EDIT: I have found some clarification about the “controller cards”, seemingly confirming what I have posted, and have added thoughts to the end of this post

Today, on the Wired Threat Level blog, there is a story that covers Sony’s allegations that George Hotz (“geohot”), who they are suing for DMCA violations involving a PlayStation 3 jailbreak, sabotaged hard drives provided for discovery, and skipped town.

Skipping town to South America is not in my area of expertise, so I’m not commenting on whether or not that is happening, but forensic acquisition and analysis of hard drives happens to be my current bread-and-butter. The Wired article states that Sony claims Hotz provided the hard drives in a non-functional state. It links to a PDF from the case’s filings, which gives the exact wording of Sony’s complaint on page 22:

Despite Judge Spero’s orders, Hotz continues to frustrate all attempts to complete jurisdictional discovery.  In yet another attempt to avoid his deposition and a limited inspection of his impounded hard drives, on March 17, 2011, Hotz filed a motion for protective order on issues already decided by Judge Spero.  (Docket No. 100.)  On the same day, TIG discovered that prior to delivery, Hotz had removed integral components from his impounded hard drives, rendering them completely non-functional.  Bricker Decl., ¶21, Exh. S.  When SCEA echoed TIG’s request that the components of the hard drives be delivered immediately, Hotz’s counsel responded that Hotz was in South America.

Hotz’s attorney’s quote to Wired in response to this was the following:

They didn’t have the controller card attached. That’s it

The attorney, I assume, does not have an extensive technical background, and likely gave this comment off the cuff (or as “off the cuff” as any attorney will allow themselves to be). Therefore, this is going to take some interpretation. The first question is what they mean by “controller card”. When it comes to hard drives, two things come to my mind:

  • The interface between the chipset of the motherboard and the hard drive. For most motherboards the SATA or IDE interface is integrated into the board. If it’s an older computer to which an end-user has added a SATA drive, a SATA “controller card”, in the literal “card” sense, may be slotted into the motherboard to interface with the newer drive.
  • The circuit board attached to the drive that handles ATA communications on one side and drives the electrical and mechanical internals (spindle motor, head actuator, read channel) on the other. To illustrate, it’s the part facing the camera in this image:

The Underside of a Hard Drive

The latter is what I assume is meant, for the following reasons:

  • It’s something that could be removed from a drive, as the filing states.
  • Controller cards in the sense of a slotted card on a motherboard aren’t very common right now. Most computers have the interface they need on the motherboard.
  • Even if it were a SATA, IDE, or even SCSI controller card meant to be slotted into a motherboard, withholding that card would not render the drive unreadable to a well-outfitted forensics lab such as TIG (the third-party forensic examiner Sony is using). Any such lab has its own write-blockers and host adapters for every common interface.

Now, I do not support Sony’s lawsuit against George Hotz, but it seems to me that if he did remove those controller boards from the drives, this is a case of needlessly antagonizing the opposing counsel, examiners, and the judge. I really don’t think it’s a good idea to intentionally do this when providing evidence under a court order.

Those boards don’t just fall off, and their absence is not as easy to overcome as Hotz’s attorney implies. To read a drive that has had this board removed, you need a matching replacement board. Those who do data recovery on drives with damaged boards know that extreme care is needed in finding one: even drives of the same model and capacity can carry different revisions of the board, and getting a match is crucial. On many drives of this era the board also holds a ROM with drive-specific calibration (“adaptive”) data, so even a same-revision donor board may need that chip transferred before the drive will read correctly. Even a forensics firm such as TIG is unlikely to maintain a stockpile of controller boards, since buying and filing “one of everything” would be prohibitively expensive. The absence of the board (as opposed to its failure) makes matters worse, because without the original to compare against it may not be possible to determine which board revision is the correct replacement.

While I disagree with the basis of the lawsuit and support the opening of electronic devices (all of my and my spouse’s Apple iPods, iPhones, and iPads are jailbroken), if this is the method being used to stall the plaintiff and case progress, I see that as being in bad form for Hotz, and a bigger issue than his attorney lets on. Hopefully not. Don’t make it hard for me to like you, geohot! Take the high road.

EDIT: I found the exhibit with the discussion of the missing hard drive parts at Groklaw:

This pretty much confirms the above with the following quotes from an examiner at TIG:

This controller card is installed at the factory and not normally removed or handled by an end user.

We took the drives out of our evidence locker and the evidence bag to image them in their current encrypted state as stated in the order and agreed to on our phone call yesterday. We have determined that the controller cards which are screwed onto the hard drives were removed prior to them being given to us. Therefore we are unable to operate the hard drives in their current state. Keep in mind that we need two days to image these drives as we have to image two 1TB drives.

It’s difficult to imagine a reason Hotz would have had to remove the circuit boards from the drives he was ordered to turn over. It will be very interesting to see why he did this. From my position, I can’t see this as being productive for anything other than antagonizing the opposing party and, more importantly, the judge.
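For readers who have not done acquisition work, the following is an added illustration (not code from this post, and not TIG’s tooling) of what “imaging the drives in their current encrypted state” involves once the drives can actually be operated: a dd-style imager reads the device in fixed-size blocks, falls back to single-sector reads when a block fails, zero-fills the sectors that still cannot be read, records their LBAs, and hashes the resulting image so the copy can be verified later. The `FlakyDevice` class and its bad-sector range are constructed stand-ins for a real block device.

```python
"""Sector-by-sector forensic imaging with bad-sector handling and hashing.

Added example, not the blog author's tool or TIG's. It mimics what dd-style
forensic imagers (dcfldd, dc3dd, ddrescue) do: fixed-size reads, retry by
single sector on error, zero-fill unreadable sectors, log them, and hash the
image. FlakyDevice is a constructed in-memory stand-in for a raw device;
its bad-sector range is made up for the demonstration.
"""
import hashlib
import io

SECTOR = 512


class FlakyDevice:
    """Constructed stand-in for a block device whose reads fail on some LBAs."""

    def __init__(self, data: bytes, bad_sectors):
        self._data = data
        self._bad = set(bad_sectors)

    def size(self) -> int:
        return len(self._data)

    def read(self, offset: int, length: int) -> bytes:
        first = offset // SECTOR
        last = (offset + length - 1) // SECTOR
        if any(lba in self._bad for lba in range(first, last + 1)):
            raise OSError(f"I/O error reading LBA range {first}-{last}")
        return self._data[offset:offset + length]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def image_device(dev, out, block_sectors: int = 8):
    """Copy dev to out and return (sha256 of the image, unreadable LBAs).

    Reads block_sectors at a time; on a read error the block is re-read one
    sector at a time so that only the truly unreadable sectors are lost.
    Those sectors are written as zeros (so the image keeps its geometry)
    and their LBAs are recorded for the examiner's notes.
    """
    total = dev.size()
    digest = hashlib.sha256()
    unreadable = []
    offset = 0
    while offset < total:
        length = min(block_sectors * SECTOR, total - offset)
        try:
            chunk = dev.read(offset, length)
        except OSError:
            parts = []
            for sec_off in range(offset, offset + length, SECTOR):
                sec_len = min(SECTOR, offset + length - sec_off)
                try:
                    parts.append(dev.read(sec_off, sec_len))
                except OSError:
                    parts.append(b"\x00" * sec_len)
                    unreadable.append(sec_off // SECTOR)
            chunk = b"".join(parts)
        out.write(chunk)
        digest.update(chunk)
        offset += length
    return digest.hexdigest(), unreadable


def demo():
    """Image a constructed 64-sector 'drive' with two bad sectors (20 and 21)."""
    data = bytes(range(256)) * 128          # 32 KiB of non-zero sample data
    dev = FlakyDevice(data, bad_sectors={20, 21})
    out = io.BytesIO()
    image_hash, unreadable = image_device(dev, out)
    return out.getvalue(), image_hash, unreadable


if __name__ == "__main__":
    image, image_hash, unreadable = demo()
    print(f"image size: {len(image)} bytes")
    print(f"unreadable LBAs: {unreadable}")
    print(f"sha256: {image_hash}")
    print("verify:", "OK" if sha256_hex(image) == image_hash else "MISMATCH")
```

The hash is computed over exactly the bytes written, zero-filled sectors included, which is why the unreadable-sector log has to travel with the image: the hash proves the image has not changed since acquisition, while the log is what tells a reviewer where the image differs from the source.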

  10 Responses to “Geohot Antagonizing Sony's Forensic Examiners?”

  1. I agree, removing the “controller card” from the hard drive is probably just going to upset everyone. Really childish. But that is to be expected. Hotz – though I think he didn’t do anything wrong – has been acting pretty childish the entire time, including releasing some rap video.

    So… I am curious – what if the hard drives had been encrypted? In a civil case like this are you required to divulge your password?

  2. I haven’t dug into the filings very carefully, but it’s my understanding from coverage surrounding the case that the hard drives are encrypted and that Hotz is supplying the passphrase.

    I’m not sure about the rules surrounding divulging passphrases in a civil case. It’s difficult to establish the difference between refusing to give up a password and simply having “forgot” a password. If it seems likely that you’re just being difficult, the judge may hold you in contempt for some time. In a criminal case, this might be preferable to divulging your evidence and facing the consequences of that. It’s hard to imagine that it’d be worth fighting it in a civil case, though, where the standards of evidence are less stringent.

    Given Hotz’s track record so far in the case, I hope he isn’t pulling some other stunt like giving them the wrong passphrase intentionally, or giving a passphrase for an obviously separate hidden volume (as with TrueCrypt’s deniable encryption).

    I totally agree that he has acted childish during this case, which is sad because it really hurts the cause which many would otherwise support.

  3. Also, IGN reports (and is quoted here: http://www.computerandvideogames.com/295086/geohots-lawyer-responds-to-sonys-court-dodging-claims/ ) that Hotz’s lawyer is still playing down the significance of removing these controller boards.

    He claims they are “stock” components, which, while true (they come bolted on the drives when you buy them), avoids the main point: that these boards are a critical component to the drive, and that they are extremely specific to the make/model/capacity/revision of that specific drive. Without a board to compare with to establish you have the correct one, one cannot take the risk of damaging the drive in a case like this by attempting to fit another board on it by “best guess”. It also completely avoids commenting on why these boards would be removed in the first place (I really can’t imagine a reason why).

    The boards have now been supplied to the examiners.

  4. All they have to do is eBay for an identical model drive, make a purchase and transfer the firmware card. I’ve done it a few times for clients who had chips explode or go up in smoke on the firmware cards; it’s not that hard to do. I imagine Sony can figure it out.

  5. I’ve done it too, but even for the same model drive, you can have several different revisions of the board. When you have a damaged board, as you and I have seen, you at least have the board in your possession, so you can make sure you’re getting a board marked as being the same revision. If the board has been removed, you don’t have that luxury, and you’re down to hoping that the board you pull from another drive is the same revision.

    In that case, it may work, it may not, and it has the potential to corrupt data on the drive. That’s a risk a forensics company (TIG, it’s not Sony’s place to “figure it out”, small point) is not willing to take, unless there is no other option. In this case, there’s definitely no need to take the risk of mismatching boards, when it’s simply due to a party in the case being immature and not fully complying with the court orders.

    This case boils down to a lot more than just one guy. It’s about others’ rights to do what they please with their own hardware as well. For him to do something intentionally that would antagonize the examiners, opposing party, and judge doesn’t help his case for him, or anyone else. For no good end either–as you pointed out, in a pinch this can be worked around, and he’s turned over the boards anyway.

  6. I think more often than not, generally speaking, the board revision is irrelevant when matching it up so long as the model number of the disk matches up. Of course that’s not to say being wrong and putting the wrong firmware card onto the wrong disk doesn’t result in random disk writes on your drive on spinup! But it sure is funny to think that might happen, bwhahahaah

  7. It varies. There’s a good chance of it screwing up.

    This is where the related fields of data recovery for clients in a consumer or IT context and digital forensics in the context of a case diverge. Board-swaps may have attractive odds when you’re looking at a disk that is toast otherwise, a client willing to take the gamble to get their data back, and no other option (as the board is toast). In this case, though, there’s simply no reason to risk damaging a terabyte of crucial evidence, when you can hold off until the owner is required to turn over the boards (as in this case), or it is confirmed that the boards have been destroyed.

    The only thing working in Hotz’s favor right now is that he didn’t dispose of the boards. It’s a pretty serious matter if you’re doing that sort of thing to tamper with the evidence or impede investigation after being informed that you’re going to get sued (same if you’re going to be facing criminal charges).

    Removing the boards is a strange move though. It doesn’t change the outcome: TIG still acquires/examines the data. So, it doesn’t really buy him anything. All it does is make him look bad, and potentially hurt his case.

  8. Fascinating. Well, you probably have an inside track on this. So while we’re discussing this, please allow me to ask you a few related questions. Aren’t there firms who have specialized equipment to extract data from a disk’s platters? I’m sure that it’s a LOT more expensive than “normal” forensics work on functioning hard drives. And I also assume that this sort of procedure and equipment isn’t found in most lower-level forensics facilities.

  9. Yes, anytime you start dealing with the mechanical/moving parts inside the drive, you’re assuming a LOT of risk. Everything (arms, heads, platters, etc) has to be aligned perfectly or it won’t read the sectors the same way. We have put a couple of guys through training on this at the NFTC and we can handle some common/simple issues (single platter swaps, “stuck” mechanicals, etc).

    There are companies (most well known one is probably Ontrack) that specialize in platter swaps and other mechanical issues. They’re very expensive, even by normal data recovery and forensics standards. For your money, you’re getting a lot more capability than we have for recovering data.

  10. The statement that the hard drives were encrypted is interesting. Likely the hard drives were locked through the BIOS, requiring a hard drive password to access the drives. Sony is known for using this technology. The password is stored within a process that hard codes the password to the system. You remove the HDD from the computer and you cannot image it. (I’ve tried.) Removing the controller card and replacing it with an identical one could bypass this protection, allowing access to the data, which is technically not encrypted, just protected. Changing the boards could have been an attempt to bypass this protection, or changing them with the wrong board could prevent the examiner from replacing the controller card with the correct one, thus preventing the examiner from imaging the drive, since the examiner would then not be able to match the controller board. The other option, either some kind of container encryption or something like BitLocker, could not be bypassed through controller card replacement.

© 2012 McGrew Security