Computer Forensics & Copyright Troll Cases

Thought I would go over some information concerning the forensic aspect of these types of cases.  It is a rehash of a previous post, but the information is still relevant.

For a majority of the current BitTorrent copyright infringement cases, the only Plaintiff/Troll to likely conduct a forensic examination at this time is Malibu Media/Troll Lipscomb.  The reason for this is forensic consultants are not generally cheap.  Malibu Media has adapted their case filings to what they deem the more serious long-term offenders; so they believe their false-positive rate is lower than the other mass-Doe cases.  Even with this belief, the forensic consultant is costly and not to be employed lightly.

Many other factors come into play, such as the Defendant’s likely income and ability to pay a judgment.  Spending thousands of dollars for a forensic examination is pointless if the defendant has no money/assets to pay from.  The best you get from a non-paying party is more headaches and the right to brag that you “actually do go after offenders.”  The large judgments (as well as the fees/costs) against the three defendants in the PA Bellwether trial are good for Malibu Media/Troll Lipscomb’s PR/fear image, but not necessarily the bottom line (getting paid).  There may be some debate on the long-term benefit of this case, but the up-front costs were borne by Malibu Media/Troll Lipscomb.  Remember that the business model is to generate revenue on a repeatable basis, not stamp out piracy of Plaintiff’s content.

When Will Forensics Occur?

This is usually done after depositions (interviews of the network users) and written interrogatories (questions to the ISP subscriber/Defendant(s)).  The forensics can take place during such activity, but a forensic consultant will better benefit from knowing what the Defendant stated in their Answer, Interrogatories, and Deposition.  If the answers the defendant provided indicate guilt or look really bad, a settlement may occur prior to any forensics.  Usually a forensic examination is going to happen if the previous actions failed to disclose any direct evidence or a settlement could not be reached.

What Will They Look For?

Anything and everything that can possibly help them.  Mainly this means evidence of a BitTorrent client installed on the system, Plaintiff’s movies, any .torrent files, and any of the “other” files (AKA: Exhibit C) that were being shared via BitTorrent on the public IP address of the Defendant.

Other things that will likely be searched for are dates showing when the current operating system was installed on the computers, as well as general use of the system.  Was it installed after the Doe was notified of the case by the ISP??? – indicating a system was wiped & reloaded.  Does the system have very little use up until the Doe was notified of the case by the ISP??? – indicating a possible replacement system.  Or was a new system purchased after this notification??? – indicating that a system was possibly removed/replaced from the residence.

They will likely look at the Web history to see if you visit sites such as “The Pirate Bay,” “TorrentFreak,” or even “DieTrollDie” and “Fight Copyright Trolls.”

– Deposition question asked of Doe #1 (PA Bellwether case)

Identify each Web site, blog, or message board, which you have visited, or which you have subscribed, posted to, which refers to, relates to, or discusses Internet Piracy, BitTorrent file sharing, or which provides information to people regarding suits which alleged people have committed online copyright infringement.

Are there any programs that could be used to securely delete (wipe) files from the system???  We have seen Trolls claim “CCleaner” was used to destroy evidence simply because it has that ability.  I would assume they would also look for data encryption programs that could be used to hide possible evidence.

These items will be looked for in the system file structure, as well as the unused portions of the hard drives (Unallocated Space).  The Unallocated Space of the hard drive can hold lots of past information, but the context of it is sometimes hard to know.  What if a search of the hard drive comes up with the SHA-1 hash value and file name for the Malibu Media movie “Pretty Back Door Baby” (B17E6CBB71FF9E931ED034CFC5EC7A3B8F29BB1E) in the Unallocated Space of the hard drive?  Does this mean you are guilty???  Or is that part of a Web search you conducted once you started to look into the case?  Here is what I get if you search for that SHA-1 hash value in Google.


Oh look, “The Pirate Bay” is in the search results, I guess I’m guilty… Not.  What if I clicked on the link to The Pirate Bay result???  It still doesn’t mean you did anything wrong.  But that will not stop Plaintiff from claiming you are the offender and you visit “pirate” sites.
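The point about context can be made concrete: a hit on the hash value alone says little, while the bytes sitting directly in front of it separate a web search from a magnet link. The sketch below is an added example, not code from this post or from any forensic product; the context rules, function names and the sample image are assumptions constructed for illustration, and only the hash value comes from the post.

```python
import re

HASH_HEX = "B17E6CBB71FF9E931ED034CFC5EC7A3B8F29BB1E"  # value quoted in the post

# Assumed heuristics: what immediately precedes a hit hints at how it got on disk.
CONTEXT_RULES = [
    ("magnet-link", re.compile(rb"magnet:\?xt=urn:btih:$", re.I)),
    ("search-query", re.compile(rb"[?&]q=[!-%'-~]{0,200}$", re.I)),
    ("web-url", re.compile(rb"https?://[!-~]{0,200}$", re.I)),
]

def encodings(hash_hex):
    """Byte patterns under which one SHA-1 value can be stored."""
    pats = {"raw-20-bytes": bytes.fromhex(hash_hex)}
    for case, text in (("upper", hash_hex.upper()), ("lower", hash_hex.lower())):
        pats[f"ascii-hex-{case}"] = text.encode("ascii")
        pats[f"utf16le-hex-{case}"] = text.encode("utf-16-le")
    return pats

def scan(image, hash_hex=HASH_HEX, window=128):
    """Return sorted (offset, encoding, context) tuples for every hit."""
    hits = []
    for name, pat in encodings(hash_hex).items():
        start = image.find(pat)
        while start != -1:
            before = image[max(0, start - window):start]
            if name.startswith("utf16le"):
                before = before.replace(b"\x00", b"")  # fold UTF-16LE to ASCII
            label = next((lbl for lbl, rx in CONTEXT_RULES if rx.search(before)),
                         "no-context")
            hits.append((start, name, label))
            start = image.find(pat, start + 1)
    return sorted(hits)

def sample_image():
    """Constructed stand-in for a run of unallocated space."""
    return b"".join([
        b"\x00" * 32,
        b"https://www.google.com/search?q=" + HASH_HEX.encode("ascii"),
        b"\xff" * 16,
        ("magnet:?xt=urn:btih:" + HASH_HEX.lower()).encode("utf-16-le"),
        b"\x13\x37" * 8,
        bytes.fromhex(HASH_HEX),
        b"\xee" * 32,
    ])

if __name__ == "__main__":
    for offset, encoding, context in scan(sample_image()):
        print(f"{offset:#08x}  {encoding:<18} {context}")
```

On the constructed image the three hits come back as a search query, a magnet link and a bare binary value with no recoverable context, which is the distinction an examiner's report should carry alongside each offset.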

The free rein Plaintiff wants to conduct such forensic examinations is scary, as it is so open in comparison to what they are actually searching for – BT Client, BT/.torrent files, Plaintiff’s movie(s) in the complaint, and Third-party movies (Exhibit C).  As far as Federal civil lawsuits go, I don’t know if this “Wide-Open” (Fishing Expedition) forensic examination can be tailored down to a search for the relevant evidence.

I would certainly try to limit the scope of the search.  I believe a court could limit the scope of the search to the obvious relevant evidence, as well as when the OS was installed, activity at specific dates/times in question (claims in the complaint), and for obvious signs of data destruction (Unallocated Space is overwritten with “0”s, etc.).  Any other information sought needs to be part of a specific request with the proper justification supporting it (My opinion).

Now What Happens If The Forensics Turns Up Nothing?

If a forensic examination fails to turn up a “smoking gun” (Plaintiff’s movie(s), BT Client, .torrent files, and the Third-party files (Exhibit C)), the Plaintiff/Troll is likely to point to any file or data remnant that may support their position.  Remember that in these cases, the burden of proof is only preponderance (AKA: More than likely that a Doe did it).

Even if they find absolutely no evidence, they can simply claim that you removed the offending system from the residence and did not provide a copy of the hard drive for analysis.  Such activity is of course possible and Troll Keith Lipscomb has stated as much in the PA Bellwether trial.

The following folder contains the audio recording for the PA Bellwether trial and can provide some good insight.  Note: I’m attempting to obtain a transcript of the trial – will hopefully post soon.  Audio Folder

DieTrollDie 🙂

Previous Posts Of Interest

Copyright Trolls Don’t Do Investigations

Copyright Troll Crap Shoot

About DieTrollDie

I'm one of the many 'John Does' (200,000+ & growing in the US) who Copyright Trolls have threatened with a civil law suit unless they are paid off. What is a Copyright Troll? Check out the Electronic Frontier Foundation link -

10 Responses to Computer Forensics & Copyright Troll Cases

  1. norahc says:

    Given Microsoft’s announcement that they are retiring SHA1 due to “collision”s, I wonder how this is going to affect these types of cases. Theoretically, a defendant could claim that the SHA1 file on their computer is the result of a “collision” and point to Microsoft’s comments about it to support them. How would the Trolls be able to prove that the SHA1 file they found is the file for their torrent?

    • DieTrollDie says:

      I will review the article. But the chance of a collision is super rare. Even with this chance, the technician will simply download enough parts to review it visually. BT will eventually update its hashing function to a higher standard.

      DTD 🙂

      • norahc says:

        I realize the chance is extremely rare, but I could see an enterprising defendant using the claim just to make a Troll prove it was their file the SHA1 indicates and not another one.

    • DonaldB says:

      That’s a pretty narrow point to stand on.
      The chance of a collision is extremely remote. It’s beyond a reasonable doubt, let alone the standard of a preponderance of evidence.

  2. that anonymous coward says:

    You left off the single most damning thing they claim.
    If you have a penis, you MUST have done it.
    Men like porn, ergo if our target is male he is guilty guilty guilty.

    • DieTrollDie says:

      TAC – here is my take on it using a scene from the movie “Full Metal Jacket.”
      “Any Doe who fights is a Pirate – Any Doe who does nothing is a well-disciplined Pirate.”

  3. Daniel says:


    Good post.

    Would it be prudent to use a separate machine, i.e. a virtualized OS, to do P2P?

    Evidence spoliation is a crime, but what about deliberately setting up your system in such a way that you have no router logs and no way of knowing what your roommate, family or guests are doing from the connection?

    Are there any theories of civil or criminal liability you think would be viable in such a situation?

    Another issue, I don’t remember you have covered is the number of connectable devices covered by the subpoena.

    Must the subpoena be directed specifically to all persons or only the internet subscriber?

    And what if the internet subscriber lacks the ability to account for unknown devices – some of which aren’t in his custody?

    How would they prove or disprove the subscriber’s claim that some of the devices using the access point can’t be accounted for?

    • DieTrollDie says:

      I will not present methods to do P2P – this is not the forum. I do not support copyright infringement and ask people not to do it. Some people do use virtualized systems, but a seasoned forensic expert is going to note the application and look for the most used OS images, as well as the date of the image. There is no problem with having little to no logging IMO – as long as this is done prior to any copyright infringement cases/ISP notification. Changing this after the fact looks suspicious and doesn’t help. Even with logging, the majority of people will never look through the logs or even try to determine what the users are doing AND there is no requirement to do so. PERIOD. No criminal or civil liability. The ISP subpoena only covers the information in the records of the ISP and not all your devices. The “discovery” portion of the case (if it ever reaches this point) will cover all the devices in the residence that a Doe has control over. The troll will also ask the Doe who else has used the Internet connection during the infringement time – The Doe tells the Troll that a friend spent a week at a Doe’s house and used the Internet connection during the date/time in question. It then becomes the responsibility of the troll to interview the friend and possibly do a forensic exam on his system – will require some court order unless the friend voluntarily consents. The Troll doesn’t care if there were other unknown devices that used the Internet connection. In fact they would prefer that you don’t say anything like that. Otherwise they have to try to disprove the possibility that a third-party did it. The trolls love to hear that the WiFi was secure and no unknown systems or third-party used it during the date/time in question. Remember they DO NOT have to Prove or Disprove, only show that it is more than likely that a Doe did it – as 99% of the cases never reach this stage, having to even do this is remote.

      DTD 🙂

  4. computer crime investigation says:


    “Computer Forensics in London is a specialty of First Response. We offer investigations of computer crimes like IP theft and fraud and employment disputes.”
    The URL is hXXp://

    I would usually kill the following comment, as a form of Spam, but I decided to let it go so some people might have a chance to look at the private sector computer forensics out there. Computer forensics for these BT copyright infringement cases is generally going to be a very very small sub-section for the majority of these companies. Most of the technicians will likely have never run a BT copyright infringement case. A forensic examination of this type isn’t that different from their standard cases. The thing that is normal for all computer forensic examinations is the cost – high (in general terms). So high that it is not generally cost effective for a Plaintiff/Troll to do this. Here is what I found at the MSA Investigations Web site.

    What does a computer forensic examination cost?
    We charge $325/hour for forensic analysis and require a $5,000 retainer for ordinary cases (a single PC or Mac with an 80 gigabyte hard drive or less). An average in-depth examination generally takes a minimum of 12 hours, though this can vary greatly for any given situation.

    The cost includes the three basic components of the full investigation: Acquisition, Investigation, and Reporting. On their own, acquisitions usually cost approximately $750.00. Investigation and reporting, of course, depend on the nature of your case.

    Prices can vary, but how do you like that hourly rate??? Let’s do some math. As in these BT cases, the defendant usually provided a copy of the hard drive, so the Plaintiff doesn’t have to pay for the “acquisition.” So let’s start with 10 billable hours at $325. Note: This is for an 80 GB hard drive – More likely that the drive will be at least 500 GB. Minimal cost for this small HD is $3250. So if they don’t find any direct evidence (BT software, .torrent files, Plaintiff’s movies, Torrent Web searches, obvious signs of spoliation, etc.) they have to decide if a deeper inspection is cost effective.

    Each examination/case is different, but the fact remains that doing this is “on average” not cost effective for them. It may be effective to show the Does that they “can” do this or when a Doe has assets and indications of guilt. Remember that these civil cases are a business model and profit directs the actions. Criminal cases (for the most part) are not influenced too much by the costs – prove or disprove the allegation is the motivation.

    DTD 🙂
