Computer forensics people are rarely given the password. They’re ok with that.
I cannot understand why the OP insists on making an admission of guilt practically the first thing out of your mouth when the cops come to the door. How do you not understand that telling the police that you deliberately destroyed the encryption key is very possibly incriminating in and of itself.
Pretty much everyone here disagrees with you. You are better off talking to a local lawyer and getting a more authoritative answer, than simply assuring yourself you are right and all of us are wrong.
Logging into a computer that you have physical access to without knowing the password is trivially easy; even easier is accessing files on the hard drives by just popping them out and plugging them into another computer.
But what we’re talking about here, decrypting data which is encrypted at rest, is not trivially easy. It’s not even sort of easy, it’s hard. Really effing hard, which is sort of the point of strong encryption. It’s not a matter of Microsoft knowing the secret super password or anything, it’s a matter of brute forcing the thing with an insane amount of time and computing power. Maybe the hypothetical involves a weak(er) encryption key/method and maybe the NSA has time to throw their experts at it, but for the sake of the hypothetical, it’s not hard to imagine a scenario where a criminal has encrypted files that are sufficiently difficult to decrypt that it won’t be done in time for the trial.
As for the OP, if you’re going to overcomplicate this by fabricating a story about flushing a water-soluble password on a whim, do it right. Create a device that holds your water-soluble password above a cup of water for 24 hours with a hidden reset button that you hit every day. Hide it somewhere where they won’t find it with the search warrant, and then when they’re grilling you 24 hours later, it’s gone.
Except letting a lawyer speak for you to the police.
It wouldn’t be the first thing I said; it would be what I said after, and only if, they had a warrant and demanded that I give them the password.
Nothing new, but when “everyone” is an anonymous five or six people, and I have a pretty good track record in real life against people who are certifiably smart, it’s not much of a deterrent.
I guess you saw through my claim it was for a friend, but it’s also not a real situation, so I don’t need a lawyer. And I’m not trying to say I’m right and everybody else is wrong; I’m playing Devil’s Advocate, trying to find flaws in my scenario. Of course, there are flaws — there would be something wrong if such a simple scheme entailed no risk whatever. But I still haven’t read anything that makes it seem like I would risk more by claiming I no longer have the password, than by refusing to tell them the password.
Right. And on The Mentalist, he can look around the guy’s office, note what books he has on the shelf and what pictures he has on his desk, and guess the password in about 30 seconds. But again, we’re talking about a strongly encrypted drive, not the Windows logon password.
You don’t claim you no longer have a password. You don’t refuse to give them a password. You tell them, “I will not answer questions without advice from my lawyer.”
There is zero chance that this will have negative legal consequences for you. Saying anything else entails some risk. This is not even a matter of opinion, it is matter of fact.
See, that’s where we disagree. As someone cited above, simple refusal to answer when asked the password can result in indefinite jail time, at least in some juridictions. So there is a significant risk in lawyering up and saying nothing.
So if I reject that alternative, and admit that the drive is encrypted (which they could easily prove without my admission), but that the password is impossible to memorize, I can either say that early or late in the process. If I say it right away, I can make a plausible case to the jury that I panicked and destroyed the password before I even let them in the door. If I lawyer up and finally say it after I’ve been out on bail for a month, no jury in the world is going to believe that I didn’t destroy the password after I was formally notified that it was considered evidence in a criminal case.
Like I said before, there would be something wrong if there was a perfect solution to this. I’ve just given three bad alternatives. But while the “lie immediately” alternative entails a risk of jail time, it seems the other two entail almost a certainty of jail time.
Now, IF the case law on refusing to give a password were settled, and it was considered a violation of the 4th Amendment to force someone to give his password, THEN lawyering up would be the obvious strategy. But AFAIK that has not happened.
I think " [The password is] too long and random to memorize, so I wrote it down, and I keep it hidden in my house …" is a major flaw. The police will find it, no matter how many weeks or months it takes to tear apart your house. They have a search warrant, so they already have evidence against you. Better you wait until your arraignment and find out what charges they are pursuing, balanced against the punishment of contempt of court … right … the police themselves don’t usually have the authority to demand your password … they have to have a court order.
Unless you have a lot of experience in these types of criminal court hearings, you’ll want a lawyer … and the first thing you need to be able to tell your lawyer is “No, I haven’t said anything to the police” … you definitely want your lawyer to like you.
Lying to police … contempt of court … these can be serious felonies and their punishments will be added to whatever felony you’ve already committed. Hire a lawyer …
I think the risk here is 1 … lie to the police and you will spend time in jail. They have logs from some router that says you downloaded a video from a site that only posts illegal videos. You certainly don’t have to give up the password when the search warrant is served, you’re entitled to remain silent.
From Wikipedia:
I said this right at the beginning - the timing of the destruction of evidence is irrelevant. You tell them the password is flushed, you have just confessed to obstruction. Guaranteed extended jail time, especially if the DA is frustrated over the main case. The less you say - other than “Lawyer, please” - the better; the rest is ammunition.
Contempt, although indefinite, has the option that they will give up and release you, or your lawyer will come through. After all, they cannot prove you have not forgotten.
But then, they can try to convict without the crucial evidence.
I suspect 90% of strong passwords (i.e. not the dog or the wife’s name) are not that simple to guess. Toss in L337speak and text message abbreviations. and the choices are astronomical. “LifeIsLikeABoxOfChocolates” (not my password) is pretty hard to guess - after all how many famous movie quotes are there? Book titles? Lines from songs? (Hint - don’t use the first line, and not from the most played songs on your iTunes…) etc. Anyone who puts a bit of thought into their password can make it basically unguessable.
What is your goal? According to the OP, you have actually committed one or more crimes, so you’ve taken risks and you face punishment if a case is made.
A lawyer is not there to magically justify your indefinite refusal to answer questions. A lawyer is there to give you an objective assessment of what punishment you might face given the choices you’re allowed. For instance, a lawyer may be able to negotiate some form of immunity or a reduced sentence in exchange for the information the cops want. The lawyer’s advice may be to tell them what they want to know, if the consequences of telling them are less dangerous than the possible consequences of keeping your mouth shut. .
A lawyer is there to tell you not to stupidly boast that you destroyed evidence in the mistaken belief it will get you off.
OK, that’s what I was missing. I somehow had the idea that you had to be told not to delete anything first, and I’m pretty sure I got if from news stories about people who deleted things after being told not to.
And in case anybody missed it, this was all hypothetical. I don’t need a lawyer. Thanks to everyone for their responses.
TV shows have given people the impression that a good hacker can break into any encrypted data in a matter of minutes. In reality, if the software is “good” (has no backdoors or other flaws, uses a good encryption algorithm, etc) and the user has chosen a good password, not written it down anywhere, etc., it is a monumental, bordering on impossible, task to break encryption in most cases. Maybe the NSA can do it in some cases, they are typically several years ahead of the rest of the crypto community. But some engineer hired by the police, or even employed by Microsoft, probably can’t do it.
Many encryption programs provide a form of “deniable encryption”. A simple example is when there are two passwords. The real password decrypts the files into your data. The fake password actually decrypts the files into some other, innocuous, data. You give the cops the fake password, they (apparently) successfully decrypt it, find nothing interesting and let you go. In an ideal world.
–Mark
Or a password of a random number of random characters, like between 24 characters and 32 characters.
Does anybody here know how hacker groups like Anonymous are so successful in hacking into so many computer systems, web sites, etc.?
This seems like one hell of an if. How common, really, is encryption that has all of these characteristics?
Not difficult if you know what you’re doing.