Forensics Investigation as Computer Crime?
OWADE (Offline Windows Analysis and Data Extraction) is an open source forensics tool for extracting “hidden” data from the hard drive of a Windows PC. According to New Scientist, OWADE enables an investigator to “bypass” the encryption Windows uses to store data on the hard drive so the investigator can discover web browsing history, including user IDs and passwords. New Scientist, “New forensics tool can expose all your online activity,” Sept. 7, 2011.
I wonder whether OWADE violates the Windows EULA or other legal restrictions Microsoft asserts with respect to Windows. For example, paragraph 8 of the End User License Agreement for Windows 7 Professional says the user may not “work around any technical limitations in the [Windows] software.”
What is the implication of an investigator violating the Windows EULA when he gathers data? Is the investigator committing a computer crime? Is he accessing a computer without authority and causing harm (paraphrase for violating the Computer Fraud and Abuse Act)?
Is he infringing privacy law?
Is he opening himself to a lawsuit from any person who is harmed?
Is he rendering the data he collects inadmissible as evidence in court?
What do you think?
[Update: I wonder whether use of OWADE would violate the Digital Millennium Copyright Act (DMCA). 17 USC Sec. 1201(a)(1)(A): “No person shall circumvent a technological measure that effectively controls access to a work protected under this title.” The argument might be this: 1. The Windows user used Windows to make records of his “work” (i.e. codes showing his browsing activity and history). 2. He used the encryption in Windows to control access to his “work.” 3. OWADE circumvents the encryption.
DMCA is complex. I note that DMCA contains many exceptions, including certain exceptions for law enforcement.]
Mr. Wright teaches the law of data security and investigations at the SANS Institute.