Winnipeg police blocked by encryption of electronic devices of alleged child sex predator
Recently unsealed court documents provide insight into the challenges the Winnipeg Police Service faced trying to uncover the contents of an accused child sex offender’s electronic devices.
The devices were seized in a 2019 search warrant at Marshall Ruskin’s home in Garden City.
Ruskin, 63, faces three arrest warrants in the Philippines for his alleged involvement in a child sex trafficking ring run by notorious Australian pedophile Peter Scully.
Winnipeg police seized 10 electronic devices from Ruskin’s home and returned seven after they were able to open and examine them.
A 4-digit passcode can have 10,000 different combinations. A 6-digit passcode can have 1,000,000 different combinations.– Lawrence Trinidad, Winnipeg Police Service
However, investigators from the Winnipeg Police’s Technical Crimes Unit (TCU) have been trying for three years to open the other three – an iPhone, an iPad and a Macbook – to see if charges might be warranted in Canada. for nearly three years,
They say the encryption is too good, and so far outside agencies, including the RCMP, have been unwilling to help.
Last Tuesday, Manitoba Court of Queen’s Bench Judge Vic Toews told police they could keep the devices for three more years.
Those additional three years will give Winnipeg police time to catch up with technology, a security researcher told CBC News.
“What was very difficult to access 10 years ago, five years ago, is very easy to access now,” said Christopher Parsons, senior research associate at the Citizen Lab at the University of Toronto.
“The odds are in their favor that they will eventually gain access to these devices.”
Officers allege Ruskin sent more than $3,000 Canadian to Scully’s girlfriend in the Philippines to watch the sexual abuse of an 11-year-old girl live on the internet via the Skype teleconferencing app, according to a sworn affidavit. of 2019 to obtain permission to search his home.
Police believe he recorded these Skype sessions on his electronic devices.
Over 100,000 attempts to access Ruskin’s devices
In affidavits filed in court between November 2021 and February 2022 as part of a police request to keep Ruskin’s electronic devices, investigators explained why they haven’t yet been able to see what’s inside.
The affidavits were unsealed last week after Ruskin waived a publication ban that had previously been ordered by Toews.
Lawrence Trinidad, a Winnipeg police technical crime investigator, says officers don’t have access to any of the passcodes required to access Ruskin’s devices.
As devices age and new skills, techniques, or technologies are developed, agencies establish breakthroughs that allow them to “break” encryption and gain access to data,– Det. Chad Black, Winnipeg Police
The Technological Crime Unit [TCU] collectively has more than 50 years of experience in computer forensics and has access to the best encryption solutions in the computer forensics industry, Trinidad wrote in a January 28, 2022 affidavit to the court.
However, this is still not enough to hack these devices.
He said some devices allow the unit to try thousands of passcodes per second, “making it possible to get the passcode very quickly, while other devices prevent the passcodes from happening. access to be tried quickly and only 100 codes per day can be tried”.
“A 4-digit passcode can have 10,000 different combinations. A 6-digit passcode can have 1,000,000 different combinations,” Trinidad wrote.
Investigators tried nearly 30,000 different passcodes to get into Ruskin’s iPhone alone, he wrote.
Another 72,000 attempts and counts were made to access content on Ruskin’s iPad, according to police.
The Macbook is another story – Trinidad says they have “no solution available” for accessing computer content.
“There is currently no solution available known to TCU that will allow access to this device in its current state and configuration,” Trinidad wrote. “TCU is constantly monitoring progress so that if a solution becomes available, steps are taken to gain access to the device.”
Apple encryption prevents law enforcement
Internet Child Exploitation Investigator Det. Chad Black said the computer has what’s called “File Vault 2” encryption and there’s no way around it, according to a November 2021 affidavit.
FileVault2 is Apple’s encryption tool, which encrypts data on a Mac computer. It prevents unauthorized access by anyone who does not have the decryption key or the user’s account credentials.
“In some cases, devices may be sent to companies with expertise in cracking encrypted devices. However, these companies are unable to crack FileVault 2 encryption at this time,” Black wrote in November 2021. .
He says that with new training and new software, the encrypted stuff could probably be analyzed.
“It is expected that as technology advances, the Winnipeg Police Service will be able to … examine electronic devices for evidence of child sexual abuse material,” Black said.
Without being able to look at what’s on Ruskin’s devices, he says, the investigation cannot progress.
A spokesperson for Apple Inc. did not respond to questions from CBC News, but did send a 16-page document that explained its legal guidelines for law enforcement when seeking device information. Apple.
It takes years to find ‘vulnerabilities’ in Mac: expert
Parsons says a security chip built into the Mac’s operating system is designed to protect its information from third parties, but that also includes law enforcement.
“[It] prevents law enforcement or forensic companies from quickly testing passwords, which can take months, years or centuries to determine a password,” he told CBC News .
This means that law enforcement or an outside forensic company must rely on finding “vulnerabilities” in operating systems to gain access to his data – and Parsons said these are a slow process.
“The longer the police have had a device, the more vulnerabilities will be discovered and exploited by forensic companies,” he said.
“Thus increases the likelihood that the police will eventually gain access to information stored on devices in their custody.”
Winnipeg police asked RCMP for help, but got none
Police say in court documents that they even tried to ask other law enforcement agencies for help with FileVault2 encryption.
This includes the National Child Exploitation Crime Center of the Royal Canadian Mounted Police in Ottawa.
“[I] received no additional resources,” Detective Chad Black wrote in a November 2021 affidavit regarding his request to the RCMP.
The RCMP said in an email to CBC News that they cannot comment on ongoing investigations and that they “remain committed to working with our municipal partners to assist with investigations.”
Black says the Winnipeg Police’s Internet Child Exploitation Unit has already turned to the US Department of Homeland Security and the Federal Bureau of Investigation for help in hacking into the FileVault encryption program from Apple on other devices.
Black says police are still awaiting results.
He said in the affidavit that as technology continues to evolve, it has given police access to devices they did not have access to five years ago.
“As devices age and new skills, techniques, or technologies are developed, agencies build advancements that allow them to ‘break’ encryption and gain access to data,” he wrote.
“The complexity of this investigation, given the difficulty of examining the items seized, is vast and the data is sensitive, so the possibility of assistance from outside agencies and the time are essential.”
Ruskin abandons the fight for devices
Ruskin filed a motion with the court asking a judge to return his belongings in January.
In February, he won a publication ban on details of the police investigation, which barred CBC News from continuing to report information obtained in the yet-to-be-tested search warrant documents.
The ban was overturned last week.
Ruskin argued that at one point the police had his devices illegally for 2½ months because the order to detain them had expired and they had applied for an extension in the wrong court.
In a January motion brief, Ruskin accused police of dragging their feet during their investigation.
The brief says police have provided no evidence as to what training, if any, police have had since executing a search warrant at his home or what training might still be needed.
“The failure of WPS to adequately train its survey team, despite being aware that additional training is needed for over 2 years, constitutes delay, procrastination and ‘foot-dragging'”, indicates the document.
“Furthermore, while WPS has made a vague assertion that ‘efforts are underway to attempt to gain access to the devices’, no evidence has been provided as to what these ‘efforts are underway’ or how many. much time has been devoted to these efforts.”
In the end, Ruskin consented to the continued detention of his devices for three years, but did not say why he changed his position.
Police had argued they could not return the devices to Ruskin if they contained child sexual abuse images or videos.
None of the allegations against Ruskin have been tested in court.