
THE HARD DRIVE TRAP

As Published On
The Out-Lawyer’s Blog: http://www.jaygaskill.com/blog1
And
The Policy Think Site: http://www.jaygaskill.com
All contents, unless otherwise indicated are
Copyright © 2005, 2006, 2007 and 2008 by Jay B. Gaskill
Permission to publish, distribute or print all or part of this article (except for personal use) is needed. [Permission for use in group discussions is almost always routinely given.]
Please contact Jay B. Gaskill, attorney at law, via e mail at law@jaygaskill.com

 

The last minute focus on Reiser’s hard drives was a predictable consequence of the attempt to hide them for a year and a half.  I am persuaded that Hans was naïve enough to believe that the drives might be secure in his lawyer’s hands.  Their late disclosure will give a sort of “TaDA!” effect to the end of evidence, something that would never have occurred had they been in police hands from the first. As I explain below, that last minute emphasis could cut either way, depending on what is actually found.

 

Advice to Criminals with HARD DRIVES:

 

Never give your suspicious hard drives to the same law firm that you choose to represent you in the related criminal case,  because you can be sure that eventually the material will be discovered by the prosecution.  And you risk damage to the credibility of your own legal team when you put them in this position, especially if it turns out that the evidence has been altered in some way.  Instead, give the drives to another law firm not related to the criminal case and ask them to keep the entire transaction confidential, and please, please don’t be naïve enough to tell them that there is incriminating information on them.  And do not reveal to your criminal defense team that you have done this.  Oh… And do not take the witness stand if you really intend to conceal evidence. 

 

Okay?

 

Here’s the trap.  After all this fuss, it actually helps the defense if it turns out that the drives contain nothing but innocuous, business-related files AND there is no evidence of any file deletion or erasure on or after September 3, 2006.  It helps the defense because it reinforces the defense portrayal of a slightly paranoid geek who, though innocent, manages to make himself look guilty because of his personal quirks.

 

I’ve already indicated that there is no chance the DA’s team will find a “Dear diary, this is how I killed Nina” entry.   But at a minimum, the DA’s expert might hope to uncover copies of threatening e-mails addressed to Nina in which Hans made reference to his martial arts training.  But they might be stale, in effect capturing a much more volatile period in the divorce.  That should not impair their admissibility, but might diminish their forensic impact somewhat.

 

Ah, but an e-mail along those lines within a few weeks prior to September 3rd 2006? That could actually lose the case for the defense, given the enhanced last minute attention.

 

But the hard drive mother lode, if it exists, would consist of any case pertinent files that were written, downloaded or modified by Hans on September 3, and in the immediately following days.  This would give everyone a window into what Hans was most concerned about during those critical evening hours when only the killer knew that Nina was dead. For example, a downloaded map of the Oakland Hills around the time of Nina’s disappearance could be damning. 

 

Hans might have told DuBois, “Don’t worry, there is nothing on those drives to worry about. They won’t find a thing.”  Hans is just clueless enough that he might not realize, until too late, that he has left something truly incriminating behind on those drives.  This is why, in spite of any reassurances from Hans, Bill DuBois can’t rest easy until he knows everything that has been discovered on the hard drives. 

 

JBG

 

Addendum:

 

A correspondent who might know, wrote me today:

 

Hans Reiser is one of the foremost geniuses about file systems. He was working for the US government on a DARPA funded project. He was also working with the Russians. To put it another way, he could add or delete any information he wanted to with whatever date he wanted to at any time and it would be totally and completely untraceable.


Comments

You may well be right. The real question is whether there are any traces of deletions on or about 9-3-06 and following. I added a comment at the bottom of this post from someone who e-mailed me today about this issue. Any ordinary person who has killed on impulse will be under huge stress immediately afterwards, & might not be at the top of his game. Mistakes trip up very intelligent people all the time...

JBG

Do we know anything about the operating system that Hans used at home? If he's using some Linux variant, then the standard forensic exam tools won't work, or won't work well. Sure, Encase can read ReiserFS but how easy will it be for the prosecution expert to find things? This is a complex task.

If Hans has implemented some odd filesystem modifications -- i.e., a non-standard implementation of ReiserFS that would "break" Encase, or, even worse for the prosecution, if he's implemented disk-based encryption, it's possible that no information would be recoverable at all. Hans strikes me as just paranoid enough to do either.

JBG, this may be one of the cases in which a lot of what we normally deal with in forensics gets thrown out the door.

Encase and FTK -- the standard computer forensic tools law enforcement would have experience with -- work well with Windows file systems. It's relatively easy for an investigator to offer an opinion about whether files were deleted on an NTFS partition.

But ReiserFS is structured differently. There appears to be NO undelete utility for ReiserFS (google it). I don't have the time or inclination to create a sample ReiserFS partition and peek at it in Encase, but I strongly, strongly suspect that standard tools aren't going to cut it.

My guess is that Hans knows that normal law enforcement forensics isn't going to cut it. Even if he wasn't trying hard to cover himself (with encryption, etc.) his hard drives might be a black box. If he was actively paranoid, then all bets are off.

Note this:
JBG

Do we know anything about the operating system that Hans used at home?
During earlier testimony he stated that he had two computers,
a Linux one and a Windows one.

We know not the machine out of which the drives came, but I suspect the Linux one, because drives out of standard Windows boxes are an open-sesame to the 'expert' who works at the local Sheriff's office, because he will have forensic tools for Windows on hand, but almost certainly not ones for one of Hans' filesystems on Linux.

Good question.
JBG

Did authorities check Nina's computer(s) and/or her ISP for Hans' emails to her? If Hans had sent threatening emails to me, I would have saved them somewhere(just in case).

Probably true, but not as bad as a "smoking gun" discovery!
JBG

If nothing shows up on the drives, it will be VERY bad for Hans. The prosecution would just point to them and say "Look, it's his filesystem, he was studying murder/police investigations... and he attempted to hide the drives from us anyway."

Lack of evidence is not evidence that something's lacking, but the attempted concealment of this data indicates that speculation may be allowed.

The comment is true as far as it goes, but a specific threat that fits the "vanishing Nina" scenario is potentially terrible for Hans. Many divorces are "hot", but few involve actual violence or concrete threats. But within that subset, instances of real violence (and worse) are fairly common.

JBG

Though much has been made of threatening emails, please consider that in the course of divorcing an unfaithful and rather conniving spouse Hans may have written something he is not proud of. Nina's emails should also be under suspicion of being just machinations of her crafty, men-hating attorney. The first thing that is being recommended to a woman seeking divorce: accuse husband of violence toward you, get a restraining order (almost a sure thing), kick him out of the house (read: he loses property + custody is automatically resolved).

Such posturing, it could be argued, is a common tactic of divorce lawyers and as such, should not be perceived by jury as indication of guilt or innocence.

If Nina has decided to vanish indeed (there is no proof that she is dead, is there?) - the game certainly went her way. Kids are in her mom's custody, her almost ex-husband is in jail, on trial for murder. Nina has left behind her documents, etc -- which would have no value to her if she headed back to Russia. Obtaining an alternative document for travel purposes would not be a huge issue for her (including a document under a different name). No one seems to have picked up that Nina went to high school in the US. No ordinary kid would have this option unless the family was well-connected (preferably KGB or Party elite).

Hans has already spent 1.5 years behind bars, his life is shattered, children taken away. IMO, government should be made accountable for this, unless the jury finds him guilty as charged and the verdict survives an appeal.

Re your question: I just don't know, but one correspondent has suggested that one computer was running a version of Windows and the other was running on a variation of Linux. The Sheriff's department in Alameda County has access to some sophisticated resources and is helping OPD here.

Stay tuned.

JBG

I'm curious to know what filesystem reiser is using on his home computer - it'd be pretty funny if they weren't running reiserfs.

Also, I think it'd be terribly naive to think reiser wouldn't have anything incriminating on those drives. i'm sure there are google searches in his history for s... like "how to dispose of a body in Oakland"

That said, if they're reiserfs I highly doubt whatever chump the OPD has doing forensics is going to know what the hell to do with it, particularly if it's running a development version of the filesystem.

Is there any way for the public to inquire as to what filesystem is on the drives? A lot of us (speaking for the Linux development community) would like to know...

"No one seems to have picked up that Nina went to high school in the US. No ordinary kid would have this option unless the family was well-connected (preferably KGB or Party elite)"


This is plainly not true. Lots of young people from Russia study in US schools. Most of them get scholarships or other forms of financial assistance. In no way is the ability to go to a US school related to being connected to the elite. All you have to do is to pass the tests and compete with other kids who applied.

Oops, I didn't read carefully the joy's post -- missed the high in high school. I thought we're talking about colleges :-)

So there are not so many people from Russia in US high schools, but still there are some. Again, this is in no way related to eliteness. It is more related to having relatives/contacts in the States. If parents are working/studying in the US, the kids usually go to school there.

To put it another way, he could add or delete any information he wanted to with whatever date he wanted to at any time and it would be totally and completely untraceable.

As a professional programmer, I can tell you that this is complete rubbish. A fairy tale by somebody who watched way too many Hollywood movies.
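The addendum's claim and the reply above turn on one concrete question: can a user stamp a file with whatever date he likes and leave no trace? The following is an added example, written for this page and not taken from the post, any commenter, or Reiser's own code. It assumes a Linux or macOS host and a constructed sample file; the September 2, 2006 backdate is an illustrative choice, not a fact from the case.

```python
import os
import tempfile
import time
from datetime import datetime, timezone

# Constructed sample: the "innocent" date a timestomper might pick, the day
# before the September 3, 2006 date the post is concerned with. Assumption
# for illustration only.
BACKDATE = datetime(2006, 9, 2, 12, 0, tzinfo=timezone.utc).timestamp()


def backdate(path, when=BACKDATE):
    """Set atime and mtime to `when` through the ordinary kernel interface.

    This is everything `touch -d` or a user-space timestomping tool can do:
    utime()/utimensat() accept atime and mtime only. The kernel records the
    call itself as a metadata change and sets ctime to the current clock.
    """
    os.utime(path, (when, when))
    return os.stat(path)


def looks_timestomped(st, slack=60.0):
    """Heuristic: mtime far older than ctime.

    A normal edit-and-save leaves mtime and ctime within a moment of each
    other. A large gap means metadata was touched long after the claimed
    modification. chmod/chown/rename do that legitimately, so this is a lead
    to examine, not proof of forgery. (On Linux/macOS st_ctime is the inode
    change time; on Windows it is the creation time, which still exposes a
    file "modified" before it existed.)
    """
    return (st.st_ctime - st.st_mtime) > slack


def demo():
    """Create a file, backdate it, and report what the inode reveals."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "notes.txt")
        with open(path, "w") as f:
            f.write("constructed sample content\n")
        fresh = os.stat(path)
        stomped = backdate(path)
        now = time.time()
        return {
            "flagged_before": looks_timestomped(fresh),
            "mtime_backdated": abs(stomped.st_mtime - BACKDATE) < 1.0,
            "ctime_is_now": abs(stomped.st_ctime - now) < 60.0,
            "flagged_after": looks_timestomped(stomped),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run as-is, the freshly written file is not flagged, the backdated file carries the 2006 mtime, and its ctime still reads as the moment the backdating happened, which is exactly the discrepancy an examiner looks for. Rewriting ctime too requires going around the kernel's file interface: root access to the raw block device and an inode editor for the specific filesystem (debugfs can do this on ext filesystems), or changing the system clock first. That is the level of effort the correspondent's "totally untraceable" claim quietly assumes, and even then journals, backups and the surrounding files' own timestamps are not rewritten for free.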

This is related to my comment regarding the school. In 2006 Nina's age was specified at 31. This would make her 15 in 1990. At that time, the Soviet Union, although coming apart at the seams, was still the Soviet Union. Going to high school in the US would have required *connections*. The family has been portrayed in the media as a "traditional family of doctors". It would have been a rather unusual event at the time to have Nina sent to the US to study; the family has got to have pulled strings or known the right people (hence my comment regarding KGB or Party). It would not have been possible for an "ordinary" person to get their kid to study in high school OR college abroad at that time. Clearly, the story spun by the prosecution with respect to Nina's family and background does not match what I've outlined above.
Assumptions that are commonly made about Russia or the Soviet Union in general, and in the course of this trial in particular, do not reflect reality at all (Reiser is right on many points in his testimony with respect to what was involved in running a business in that part of the world, life there, etc.).
Media and trial coverage expose a tremendous amount of cultural ignorance -- people just do not understand that, for instance, Ellen Doren would NOT have betrayed Nina's confidence, had there been a conspiracy or shady behavior on Nina's part. It is not in Russian culture to "rat out" your compatriot to the police, etc.

Another [unrelated] point. 20/20 showed a rather weird interview with Reiser, with Hans answering the question "Where is Nina?" in a rather odd way: "I think I am the person who does not know". To me it speaks volumes -- 20/20, like any other media outlet, engages in sensationalism. Most likely the phrase was cut and taken out of context to create an appearance of controversy. I had simply assumed that Reiser was trying to make the point that the question is pointless. What was the purpose of asking him that?

I would assume a fair amount of the same (taking things out of context in absence of any real evidence) going on in the courtroom.
