In the scenario that Racoon originally posed if the FBI, etc are ready to serve you with a warrant then there is enough evidence already to obtain the warrant but one thing to be noted is that the majority of cases (nearly all) do not convict on the forensic or digital evidence found. It's often only corroborating evidence. This is why in the case of online predators, investigators attempt to get the individual to actually visit a location. The FBI need evidence of extortion, attempted fraud, etc... The digital evidence is there to back that up and reinforce an existing case in most instances and not to create a case. I have done my share of forensic work and each time the legal powers that be just wanted to "seal the deal" not build a case. This is only my experience though

I agree with pseud0's "smart ass" submissions in that if they are knocking on your door there is a damn good reason why.

But lets assume a scenario where nobody knows what you're up to.

1. Why would you use your own computer for starters? There are enough open systems around to store your files/data on. Compromised machines or devices like printers (Nice little self contained OSes) are a great place to store data. Highly doubtful they will be discovered in daily operations.

2. Accessing your data can be done in a number of ways too. Why even mount a drive. Install helix (does not mount swap space). use a computer at a coffee shop/internet cafe.

3. Route traffic through proxies, etc... Tunnel traffic over different protocols and use encryption. Bots can be used for more than just spamming or DDoS. I could have Bot A upload my set of commands and Bot B downloads and executes them at a predetermined time. Sure, it could be traced...but with enough countries, laws, etc... in the way it's highly doubtful.

4. Don't store anything on the usb key. Keep it on your person at all times. Try and rootkit that.

5. If someone actually walks in on you (assuming that you're at home and not an cafe, etc...) maintain a "dead-man switch" accessible from all roons in your home, step on it and kill all power or run your degausser  if you store data on your drive at home (you can build one that will actually melt the platters  on a drive let alone destroy the data).

6. Have encrypted volumes within encrypted volumes on your remote drive. You can always make the case that someone else also compromised that drive. Give up the key to one and deny even knowing about the other. (then again if you're at this point, the FBI has other evidence on you).

5. Google "anti forensics". Encase really does not stand a chance. BTW, the FBI uses encase and more recently FTK.

6. Network forensics is your next option for capturing enough data to reinforce your case but you need to prove that the data originated from a device the person was at during that time. Not so easy to do if that person is careful.

The reality is that most people get caught through their interactions with others, online or in person. The seized data is just icing on the cake at that point.

Are there flaws in the above? sure but it proves the point that it's not so easy to detect and then gather enough evidence to convict.

dean

Dean, good addition to the discussion.  Just to throw more fuel on the fire:

-Any live distro CD is going to be a good solution for your local system since any data is not going to be persistent.  You turn the computer off and it all goes "poof".  Well, except for all of the network traffic that brought the feds to your house in the first place.  The problem is that sometimes you are going to need to store some data for long term use.  Working with a gig size file in an OS that runs only in memory is going to cause some problems.  (hint: load BT2 live CD, mount local hard drives, turn them all into TreuCrypt volumes, throw all your crap in the secondary hidden volume)  Major problem with this solution is that the user is still at risk of getting picked up before they can kill the system.  At that point everything is still available.  Mot of the time you wouldn't want to turn everything off if you went outside because you're going to lose a lot of data (the whole live CD thing).
-Even using remote systems, proxies, bot nets, IRC, P2P, malformed packets, encrypted tunnels, smoke signals, isn't going to be perfect.  It is a great first step (as dean pointed out), but at some point you have to interact with those systems in order to do your work.  If that can ever be physically traced back to you, you're in trouble.  That means don't let it be physically traceable to you as per dean's "use coffee shop" comment.  You are still vulnerable to physical observation, though.  If I see you at the same couple of coffee shops every time we are tracking naughty data, well, as was already pointed out, actually catching you with the data is only part of the case.
-I'm not l33t enough to rootkit a thumbdrive, but I can drop some fun stuff on the system you'll be plugging into.  That might get me what I need.  Now, if your live distro was stored on the USB key and you were booting off of it...
-I have rarely even heard of deadman switches that work as advertised.  If you wire them correctly and are actually in the right spot to use them then you might get away with it.  But that's a lot of assuming things work correctly.  (Note: the coolest one I ever saw was a guy who stored all of his CD's and DVD's inside microwaves.  He had all of them turned on, but plugged into a power strip that was turned off.  All he had to do was turn on the power strip button to nuke everything he had.  Too bad for him that he got arrested at his mom's house.)
-Antiforensics are a bitch, but not if you are only using the data on the system to support a case not make it.  If you stomp my time stamps I could still use other data (physical observations, network logs, my rugged handsomeness) to convince a jury that it was probably you that pulled down that picture from boysinsprinknlers.com.  That being said, it does start to introduce a lot of reasonable doubt.
-Dean's last point is dead on.  Most people get caught by being stupid, cocky, and lazy. If they used all of the recommendations that he brought up they'd probably be in good shape.  Most of them won't.

dean busts out the SODDI defense... FTW!
http://cyb3rcrim3.blogspot.com/2006/06/trojan-horse-defense.html

That cuts both ways.  I'd sit on the witness stand and suggest that you are probably one of the guys who wrote the virus, stole their identity, and charged all of those 900 calls to their credit card.  Still, coin flip, but becoming less so every year as the public becomes more and more computer literate.

Christ isnt time to give this thread a rest!  The initial scenario given by Raccoon was answered by What90, Kev and Jimbob.  Everyone else has just repeated what they said with minor variations.  The reality is no decent hacker would hack from their home IP PERIOD!  Thinking you are safe because you hide your downloads or whatever is noob thinking at its worst. Even in cases with the RIAA they didn’t have to actually seize the computer in order to launch their lawsuits. 

EmanoN, you might want to take the time to read the entire thread be for answering next time. It evolved from Raccoon's orginal scenario into a discussion about ways to hide and what an agency like the FBi's response would be.

Additionally, do you really think that it is only 'hackers' that commit crimes and use digital means to cover it up??

With regards to the RIAA, I see these on a weekly basis through one of my clients. They send a cease and desist type of letter based on the IP address. It's a John Doe type document sent to the organization that owns the IP. It is the organizations responsibility to prove the user shared the songs or videos. Often this requires similar techniques as discussed previously. Most often network traffic (netflow, etc...) is used to prove or disprove and after that it needs to be proven that it was the persons workstation in use and not someone else's. Can you prove the person's IP was used by someone else? can you match the MAC address to the computer, etc...

So it seems that while this thread might have been dead you just did a good job of reviving it.

dean

So you can dodge any search warrants this way?