machine which timed out as well, denying further access to the drives. Either way, this ambiguity doesn't seem very related for the reasons not to extradite.

      1. Anonymous Coward
        Anonymous Coward

        Re: Something not ringing true here ...

        It's no secret (well it probably is, but WTH) that any storage device is removed from its host computer before imaging.

        Ostensibly the reason extradition was denied was due to LLs "mental and physical condition" - a catchall fig leaf to obscure the tainted evidence snafu.

        The FBI had a phase of trying to seize machines "live" - that is powered up, in case the crafty hackerz had booby trapped the power-down sequence. Not sure how that fared for them. I do know there were online discussions about code to wipe the HDD if a WiFi point could not be found.

        Of course, if you were really up to no good, and you weren't a complete moron, there are myriad ways to insulate yourself from your crimes. However the two tend not to play nicely ...

      2. Anonymous Coward
        Anonymous Coward

        Drive could not be read when powered down?

        For forensic purposes, drives are always removed and imaged, the images then being investigated.

        So I'm afraid the scenario you suggest is not relevant.

        Perhaps I'm failing to read you correctly, in which case, apologies in advance.

        1. Anonymous Coward
          Anonymous Coward

          Correction

          See tmz's post further down on how modern hdd firmware is partially stored on the platters. The hdd rom or eprom need then only hold a boot-loader to allow it to access the disk sectors where that literally disk operating system is held.

          This poses a choice to anyone doing forensic investigation of a hdd. Either go the cheap route, ie power it up and clone it, then look at that, or the presumably much more expensive route of disassembling the drive in a clean room and cloning the platters on a mechanically similar / identical drive.

          This may evoke bad memories in those lucky enough to have been responsible for Compaq desktops where bios firmware was stored on the hdd and programs for altering bios data had to be booted from floppy disk.

          That saved a 50c eprom chip on each pc, and massively increased the suport costs of most of them.

        2. MrReynolds2U

          Re: Drive could not be read when powered down?

          That may well be the case now but I was at a company where due to a legal dispute, a third-party came in and imaged all the HDDs by attaching an external drive and booting each PC from a CD running imaging software.

      3. katrinab Silver badge

        Re: Something not ringing true here ...

        This is 2012 era hardware. We didn't have SSD chips soldered to the motherboard back then. You can take the drive out, connect it to a SATA / IDE port on another computer and read it without executing any software that is stored on the drive.

        1. MrReynolds2U

          Re: Something not ringing true here ...

          Sure, so long as it's not connected to a proprietary RAID system, without which, the data is meaningless nonsense.

      4. Prst. V.Jeltz Silver badge
        IT Angle

        Re: Something not ringing true here ...

        @doublelayer

        What??

        1. doublelayer Silver badge

          Re: Something not ringing true here ...

          "What?"

          I suggested two reasons the drive could be encrypted in the middle of an access. They were these:

          1. "I suppose one possibility is that the drive could not be read when powered down, and needed a machine to access it. That machine, in turn, could identify that a lot of data was being accessed rather than a standard use, and locked down."

          For example, someone modified the drive, and it could not be read without a controller. It couldn't be imaged correctly without disassembly, but if you connected it to the controller, it would show a filesystem that could be read. However, the controller would be programmed to notice anomalous read patterns and lock itself down, blocking further access. This controller could be at various levels, including at the drive firmware level, in a separate hardware device connected to the drive, or in a computer that reads the drive (although the mechanics of getting a computer to do that and boot to it would be painful).

          2. "Maybe they were able to get data from a running machine which timed out as well, denying further access to the drives."

          For example, the computer was found running, with the drive accessible. They knew or expected that the drive was encrypted, so copied the files from the drive from the running machine. The machine noticed, timed out, or otherwise caused the drive to be locked before they could get all the data.

          Was I really that unclear? Are either of these that unreasonable? I do not understand the confusion.

    2. Snake Silver badge
      Facepalm

      Re: Something not ringing true here ...

      I was wondering about this very thing myself, as I was reading the quoted record. A raw-drive copy, and 'encryption process cut in'? How exactly did they manage THAT during, what should have been, an independent machine hardware-based copy?

      Icon, for apparent NSA screwup yet having the 'justice' systems' inherent constructs cover their butt.

      1. Anonymous Coward
        Anonymous Coward

        Re: Something not ringing true here ...

        When you are taking a forensic image of a hard drive you take it out of the host system and connect it to your imaging hardware. This then copies each block of the hard drive to an image file on another hard disk(s). It also generates a hash and you verify the data to provide a solid evidence trail before sealing it in an evidence bag. (BTW - it is a mind numbingly slow and boring process that is only bearable if you are doing lots in parallel). All subsequent work is done on a copy of the image.

        If you were particularly motivated and skilled you could modify the firmware of your hard drive to zap all the data on the disk if a particular block was ever accessed. The particular block would be mapped out on the users computer O/S to ensure that it could never be used by the file system so the only reason it would ever be accessed would be if it was out of it's host computer and being imaged.

        1. rcxb Silver badge

          Re: Something not ringing true here ...

          "you could modify the firmware of your hard drive to zap all the data on the disk if a particular block was ever accessed."

          SMART self-tests by the drive controller and automatic read-ahead in the SATA controller would be likely to trigger that trap, too. Not to mention OS, disk utilities, or the BIOS/UEFI probing the disk and just getting lucky once in a while.

          1. John Sturdy
            Joke

            Re: Something not ringing true here ...

            Maybe get some firmware from Volkswagen / Bosch to detect the non-normal usage?

          2. Anonymous Coward
            Anonymous Coward

            Re: Something not ringing true here ...

            Normal POST SMART self-test don't go reading random blocks in the middle of a big disk. At a simple level the boobytrapped block could be in an unused partition or even in an unused area between partitions where the O/S is never going to approach so any normal O/S access and controller read-ahead will venture nowhere near it. Yes if you specifically probe it with disk utilities it will go bang, but if you have gone to the trouble of setting it up this would be a deliberate and expected act. Forensic imaging tools however need to read every block of data and care nothing about partitions and file systems. That's all done by the offline forensic tools you use on a copy of the raw disk image. They work that way as often interesting information is recovered from files and even partitions that have been deleted.

    3. Anonymous Coward
      Anonymous Coward

      Re: Something not ringing true here ...

      He booby trapped an auto play so when forensics plugged it into a windows machine to copy the files using explorer it kicked in.

      Disclaimer: Even though this is clearly sarcasm I can actually believe they could be using windows.

      1. Anonymous Coward
        Anonymous Coward

        Re: I can actually believe they could be using windows.

        So can I ...

        depends on whether LL was using Windows or Linux, possibly. There are some tools which are Windows only - especially low level stuff from Seagate and WD

        1. katrinab Silver badge

          Re: I can actually believe they could be using windows.

          Well image the drive first, then use the windows software on the image.

      2. Anonymous Coward
        Anonymous Coward

        Re: Something not ringing true here ...

        Some people just don't know what they're doing. For example, a company where I used to work had a client's system infected with ransomware. We wanted to decrypt the drives if we could because workstations weren't backed up and some data was on the workstations (problem number 1). I was asked to find a solution, and I found that a) the ransomware was buggy and kept a plaintext copy of the password on disk before it completed and b) we had a disk where the encryption process was noticed and a worker at the client pulled the power on it, so that file was probably on the disk. Victory. At least I thought so as I went to get that drive from a colleague who knows more than I do according to my then boss.

        "Here it is," replied the person who should never have had the drive in the first place, "I hope you can recover data of this one because it didn't do anything useful when I booted it up. Just sat there for a while before showing me a ransom note."

        The client never got their data back. I left.

        Anonymous because the colleague who booted a drive with ransomware still works there.

        1. Anonymous Coward
          Anonymous Coward

          Re: Something not ringing true here ...

          In your colleague's defence (I work in a no-blame industry), the way you tell the story it doesn't look like he had been properly briefed.

          Do not assume that the guy should have known (even though I agree with you that it is obvious, but I have formal training in computer forensics) and that he would be on your same page concerning what you were actually trying to do.

          Again, because of my industry and because sometimes the logistics involved mean we only get one shot, we basically work on the basis that sensitive tasks should be briefed and practised in such a way that you could then send your average ten year old and he would be able to successfully complete the task.

          1. Anonymous Coward
            Anonymous Coward

            Re; No blame work practices and the use of procedures

            No blame practices are hated by most people, IME because most people are not particularly competent and hide that by blaming others and when possible other individuals.

            Which is why I'm surprised you didn't get more downvotes.

            IME no-blame practices have been shown to be most effective when the results are objective or have to do with "things" rather than people. No blame practices tend to make groups rather than individuals look good. When a certain outcome really has to be achieved or avoided no blame shines.

            That isn't most work or workplaces.

            If everyone follows procedure and something goes wrong there are no goats and of course if everyone follows procedure and everything goes right there can be no Hero.

            People die everyday because they are supposed to be experts in the dangerous work they are doing and most people are fine with that.

            Those that survive get to claim expert status and will continue to argue against procedures and other no blame practices.

            Of course if those mistakes and deaths start to cost real money someone might suggest changes to prevent death and waste but usually only to the point of making the losses acceptable.

            IMO the fact that there are so many questions around how the evidence against the accused has been gathered shows that the legal system also dislikes procedures.

            With open procedures it would be easy to see if the evidence being claimed should be accepted by the courts and public.

            Without open procedures for gathering evidence we can have what we have, justice based on the whims of police, courts, even an individual judge on a given day, even the whim of the mob.

            People like it that way, until one of them personally feel the consequences but that's a cost all other people are fine with.

            IME well run no blame systems tend to separate those who can make procedures and those who can only follow them, who should get pay raises and who does not deserve the pay they are getting. That seems very unfair to the majority who were so successful in playing the blame game.

            Which is why I wouldn't suggest anyone advocate changing to a no blame system, unless you are the one paying for the failures of the current system. Otherwise it isn't worth the effort.

      3. BigBear

        Re: Something not ringing true here ...

        One would hope than anyone doing forensic analysis would know to disable any type of autoplay system, but alas, you never know...

    4. Boris the Cockroach Silver badge

      Re: Something not ringing true here ...

      I agree.

      I've done HDD recovery for work and after relatives passed away.... plug the suspect drive into my spare linux box, copy the entire disk to a new clean one, play with the contents of the disk copy until you can retrieve data.

      But then it could be that the plod (with truecrypt/GCHQ help) have decrypted the entire disk , but to advertise the fact means no one will ever use truecrypt again.....

    5. Anonymous Coward
      Anonymous Coward

      "the suspect machine, once acquired, is never powered on."

      It may mean the machine was powered on when the data acquisition was done - probably when it was sized, to avoid that after being turned on disk access could be hindered by an encrypted file system requiring a boot password.

      "a surveillance team member comes over, grabs the laptop, pulls out a power cord and plugs it in" [emphasis mine] - why? To avoid it turns off or blocks, and becomes no longer accessible.

      https://www.theregister.co.uk/2019/01/29/how_i_caught_silk_road_mastermind/?page=2

      If you think the disks are unencrypted you can acquire them without booting them.

      If he had a "time bomb" which encrypted the disks, it could be they could only acquire part of the contents - but if what the judge listed is true (and why shouldn't be?) - there are good reasons the equipment is not returned to him. Maybe they're still trying to crack it....

      1. BigBear

        Re: "the suspect machine, once acquired, is never powered on."

        "Acquisition of computer" (i.e., seizure) versus "acquisition of data" (ideally, perfect forensic copying of data without interference from local operating system): two different concepts being conflated, it may seem.

        But perhaps you intentionally changed concepts — but, if I may nitpick with your writing style, neglected to highlighted it — given that you linked to that fascinating story about the Silk Road case where "live" data copying may have been necessary. It is always very risky; you can always check to see if EFS is enabled on the drive [in Windows, that is]). In the Silk Road case, it was presumably useful to seize the machine powered up at least to capture images of the screen as it was in mid-chat to verify identity.

        Power-on (boot) passwords in those days (< 2013) were usually easy to defeat, sometimes requiring the use of a pin jumper or perhaps advice from the computer manufacturer. It depends on whose BIOS is involved or whether there's UEFI (don't recall when that rolled in).

        Nowadays, "smart" criminals will want to use UEFI boot drives, boot passwords, and encrypted file systems. If such a system is seized by law enforcement powered on and kept powered on, they have a chance to perform an unencrypted copy of all disks (that could be challenged in court, perhaps). If such a system is not powered on when seized, their forensic copy will be an entirely encrypted disk image — good luck with that.

        1. Anonymous Coward
          Anonymous Coward

          "useful to seize the machine powered up at least to capture images of the screen"

          Not only, evidently, although it was important to arrest him on the spot, as he had the chat open.

          "On the laptop we found an enormous amount of evidence, said Der-Yeghiayan" - it would be interesting to know how they obtained that.

          Today you don't have to care only about BIOS/UEFI password and Windows EFS, but other types of disk encryption. You'll have to weight if is more important to gather data from a powered on machine while data are still accessible, knowing that it could be challenged in court, or risk to lose all if the disk is strongly encrypted. Evidently, you have to adapt to new criminal uses of technology.

    6. Anonymous Coward
      Anonymous Coward

      Re: Something not ringing true here ...

      In fact the UK was very keen to see the case prosecuted in the US and supported the extradition request. It was LL, his lawyers and his supporters that successfully fought the process on medical grounds.

      People wishing to comment on this case could with profit read the actual judgement: https://www.judiciary.uk/judgments/love-v-national-crime-agency/

      1. Muscleguy

        Re: Something not ringing true here ...

        If the case was tight enough for the US courts then they could have prosecuted him here, where the crimes actually took place. The New Zealand courts have done that with their hackers who the US has tried and failed to extradite. The NZ legal system is based on English common law.

        It seems, from the outside that defeated in the attempt to extradite these people the authorities then throw their hands up the CPS most likely says in effect 'can't be bothered'.

        I would really like proper informed legal opinion on why these people have not been prosecuted here.

    7. smallseo

      Re: Something not ringing true here ...

      Yes that struck me as odd. I've not heard the term 'harvest drive' before, but when i was arrested in 2002 they (as someone already mentioned) removed the drives, imaged them and then use the images for analysis.

      Encruyption doesn't suddenly 'cut in' it's either working constantly in the background or it's an on-demand process. Judging by the encrypted file names on the drive he was using TrueCryp and that certainly doesn't work in that way.

      TrueCrypt is no longer supported since MS stopped supporting WinXP and later versions of Windows had inbuilt encryption (haha).

      The Police are always cocking up when it comes to IT processes :

      https://www.theguardian.com/law/2018/may/15/police-mishandling-digital-evidence-forensic-experts-warn

      Why on earth did Laurie represent himself, i email him but no longer get replies since he won the case against extradition, the boy doesn't do himself any favours the way he behaves in court etc, humble pie needs to be eaten sometimes.

    8. NonSSL-Login

      Re: Something not ringing true here ...

      Personally I think it's a screw up of language somewhere along the line and the reality is that some of the drive was readable and the rest was encrypted in a trucrypt volume.

      Rather than encryption kicking in, they meant to say that they couldn't read the encrypted part. That is my best guess anyway.

      Firmware for hard drives probably needs to be signed(?) so not straight forward to do even if you could modify it to delete content on a certain sector or block read.

      1. Lotaresco

        Re: Something not ringing true here ...

        "Personally I think it's a screw up of language somewhere along the line and the reality is that some of the drive was readable and the rest was encrypted in a trucrypt volume."

        I agree with you.

        This is a judge's summary. I don't expect a judge to know much about disk forensics. I used to belong to a group that existed to raise awareness of technical issues between forensic analysts, IT practitioners and the legal profession. Even though we were dealing with intelligent, motivated people it's difficult to ram several years of knowledge of IT and forensics into someone with limited time.

        Given that it's decent enough summary. The problem for the black helicopter/tinfoil hat brigade is that they imagine there is one unexpected trick that will cause a legal case to collapse, as it does on TV. That's rarely so.

        In this case - "We recovered this information from the unencrypted disk, it contained some encrypted containers some of which we could access and others we couldn't." is a charitable take on what probably happened.

        BTW, based on what has been recovered, Love's "Poor little innocent me." claims aren't looking too good.

    9. Prst. V.Jeltz Silver badge

      Re: Something not ringing true here ...

      Goddam thats a lot of replies all explaining to each other how incredibly simple it is to access data on a seized drive without it deleting itself!

      I'm sure the police forensics can do this schoolboy difficulty task.

      So how could an "encryption process cut in" when a raw data drive is being read, unless the drives firmware has been hacked ?

      My guess is the drive was in the process of getting encrypted when his door got kicked in and the plug pulled. Or maybe shortly after that when forensics turned up and said "FFS unplug those computers!"

    10. Anonymous Coward
      Anonymous Coward

      Encryption login timeout script?

      If the machine was, as seems to be the case, seized whilst ON, it may be that Mr Love had a script running, requiring some action to be taken regularly to prevent a watchdog timer timing out and logging out of the encryption.

      That sort of lower tech procedure seems more likely than a hdd firmware hack?

  2. Anonymous Coward
    Anonymous Coward

    Moral

    Do not represent yourself in court. Especially if you have a personality disorder.

    1. macjules
      Happy

      Re: Moral

      Ah, but if you have multiple personalities there is always a chance that one of them might be a QC.

      1. Anonymous Coward
        Anonymous Coward

        Re: Moral

        There are only two people in this world sane enough to conduct my defence....and both of them are me.

    2. joeldillon

      Re: Moral

      It's not like he could afford a lawyer either, though.

      1. John G Imrie

        Re: Moral

        Actually on Income support he should be able to get a lawyer on legal aid

        1. Anonymous Coward
          Anonymous Coward

          Re: Moral

          Should vs Can

          Legal Aid is quite restricted in what it's available for these days, though consult a lawyer for reliable info......

          1. Anonymous Coward
            Anonymous Coward

            Re: Moral

            FTR Legal aid in the UK these days isn't about access to justice...

          2. Steve Knox

            Re: Moral

            Legal Aid is quite restricted in what it's available for these days, though consult a lawyer for reliable info......

            But would that be covered by Legal Aid...?

            1. Anonymous Coward
              Anonymous Coward

              Re: Moral

              @Steve Knox: most lawyers give a 30 minute initial consultation for free.

              1. ridley

                Re: Moral

                Don't believe the hype, I went to one for my divorce, he was half cut ran over the half hour and charged me £750 for the privilege.

        2. Anonymous Coward
          Anonymous Coward

          Re: Moral

          "Actually on Income support he should be able to get a lawyer on legal aid"

          It was a civil case, which, IIRC, precludes legal aid.

        3. Anonymous Coward
          Anonymous Coward

          Re: Moral

          In a child custody hearing I was refused legal aid, as it was "only a custody hearing", even though there were concerns about abusive behaviour and child cruelty against my ex raised by the childs GP.

          My ex, also supposedly on legal aid, turned up with FIVE barristers; and THREE lawyers to carry paperwork for the barristers.

    3. Anonymous Coward
      Anonymous Coward

      Re: Moral

      Upvote, I quite agree with the sentiment, though his problems probably impact on dealing with many third parties.

      The thing I have to take issue with is that Mr Love has not been diagnosed with a personality disorder, but an autistic spectrum disorder.

      Psychiatry has its own set of technical jargon and personality disorder has a very specific meaning as it covers a set of types of disorder, some of which are very bad news and sometimes imply that the sufferer could be very dangerous.

      1. Korev Silver badge

        Re: Moral

        I should point out that the vast majority of people with these conditions are no risk to anyone.

    4. Anonymous Coward
      Anonymous Coward

      Re: Moral

      Indeed.

      Without the details of the case, it is difficult to come to a categorical conclusion but the principle (I have studied forensics) is that you can only access what the court order says you can access and you can only keep what the court order says the court wants¹.

      In this case, they could and should have returned to him a sanitised image of his data. I don't know if it's just because of the tone of this article, but that judge sounded like a bit of a twat.

      Ok, the guy may not have put forward the most eloquent and persuasive argument in the world because he ill-advisedly decided to represent himself instead of doing a crowdfunding round as everyone does these days, but I still believe the judge was being callous and, especially, unprofessional (a judge should not show exasperation just because an untrained member of the public is unskilled at presenting his case).

      ¹ In one real case that I attended, a forensic expert reviewed the security video in a murder case, where the assassin had intentionally pulled out the tapes before committing his crime; giving evidence, the expert was asked by one of the parts (can't remember which) about the earlier contents of the tape. He replied that his court order only authorised him to review the tapes between two specific points in time and that's what he did. Therefore he could not, legally or materially, answer the question.

  3. Blockchain commentard

    If he had to pay the legal costs, would the plod ask for him to pay their salaries whilst attempting to gain access to his data?

  4. Semtex451

    Does he not have a point?

    "The property as we identified it at the hearing is in two parts. One is the computer equipment itself and the other is the data you can take on it."

    So take the drives out or return them wiped?

    1. John Sturdy
      Big Brother

      Re: Does he not have a point?

      In his situation, I wouldn't want the hardware back, except to do a bit of post-forensic forensic examination of my own. I would assume keyloggers or similar would have been planted at a low level in the systems. (It might be interesting to examine the machines to see what has been done to them on behalf of the state, but I wouldn't trust them for real use.)

      It also seems odd (although not implausible) for someone of his learning not have kept important files backed up, so perhaps there is something more complicated to this.

      1. DavCrav

        Re: Does he not have a point?

        "It also seems odd (although not implausible) for someone of his learning not have kept important files backed up, so perhaps there is something more complicated to this."

        He did. They took all of his hardware. You want him to have an off-site backup as well? There are trust issues with off-site backups.

        1. Muscleguy

          Re: Does he not have a point?

          Or his backups are on site and plod did not find them.

        2. John Sturdy

          Re: Does he not have a point?

          "You want him to have an off-site backup as well? There are trust issues with off-site backups."

          Yes, definitely. Especially if he's doing something that he's aware may "come to the attention of the authorities". And, assuming the backup is encrypted to the same level as the original, I'd trust an offsite USB stick or SD card that the authorities won't find more than a drive that they will find. It doesn't have to be left with a person who knows him; it could be under a stone somewhere in the countryside around his village, for example.

    2. Velv
      Headmaster

      Re: Does he not have a point?

      Read the article!

      Love, who wore his usual tieless black suit with a neatly pressed white smart-casual shirt, argued that his computers contained data of "inestimable sentimental value" to him

      So it is the data he is really after, contradictory to his statement offering not to access it. Something doesn’t run true, as the Judge surmised.

      1. WolfFan Silver badge

        Re: Does he not have a point?

        That would also be my opinion.

    3. Jellied Eel Silver badge

      Re: Does he not have a point?

      I think he has a point, or it's a point TPTB need to address. Most of us have a lot of personal, or even sentimental data stored on our computers. At some point, we could be accused of a crime, and all that gear seized as potential evidence.

      That happens a lot, and it could be a malicious accusation. The police have limited resources, not helped by forensics being outsourced. So probably tonnes of potential evidence sitting waiting to be analysed, and possibly getting knocked back in the queue by higher priority investigations. We also have a general principle that we should have timely access to justice, ie charge, or don't. Some of that's defined in law, ie how long we can be detained without charge. I think the same should also apply to our property.

      Not sure what the solution should be though. More resources for forensics would be one step, but AFAIK one issue with Love was encyrpted data on his drives, and a refusal to decrypt it. Assuming I had the keys and could decrypt it, I'd do it so I could get my stuff back. If I couldn't, that could be a different problem. Where there's 'stolen' data on the drives, I guess that gets more complicated, ie having to go through all the data and determine what's legal, what isn't, and delete any unauthorised stuff. If the police retain a copy of the entire contents, presumably that could still be used as evidence.

      1. The First Dave

        Re: Does he not have a point?

        Never mind sentimental info, I have details of my mortgage, bank accounts etc. on my computer - without it I would struggle to deal with everyday life.

        1. dnicholas

          Re: Does he not have a point?

          If it's not backed up, save yourself the future hassle and delete it now

      2. BigBear

        Re: Does he not have a point?

        I think you may be spot on. He probably has actual personal information on there (numbers of Swiss bank accounts holding profits from his hacking? /s), mixed with hacked data. The judge is dismissing this possibility out of hand, it seems. Or, he may be bluffing and simply wants to get back the valuable hacked data.

        The problem is, as you say, separating the two. If you give back the hardware, complete with not-yet-cracked encrypted data, you're giving him the spoils of his hacking, to sell or whatever, without even knowing what you've done. If you (the police) know that certain data is stolen, you could delete it (securely) from the drive prior to its return. You could delete everything that's encrypted, but that may include his personal data. Doing all of this could be extremely time-consuming, depending on how the files/folders are named and organized — or intentionally disorganized.

        If HE were to assist in this effort (provably identifying hacked vs personal data), he'd be admitting to — and providing evidence of — his crimes, so he's not about to do that.

        Furthermore, if the police were to return even wiped drives, he could later (at criminal trial) try to claim that the copies were not authentic. Without the original, how do they prove otherwise? In theory, they could give him *new* hard drives with only non-hacked data copied to them (fat chance!).

        The judge's decision (www.judiciary.uk/wp-content/uploads/2019/02/lauri-love-v-nca.pdf) says that at least one of the computers was seized while it was powered on and he was logged in. The police attempted to copy the drives' data "live". That's the computer where the judge said an "encryption process cut in to the devices themselves". That system had a TrueCrypt volume. I presume that the TrueCrypt process held the TrueCrypt volume locked, preventing it from being copied as a single file.

        According to that document, the police obtained what they claim to be quite a lot of readily-identifiable hacked data. Whether that assertion is based on reading the data or just filenames is another question.

        The document also states that the police found two TrueCrypt volumes. They claim that they know the contents of one of them in detail (without saying that they decrypted it) and it is hacked data. (I wonder if that TrueCrypt volume was already open with its password when his home was raided.) The other TrueCrypt volume apparently has unknown content.

        He may also have used an OS-based encrypted file system to encrypt drives on each system, turning them into bricks unless you can boot up and log in. The document from the judge suggests that the police have a lot of seemingly hacked data, but also suggests that they've been stymied elsewhere and seek assistance from US law enforcement specialists. I seriously doubt anyone in the US is going to give the UK a bunch of supercomputer time to crack this guy's drives or TrueCrypt volume. I've seen nothing to suggest that he did anything nefarious with that hacked data.

  5. Anonymous Coward
    Anonymous Coward

    He's telling prospective employers he's a big troublemaker...

    ... good luck in getting more than 120 a week....

    1. Anonymous Coward
      Anonymous Coward

      Re: He's telling prospective employers he's a big troublemaker...

      Rubbish, he's a talanted resource....clever companies have teams to support people like him...they view the texch world in a gifted way that is valuable....he's worth a six to seven figure sum in annual booked work with the right support.

      However he has beaten the extradition system so MIx NSx et al will be fuckers just be cause they lost.

      1. jmkni

        Re: He's telling prospective employers he's a big troublemaker...

        If he was that talented he would already have a job.

      2. Anonymous Coward
        Anonymous Coward

        "he's a talanted resource"

        Right now he's showing a talent for grandstanding - not usually what a security company likes.

        Moreover, there is an interesting paradox - to show he's a talented hacker worth a lot of money, he should admit he actually did what he's been accused of, and show he did in an innovative way - i.e. discovering vulnerabilities, writing new exploit and tools, etc. - not using existing tools made by others and using existing vulnerabilities. Otherwise, if he didn't it, he's not talented at all - maybe he's just taking credit for someone else's work?

  6. Aladdin Sane

    Rule #1 - Don't piss off the judiciary.

  7. DropBear

    I do not appreciate the apparent tendency to judge a claim's merit strictly on its merit as it pertains to the case and question being judged alone, as opposed to "this is your fault and you're despicable so we don't really care whether those you accuse are in the wrong or not - you don't deserve to win either way". But that's just the impression I get after reading this - the claim may well be meritless on its own...

    1. David 18

      Yep, without knowing all the facts it seems like colossal prejudice, not a quality one wants to see in the judiciary.

    2. Anonymous Coward
      Anonymous Coward

      He's also never been tried and convicted so the judge is out of order treating him as if he has been tried and convicted.

      Someone on the bench clearly takes the line the disabled are scroungers and that he's too lazy to find a job....

      Shameful to be honest, politicised judiciary by the back door.

      1. the spectacularly refined chap

        He's also never been tried and convicted so the judge is out of order treating him as if he has been tried and convicted.

        The judge made a finding of fact that the machines contain data that doesn't belong to Love. She is then perfectly correct to use that as a basis for the conduct of the rest of the case. The courts would be paralysed with a neverending merry-go-round of hypoethetical arguments if that wasn't the case. The court explores an issue, the judge makes a determination and then the case proceeds on that basis.

        1. The First Dave

          But there was then no mention (in the article at least) of the possibility that those drives also contained data that was personal/private/essential property of Love.

          Rather like saying that because his wallet contained a counterfeit bank note, that he wasn't entitled to have the wallet back.

          1. Lotaresco

            "Rather like saying that because his wallet contained a counterfeit bank note, that he wasn't entitled to have the wallet back."

            If you follow your analogy to its logical conclusion, as a judge would, that means that he could have the metal case back and the rest would be sequestered because he is not able to establish that the data he is requesting belongs to him.

        2. Intractable Potsherd

          The determination of the facts is a separate issue to the way the verdict is given. The DJ's comments and phrasing are completely inappropriate - I would say that it undermines any credibility in the judgment. There is enough here to say that she is not impartial, and that the case should be reheard. However, LL can't afford to appeal, so it will probably have to stand.

          I won't be surprised to find the DJ elevated to the next level of judiciary very promptly in recognition of her "services", though.

          1. the spectacularly refined chap

            The determination of the facts is a separate issue to the way the verdict is given.

            That wasn't part of the verdict but the proceedings. The judge was essentially saying "We've covered that, don't waste our time rehashing an argument that has already been rejected."

  8. sisk

    Is it just me or does the "You brought this on yourself" statement reek of a guilty until proven innocent mindset? I'm not at all familiar with the UK legal system, but I was under the impression that it was an innocent until proven guilty system.

    1. Anonymous Coward
      Anonymous Coward

      I suspect context is important here, she's also talking about the fact he's representing himself in court and doesn't have a scooby what to do. He also has a personality disorder which probably isn't helping him.

      I'm sure he could have found someone to do this pro bono if he wanted to.

      "you brought this on yourself" more than likely is within the context of "you are shit out of luck mate, you should have prepared an argument" - not about innocence/guilty of the alleged offense.

      1. DavCrav

        ""you should have prepared an argument" - not about innocence/guilty of the alleged offense."

        But that is his argument. I have not been charged with any crime, why have you stolen my stuff? And apparently that wasn't good enough for the magistrate, but it'd be good enough for most people. So since she decided his perfectly reasonable point was unimportant because she decided he did it even though she's not supposed to make that judgment, now it moves on to whether the system can screw some cash out of him for having the temerity to ask for his stuff back.

        1. Anonymous Coward
          Anonymous Coward

          "I have not been charged with any crime, why have you stolen my stuff?"

          If you happen to be found with illegal or stolen goods, they could be sized even if charges aren't pressed against you. If they found data he couldn't legally own, probably they may have a legal reasons to keep its hardware.

    2. msknight

      From what was detailed in the article, I believe that the judge thinks there is plenty in the file names, etc. to believe that the hard drives contain the digital equivalent of a loaded firearm. Given that, I can understand why they don't believe him entirely innocent and don't want to let him have the hardware back.

      1. Kane

        "From what was detailed in the article, I believe that the judge thinks there is plenty in the file names, etc. to believe that the hard drives contain the digital equivalent of a loaded firearm. Given that, I can understand why they don't believe him entirely innocent and don't want to let him have the hardware back."

        Then the NCA should press charges.

        1. Anonymous Coward
          Anonymous Coward

          Maybe they are just waiting for the right time...

    3. Lee D Silver badge

      There isn't a legal system in the world that's entirely innocent-until-guilty. Failing to provide a breath specimen if suspected of drink-driving sees you arrested on a separate offence of doing just that, for example. With harsher penalties. Though the police can't *prove* that you were over the limit because you did that, they have a specific offence for that exact action of failing to co-operate with them. It's not the only example - all kinds of anti-terror legislation and even much more mundane matters have an element of guilty-until-innocent (think bailiffs coming to cart your stuff away... they will happily tag everything, even if it doesn't belong to you, until the person whose property it is comes and proves it... all sanctioned by a court and pre-dating any modern political manoeuvring whatsoever).

      In this case, the court has evidence that it says (paraphrased) "may be used in a criminal proceedings" in its possession, i.e. they're not done with it as they may still convict him. He wants that evidence back, before then. And he's still under US indictment, which is why they can still hold that evidence. Legal maneuvering is slow.

      The "You brought this on yourself" is because he had failed to co-operate with any form of accessing that data, presumably. If he was innocent, he could co-operate, the courts get the evidence, he gets his kit back and the matter would be over. But he's not co-operating and instead demanding the evidence back from the courts itself, because - basically - his not-co-operating has slowed everything up.

      Though you are not required to incriminate yourself, failing to co-operate with the courts is never going to end well.

      As I said before, you don't represent yourself in court because this is what happens. Any lawyer trying to same argument would be laughed at and quite possibly sanctioned. It's like a murderer demanding his bloody knife back from the court, before it could be analysed. Except in this case, the only reason the evidence can't be properly analysed is because he refuses to unlock it.

      There's a reason no lawyer would touch him, even via legal aid. And he's not accustomed to arguing in court and instead working on "principles" like "innocent-until-guilty". The law is much more specified than that. And a defendant in a criminal case demanding his own evidence-against-him back while simultaneously preventing the prosecution from accessing it is not something that any court in the world would allow.

      This is a plain rebuke from the court for even attempting that line of reasoning. You can be sure any lawyer instructed to argue that would a) refuse or b) be sanctioned for doing so. There may well be several dozens legal paths you could try, but not like this.

      And on £120 a week, you better hope that you can hire a legal genius for nothing in order to discover them.

      1. Anonymous Coward
        Anonymous Coward

        FTR it's "innocent unless proven guilty".

        It's not "until" - if you can wait long enough, anyone will be proven guilty.

        Just ask Prince Philip ;)

      2. VulcanV5
        Flame

        and another upvote from me

        By far the most cogent response on this thread, where it seems too many have either not read the Reg article or cannot get to grips with the simple fact that it's precisely because no criminal trial has yet been held that no Judge in her / his right mind can allow the return of relevant evidence to someone potentially facing such a trial. A shrewd lawyer might attempt the strategy that untested evidence is just that, and what the judge in this case is actually doing is pre-empting that test.

        But then the judge merely has to cite the defendant's record of evasion and obstruction -- her words, in support of which she referenced the record -- to demonstrate that by virtue of that behaviour sufficient grounds exist for presuming that the defendant does indeed have something to hide, i.e., evidence of an incriminating nature.

        In every respect then, Love is the architect, not the victim, of the present situation.

        I agree with everyone who believes that Justice delayed is no kind of Justice at all, and lament the fact that no criminal trial has occurred in this case. But that actually has no bearing upon Love's conduct to date. Then again, I'm fed up with the frequency of cases where mitigating circumstances are advanced such as to argue that though someone is perfectly fit enough to break the Law, they are not fit enough to face the consequences. Such situations can and will occur, and in the name of humanity they should, and must, be recognised. But only a fool would contend that every situation is the same, and that every mitigating factor is of equal validity.

        Despite the volume of criticism from others in regard to decisions taken by the judges in this case and t'other one in Las Vegas, I'm actually heartened by the behaviour of both. . .

    4. Joe Gurman

      Innocent, guilty not relevant

      This was a civil action, not a criminal one. And one brought by someone with an admittedly unfocused personality, whose friends and admirers can spare the time (off work? not working?) to attend the hearing and make obscene comments, but not to sit down with Mr. Love and advise him to seek legal counsel.

      1. Steve Knox

        Re: Innocent, guilty not relevant

        ...whose friends and admirers can spare the time (off work? not working?) to attend the hearing and make obscene comments, but not to sit down with Mr. Love and advise him to seek legal counsel.

        What does the nature of his friends have to do with the merits of his case?

        "Guilt by association" seems an all-too-relevant description of your argument here...

    5. Wilseus

      "I was under the impression that it was an innocent until proven guilty system."

      So was I, but laws in this country have moved in a rather frightening direction in recent years. Freedom of speech doesn't really exist any longer, for example.

      1. jaywin

        Freedom of speech doesn't really exist any longer, for example.

        We've never had full freedom of speech in the UK, there have always been restrictions and repercussions if you decide to engage mouth before brain e.g. libel.

        1. Anonymous Coward
          Anonymous Coward

          Freedom of speech in the UK used to include the right not to speak.

          Now our glorious leaders have taken away that right and labelled anyone who dares to remain silent as guilty until proven innocent.

          More great British justice...

          1. Lotaresco

            "Freedom of speech in the UK used to include the right not to speak."

            It still does. You still have the right to remain silent. And a jury has the authority to make inferences from your silence and the circumstances that pertain to that silence.

            1. Anonymous Coward
              Anonymous Coward

              "And a jury has the authority to make inferences from your silence"

              What, you mean like: he's remaining silent, therefore he must be guilty, because only guilty people don't verbally defend themselves?

              Perhaps if the prosecution focused a little more on real evidence rather than what people said, there might be a little more justice.

        2. Wilseus

          "We've never had full freedom of speech in the UK, there have always been restrictions and repercussions if you decide to engage mouth before brain e.g. libel."

          I am categorically NOT talking about things like libel and slander, which are civil matters, not criminal. I am also not referring to things like incitement to violence, or actual, genuine hate speech.

          I'm referring to the fact that, just as an example, you can be slapped with a fine, or even a prison sentence, and end up with a criminal record for criticising a religion for its stance on things like homosexuality.

          A more specific example is Count Dankula and his dog. The prank was in very poor taste, but it was a joke nevertheless, and no way should that have resulted in a fine and criminal record. There are plenty of people who are far more liberal than I am who agree on that point.

    6. Jason Bloomberg Silver badge

      Is it just me or does the "You brought this on yourself" statement reek of a guilty until proven innocent mindset?

      It's not just you though I say that only from reading the article and I wasn't there. If it is how it's reported then I would concur with some of the views expressed from the public gallery.

      I'm not at all familiar with the UK legal system, but I was under the impression that it was an innocent until proven guilty system.

      Mostly, but that doesn't mean one cannot come up against a judge who is having a bad day or, for whatever reason, isn't treating someone before them fairly and justly. That's why we have appeal courts.

      The bottom line is that justice in the UK is far better than some places, in the overwhelming cases is fair and justice is done, but there are cases where it can be that it isn't.

      I've noticed it is usually high profile cases, where the authorities, police, security services or government are involved, when it feels to me justice hasn't been served. Maybe that is the case or maybe I am imagining it.

    7. Stuart Halliday

      A often thought assumption by the general public but not true.

  9. David 18

    Is this how far we have sunk?

    Disclaimer: I have not followed all the intricacies of his troubles.

    From the content of this article, no presumption of innocence, not even charged with any crime yet treated as a criminal.

    A simple magistrate ruling on what a hard drive contains, without any evidence one way or another.

    A magistrate chastising an autistic man for not being able to get a job, not only autistic which makes it hard enough, but one living under a cloud of suspicion but never charged with anything so unable to prove his innocence in a real court of law. Then further belittling him because the tax payer has to fund his court appearance to get his equipment back. I hope some right-thinking brief offers to take up his case pro-bono and reams that magistrate a new one!

    I used to think we had the best judiciary in the world (probably still do if you exclude the magistrates).

    Charge him with something, or give his stuff back. We are not a police state yet.

    1. John Sturdy
      FAIL

      Re: Is this how far we have sunk?

      I think they may have sunk a bit further, with the smear contained in "Private data, including photographs of vulnerable children, from an autism charity and Treehouse School" --- if he's picked up data about autism-related education, it's likely to include information about schools at which the children may be classed as "vulnerable", and if he's done "wget" on a school website, it's likely to include photos with some of the pupils in them. But the way they've mentioned it looks to me like they're hoping the Daily Mail will pick up on that and infer that the photos were indecent.

    2. DavCrav

      Re: Is this how far we have sunk?

      "because the tax payer has to fund his court appearance to get his equipment back."

      It didn't. It funded Plod's defence as to why they are still keeping hold of his stuff despite him being innocent. You know, as in innocent unless (not until) proved guilty.

    3. Anonymous Coward
      Black Helicopters

      Re: Is this how far we have sunk?

      With the latest widening of what can be construed as terrorist related online activity - yes we are.

      As someone innocent who HAS had all their computer gear seized and torn apart by the police, the suggestion that an innocent person would co-operate raises a hollow laugh.

      If it ever happens again I will fight tooth and nail before I let then gut my house fishing for evidence of a crime I had no motive, or opportunity to commit.

      Even though I was released after a couple of hours interrogating, and all charges dropped a few days later - it took a year for them to return my broken and dismembered equipment.

      1. Down not across

        Re: Is this how far we have sunk?

        Even though I was released after a couple of hours interrogating, and all charges dropped a few days later - it took a year for them to return my broken and dismembered equipment.

        Criminal Damage Act 1971 should apply there. Whilst they may be entitled to disassemble, surely they would need to return (especially since charges were dropped) anything they confiscated, in same condition they were when confiscated.

        I know. Wishful thinking.

        1. Martin-73 Silver badge

          Re: Is this how far we have sunk?

          Indeed, I was thinking the exact same thing. And if a single screw is missing, the home sec itself should be on a theft charge. Bastards, hanging's too good for 'em

        2. MonkeyCee

          Re: Is this how far we have sunk?

          "surely they would need to return (especially since charges were dropped) anything they confiscated, in same condition they were when confiscated."

          Not in NZ, and not in the Netherlands.

          If the Dutch police search your car for drugs (ie take it to pieces) and don't find any, they will return the car in pieces.

          As long as they had legal grounds for a search, and they followed the rules for evidence preservation, then they are covered.

          If they only do it to you every three months it also doesn't meet the threshold for harassment.

          1. Anonymous Coward
            Anonymous Coward

            Re: Is this how far we have sunk?

            AFAIK

            UK Customs and Border Control staff have the same powers, get antsy and they will take your car apart, then fine you for littering (or something).

            1. Anonymous Coward
              Anonymous Coward

              Re: Is this how far we have sunk?

              Spiteful little hitlers. Yep that fits the stereotype.

              And they wonder why people depsise them.

          2. Eltonga

            Re: Is this how far we have sunk?

            If the Dutch police search your car for drugs (ie take it to pieces) and don't find any, they will return the car in pieces.

            As long as they had legal grounds for a search, and they followed the rules for evidence preservation, then they are covered.

            Don't you have the right to ask for compensation in such cases?

    4. Anonymous Coward
      Anonymous Coward

      Re: Is this how far we have sunk?

      You have confused magistrates court with Magistrates. The case was heard by a District Judge ( a paid position) as opposed to a bench of 3 lay magistrates.

      In my experience magistrates try very hard to be fair to litigants in person and would never be rude to them.

      1. Anonymous Coward
        Anonymous Coward

        Re: Is this how far we have sunk?

        Re: "magistrates try very hard to be fair"

        LOL

        This is not Scandinavia - the British system is adversarial, and certainly not necessarily based on justice. It's winners vs losers. And the State does not take losing lightly.

        1. Anonymous Coward
          Anonymous Coward

          Re: Is this how far we have sunk?

          @AC: Well, I used to work with a magistrate, and I know another. The comment about them trying to be fair, and giving latitude to people representing themselves is entirely correct.

        2. A K Stiles

          Re: Is this how far we have sunk?

          Adversarial between the prosecution and the defense.

          The lay magistracy are neither and are not paid for it. They have some regular training in the law (but not qualifications) and sets of strict guidelines to follow with regards behaviour and sentencing.

        3. Cederic Silver badge

          Re: Is this how far we have sunk?

          The judiciary however win by being fair and delivering justice, not by convicting people.

          Magistrates often allow extraordinary leeway to idiots. Sadly they also send you to jail if you rightfully call them a cunt.

          source: a relative is a magistrate

    5. CountCadaver Silver badge

      Re: Is this how far we have sunk?

      Habeas Corpus seems to be a distant memory in the UK. Many magistrates for example let their right wing political bias show constantly.

      Locally a suicidal man was jailed after trying to throw himself off a bridge, not only did the judge ignore the mental health crisis but subjected a very vulnerable person to an offensive tirade about "silly and stupid behaviour" "wasting police time" and "endangering the lives of others who had to come and get you"

      The fiscal service ignores and wilfully so police officers threatening members of the public, ignore any complaints and refuse to answer why they claim "not enough evidence" despite multiple witnesses to what amounted to threatening behaviour and breach of the peace by a uniformed and serving police officer.

      But hey its ok to berate and ridicule a vulnerable person.

    6. Anonymous Coward
      Anonymous Coward

      Re: Is this how far we have sunk?

      "A simple magistrate ruling on what a hard drive contains, without any evidence one way or another."

      Civil case, so "balance of probabilities" is the burden of proof...

    7. Lotaresco

      Re: Is this how far we have sunk?

      "Charge him with something, or give his stuff back."

      One of the things that the judge determined, beyond reasonable doubt, is that it's not all his stuff and that there is stuff there for which ownership cannot be determined without his co-operation. The judge is saying that until Love choses to decrypt the information in order to make a decision if the content belongs to him or someone else he can't have it. He is being asked to prove that he owns the data he claims to own.

      Love is in the situation of someone being in a hotel where someone has stolen a diamond. He wants to take a sealed container in his possession out of the hotel, stating that there is nothing in it other than stuff he owns. But he's refusing to open the box. Forensics show that the box had been at the scene of the crime. Police are therefore not willing to let him leave with the box unopened. He can leave the box in custody or he can open it and prove it contains no diamonds then he can leave.

      Actually it's worse than that, because the evidence to-date shows he was in possession of "quite a bit" of other people's "stuff" like credit card details and personal data. He certainly not entitled to have continuing access to that "stuff".

      1. Anonymous Coward
        Anonymous Coward

        "Love is in the situation of someone being in a hotel where someone has stolen a diamond."

        nope, equipment was not taken from a hotel or other place where ownership would be confused and it is possible to rip media you own for your own use.

        The state has had access to the data for some time and presumably has retained copies, if at some point in the future they are able to decrypt their copy so as to prove some crime then access to the original copy makes no difference other than to verify that the copied image is actually the same as the original.

        To me the whole thing reeks of state IT incompetence, they dropped the ball and are desperate to punish this guy regardless of proof

  10. adam payne

    So you've not charged him with anything but he can't have his stuff and needs to get a job.

    Either charge him or give him his stuff back.

    1. whoseyourdaddy

      What sane IT manager would implore someone with that particular "gift" to connect to the company LAN from personal equipment?

      I'd be soldering the USB ports shut on everything short of his phone.

  11. chivo243 Silver badge
    Flame

    Fire extinguisher

    I am not a big follower of this case.

    1. He should already have his gear back according what I've recently read about UK law

    2. District Judge also wants to be the executioner, they seem to be grinding the axe.

    3. I'm really confused about the so-called data recovery on an encrypted drive? LL didn't give any keys, did he? Then the recovery goes egg shaped? Hmm....

    4. Someone's pants are on fire.

  12. tmz

    HDD forensics

    Modern HDDs contain a portion of their firmware stored on the platters. This is loaded into the HDDs controller processor/memory at startup to complete the firmware image. If any of this 'soft' firmware has been changed by the owner, in order to defeat the disk being simply bit-copied, then there is pretty much zero chance of reading the data without resorting to 'clean room' HDD recovery-style operations (removing individual platters to a donor HDD, for example). This operation alone could call in to question the forensic veracity of the resultant data extracted before decryption comes in to the picture. I would expect that the NCA have access to expertise to handle all this, even if not quite routine. I wonder why they have failed?

    1. Adrian 4

      Re: HDD forensics

      Recall the error made by the PD in that apple phone case where they shut down the phone, thereby making it necessary to know the password ?

      1. Officers sometimes do stupid things

      2. Officers are not always up to date

      3. Officers sometimes choose the wrong action (stopping a remote wipe vs. needing a password)

      4. Nobody likes being honest when it shows up their mistakes

      It's fairly unlikely that we have the full story from either side.

      1. tmz

        Re: HDD forensics

        I don't doubt that any of what you posit could be true.

        But my question remains - why does it appear that the NCA do not have the appropriate level of skills available to them to handle this case? If they are screwing this one up then how many others go the same way?

        1. MadDrFrank

          Re: HDD forensics

          In a way we are to blame.

          We elect politicians;

          politicians have decided ("on our behalf") to reduce police funding;

          police forensic services cut, https://www.theguardian.com/law/2018/may/15/police-mishandling-digital-evidence-forensic-experts-warn

      2. Anonymous Coward
        Anonymous Coward

        Re: HDD forensics

        5. Officers lose things occasionally and don't like having to admit it. Chance this gear is lost in a warehouse somewhere.

  13. Agent Tick

    Flawed Judgement indeed..

    ... maybe the data is stolen but it does not justify to refuse handing him his hardware equipment back - if not at least reimbursing the value of the hardware!

  14. Anonymous Coward
    Anonymous Coward

    Is the delay because they haven't managed to upload some dodgy pictures onto his hardware yet?

  15. STOP_FORTH
    FAIL

    Cloning fail

    Does dd no longer work on modern disks?

    1. tmz

      Re: Cloning fail

      Not if the firmware may have been tampered with.

  16. ukoperator

    Hmmm the chain of custody seems to have broken down somewhere, total agreement that nothing at anytime should be powered on once in custody, or turned off during or after a raid until examined. A disk should not even be placed in a caddy for general read purposes, it should be copied at bit level on a duplicator to an exact copy of the disk it is coming from and if known the same firmware.

    The mention of TrueCrypt means nothing, we now it was broken by a US agency which is why many branches of the software where created, so someone in the NCA who work with GCHQ could easily have accessed a disk. Encryption kicking in half way through copy, highly unlikely unless custom firmware was written in which case why is he not being groomed into a government role if they keep saying they are low on talent.

  17. Anonymous Coward
    Anonymous Coward

    Re. Truecrypt

    Actually its a bigger problem than folks think.

    The difficulty with TC is that its possible to hide N where N is a *very* large number of TCPs on one drive.

    Its also possible that depending on the setup changing one can render the others unrecoverable thus spoiling the evidence

    however this is a "Mutually assured destruction" approach as it renders it unrecoverable by anyone including the owner.

    Re. hard drive firmware, I actually sent some chips off for analysis as its feasible that some drive failures leave the actual data

    in these intact and potentially useful for diagnostics purposes.

  18. Version 1.0 Silver badge
    Happy

    Let's crowdfund him

    He seems to be annoying all the right people - I'd kick in a couple of quid to get him going again.

    1. Anonymous Coward
      Anonymous Coward

      Re: Let's crowdfund him

      He is already begging .... https://freelauri.com/donate

  19. Anonymous Coward
    IT Angle

    I read this headline as "Accused hacker Lauri Love loses legal bid to rectum."

    I am also aware that this says a lot about me.

  20. Jake Maverick

    thieving bastards :-(

  21. Loatesy

    "The state has had access to the data for some time and presumably has retained copies, if at some point in the future they are able to decrypt their copy so as to prove some crime then access to the original copy makes no difference other than to verify that the copied image is actually the same as the original."

    Rather, and I suspect deliberately, missing the point. The NCA are holding onto his gear because they have actual reason to believe some of the contents are not his. That's why they can't risk giving it back to him, irrespective of how many copies they've made. Giving him back the data will allow him to do whatever he wants with it. He won't allow the encrypted data to be decrypted to prove his innocence and show all the data is his.

    Why?

  22. Aodhhan

    Pitty the English

    Just another example of someone who willingly jumps off a cliff--in hopes the world sees them as a victim.

    What's equally moronic, is how people buy into it.

    The "woe is me" attitude of the English. So self-absorbed, they have no idea just how good their life actually is.

    The press and politicians have the general population believing the worst. So much so, that they once again control the people.

    The country's wealth is being squandered--making the people and country over all weaker. All while, making the press and politicians more powerful.

    Look at yourselves. Blaming everyone else--while becoming too lazy to effect change.

    What's next, you call out to the USA for help (yet again)? Don't be silly... do you help someone who wrongly points fingers at you?

    1. Anonymous Coward
      Anonymous Coward

      Re: Pitty the English

      And they say yanks don't do irony: Pitty the English

      LOL

  23. Anonymous Coward
    Anonymous Coward

    Thank yous

    Thanks to BigBear for his link to the pdf of Judge Coleman's decision, (https://www.judiciary.uk/wp-content/uploads/2019/02/lauri-love-v-nca.pdf)

    Also thanks to tmz for his information on hdd firmware being stored on the platter.

    With regard to the question he posed, regarding why the NCA apparently haven't done clean room platter cloning and analysis on the drives seized from Mr Love, I'd hazard a guess that regardless of whether or not it's done in house or contracted out that it's likely very expensive. They possibly feel that so long as the data isn't returned to Mr Love, he simply isn't worth it.

    The US government won't want to bear the cost if they can't have the corpus, and the UK government don't want the odium of either letting the yanks have him, or possibly even jailing him themselves. He's in the cyber naughty corner now, so his opportunities for mischief will be watched by the grownups, likely permanently.

  24. M.V. Lipvig Silver badge
    Headmaster

    The simple solution

    If they aren't going to prosecute him, buzz his hard drives with a degauser until they are wiped beyond recovery, then give him his gear back and close the case. Over and done. Advise him they found data that wasn't his on the drive so they took steps to remove the data that wasn't his, and since he wouldn't coperate and decrypt the drives they were unable to differentiate between data belonging to him and data belonging to others. Yes, he'll get away with whatever he did but he won't profit from it and will learn a lesson about keeping sentimental, personal stuff on a machine that he is committing crime on. Maybe he'll straighen up and fly right going forward. If he doesn't, the law will get another crack at him.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like