September 08, 2011

Is OWADE Illegal?

Forensics Investigation as Computer Crime?

OWADE (Offline Windows Analysis and Data Extraction) is an open source forensics tool for extracting “hidden” data from the hard drive of a Windows PC.  According to New Scientist, OWADE enables an investigator to “bypass” the encryption Windows uses to store data on the hard drive so the investigator can discover web browsing history, including user IDs and passwords.  New Scientist, “New forensics tool can expose all your online activity,” Sept. 7, 2011.

I wonder whether OWADE violates the Windows EULA or other legal restrictions  Microsoft asserts with respect to Windows.   
 For example, paragraph 8 of the End User License Agreement for Windows 7 Professional says the user may not “work around any technical limitations in the [Windows] software.”

What is the implication of an investigator violating the Windows EULA when he gathers data?  Is the investigator committing a computer crime?  Is he accessing a computer without authority and causing harm (paraphrase for violating the Computer Fraud and Abuse Act)?  

Is he infringing privacy law?  

Is he opening himself to a lawsuit from any person who is harmed?  

Is he rendering the data he collects inadmissible as evidence in court?

What do you think?

[Update: I wonder whether use of OWADE would violate the Digital Millennium Copyright Act (DMCA). 17 USC Sec. 1201 (a)(1) (A): “No person shall circumvent a technological measure that effectively controls access to a work protected under this title.” The argument might be this: 1. The Windows user used Windows to make records of his “work” (i.e. codes showing his browsing activity and history). 2. He used the encryption in Windows to control access to his “work.” 3. OWADE circumvents the encryption.  

DMCA is complex. I note that DMCA contains many exceptions, including certain exceptions for law enforcement.]



Mr. Wright teaches the law of data security and investigations at the SANS Institute.

Sep 8, 2011 11:14:27 AM | computer investigation training, criminal investigation, digital evidence, technology crime

3 Comments

Rob Dewhirst

If I understand the question correctly, your asking if you are violating the EULA of Windows on a computer you examine because you accepted the Agreement on another Windows computer?

In perusing the windows 7 license, it says it is licensed "per copy per computer basis". The investigator would have had to accept the EULA for the computer they are examining, no? I think that's unlikely.

Posted by: Rob Dewhirst | September 08, 2011 at 01:15 PM

Benjamin Wright

Rob: Your analysis sounds logical. Still, I'm not sure your analysis answers all the possible arguments about whether the investigator is doing something illegal.

Does it not feel fishy for an investigator to "bypass" encryption that is intended to protect privacy?

Thank you for your excellent comment. --Ben

Posted by: Benjamin Wright | September 08, 2011 at 01:30 PM

Peter de Lacey

Surely the Windows EULA only applies if you are running Windows. If you are using software on Linux or some other OS to analyse data on a disk the EULA does not apply, does it? Regardless of what OS was used to create the data. The DMCA and privacy issues are a different matter though.
-- Peter.

Posted by: Peter de Lacey | September 20, 2011 at 02:20 AM

The comments to this entry are closed.

NEXT POST
Cloud Computing Police Raid Seizure of Servers; Co-mingled Data What happens when police seize servers belonging to a cloud computing service provider? Spring 2009, a federal district court granted the FBI a search warrant to seize control of computer servers and related equipment in facilities run by Core IP Networks. Apparently Core leased its facilities to the owners of servers, including a cloud computing service provider named Liquid Motors. Liquid Motors was not accused of wrongdoing, but the FBI had information suggesting that a criminal enterprise (including apparently Core) had used LM’s servers or some of the data stored in them. LM helps large, national auto dealers manage their inventory and Internet marketing. The seizure shut LM down, and debilitated the operations of its innocent customers. The data of all LM users and customers were co-mingled in a cloud-computing style. Request Relief from Court LM promptly requested that the court cause the FBI to release the servers. It claimed that it and its innocent customers were suffering great economic hard. The court denied the request. The court was satisfied...
PREVIOUS POST
Augmented Reality Property Protection Augmented reality apps enable the user of a mobile device to see data and symbols laid over the image displayed in real time from the device’s camera. Data Over Famous Images For example, while standing outside a famous commercial building like Caesars Palace in Las Vegas, the user could point the camera on her Android smartphone at the building. The phone could display a live video image of the building. As that image is displayed, an augmented reality app could use geolocation and image recognition technology to discern that the video shows an image of the famous building. With the knowledge that CP is being displayed, the app might cause to be displayed on top of the image additional information, such as an advertisement that says, “Thinking of staying at Caesars Palace? We’ll give you a better deal down the street.” Or (hypothetically speaking) the app might display remarks from other users about Caesars Palace, like “CP is a dump!” What legal steps might the owner of Caesars Palace take to prevent apps from displaying...

Benjamin Wright

Attorney Benjamin Wright helps others navigate the law of technology.

The Typepad Team

Search

Become a Fan

My Other Accounts

Recent Comments