Portable power for search and seizure.

Feb 22, 2008

A major problem faced by data forensics professionals and law enforcement was how to confiscate computer systems without running the risk of damaging or losing access to information. It's all well and good if you seize a machine running full-disk encryption while it's online because, by definition, the disk is being transparently decrypted so that the machine can operate. Once you power it down, however, all bets are off because the machine won't boot back up without someone supplying a passphrase to the disk encryption system, and no one with anything shady in mind is going to give up their passphrases and incriminate themselves. It may not be feasible to gather electronic evidence from the running machine on-site due to the volume of data at hand, however, so this begs the question of how to move the whole shebang back to the forensics lab without actually cutting the power.

Enter Hotplug.

Hotplug is essentially a cut-over device which lets you connect an alternate source of power (such as an uninterruptible power supply) to a machine being seized that takes advantage of the fact that each power outlet in a multiple-outlet unit does not have an isolated power feed. You connect Hotplug to an unused outlet on a power strip (assuming that the box is plugged into one) so that you can then unplug the entire surge suppressor from the wall and move the system without it going offline (watch the "basic use" video, it's pretty cool), or you can use an attachment that fits over the electrical plug like a sleeve and supply electricity that way. There are even attachments that allow an S&S team to connect the Hotplug device to a spare outlet in a wall jack to supply power while the rest of the outlet is removed from the wall and physically disconnected from the power main. Or, if you're feeling particularly hardcore, you can cut the insulation on the power cable and patch Hotplug directly into the computer's power supply. Regardless of how the S&S team goes about it, they've got a live machine on AC power that can be carted away.

This certainly ups the ante for people who run servers that have encrypted file systems. Before, if a box was being seized, the team had to hope that they got lucky and found a logged in session (preferably with admin privileges) on a machine because this meant that the encrypted datastore could be accessed. If the machine was powered down somehow, the keys would be lost from memory and they'd be up a certain creek without a paddle, unless they happened to get hold of the passphrase somehow. There have also been cases in the past where a suspect had rigged up a power kill switch, so that when the door was kicked in all of the machines in a particular room went offline. While this is undoubtedly suspicious to law enforcement and the court, one of the nice things about cryptographic systems is that often they make it difficult to tell what is encrypted data and what is junk. A suspect could claim that the power coincidentally happened to go out and corrupted the contents of the drives in a machine, and there would be little way to prove otherwise. Now an active machine can be taken right to a lab and data extraction can begin.

I give this device about a year before it really penetrates the law enforcement and data forensics communities - the price starts at $500us, and good UPSes tend to start around $100us, so the barrier to entry is not so much the cost as it is word getting around about Hotplug.

ObDisclaimer: I don't work for Wiebetech, nor do I get any money from them. I find this device very interesting and potentially useful.