[mburns]

That would have been an improvement, but even basic computer forensic gathering knowledge would get around this without trouble. What he needed to do is keep his sensitive files encrypted separately from his laptop login. Like on a USB drive encrypted with GPG and a nice long passphrase.

Even then, the FBI grabbed him with his laptop logged into the management interface for Silk Road... So he still would have been in some hot water.

[SamReidHughes]

Maybe. For stuff like the personal notes you're keeping on a criminal conspiracy, a flash drive might be fine. But I'd be very skeptical of storing, say, the PHP source code to the Silk Road on a flash drive or SSD, because the internal data structures of the SSD could leak information about the sizes of individual files. If the feds can recover the sizes of individual files, rounded up to the next multiple of 4K, and you've got the PHP source code for the Silk Road stored there, it's game over. The same goes for filesystem encryption, like the kind ZFS (I think) has.

(I'm not personally familiar with ZFS, but the ZFS docs, especially https://docs.oracle.com/cd/E26502_01/html/E29007/gkkih.html#... really creep me with regard to this. The last thing you'd want is blocks in your local encrypted copy of PHP source code to be compressed first. And so then you'd think you'd want encryption enabled on a pool, but from reading the docs it seems that feature merely makes the filesystems on that pool inherit that encryption option, instead of doing some sort of filesystem-blind block-level encryption, where there's any variance in the encryption of blocks, or any information that could be derived from locations of blocks. So I think the suggestion to encrypt on a directory-by-directory basis to limit your exposure is not a very good one. I'd recommend that you use a spinning hard drive, whole disk encryption of the sort we have today, take out the battery, and keep your foot by the power outlet.)

[jaryd]

If the laptop turned off and the drive was encrypted by what basic method could they extrapolate the same information as if the computer was decrypted and powered on? Are you referring to some kind of memory attack? Wouldn't they need to be prepared to do that kind of forensic work in the extremely near term (or have some equipment on-hand to preserve the memory at least)? I'm pretty uninformed in this area and would appreciate a lesson.

[mburns]

You wouldn't turn off the device, particularly if you thought that turning it off could make you lose access to information.

That can be achieved by (1) transferring the machine to a portable battery unit without interrupting the power feed from the AC wall adapter and/or (2) imaging the machine's memory and mounted drives in-place.

These are things the FBI has in its toolbox, precisely because "yank the power cable" is how many criminals rely on protecting their otherwise encrypted data.