
SoylentNews is people

posted by takyon on Wednesday April 15 2015, @10:20AM
from the surveillance-stick dept.

ArsTechnica reports that Matt Campbell, a North Little Rock attorney who represents police department whistleblowers, supplied an external hard drive to the Fort Smith Police Department for them to copy emails and other evidence. When it was returned, he discovered that it contained three well-known trojan viruses:

According to court documents filed last week in the case, Campbell provided police officials with an external hard drive for them to load with e-mail and other data responding to his discovery request. When he got it back, he found something he didn't request. In a subfolder titled D:\Bales Court Order, a computer security consultant for Campbell allegedly found three well-known trojans, including:

  • Win32:Zbot-AVH[Trj], a password logger and backdoor
  • NSIS:Downloader-CC[Trj], a program that connects to attacker-controlled servers and downloads and installs additional programs, and
  • Two instances of Win32:Cycbot-NF[Trj], a backdoor

All three trojans are usually easily detected by antivirus software. In an affidavit filed in the whistle-blower case, Campbell's security consultant said it's unlikely the files were copied to the hard drive by accident, given claims by Fort Smith police that department systems ran real-time AV protection.

"Additionally, the placement of these trojans, all in the same sub-folder and not in the root directory, means that [t]he trojans were not already on the external hard drive that was sent to Mr. Campbell, and were more likely placed in that folder intentionally with the goal of taking command of Mr. Campbell's computer while also stealing passwords to his accounts."

Will the Fort Smith Police Department be held accountable? Place your bets...

 
  • (Score: 2) by urza9814 (3954) on Wednesday April 15 2015, @04:49PM (#171060)

    IANAL, but it seems in a sane world, if this had been done by the PD (and only if it can be reasonably proved to be so), the case would be thrown out for violation of procedures. The only way that might not occur is if the computer evidence had nothing to do with the charge and was only peripheral (e.g., the defendant was accused of something like trespassing, and the computer was seized). That all being said, I have a tough time understanding how one can quantifiably prove that trojans or command-control software was placed on the drive by the police (or some TLA). Unless a third-party holding company handled the transfer, along with images of the incoming/outgoing, it won't hold much ground.

    I think you've misunderstood the circumstances a bit. The drive itself isn't evidence. The drive was merely being used to transport files in response to a subpoena. So yes, this specific drive where the virus was found has nothing to do with the charges, and can't be thrown out as evidence because it's not really evidence to begin with, it's merely a copy of evidence.

    Of course, if they find out that these viruses were originally planted not on the drive but on the original copy...*then* it might screw up the case. Otherwise it's just new evidence of a new crime -- this one likely committed by the police themselves. Depending on the judge I imagine that could go anywhere from being basically ignored to having the police station raided by the FBI. Wouldn't be the first time...
