An FBI agent has brought up an interesting question about the nature of digital evidence: Does decrypting encrypted data "fundamentally alter" it, therefore contaminating it as forensic evidence?
According to a hearing transcript filed last week, FBI Special Agent Daniel Alfin suggested just that.
The hearing was related to the agency's investigation into dark web child pornography site Playpen. In February 2015, the FBI briefly assumed control of Playpen and delivered its users a network investigative technique (NIT)—or a piece of malware—in an attempt to identify the site's visitors.
That malware grabbed suspects' IP address, MAC address, and other technical information, and then sent it back to a government computer. None of that evidence was encrypted, however.
"That claim holds no water at all."
According to experts called by the defense in the affected case, the fact that the data was unencrypted means there is a chance that sensitive, identifying information of people who had not been convicted of a crime was being sent over the internet, and could have been manipulated. (Alfin paints this scenario as unlikely, saying that an attacker would have to know the IP address the FBI was using, have some sort of physical access to the suspect's computer to learn his MAC address, and other variables.)
Had that data been encrypted, "It would still be valid, it still would have been accurate data; however, it would not have been as forensically sound as being able to turn over exactly what the government collected," Alfin said.
Nicholas Weaver, senior researcher at the International Computer Science Institute, says that encrypted data could maintain evidential value, but it depends on how the FBI implemented it.
"It adds complication without meaningfully increasing the security," of the data, he told Motherboard in a Twitter message. Similar to Alfin's point about the unlikelihood of this data being altered, Weaver added, "Any adversary who can tamper with the forensic value of this request has to be in the path between the target and the FBI, and know what is going on, know the particular random value the FBI is using for this target, and other such information."
But forensics expert Jonathan Zdziarski strong disagreed with Alfin's argument.
"That claim holds no water at all. In fact, any data sent across a network is going to undergo a number of transformations, and will probably be encrypted and decrypted over various trunks without the recipient even knowing it. The data is also going to be split into packets, encapsulated with headers, labeled, compressed, deccompressed, stripped of headers, and reassembled into a complete file," he told Motherboard in an email.
"If the FBI truly considers any evidence that has been encrypted and then decrypted to be forensically unsound, then a vast majority of any content coming off of a computer or an iPhone, or sent across the Internet, should be thrown out," he added.
"It would seem that the FBI is unaware of how the Internet works."