Forensic Analysis Of Geohot’s Hard Drives In Dispute

[GH0ST]

Forensic Analysis Of Geohot’s Hard Drives In Dispute

In the latest around of Sony vs. Geohot legal wrangling, court documents obtained by PSX-SCENE reveal that there is now a dispute as to how Geohot’s hard drives are being handled by TIG, the third-party company designated to analyze them.

The original court order only called for the drive(s) to be delivered to a third party “for the purpose of isolating, segregating and/or removing the information on persons devices correlated to Defendant Hotz’s circumvention of the TPMs in the PS3 system.”

Now the company doing the analysis wants to make TWO FULL IMAGES of the drive(s), in both decrypted and encrypted form!!! According to Geohot’s attorneys, “SCEA is not entitled to inspect the impounded drives under the impoundment order, nor is it allowed to make and preserve additional copies of the impounded drives, but this is precisely what it seeks to do.”

For SCEA, Mr. Hotz?s proposal is unacceptable. First and foremost, basic forensic evidence protocol dictates that images of the storage devices be made before any search or analysis is performed so that the storage device is preserved in its original form...
/... Mr. Hotz claims that neither the original impoundment order or his latest proposal require imaging. However, under either scenario, an examination of the storage devices is still necessary to verify the existence of the circumvention devices or information relating to the circumvention and to determine whether any such information has been deleted or transferred to other storage devices. Prior to conducting any of this analysis, imaging of the storage devices is required.

Source PSX-Scene
Source Consoledemon

 

[Rydian]

Okay, so when we buy something from them we don't own it and aren't allowed to research it...

But when they get hold of our stuff they have the right to dive into it and make copies?

 

[KingVamp]

If Sony made those hard drives it isn't his.

But seriously.



By Sony yes. "You violated our stuff(Sony Made Stuff).Your rights are lost." :/

 

[Jamstruth]

Pretty sure they're not allowed to hold onto backups. I understand they're allowed to inspect the data but once the court case is over they shouldn't be allowed access to his HDDs unless they've won. Even then its a bit off.

 

[Giga_Gaia]

All of this is assuming there is something left on his hardrive for them to find. Any sane person would have made a secure backup somewhere and just deleted everything off his hardrive. They took a while to get TRO granted, so Geohot is pretty stupid if he didn't do that.

No matter what kind of thing they would try to use to recover files, it's pretty easy to leave no trace behind.

 

[shakirmoledina]

lol its copyright all over again... like the request for acquiring info from twitter and youtube, i think the court will rule against sony

 

[Jamstruth]

All of this is assuming there is something left on his hardrive for them to find. Any sane person would have made a secure backup somewhere and just deleted everything off his hardrive. They took a while to get TRO granted, so Geohot is pretty stupid if he didn't do that.

No matter what kind of thing they would try to use to recover files, it's pretty easy to leave no trace behind.

If he hid it he'd be signing his own defeat. He's hidden files he's saying are legal. He's known to have been working on this stuff so it would be surprising to find a wiped HDD. Even then HDDs can have a LOT of data recovered even after being completely formatted etc. Innocent men don't run.

 

[Eckin]

That sounds a little bit fcked up.

 

[TheDarkSeed]

well weather or not they get permission, sony will try and find some loophole to try and get the images.

besides, sony already has the drives, they probably already have the images but aren't saying anything about it.

 

[Giga_Gaia]

If their little forensic can't get around a little encryption themselves, then Sony don't deserve what's inside.

 

[Law]

The reason behind having to make an image before analysing the drive is so Geohot can't turn around and say "They planted that there".

Standard fucking procedure.


edit: and note that it's the third party company. Not Sony themselves.

 

[Veho]

besides, sony already has the drives, they probably already have the images but aren't saying anything about it.

Well yeah. It's not about what they can find there, it's about how much of it is admissible in court.

 

[_Chaz_]

All of this is assuming there is something left on his hardrive for them to find. Any sane person would have made a secure backup somewhere and just deleted everything off his hardrive. They took a while to get TRO granted, so Geohot is pretty stupid if he didn't do that.

No matter what kind of thing they would try to use to recover files, it's pretty easy to leave no trace behind.

You do know that deleting something doesn't erase it from the drive, right?
How do you think file restore programs work?

 

[twiztidsinz]

All of this is assuming there is something left on his hardrive for them to find. Any sane person would have made a secure backup somewhere and just deleted everything off his hardrive. They took a while to get TRO granted, so Geohot is pretty stupid if he didn't do that.

No matter what kind of thing they would try to use to recover files, it's pretty easy to leave no trace behind.So rather than being charged with just what he's being charged with... then they'd add TAMPERING WITH EVIDENCE.
Learn basic law (hell, this is even basic in TV Law) before you start making suggestions of what people should or shouldn't do.

If their little forensic can't get around a little encryption themselves, then Sony don't deserve what's inside.Uh.. first off, it's not Sony.
Second off, the people who have the drives do this professionally, it's essentially their job to be able to get into encrypted files to find evidence.
http://en.wikipedia.org/wiki/Cryptanalysis



QUOTE(TheDarkSeed @ Mar 1 2011, 02:01 PM)

well weather or not they get permission, sony will try and find some loophole to try and get the images.

besides, sony already has the drives, they probably already have the images but aren't saying anything about it.

Sony doesn't have them, a 3rd party named TIG does.
It would be a HUGE conflict of interest if the party who was accusing someone was also the ones searching for and providing evidence.

 

[M[u]ddy]

All of this is assuming there is something left on his hardrive for them to find. Any sane person would have made a secure backup somewhere and just deleted everything off his hardrive. They took a while to get TRO granted, so Geohot is pretty stupid if he didn't do that.

No matter what kind of thing they would try to use to recover files, it's pretty easy to leave no trace behind.

You do know that deleting something doesn't erase it from the drive, right?
How do you think file restore programs work?

There are enough programs, that can overwrite the empty disk space with random numbers.

 

[Oveneise]

Greedy, greedy, greedy! Just get what info you want and leave it at that.

 

[_Chaz_]

ddy]

All of this is assuming there is something left on his hardrive for them to find. Any sane person would have made a secure backup somewhere and just deleted everything off his hardrive. They took a while to get TRO granted, so Geohot is pretty stupid if he didn't do that.

No matter what kind of thing they would try to use to recover files, it's pretty easy to leave no trace behind.

You do know that deleting something doesn't erase it from the drive, right?
How do you think file restore programs work?

There are enough programs, that can overwrite the empty disk space with random numbers.

That information can still be retrieved by professionals.

 

[twiztidsinz]

ddy]

All of this is assuming there is something left on his hardrive for them to find. Any sane person would have made a secure backup somewhere and just deleted everything off his hardrive. They took a while to get TRO granted, so Geohot is pretty stupid if he didn't do that.

No matter what kind of thing they would try to use to recover files, it's pretty easy to leave no trace behind.

You do know that deleting something doesn't erase it from the drive, right?
How do you think file restore programs work?

There are enough programs, that can overwrite the empty disk space with random numbers.

That information can still be retrieved by professionals.

There are secure removal tools, that either completely remove all the information or make it so corrupted you couldn't recover it even knowing what should be there. While the data would be gone, it would be obvious what happened, so there's that whole "Tampering with Evidence" thing...

 

[Giga_Gaia]

All of this is assuming there is something left on his hardrive for them to find. Any sane person would have made a secure backup somewhere and just deleted everything off his hardrive. They took a while to get TRO granted, so Geohot is pretty stupid if he didn't do that.

No matter what kind of thing they would try to use to recover files, it's pretty easy to leave no trace behind.

You do know that deleting something doesn't erase it from the drive, right?
How do you think file restore programs work?

Of course I know. By deleting something, I mean make it impossible to restore it in any way. It's pretty easy.

 

[Laughing Stock]

Wow. Is Geohot being a chunky monkey again? This is why I don't support him.