Thursday, June 18, 2015

USB Flash Drive Insecurity and Video Evidence

Recently there was a discussion among CITOC members regarding the increasing use of video from a variety of sources in courtrooms (including law enforcement patrol cars and body cameras).  One solution suggested was to have this evidence delivered by USB Flash Drive for replay in the courtroom because the “Stick” could be left with the court for evidence.  This may or may not be a good solution; we discuss below…


On several occasions in recent years I have encountered computer viruses on a USB Flash Drive given to me to transfer a file.  Luckily our anti-virus software has immediately caught it (I also run a full scan after this happens just to make sure).  Our new anti-virus software now does a full scan of the USB when it is plugged into my computer.  But unfortunately the virus writers have become even more creative.

Last summer at the hacker conference, Black Hat, researchers showed how a malware program they created called BadUSB can:
“completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic. Because BadUSB resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions, the attack code can remain hidden long after the contents of the device’s memory would appear to the average user to be deleted.”
As one knows, once the concept of an “attack vector” is proven, it will become a real threat in the real world.

The idea of leaving the USB stick with the court as “evidence” may or may not fulfill the chain of custody standard.  This is because in many instances the video file format may be changed or edited from the source in order to be placed on the device to run it on a computer.  Therefore any processes used for evidence presentation must be well documented and attested to by the submitters.  This documentation should be filed with the video in support of its introduction.

If there is a jury involved, the court may wish to allow them to playback the video on their own.  Some courts are placing this evidence on iPads or similar devices that in turn can be linked to a large screen in the jury room (the new Microsoft Surface Hub supports this for example).  This approach can speed the jury’s work since they don’t have to adjourn, make a request to the judge, and return to the courtroom for playback as is done with videotapes and televisions.

Suffice to say that there is a digital file (in this instance video) involved.  We noted in an article a couple of weeks ago about the possibility of using the LegalXML ECF E-filing standard to file a “link” to an external approved service (server).  Now this server could be one that the court operates, a dedicated shared general government provided server, one provided by law enforcement (separate from their network), or a contracted service.  In any event the server must also allow and store the digital signature of the file submitted for evidentiary authentication.

One could still use USB flash drives to load files on the server.  I would say that if this is chosen that these devices should only be used for this purpose, and that they would be checked-in and out of a control office and scanned/cleaned between uses.  But that still doesn’t mean that they couldn’t be infected by the computer that is used to load the files.  This is a time and staff intensive approach to solving this problem and thus the E-filing approach probably makes more sense.

This is an issue to think about as the need to support this new video evidence in the courtroom is becoming greater every day.

No comments:

Post a Comment