We are working a case that involves a 'father' sexually molesting his 6 1/2 year old son. That much is known as he has confessed. The remainder of the family is very curious to know if there are any CP images on the remainder of their digital data. They have provided everything they have to our office for examination and to alert Law Enforcement should we find anything.
Hoping to gather some low hanging fruit, we are doing our first pass with IEF. Full searches, all partitions, all artifacts, full blown attack. We are using plain text keywords provided to us by a local LEO who has a successful history of ferreting out C.P. Of course, one of the keywords is 'sex'. To date we have processed about 3 Terabytes of data and the hit count on all of the words except sex is zero. Even the word sex has a hit count of about 50 after 3 TB of processing.
I am concerned that there is something going on here that I am missing. Usually 'sex' picks up more hits than we can easily deal with. The suspect is a medical doctor of extraordinary intelligence but he is not necessarily computer literate. Of course, he could have hired someone. There are about 25 encrypted files and everything could be hiding there but based on prior experience this still seems too far out on the bell curve. We have not found any images that are either CP or adult porn.
Maybe there just isn't anything to be found but I wanted some input on the matter.
Thank you,
C.M. "Mike" Adams
Prime Focus Forensics
I recently worked on a case searching for CP using IEF and found nothing. Then I processed the image using FTK version 6 and found dozens (FTK version 4.2 found only a single CP image). Since then I have seriously questioned IEF's ability to find both allocated and unallocated graphics files. I suggest doing a graphics analysis using FTK or EnCase to be sure, don't rely on just IEF for the graphics.
As for the number of hits on the word sex, that does seem odd. I would suggest attempting to break the encryption on those files for sure. What type of encryption are they?
I would strongly suggest that using IEF to perform a full analysis on a serious case such as this is at best deeply flawed.
IEF does an excellent job of extracting Internet History and other forensic artefacts, however it is not a one stop show. AFAIK it only runs the keyword searches against things it can extract, not the raw data. Therefore if the text was present in a file it doesn't process, it would never find the result.
I would suggest processing the images in X-Ways or a similar tool to carve for pictures and movies and run keyword searches. This will generally get you far more data than you will ever get with IEF.
If you do, I would remove the word "Sex" from your keyword list as you will probably be inundated with results. However, if you are still getting no hits for keyword search terms you may be looking for evidence of anti-forensics tools (CCleaner etc.).
A few side questions, if I may.
Is the curiosity of the family enough to "authorize" a private forensics firm to expressly "look for CP" and to legally provide to it all the storage media (I presume belonging to the "suspect").
I mean, till now I had gathered that (at least in the US) as soon as evidence of CP is found, the whole thing should immediately go to the Police (or however LE), but long before that, isn't the storage media (if examined without an explicit consent of the suspect) "stolen"?
On the other hand, if the "suspect" is cooperating, why not have those encrypted files decrypted by him?
And if the "suspect" already confessed some crime, shouldn't the matter be already anyway in the hands of LE?
jaclaz
All good points.
However, on this case, we are also working at the request of the local DA. For some reason, even with the confession in hand, she did not feel that she had enough probable cause to go after any of the digital devices owned and used by the family. Believe me, if we find it, we shut down and blow the whistles, all of them.
Thank you,
Mike
As I mentioned, IEF is being utilized first for low hanging fruit. I also forgot to mention that we are interested in any peer to peer stuff, particularly Zoom. We will go back again with EnCase, and probably Belkasoft EC, depending on results.
Using TrueCrypt.
Thank you,
Mike
We never intended to use IEF as the only tool. Goes against our SOP and we don't wish to be 'seriously flawed', ever. However, we are also interested in peer to peer. We have a DOJ attorney who runs a group of about 30 forensic examiners consulting with us on this case and he reports IEF does a good job of carving the Internet stuff that will also provide clues.
You are correct about the word 'sex' but I always use it as a test to make sure that things seem to be working normally. Occasionally, as in this case, the canary in the mine was having difficulty so we were alerted.
Thank you,
Mike
What OS is this?
We have more than 9 TB, almost all of it Apple products.
Two iPhones, 2 LaCie external drives, 2 iMacs, 2 MacBook Pros, 1 iPod
Also 4 32GB SD cards, FAT32
Thank you
Just here to offer support and throw in my 2 cents to this for both Pachuco and minime2k9. You're both correct that there's no way you should be using only one tool in any examination including IEF. No tool will ever get everything, it's impossible, that's why it's so important as an examiner to run several tools in any case and it sounds like that's what Pachuco is doing which is right.
minime2k9 is also correct when it comes to keywords. IEF is an artifact tool and it searches for artifacts, it's not a full forensic analysis tool with full file system support. This is a major area where IEF and AXIOM differ. IEF will do keyword searches across the artifacts (which include the content of artifacts like chat, docs, email, etc.) which is great but if the keyword isn't in the artifact, it won't pick it up so there's a limitation to it. AXIOM gives you both, the artifact search and the full binary search across the entire disk/file system. There are pros and cons to each search (a binary search from most forensic tools won't pick up encrypted, encoded, or compressed data whereas if we can understand the artifact and first decrypt/decode/decompress, we can then search it but it requires prior knowledge or understanding of the given artifact by the tool).
With that being said, any time you guys come across IEF or AXIOM not picking something up you would expect it to, let us know. The only details we really need is the type of data (header would be good too if it's not a common one) and where you found it. We generally do a great job carving stuff from unallocated, within allocated files like documents, etc. but I guarantee we won't ever get every possible image on a computer or phone, it's the nature of carving and why we as examiners use several tools.
One final point about the evidence, you mentioned Macs so one final ask, what file system are they running, HFS+ or APFS? Apple just released APFS like 3 weeks ago for all iOS, Mac, watch, tv, etc… and we don't support APFS yet. This doesn't matter too much for iOS since all tools are generally only getting a backup these days and the file system doesn't matter but for Mac computers it does so be careful when looking at any newer Macs to check the file system being used.
Jamie
jamie dot mcquaid at magnetforensics dot com
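The two search limitations raised in this thread (minime2k9's point that an artifact-only search never touches raw data that no parser extracts, and Jamie's point that a raw binary search misses compressed or encoded data until something decompresses it) are easy to see on a tiny constructed image. The script below is an added example, not code from the thread, from IEF/AXIOM, or from any vendor: it builds a fake "disk image" from constructed bytes (a plain ASCII note, a UTF-16LE path string, a zlib-compressed chat fragment, and zero filler standing in for unallocated space), runs a raw keyword search in both ASCII and UTF-16LE encodings, and then shows that the copy inside the compressed region only appears once the zlib stream is located and inflated. zlib is used here purely as a stand-in for "compressed artifact content"; real artifacts use many container formats.

```python
"""
Raw-image keyword search versus compressed content (constructed example).

Demonstrates two points from the discussion:
  1. A byte-level search over the whole image finds text in any file, parsed or
     not, in whatever encoding you search for (here ASCII and UTF-16LE).
  2. That same raw search does NOT see text inside compressed data; the stream
     has to be located and inflated first, which needs format knowledge.
All input bytes are constructed here; nothing is read from real media.
"""
import re
import zlib
from typing import Dict, List, Tuple

Hit = Tuple[str, str, int]  # (keyword, encoding, byte offset in image)


def build_sample_image() -> Tuple[bytes, Dict[str, int]]:
    """Assemble a fake image and return it with the offset of each region."""
    ascii_part = b"notes.txt: meeting about sex education curriculum\n"
    utf16_part = "Downloads\\sexuality_lecture.pdf".encode("utf-16-le")
    compressed_part = zlib.compress(b"archived chat log mentioning sex again")

    layout: Dict[str, int] = {}
    image = b"\x00" * 512                      # unallocated filler
    layout["ascii"] = len(image)
    image += ascii_part + b"\x00" * 128
    layout["utf16"] = len(image)
    image += utf16_part + b"\x00" * 64
    layout["zlib"] = len(image)
    image += compressed_part + b"\x00" * 256
    return image, layout


def encode_variants(keyword: str) -> Dict[str, bytes]:
    """Byte patterns to look for: plain ASCII and UTF-16LE (common on Windows
    and in many Apple plist/metadata structures)."""
    return {
        "ascii": keyword.encode("ascii"),
        "utf-16le": keyword.encode("utf-16-le"),
    }


def raw_keyword_search(data: bytes, keywords: List[str]) -> List[Hit]:
    """Case-insensitive byte search over the entire buffer, every encoding."""
    hits: List[Hit] = []
    for kw in keywords:
        for enc, needle in encode_variants(kw).items():
            for m in re.finditer(re.escape(needle), data, flags=re.IGNORECASE):
                hits.append((kw, enc, m.start()))
    return sorted(hits, key=lambda h: h[2])


def find_zlib_streams(data: bytes) -> List[Tuple[int, bytes]]:
    """Locate candidate zlib headers (0x78 followed by 0x01/0x9C/0xDA) and try
    to inflate from each; candidates that fail to inflate are discarded."""
    streams: List[Tuple[int, bytes]] = []
    for m in re.finditer(rb"\x78[\x01\x9c\xda]", data):
        inflater = zlib.decompressobj()
        try:
            plain = inflater.decompress(data[m.start():])
        except zlib.error:
            continue
        if plain:
            streams.append((m.start(), plain))
    return streams


def search_with_decompression(data: bytes, keywords: List[str]) -> Tuple[List[Hit], List[Hit]]:
    """Return (raw hits, hits found only after inflating compressed streams).
    Inflated hits are reported at the offset of the stream they came from."""
    raw = raw_keyword_search(data, keywords)
    inflated: List[Hit] = []
    for stream_offset, plain in find_zlib_streams(data):
        for kw, enc, _ in raw_keyword_search(plain, keywords):
            inflated.append((kw, enc + "+zlib", stream_offset))
    return raw, inflated


if __name__ == "__main__":
    image, layout = build_sample_image()
    raw, inflated = search_with_decompression(image, ["sex", "lecture"])
    print("layout:", layout)
    print("raw hits:", raw)
    print("hits only visible after decompression:", inflated)
```

Running it shows three raw hits (the ASCII note, and two UTF-16LE matches inside the path string that an ASCII-only keyword list would never find) and one further hit that only appears after the zlib stream at the third region is inflated. The same pattern applies to a real case at larger scale: a raw search across the whole image is the safety net for anything the artifact parsers do not know about, and it still needs encoding variants and decompression/decoding stages to reach content that is not stored as plain bytes.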