Home Invasion Search Warrant: Two Knocks is One Too Many

April 20, 2017

(United States v. Juan Olaya, D-2, Case No. 15-cr-20200, Eastern District of Michigan, Southern Division)

On December 5, 2014, a group of six tied to a spree of home invasions was finally broken up after arrests were made following a home invasion in Flower Mound, TX. The group was linked to home invasions in New Jersey, Michigan, and Texas, and the charges ranged from federal racketeering to weapons, kidnapping and violent assault.

In Texas, one of the group’s members left a cell phone in a vehicle that was found to be associated with the crimes. According to court documents (linked below), Texas officer Mark Esparza obtained a warrant to examine the Samsung phone and photo-documented a number of text messages and other evidence related to the crimes. The phone did not, however, receive a full forensic acquisition. After photo-documenting the evidentiary information, officer Esparza returned the warrant. Nine months after Esparza’s search, the FBI, without obtaining a new warrant, searched the cell phone again, and this time they performed a full forensic acquisition of the phone.

This final acquisition brought the number of searches of the phone to three: a pre-warrant search for the IMEI and phone number, a warranted search of the phone’s evidence, and a federal search through the acquired phone image. Presumably, the search through a forensically acquired phone would yield additional information, and reading between the lines I am guessing this was the case for the evidentiary Samsung phone. Certainly it would assist in authenticating the evidence.

Defendant Juan Olaya, the owner of the phone and one of the group members charged, moved to suppress the results of all three searches. Mr. Olaya argued that “even if the screenshots that Esparza obtained should not be suppressed, the results of the more comprehensive FBI search should be.” On 4/19/2017 the Eastern District of Michigan, Southern Division court agreed with Olaya: the FBI’s acquisition of the phone and subsequent search was found to be warrantless and a violation of Olaya’s Fourth Amendment rights. Pages 14 through the end of the Court’s opinion and order contain the Court’s reasoning on this point.

What would be interesting to me (and potentially to criminal defense attorneys) is whether the same logic of the court could be applied if officer Esparza HAD done a full forensic acquisition of Olaya’s phone: under those conditions, would the government’s use of Esparza’s acquisition have required a second warrant? The fact is, there is a lot of data in a phone acquisition that has nothing to do with specific crimes, so I am guessing that the argument could be made. If any criminal attorneys know of some good cases to answer the question, feel free to post below!

United States v. Juan Olaya, D-2, Case No. 15-cr-20200, EASTERN DISTRICT OF MICHIGAN SOUTHERN DIVISION

It’s a Trap!! Infected Microsoft Word Files Exploiting Unpatched Vulnerability

April 11, 2017

A new virus is ‘in the wild’ that exploits a ‘zero-day’ vulnerability in Microsoft Word to infect or, in the worst case, wipe computers. The only known mitigation is to not download or view the infected files. One may also view the files using ‘Protected View’, which has been reported to work in this case. Opening the file outside of Protected View will infect the system, however.

Note: Disabling ‘Macros’ does not protect against this exploit. The exploit bypasses most system protections, including the tools built into Windows 10.

The infected Word document arrives via email. Once opened, it downloads malicious code from a remote site and installs various malware payloads. The virus then opens a ‘decoy’ Word document in an attempt to cover its behavior.

A patch is expected today, but patches are useless if they are not applied. The patch will likely be issued only for Windows 7, 8 and 10. Older Windows versions will likely remain vulnerable.

At a Glance:

Threat Level: HIGH
Delivery Method: Email
Infection Vector: MS Word document (.doc, .docx, .rtf)
Infection Type: Various malware libraries
Vulnerable: All Windows versions. All Office versions.

Actions:

1- Communicate and Educate: Make sure ALL users are aware.

2- Until the patch is applied: Use Protected View to view documents.

You (or IT support) may also change registry settings so that documents automatically open in Protected View.

3- Pay attention to the patch cycle. Microsoft’s standard patch day is today. Make sure patches are applied and operational.
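As an added example for action 2 above (not code from the original post): a PowerShell script that audits, and with -Enforce sets, the current user’s Word Protected View and File Block registry values. It assumes Office 2016/365 (version key 16.0) and uses the value names from Office’s Group Policy templates; the File Block names for RTF and legacy .doc are assumptions to verify against your Office version.

```powershell
# Added example: audit/enforce Word Protected View for the current user.
# ASSUMPTIONS: Office 16.0 key; value names as in Office's Group Policy
# templates. Use -Version "15.0" for Office 2013. Run without -Enforce to report only.
param(
    [string]$Version = "16.0",
    [switch]$Enforce
)

# A value of 1 means Protected View is DISABLED for that source; 0 or absent = enabled.
$pvPath   = "HKCU:\Software\Microsoft\Office\$Version\Word\Security\ProtectedView"
$pvValues = @("DisableInternetFilesInPV", "DisableAttachementsInPV", "DisableUnsafeLocationsInPV")

function Get-ProtectedViewState {
    $state = @{}
    foreach ($name in $pvValues) {
        $v = (Get-ItemProperty -Path $pvPath -Name $name -ErrorAction SilentlyContinue).$name
        $state[$name] = if ($null -eq $v) { 0 } else { [int]$v }
    }
    return $state
}

$state = Get-ProtectedViewState
foreach ($name in $pvValues) {
    $status = if ($state[$name] -eq 1) { "DISABLED (risk)" } else { "enabled" }
    Write-Output ("{0,-28} {1}" -f $name, $status)
}

if ($Enforce) {
    # Re-enable Protected View for Internet files, mail attachments and unsafe locations.
    if (-not (Test-Path $pvPath)) { New-Item -Path $pvPath -Force | Out-Null }
    foreach ($name in $pvValues) {
        Set-ItemProperty -Path $pvPath -Name $name -Value 0 -Type DWord
    }
    # File Block (assumed value names): open RTF and legacy .doc files in
    # Protected View instead of the full editor. 2 = open/save blocked, use open
    # policy; OpenInProtectedView 1 = open blocked types in Protected View.
    $fbPath = "HKCU:\Software\Microsoft\Office\$Version\Word\Security\FileBlock"
    if (-not (Test-Path $fbPath)) { New-Item -Path $fbPath -Force | Out-Null }
    Set-ItemProperty -Path $fbPath -Name "OpenInProtectedView" -Value 1 -Type DWord
    Set-ItemProperty -Path $fbPath -Name "RTFFiles"            -Value 2 -Type DWord
    Set-ItemProperty -Path $fbPath -Name "Word2003Files"       -Value 2 -Type DWord
    Write-Output "Protected View settings enforced; restart Word for them to take effect."
}
```

Settings applied through Group Policy live under HKCU:\Software\Policies\Microsoft\Office\... and override these per-user values, so check both locations when auditing a managed machine.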

Outside Links:

Ars Technica