
Dealing with KFF files

(@joshsevo)
Trusted Member
Joined: 15 years ago
Posts: 89
Topic starter  

I was working on a CP case this past week and the HDD had 384 KFF files. When I went to view them I found that some of them were like poems, or word documents with a picture of a lighthouse.

My guess is that since these are known CP files in the KFF tab that these are steganography and have hidden pictures behind the documents. I was unable to try Steghide since the shift was over and should be able to work on them later this week.

Has anyone else run into these?

Please remember I am an intern and not as fully qualified as some of you.


   
Beetle
(@beetle)
Reputable Member
Joined: 17 years ago
Posts: 318
 

Just as a point of clarity, I always took that "kff" meant known file filter.

If that is what you are referring to, some of the files may actually be benign, as the NSRL contains hashes for various non-contraband files as well.

How did you conclude they were CP? Did you use a database of known CP hashes similar to the one from the NIST?


   
(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
 

Greetings,

Something strikes me as odd about an intern working on a CP case. "Odd" isn't the right word, perhaps "unwise" or "fraught with peril". The fact that you posted for help about the case rather than going to whoever is overseeing your internship really causes me some concern.

If these are known CP files and you're not interning with an LE agency, stop, drop, and roll.

-David


   
(@joshsevo)
Trusted Member
Joined: 15 years ago
Posts: 89
Topic starter  

> Greetings,
>
> Something strikes me as odd about an intern working on a CP case. "Odd" isn't the right word, perhaps "unwise" or "fraught with peril". The fact that you posted for help about the case rather than going to whoever is overseeing your internship really causes me some concern.
>
> If these are known CP files and you're not interning with an LE agency, stop, drop, and roll.
>
> -David

I will try and show some restraint with my answer as you deserve respect as you are currently more qualified than me.

But I need you to answer some other questions and then provide me with some alternatives.

First, I am interning at a company that is giving me the opportunity to get into this field and since they deal with CP how else am I expected to get the real world experience that every person on this site tells me I need to get a job?

I see that you are in IL. Do you have an opening for me at your company to train in the other types of materials? I can be in IL by the end of the month. Please let me know. Since you are concerned with the way I am being trained I am sure you have more superior methods to train me. Once again I can be at your company at the end of the month.

If you have ideas on other ways that I should be or other interns should be trained please join my thread I made a few days ago in this same General section about internship standards. I would like to hear your input.

The company I work for is not LE but has been retained in the defense of the guy as he is entitled to a defense. Am I not correct? So since the LE is prosecuting this guy I could not possibly be working for them.

Another thing I am told to do is find my answers. The guy I work for won't answer all my questions in order to train me on finding certain info out on my own. Since this is technically what I am doing I would appreciate an answer.

As for my role in this case I was asked to help him bookmark the known images. That's all. I only go there a few nights a week.


   
(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
 

Greetings,

One definition of "intern" follows:

"a person who works as an apprentice or trainee in an occupation or profession to gain practical experience, and sometimes also to satisfy legal or other requirements for being licensed or accepted professionally."

Both apprentice and trainee imply that there is direct supervision of the person in question. All internships I've seen recently required direct supervision of the intern. Your question, and status, prompted me to wonder who your direct supervisor is and why they're not helping answer your questions.

If your supervisor wants you to find certain information on your own, he probably didn't mean for you to post the question here for someone else to answer it instead of him.

So that was red flag #1.

Red flag #2 went up when you said CP for two reasons. One, the consequences of CP possession are significant and having an intern working on that sort of case is a bit surprising, particularly with an apparent lack of supervision. Two, if you were working for LE, then posting this sort of information would be unwise.

Thank you for clarifying your situation. I am still concerned, and you might ask your supervisor if he wants this sort of information posted to a public forum.

As for interning, I understand your problem. It is a tough, tough road. I wish more established firms would run internship programs but I've seen very few of them.

-David


   
(@joshsevo)
Trusted Member
Joined: 15 years ago
Posts: 89
Topic starter  

Well, since he sits right behind no less than 2 feet, I feel that this is as close of direct supervision that can be unless I want him on my back. Results that I found were not the ones that were final and put in the report so I suspect that he will go through what I found and verify the mistakes I might have made and correct them. If I made any to begin with.

The night I worked on this case was just luck and I have worked on other cases not involving CP. This was my first case actually dealing with it. Since this is the field I have chosen I need to encounter this material sooner or later and I would rather do it sooner as I may choose not to deal with it at a later time and finding out later what it's like would not be a good career move.

So do you have an answer to the post about what was found?


   
(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
 

Greetings,

Beetle had some observations and questions that are on point.

-David


   
(@forensicakb)
Reputable Member
Joined: 16 years ago
Posts: 316
 

Hi Josh,

So are you LE?

> Well, since he sits right behind no less than 2 feet, I feel that this is as close of direct supervision that can be unless I want him on my back. Results that I found were not the ones that were final and put in the report so I suspect that he will go through what I found and verify the mistakes I might have made and correct them. If I made any to begin with.
>
> The night I worked on this case was just luck and I have worked on other cases not involving CP. This was my first case actually dealing with it. Since this is the field I have chosen I need to encounter this material sooner or later and I would rather do it sooner as I may choose not to deal with it at a later time and finding out later what it's like would not be a good career move.
>
> So do you have an answer to the post about what was found?


   
(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

If you are working a CP case the only way you should have access to the material is at an LE office. If you are working on CP in your own office you are guilty of at a minimum possession and more likely manufacture because following some sort of forensic procedure you would have made an image of the drive or medium you are examining.


   
(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
 

Let's see if someone else gets through to him. I certainly could not.

He said he's working for a defense firm, not for LE.

-David


   