Home Invasion Search Warrant: Two Knocks is One Too Many

April 20, 2017

(United States v. Juan Olaya, D-2, Case No. 15-cr-20200, EASTERN DISTRICT OF MICHIGAN SOUTHERN DIVISION)

On December 5, 2014 a group of six linked to a spree of home invasions was finally broken up after arrests were made following a home invasion in Flower Mound, TX. The group was attributed with home invasions in New Jersey, Michigan, and Texas, and the charges ranged from federal racketeering to weapons, kidnapping and violent assault.

In Texas, one of the group’s members left a cell phone in a vehicle that was found to be associated with the crimes. According to court documents (linked below), Texas officer Mark Esparza obtained a warrant to examine the Samsung phone and photo-documented a number of text messages and other evidence related to the crimes. He did not, however, perform a full forensic acquisition of the phone. After photo-documenting the evidentiary information, officer Esparza returned the warrant. Nine months after Esparza’s search, the FBI, without obtaining a new warrant, searched the cell phone again, and this time they did a full forensic acquisition of the phone.

This final acquisition of the phone brought the number of searches of the phone to three: a pre-warrant search for the IMEI and phone number, the warranted search for the phone evidence, and the federal search through the acquired phone image. Presumably, the search through a forensically acquired phone would yield additional information, and reading between the lines I am guessing this was the case for the evidentiary Samsung phone. Certainly it would assist in authenticating the evidence.

Defendant Juan Olaya, the owner of the phone and one of the group members charged, moved to suppress the results of all three searches. Mr. Olaya argued that “even if the screenshots that Esparza obtained should not be suppressed, the results of the more comprehensive FBI search should be.” On 4/19/2017 the Eastern District of Michigan, Southern Division court agreed with Olaya: the FBI’s acquisition of the phone and subsequent search was found to be warrantless and a violation of Olaya’s Fourth Amendment rights. Page 14 through the end of the Court’s opinion and order contains the Court’s reasoning on this point.

What would be interesting to me (and potentially to criminal defense attorneys) is whether the same logic of the court could be applied if officer Esparza HAD done a full forensic acquisition of Olaya’s phone: under those conditions, would the government’s use of Esparza’s acquisition have required a second warrant? The fact is, there is a lot of data in a phone acquisition that has nothing to do with specific crimes, so I am guessing that the argument could be made. If any criminal attorneys know of some good cases to answer the question, feel free to post below!


United States v. Juan Olaya, D-2, Case No. 15-cr-20200, EASTERN DISTRICT OF MICHIGAN SOUTHERN DIVISION


It’s a Trap!! Infected Microsoft Word Files Exploiting Unpatched Vulnerability

April 11, 2017

A new virus is ‘in the wild’ that exploits a ‘zero-day’ vulnerability to infect or, worst case, wipe computers. The only known mitigation is to not download or open the malicious files. Viewing the files in ‘Protected View’ has also been reported to work in this case; opening the file outside of Protected View will infect the system, however.

Note: Disabling ‘Macros’ does not protect against this exploit. The exploit bypasses most system protections, including the tools built into Windows 10.

The malicious Word document arrives via email. Once opened, it downloads malicious code from a remote site and installs various malware payloads. The virus then opens a ‘decoy’ Word document in an attempt to cover its behavior.

A patch is expected today, but patches are useless if they are not applied. The patch will likely be issued only for Windows 7, 8, and 10. Older Windows versions will likely remain vulnerable.

At a Glance:

Threat Level: HIGH
Delivery Method: Email
Infection Vector: MS Word document (.doc, .docx, .rtf)
Infection Type: Various malware libraries
Vulnerable: All Windows versions. All Office versions.

Actions:

1- Communicate and Educate: Make sure ALL users are aware

2- Until patch is applied:  Utilize Protected View to view documents

You (or IT support) may also change registry settings so that documents automatically open in Protected View.

3- Pay attention to the patch cycle. Microsoft’s standard patch day is today. Make sure patches are applied and operational.
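For step 2, the registry settings that keep Word’s Protected View triggers switched on can be audited and enforced from PowerShell. This is an added example, not from the original post; it assumes Office 2010, 2013 or 2016 (registry hives 14.0, 15.0, 16.0) and uses the documented Office policy values, which are DWORDs where 0 means Protected View stays enabled for that trigger.

```powershell
# Added example (not from the original post): audit and enforce Word's Protected View
# triggers so that files from the Internet zone, e-mail attachments and unsafe
# locations open read-only in the sandbox instead of with full privileges.
# Assumption: Office 2010/2013/2016 hives; run in the affected user's context.
# Across a fleet the same values are better pushed by Group Policy.

$OfficeVersions = '14.0', '15.0', '16.0'
$Triggers = @{
    DisableInternetFilesInPV   = 'files from the Internet zone'
    DisableAttachementsInPV    = 'Outlook attachments'      # Microsoft's own spelling
    DisableUnsafeLocationsInPV = 'unsafe locations'
}

function Get-ProtectedViewState {
    # Report, per installed Office version, which triggers a user preference has turned off.
    foreach ($v in $OfficeVersions) {
        $prefKey = "HKCU:\Software\Microsoft\Office\$v\Word\Security\ProtectedView"
        if (-not (Test-Path $prefKey)) { continue }   # version not installed or never run
        foreach ($name in $Triggers.Keys) {
            $val = (Get-ItemProperty -Path $prefKey -Name $name -ErrorAction SilentlyContinue).$name
            [pscustomobject]@{
                Office  = $v
                Trigger = $Triggers[$name]
                Enabled = ($val -ne 1)      # absent or 0 means Protected View still applies
            }
        }
    }
}

function Set-ProtectedViewPolicy {
    # Write the policy keys; they override the Trust Center checkboxes and grey them out.
    # Keys for versions that are not installed are simply ignored by Office.
    foreach ($v in $OfficeVersions) {
        $polKey = "HKCU:\Software\Policies\Microsoft\Office\$v\Word\Security\ProtectedView"
        New-Item -Path $polKey -Force | Out-Null
        foreach ($name in $Triggers.Keys) {
            New-ItemProperty -Path $polKey -Name $name -Value 0 -PropertyType DWord -Force | Out-Null
        }
    }
}

Get-ProtectedViewState | Format-Table -AutoSize
Set-ProtectedViewPolicy
```

Protected View only engages for files that carry a zone mark, arrive as attachments, or sit in an unsafe location, so a document copied from removable media without that mark still opens normally; pair this with the patch rather than relying on it alone.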

Outside Links:

Ars Technica


Texas CoA Addresses Electronic Community Property and Invasion of Privacy

August 5, 2016

Reference:

Miller v. Talley Dunn Gallery LLC, 2016 Tex. App. LEXIS 2280

(Tex. App. – Dallas March 3, 2016) (mem. opinion)

(Cause No. 05-15-00444-CV)

Relevant Documents:

Memorandum Opinion:  March 3, 2016, Cause No. 05-15-00444-CV

Texas Penal Code 33

In this case, part of the original trial court’s decision determined that Talley Dunn and the Talley Dunn Gallery LLC had “established a probable right to recover on their claims under the HACA. [Harmful Access to Computers Act]” [March 3, 2016, Cause No. 05-15-00444-CV, pg. 19]

In his appeal, Bradley B. Miller argues that, while he admits that he took screenshots of information contained on the phone, the screenshots do not qualify as “access” and that he had effective consent to do so because the cell phone was community property.  [March 3, 2016, Cause No. 05-15-00444-CV, pg. 21-22]

Texas Penal Code § 33.01(1) defines access as:

“to approach, instruct, communicate with, store data in, retrieve or intercept data from, alter data or computer software in, or otherwise make use of any resource of a computer, computer network, computer program, or computer system.”

Neither party disputes that a cell phone is a computer, and the appellate court found that in order to take the screenshots Miller necessarily HAD to access the computing device, within the definition of the penal code. [March 3, 2016, Cause No. 05-15-00444-CV, pg. 22]

Regarding his argument that he had effective consent to access the cell phone because it was community property, the CoA relied upon the penal code definition of ‘owner’ as:

“a person who:

(A) has title to the property, possession of the property, whether lawful or not, or a greater right to possession of the property than the actor;

(B) has the right to restrict access to the property; or

(C) is the licensee of data or computer software.”

Dunn used the cell phone on a daily basis, had the right to place a password on it (and had), and the court determined Dunn had a ‘greater right to possession of the cell phone’. [March 3, 2016, Cause No. 05-15-00444-CV, pg. 23] Further, the CoA notes earlier in the opinion that “[N]othing in the Texas Constitution or our common law suggests that the right of privacy is limited to unmarried individuals.” [March 3, 2016, Cause No. 05-15-00444-CV, pg. 20]

Interestingly, the court does not address the multiple licenses that are part of the software and operating system that users have to acknowledge and accept to use a modern cell phone.  I would expect that will start coming up as another layer to the definition of ‘owner’, though.

Accordingly, the CoA concludes that “the trial court did not abuse its discretion by determining appellees established a probable right to recover on their claims under the HACA.”  [March 3, 2016, Cause No. 05-15-00444-CV, pg. 23]


‘Dangerous’ iPhone exploit code goes public – Computerworld

August 13, 2010

‘Dangerous’ iPhone exploit code goes public – Computerworld.

This was actually predictable.

A proof-of-concept demonstrated the ability to “jailbreak” iPhones over the web, with no computer involved, simply by browsing to a website directly on the iPhone. The reports are that this exploit works through a vulnerability in Adobe PDF handling on the iOS platform (the software that iPhones, iPads, etc. run on).

The originator of the exploit, a software hacker named “Comex”, did not initially release the code.

Throngs of people proceeded to jailbreak their iPhones in this way.  Those of us in the security and forensics world knew that an exploit would not be far behind.

On Wednesday Apple released a patch to fix the issue that enables this to happen.  Minutes later Comex released his code to the internet-at-large.

What does this all mean?

I know a large number of attorneys that use iPhones; I do too. I also know a large number of attorneys that use PDF documents (most, if not all, of them).

Because of the complexity of the code I would give this about two, maybe three, more days before there are active attempts to inject malicious code into iPhones.  This could hit attorneys that haven’t patched especially hard because of the PDF angle.

The answer is simple: patch your iPhone, iPad, etc. The patch works. I have only done limited testing, but even Comex notes that the patch stops the exploit. Comex sent a Tweet yesterday after Apple released the patch that says it all:

“That was fun while it lasted. Hope you saved your SHSH. Remember that 4.1 rhymes with fun.”

(4.1 is the vulnerable version of the iPhone iOS; 4.2 is the patched version.)