Police Department Loses Years Of Evidence In Ransomware Incident

Megalith

24-bit/48kHz
Staff member
Joined
Aug 20, 2006
Messages
13,004
If you have recently submitted a public records request for some of the Cockrell Police Department’s evidence, you are probably out of luck, as the agency has lost practically all of their files stored digitally since 2009. This includes body camera video, in-car video, in-house surveillance video, photographs, Microsoft Office documents—you know, stuff that prosecutors and defendants may be interested in. Basically, someone at the agency clicked on the wrong link, and instead of paying up to have the files “unlocked,” the department just decided to wipe it all.

…“none of this was critical information.” "Well, that depends on what side of the jail cell you're sitting," said J. Collin Beggs, a Dallas criminal defense lawyer who has a client charged in a Cockrell Hill felony evading case involving some of the lost video evidence. The lost evidence surfaced publicly Wednesday after Beggs questioned a Cockrell Hill police detective in a hearing convened before Criminal District Court Judge Dominique Collins to compel the department to explain why it had not turned over video evidence in his client's case. Beggs said he had been asking for it since the summer -- well before the hacking incident was discovered on Dec. 12. Beggs said the loss of video evidence is significant for his client and others charged in Cockrell Hill cases involving police video. "It makes it incredibly difficult if not impossible to confirm what's written in police reports if there's no video," Beggs said. "The playing field is already tilted in their favor enormously and this tilts it even more."
 

PhotoBobBarker

[H]Lite
Joined
Oct 20, 2011
Messages
122
Sounds like a case of willful destruction of evidence to me. I don't know anything about the defendant, but unless he was convicted of something else major in relation to the "evading police" (in quotes because there is no longer any evidence of it) then they don't have much choice but to dismiss the charges.

Tilted in whose favor?
Tilted in the favor of the officers word. Always has been, always will be... Except where there is hard evidence to the contrary. That's why people talk about body cams "keeping police honest".
 
D

Deleted member 93354

Guest
And no password accessed cold storage tapes...JEBUS What the freek. Needless to say access to the internet by a evidence computer was just dumb. Somebody deserves to be fired over that.

Well at least they did the smart thing and not pay the ransom.
 

RogueTadhg

[H]ard|Gawd
Joined
Dec 14, 2011
Messages
1,527
Seeing as there was no backup strategy set up, I would certainly treat it as such.
I don't know how their IT is handled, but things like this shouldn't happen. If there's no backup, the IT is to be blamed, not the users.
 
D

Deleted member 93354

Guest
I don't know how their IT is handled, but things like this shouldn't happen. If there's no backup, the IT is to be blamed, not the users.
The users shouldn't be surfing the web on an evidence computer. There's multiple people at fault here. To be honest IT should have no only set up backups, but air gapped that sucker. An evidence computer with access to the internet? WTF were they thinking? Seriously!
 

nilepez

[H]ardForum Junkie
Joined
Jan 21, 2005
Messages
11,607
WTF? They don't back this shit up? Honestly, the criminals should just be let free. This gross incompetence should have consequences.
 

sir-gold

Gawd
Joined
Jan 19, 2006
Messages
931
Seeing as there was no backup strategy set up, I would certainly treat it as such.
According to other articles about this, all of the data WAS automatically backed up...but not until AFTER it was already encrypted by the ransomware.

As long as they didn't destroy the encrypted backup, there is still a chance it could be retrieved. If the police also deleted the encrypted backup though, that could be grounds for destruction of evidence.
 

Meeho

[H]ardness Supreme
Joined
Aug 16, 2010
Messages
4,768
According to other articles about this, all of the data WAS automatically backed up...but not until AFTER it was already encrypted by the ransomware.
Well that's just terrible backup practice then.
 

Dead Parrot

2[H]4U
Joined
Mar 4, 2013
Messages
2,709
I am amazed that they only starting making backups AFTER they were infected. Hope the IT person has a good set of CYA emails that detail why there was no backup policy in place.
 

drakken

[H]ard|Gawd
Joined
Aug 19, 2004
Messages
1,196
actually once it was removed it was not even evidence anymore. If the municipal agent collects and it ends up some where else they have to collect new evidence. Once it is out of their control they can not say it has not changed. Through I have to wonder if cloud storage is even legal for evidence to being with.
 

nutzo

[H]ardness Supreme
Joined
Feb 15, 2004
Messages
7,380
Unless IT said they needed something and the bean counters said no.

This.
But if you are an IT person and they won't spend the money for a decent backup, you should probably be looking somewhere else for a job.

When I started my current job years ago, the company was a lot smaller. They had a worthless IT person who was leaving.
When I checked into the backups, the logs showed that they hadn't had a good backup for over 5 months.
He had told the manager that backups where working fine.
Tape drive in the changer was bad, so I had to get it repaired before I could get the backups going.
 

Master_shake_

[H]ardForum Junkie
Joined
Apr 9, 2012
Messages
10,732
um so....

free everyone or just call them guilty because no evidence showing otherwise.

also why didn't they pay the ransom?
 

cyclone3d

[H]ardForum Junkie
Joined
Aug 16, 2004
Messages
13,268
This.
But if you are an IT person and they won't spend the money for a decent backup, you should probably be looking somewhere else for a job.

When I started my current job years ago, the company was a lot smaller. They had a worthless IT person who was leaving.
When I checked into the backups, the logs showed that they hadn't had a good backup for over 5 months.
He had told the manager that backups where working fine.
Tape drive in the changer was bad, so I had to get it repaired before I could get the backups going.
Yeah, I ended up in a similar situation where I work now.

The previous person said they had backups but they had no backups whatsoever... well, they had some, but they were old tapes from years before.

That got remedied really quickly.
 

krotch

[H]ardness Supreme
Joined
Aug 12, 2004
Messages
4,509
I don't know how their IT is handled, but things like this shouldn't happen. If there's no backup, the IT is to be blamed, not the users.
I work in a place with no backup solution. They won't give us the funding for it. We semi-worked around with snapshots of vdmks, replicating data between dfs servers, and shadow copies. It really only helps for when someone deletes something accidentally or the same as what happened with this ransomeware. We lose storage, we lose it all.

So many times I wish we'd lose storage, so they'd actually give us the funding for a proper backup solution.
 

nilepez

[H]ardForum Junkie
Joined
Jan 21, 2005
Messages
11,607
I work in a place with no backup solution. They won't give us the funding for it. We semi-worked around with snapshots of vdmks, replicating data between dfs servers, and shadow copies. It really only helps for when someone deletes something accidentally or the same as what happened with this ransomeware. We lose storage, we lose it all.

So many times I wish we'd lose storage, so they'd actually give us the funding for a proper backup solution.
Sounds like IT dept needs to walk up to the suits and say either fund a backup solution or we're all walking. It's hard to believe management is that short sighted...I mean management is normally short sighted, but what you describe is a whole new level of stupid.
 

krotch

[H]ardness Supreme
Joined
Aug 12, 2004
Messages
4,509
Sounds like IT dept needs to walk up to the suits and say either fund a backup solution or we're all walking. It's hard to believe management is that short sighted...I mean management is normally short sighted, but what you describe is a whole new level of stupid.
We just told them if shit hits the fan, we aren't responsible. We've only had a couple times where off sites lost data and told them they were SOL. Told them to talk with their management about it and not my issue. They still never gave us money for the backup solution.

I'm also a government contractor. Walking out isn't an option, especially when your'e 5k miles away from the US.
 

RogueTadhg

[H]ard|Gawd
Joined
Dec 14, 2011
Messages
1,527
I work in a place with no backup solution. They won't give us the funding for it. We semi-worked around with snapshots of vdmks, replicating data between dfs servers, and shadow copies. It really only helps for when someone deletes something accidentally or the same as what happened with this ransomeware. We lose storage, we lose it all.

So many times I wish we'd lose storage, so they'd actually give us the funding for a proper backup solution.
I know how you feel about not having the funding for Backing up files. In one instance this happened where I work where the files were lost. I told them that the files weren't recoverable, off-site IT told me their Batshit crazy & SOL (They told them: Not Recoverable). There's just a point where we have to go: Meh. Shrug our shoulders. We can ask for the money for a simple backup solution. Hell at this point I'm thinking about buying a couple of thumbdrives and write a bat script just to have something.

But that's the problem with IT, it's not something that readily available and not really seen outside. It's best running when users don't have to interact with it, in my opinion. Security, for example is something that's so archaic that doesn't ring a bell for the majority of the public and never happens to us. Unless you can put it on a plaque and make it public news, most times, it's not worth the money.
 

The_Heretic

Certified [H]
Joined
Jun 22, 2001
Messages
12,132
This is a police department with about 20 people total. Do you think they even really have a IT budget ?
 

krotch

[H]ardness Supreme
Joined
Aug 12, 2004
Messages
4,509
I know how you feel about not having the funding for Backing up files. In one instance this happened where I work where the files were lost. I told them that the files weren't recoverable, off-site IT told me their Batshit crazy & SOL (They told them: Not Recoverable). There's just a point where we have to go: Meh. Shrug our shoulders. We can ask for the money for a simple backup solution. Hell at this point I'm thinking about buying a couple of thumbdrives and write a bat script just to have something.

But that's the problem with IT, it's not something that readily available and not really seen outside. It's best running when users don't have to interact with it, in my opinion. Security, for example is something that's so archaic that doesn't ring a bell for the majority of the public and never happens to us. Unless you can put it on a plaque and make it public news, most times, it's not worth the money.
If I could spend $100 or less on a backup solution, I'd do it. Just for my own peace of mind and the fact that I can actually recover missing data for customers. Who have absolutely no say in what management decides. Sadly, no way I'd get something for less than a few thousand. So cheap, our last set of computer purchases had 2 GB of ram, so they can save like what? $5 a machine. Even though they waste more money on people sitting idle, waiting for the machine to do things.
 

c3k

2[H]4U
Joined
Sep 8, 2007
Messages
2,114
A small police department should STILL have something for backup. "Innocent until proven guilty", should mean something. The BURDEN of proof rests on the State. Part of the BURDEN is protecting the EVIDENCE of criminal act... If there is a requirement to have a record, and that department cannot supply that record, then the only appropriate action is to dismiss all charges.

That sucks...but it's better than the alternative: a police department which is able to levy charges and erase evidence of prosecutorial misconduct.

The system (Constitution and Bill of Rights) is there to PROTECT the citizens, not make it easy for the State to imprison said citizens.

They should use Macrium, a cloud-based solution, a second computer. Or archives with hard evidence and original media (memory chips, video tapes, audio logs, etc.)
 

Jagger100

[H]ardness Supreme
Joined
Oct 31, 2004
Messages
7,563
Unless IT said they needed something and the bean counters said no.
Anyone can buy a solution. If my IT told me this, I would fire them and use the money saved to pay for the solution. Being facetious, but IT is hired for a reason.
 

NickJames

[H]ardness Supreme
Joined
Apr 28, 2009
Messages
6,663
actually once it was removed it was not even evidence anymore. If the municipal agent collects and it ends up some where else they have to collect new evidence. Once it is out of their control they can not say it has not changed. Through I have to wonder if cloud storage is even legal for evidence to being with.
The federal prosecutors office does have their own cloud based storage which is centralized for the entire country. Evidence does get backed up there for long periods of time, years even decades for really old digitized documents. Although this is against SOP and normally all digital evidence is backed up onto discs or a hard drive and stored in a file room locally to avoid cluttering the cloud. What gets admitted as a government exhibit is a copy on a disc or paper copies. Physical evidence is still up to the arresting organization, PD or FBI etc..
 
Last edited:

cyclone3d

[H]ardForum Junkie
Joined
Aug 16, 2004
Messages
13,268
Anyone can buy a solution. If my IT told me this, I would fire them and use the money saved to pay for the solution. Being facetious, but IT is hired for a reason.
Right, but when they can't get the purchase approved are they supposed to pay for it out of their own pocket?

That is downright laughable.
 

nilepez

[H]ardForum Junkie
Joined
Jan 21, 2005
Messages
11,607
This is a police department with about 20 people total. Do you think they even really have a IT budget ?
There are plenty of backup solutions that aren't insanely expensive for a small office. Bottom line is anyone that appeals, requests access to evidence and is denied because of this should be freed. It sucks that bad people will likely be let go, but there's no excuse for not backing up critical data. Even if they bought a sub back up like Crashplan's Business solution, it's only 900-1300/year for 12 seats (and if some employees share a computer with those working a different shift, it's less)
 

lcpiper

[H]ardForum Junkie
Joined
Jul 16, 2008
Messages
10,589
I don't know how their IT is handled, but things like this shouldn't happen. If there's no backup, the IT is to be blamed, not the users.

Not necessarily.

Sometimes IT knows they don't have a real backup capability and they ask for dollars and equipment just never gets purchased. We have this exact problem supporting an Army development network. Literally decades of data and no real back up solution. We tell the Government types who are the customer and they make noises and things take forever to get done. The first order was cancelled. The second order went through, over a year later the tape drives arrive. Now we are still waiting on licenses for NetBackUp and some other software to make the backup solution actually work.

It is not always IT's faulty.
 

lcpiper

[H]ardForum Junkie
Joined
Jul 16, 2008
Messages
10,589
The users shouldn't be surfing the web on an evidence computer. There's multiple people at fault here. To be honest IT should have no only set up backups, but air gapped that sucker. An evidence computer with access to the internet? WTF were they thinking? Seriously!
Agree completely, this machine shouldn't have access to the internet.
 

lcpiper

[H]ardForum Junkie
Joined
Jul 16, 2008
Messages
10,589
There are plenty of backup solutions that aren't insanely expensive for a small office. Bottom line is anyone that appeals, requests access to evidence and is denied because of this should be freed. It sucks that bad people will likely be let go, but there's no excuse for not backing up critical data. Even if they bought a sub back up like Crashplan's Business solution, it's only 900-1300/year for 12 seats (and if some employees share a computer with those working a different shift, it's less)
No no no. If evidence is gone it's gone. It's up to Prosecutors to do the right thing, case by case, and determine if they no longer have enough evidence to convict. If they push a case to trial without the evidence that's their career they are risking. Just because some evidence is missing doesn't mean everything needed for a conviction is gone or useless. There is no need to jump up and start clearing the docket, the process will work itself out just fine.
 

Terpfen

[H]ardness Supreme
Joined
Oct 29, 2004
Messages
6,079
"The playing field is already tilted in their favor enormously and this tilts it even more."
This is pure crap. This lawyer can now argue the state failed to produce evidence against his client in a timely manner, and has now admitted to destroying evidence. The average judge will toss the case out.
 

RogueTadhg

[H]ard|Gawd
Joined
Dec 14, 2011
Messages
1,527
Not necessarily.

Sometimes IT knows they don't have a real backup capability and they ask for dollars and equipment just never gets purchased. We have this exact problem supporting an Army development network. Literally decades of data and no real back up solution. We tell the Government types who are the customer and they make noises and things take forever to get done. The first order was cancelled. The second order went through, over a year later the tape drives arrive. Now we are still waiting on licenses for NetBackUp and some other software to make the backup solution actually work.

It is always IT's fault.
Let me just correct that last sentence for you, sir.
 

lcpiper

[H]ardForum Junkie
Joined
Jul 16, 2008
Messages
10,589
Let me just correct that last sentence for you, sir.
Well, IT might get the blame, but fault and blame are not the same thing. Spend better than 30 years working for or under contract to the government and you'll gain a whole new understanding of these things.

"Was it my fault, NO, did I get fired for it, so that my company has a scapegoat, so they don't have to piss off the contract officer by insisting it was the government's, (the customer's), fault? Yes"

But that's OK, they helped me find another job.
 

Meeho

[H]ardness Supreme
Joined
Aug 16, 2010
Messages
4,768
No no no. If evidence is gone it's gone. It's up to Prosecutors to do the right thing, case by case, and determine if they no longer have enough evidence to convict. If they push a case to trial without the evidence that's their career they are risking. Just because some evidence is missing doesn't mean everything needed for a conviction is gone or useless. There is no need to jump up and start clearing the docket, the process will work itself out just fine.
The problem is the defense may now not have enough evidence for acquittal.
 

lcpiper

[H]ardForum Junkie
Joined
Jul 16, 2008
Messages
10,589
The problem is the defense may now not have enough evidence for acquittal.
Although evidence does sometimes show innocence, it usually is the other way around. Usually it is evidence that shows guilt and lack of evidence is normally cause for a DA to drop charges because they can no longer convict.

Furthermore, the kind of evidence that proves innocence rarely ever is the kind that is stored by the cops. It normally is evidence that comes from other sources and the prosecution only finds out at the trial when the lawyers have to pony up their cards.

I know you are thinking that maybe there would be some body cam evidence that would prove a cop was wrong. That evidence is usually known to the DA and in those cases the DA usually has the good sense to drop the charges. Those cases just make the news, not the court room. Not unless it's the reverse and the cops are the defendants usually in a civil suite for monetary damages. And in those cases, the evidence isn't just in the cops computers, the other side's lawyers already have it as well.
 
Top