Between law school and the CISSP, CSOXP and CHFI exams, I guess I must not be doing a good job keeping up with current events.  If I had, I would’ve known about this November decision from the U.S. Court for the Middle District of Pennsylvania, where a judge is characterized in an article by Dan Goodin as saying, “a hard drive is comprised of many platters, or magnetic data storage units, mounted together,” and, therefore each platter constitutes its own separate container and the lawful acquisition of one didn’t breach the others.” What?!

Indeed, that genius bit of reasoning was the basis of a suppression order, finding that a landlord’s eviction of a tenant and subsequent discovery of child pornography would have given way to a valid gov’t seizure under the private search doctrine if prosecutors had limited their activities to the same file search employed by the landlord rather than a file-signature inventory.

I’m all for the Exclusionary Rule –which is on the brink of abolishment– as a deterrent for police misconduct, but the problem with this reasoning is that the separate internal platters of a hard-drive are certainly not separate containers.  Individual files are stored in sectors and often span across several platters.  A Windows file search would access the same sectors that an EnCase hashing routine (discussed in the opinion) would access.  The judge’s reasoning would have been valid if there was more than one hard-drive in the computer and the landlord’s search was confined to one, but the Government had accessed the others [without a warrant].
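The claim that files span platters can be made concrete with the classic LBA-to-CHS translation. The following is an added example, not taken from the opinion or from either blog post; the geometries, file extents and function names are constructed for illustration, and real drives hide their physical layout behind firmware, so this is a simplified model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Geometry:
    """Classic CHS geometry (simplified; modern drives use zoned,
    firmware-internal layouts and expose only LBAs to the host)."""
    cylinders: int
    heads: int              # one head per recording surface, two per platter
    sectors_per_track: int

def lba_to_chs(lba, geo):
    """Standard LBA -> (cylinder, head, sector) mapping; sector is 1-based."""
    cylinder, rem = divmod(lba, geo.heads * geo.sectors_per_track)
    head, sector0 = divmod(rem, geo.sectors_per_track)
    if lba < 0 or cylinder >= geo.cylinders:
        raise ValueError(f"LBA {lba} is outside this geometry")
    return cylinder, head, sector0 + 1

def surfaces_touched(extents, geo):
    """Heads (recording surfaces) holding any sector of a file.
    extents: list of (start_lba, sector_count) runs, as a filesystem records them."""
    heads = set()
    for start, count in extents:
        for lba in range(start, start + count):
            heads.add(lba_to_chs(lba, geo)[1])
            if len(heads) == geo.heads:   # every surface already hit
                return sorted(heads)
    return sorted(heads)

def platters_touched(extents, geo):
    """Platters holding any sector of a file (heads 2n and 2n+1 share platter n)."""
    return sorted({h // 2 for h in surfaces_touched(extents, geo)})

# Constructed geometries: four platters / eight heads vs. one platter / two heads.
FOUR_PLATTER = Geometry(cylinders=1024, heads=8, sectors_per_track=63)
ONE_PLATTER = Geometry(cylinders=1024, heads=2, sectors_per_track=63)

# Constructed files (512-byte sectors): a 4 KiB file and a contiguous 1 MiB file.
SMALL_FILE = [(122, 8)]
LARGE_FILE = [(10000, 2048)]

if __name__ == "__main__":
    for name, ext in (("4 KiB", SMALL_FILE), ("1 MiB", LARGE_FILE)):
        for geo in (FOUR_PLATTER, ONE_PLATTER):
            print(name, f"{geo.heads} heads -> platters", platters_touched(ext, geo))
```

Under this model the same LBA range lands on a different set of platters depending only on drive geometry, and neither a file search nor a hashing tool chooses which platters are read.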

Whereas Goodin didn’t pick up on this, I was relieved to discover that another blogger, Rich Cannata, did. In his December 11, 2008 post, Rich wrote:

Wow.  While the Judge deserves some recognition for an attempt at technical savvy, this analogy falls quite short.  Under the guise of this analogy, the geometry of the hard drive’s platters determines what is searchable and what is not.  If the target is a 500GB Seagate drive with four platters and eight read/write heads, is less data to be considered within the scope of the search than if the exact same information were stored on a 500GB Samsung drive with one platter and two read/write heads? If the data is stored on a RAID array, how do you determine which platters in which drives are within the scope of the search?  The judge also skips over the fact that even in the Runyan case, there were two recording surfaces for each floppy disk.  Since the introduction of MS-DOS 1.1, the Microsoft operating system has used both sides of a diskette; these are distinctly two separate recording surfaces of a floppy disk, yet it appears to the computer user as a single “container”.  Using the single platter logic, in the Runyan case, they would have only been within bounds to search the side of the floppy disk that contained the file that the third party found/viewed.  In this context, it appears that a logical volume should be the boundary for a container, but, with the advances in drive density, considering this as a boundary is disconcerting.