Original article from LiveJournal.com


There are a number of utilities that log packets for forensic analysis, and everyone who deals with the Internet in a serious fashion has used one at some point. I’ve used packet logs generated by tcpdump for things as trivial as responding to fraudulent abuse reports against a virtual machine that I run a chat client from. Needless to say, packets that form the basis of a federal criminal complaint are several orders of magnitude more important than me scrolling ANSI goatse on IRC. I’d imagine that a federal investigator citing packets as the basis for a search is going to store them. I’m raising this because in the case of United States v. Ulbricht, the drug conspiracy case involving the Silk Road, many have been concerned that the search methods used were illegal. Parallel construction is a huge issue here, and it turns out packet headers are now a central issue in the case. FBI Special Agent Christopher Tarbell cites data in packet headers in a declaration sworn to the court under penalty of perjury:

“Upon examining the individual packets of data being sent back from the website, we noticed that the headers of some of the packets reflected a certain IP address not associated with any known Tor node as the source of the packets. This IP address (the “Subject IP Address”) was the only non-Tor source IP address reflected in the traffic we examined. The Subject IP Address caught our attention because, if a hidden service is properly configured to work on Tor, the source IP address of traffic sent from the hidden service should appear as the IP address of a Tor node, as opposed to the true IP address of the hidden service, which Tor is designed to conceal.”

I have sat in a court and watched federal agents lie about how the Internet works multiple times. Right here Agent Tarbell is claiming that he sent a GET request to a Tor hidden service and the Tor hidden service sent back a packet containing its true source address in the TCP header. This seems to me to be improbable, given how Tor and TCP work. It is very easy for a federal agent to claim something. It is several orders of magnitude more difficult to fake packet logs of network traffic that include a protocol as complex as Tor. I think the FBI needs to release these in a timely fashion to corroborate its claims here.
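The check the declaration describes is mechanical: take the capture, keep the packets addressed to the examining machine, and split their source addresses into "known Tor relay" and "everything else". The following is an added example of that check, not code from the original post or from the case record. It parses plain tcpdump text output (IPv4 only) against a relay list; both the tcpdump lines and the relay list below are constructed with RFC 5737 documentation addresses, and a real review would load the Tor consensus that was current at the time of the capture, because relay membership changes hourly.

```python
import re
from collections import Counter

# Constructed tcpdump-style lines using RFC 5737 documentation addresses; not real traffic.
# 192.0.2.10 plays the examining machine, 198.51.100.7 a Tor relay, 203.0.113.42 a non-Tor host.
SAMPLE_TCPDUMP = """\
12:00:01.000001 IP 198.51.100.7.9001 > 192.0.2.10.51234: Flags [P.], seq 1:513, ack 1, win 501, length 512
12:00:01.000002 IP 192.0.2.10.51234 > 198.51.100.7.9001: Flags [.], ack 513, win 501, length 0
12:00:01.000003 IP 198.51.100.7.9001 > 192.0.2.10.51234: Flags [P.], seq 513:1025, ack 1, win 501, length 512
12:00:01.000004 IP 203.0.113.42.80 > 192.0.2.10.51235: Flags [P.], seq 1:200, ack 1, win 501, length 199
"""

# Constructed stand-in for the set of relay addresses in the Tor consensus (assumption:
# a real check loads the consensus document that was valid when the capture was taken).
KNOWN_TOR_RELAYS = {"198.51.100.7", "198.51.100.8"}

# Matches the "IP src.sport > dst.dport:" prefix that tcpdump prints for IPv4 TCP/UDP packets.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def parse_tcpdump(text):
    """Yield (src_ip, sport, dst_ip, dport) for each parseable tcpdump line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def classify_sources(text, tor_relays, our_ip):
    """Count inbound packets (dst == our_ip) by source address, split into
    known-relay sources and everything else. Returns (tor_counts, non_tor_counts)."""
    tor, non_tor = Counter(), Counter()
    for src, _sport, dst, _dport in parse_tcpdump(text):
        if dst != our_ip:
            continue  # only packets sent *to* us bear on the "source IP" claim
        (tor if src in tor_relays else non_tor)[src] += 1
    return dict(tor), dict(non_tor)


def report(text, tor_relays, our_ip):
    """Human-readable summary of the classification, for reviewing a capture by hand."""
    tor, non_tor = classify_sources(text, tor_relays, our_ip)
    lines = [f"inbound from known Tor relays: {tor}"]
    lines.append(f"inbound from non-Tor sources: {non_tor or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_TCPDUMP, KNOWN_TOR_RELAYS, "192.0.2.10"))
```

The point of running this over the actual logs rather than reading a summary is that the output is only as good as its two inputs: which packets were captured, and which relay list they were compared against. Both are things a defense reviewer can check only if the raw capture is produced.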

The right to review evidence is pretty central to the Federal Rules of Criminal Procedure. The defense needs to look over these logs very carefully. If the federal government fails to produce them, it is absolutely a matter of evidence destruction. It is the digital equivalent of the FBI destroying potential DNA evidence after running cursory lab tests on it that are helpful to its claims, but refusing to allow a defense team to perform its own DNA analysis.