Procedure for CP ev...
 
Notifications
Clear all

Procedure for CP evidence?

81 Posts
52 Users
0 Likes
6,221 Views
(@armresl)
Posts: 1011
Noble Member
 

Actually, it wasn't CP, that is why I used "problem material" it was a case of suspected terrorism and the person accused was a white American, never been in trouble before for anything and ran a very successful business for lots of years.

I have witnessed cases though where there were low level tech guys from large nationwide retail chains where the charges were for CP.

It's a judgment call on you and your counsel's part.
Several people are going to have several different answers, that doesn't make mine or anyone else's right for your situation.

Just trying to provide you with information from experiences I have had.

 
Posted : 11/02/2007 1:53 am
(@armresl)
Posts: 1011
Noble Member
 

I am a bit confused (or I misunderstood some posts).

I have read here to call your lawyer, examine around the CP, go straight to the FBI, and don't go straight to the FBI to avoid a civil suit if you are wrong.

The post by armresl concerns me the most about a repair guy getting convicted and doing time after calling the FBI. Is there more to the story than they found CP while servicing a computer and called the FBI?

It is starting to sound like my chosen career is like playing Russian Roulette with these hard drives.

Can someone clarify what to do if we run across it?
My contract states that I "will immediately cease its examination and advise CLIENT and appropriate law enforcement authorities of the nature of the materials found". Is this wrong?

Advise client and appropriate LE can be rather vague. Who is the appropriate LE? Who makes the decision on who is the appropriate LE?
Do you act the same in every instance of this? Based on the following wording you just have to contact any law enforcement agency, doesn't even have to be in your home state. But that is their wording and what you have differs from that.

If you look at the code, you probably don't fall under those guidelines.
BEGIN CUT AND PASTE

"Creates a mandatory reporting requirement for electronic communication service providers, Internet Service Providers, and remote computing service providers to report violations of federal child pornography laws to any law enforcement agency and/or the National Center for Missing and Exploited Children."

You may want to look up 2252(a)(4) and 2252A(a)(5)

 
Posted : 11/02/2007 2:05 am
mark777
(@mark777)
Posts: 101
Estimable Member
 

keydet

Read your reply with interest re your procedure and I realise that we are in different legal jurisdictions but I am interested to know you views on the following if you could

If you find CP images and stop your examination and give the drive back to the client what happens if the client is the person who put them there. They are not gonna contact LE. Do you have any procedures in place to ensure that LE becomes aware or indeed can you inform LE without the clients permission.

I notice you mention being sued in certain instances but what would be the outcome if you gave a disk back to a client who was the perp and he (or she) subsequently abused a kid and it come out about your drive and CP and nothing had been done about it. Would that leave you open to action being taken against you?

Also, in this country, if as a LE officer I discovered that a private practice investigator had come across CP on a drive and returned it to a client without informing LE then in all probability he/she would be arrested for distributing illegal images of children. Is there nothing like that over there you are leaving yourself open to.

All in all I do not envy you the position that you would find yourself in.

Please understand I am not making any criticism of any of your policies, I am just interested in how you deal with the problem you have as a private sector investigator when you come across someone who may be or have evidence of child abuse.

 
Posted : 11/02/2007 2:23 am
 ddow
(@ddow)
Posts: 278
Reputable Member
 

Mark,

This particular scenario starts many lively discussions in which the differences are really centered on jursidiction. The best advice of all so far was to consult your own attorney before even taking a case.

Cheers

 
Posted : 11/02/2007 3:22 am
(@wilber999)
Posts: 30
Eminent Member
 

I appreciate everyone's conversation and would like to say that I enjoy the conversation, but I do not like the topic of CP and admire (and thank) those that work with it daily to protect help protect my family.. Below is the complete section of my contract on CP

To the event that a forensics examination reveals the existence of possible child pornography on the examined media, COMPANY will immediately cease its examination and advise CLIENT and appropriate law enforcement authorities of the nature of the materials found. Before proceeding with further forensic examination, CLIENT will secure a court order or take such other legal action as may be necessary to prevent both COMPANY and CLIENT from being subject to any legal charges regarding the possession or distribution of child pornography.

Not that it makes it any better, but this section came from an ABA published book on electronic discovery in which the authors run a well respected Forensics company.. I agree with each of you to consult counsel and check my local laws and restrictions.

Everyone have a good weekend..

armresl… your post on people getting busted for what appears to be the "right thing" still concerns me 😯

 
Posted : 11/02/2007 5:17 am
(@olddawg)
Posts: 108
Estimable Member
Topic starter
 

This is certainly a more indepth and interesting topic than I had surmised.

In fact, it appears that official agencies are also somewhat in limbo about what to do. I've been in touch with NCMEC, 2 people at municipal PDs and 3 state police before finally getting an answer about how to pursue this. At this stage, no one knows whether the images are CP or not. NCMEC doesn't distribute their hash sets so there is no help there. I suspect that the state LEOs will forward the images to NCMEC for evaluation and a decision. Once that happens it is unknown how things will proceed. I'll keep you all posted, however. This stuff needs to be codified and a proper procedure outlined.

 
Posted : 11/02/2007 5:20 am
az_gcfa
(@az_gcfa)
Posts: 116
Estimable Member
 

While going over the responses there were several that generally caused me concern. I'm reviewing/developing new procedures and creating several custom forms to be used in the procedure of acquiring/obtaining digital media from clients. In otherwords, it is my intention to document the "Chain of Custody" throughly because of these exact situations.

While I'm generally not an alarmist by nature, I too have see some pretty scary facuets of the our legal system. I do not want to leave any thing to chance - like trying to prove that I did not put the "illegal content" on the media.

I can document the reciept of the media by serial number and physical description. Personally, I never accept any media that does not have any labels or unique descriptors. I have been known to require people to mark CD's and DVD's with a Sharpies before I take possession.

Documenting the physical exchange is all well and good. Now we are entering into a realm of where we must prove we did not put the "illegal content" on the media. The only way I know how to do this is to generate a MD5 or SHA1 hash valve. I always generate a MD5 hash valve on any and all media, first thing as part of the imaging process.
Reckon, now I will photograph the screen displaying the MD5 valve at the customer's site, insuring that I capture enough site details to prove when and where the image was created.

I admit that I have been fortunate in not having to deal with any CP. I have had to deal with some pornography. I need to insure that my Forensic WSs, processing procedures and data storage procedures prevent essential equipment from being effected by this type of an event.

I wonder why I still want to do this type of work without the protection of a shield. Oh Well! Document, document and document some more.

 
Posted : 11/02/2007 8:20 am
Jamie
(@jamie)
Posts: 1288
Moderator
 

This is an important and interesting discussion. I'm going to "sticky" the topic to give it some prominence and ask a few other members for their comments.

On a personal level I have some fairly strong feelings about what an appropriate course of action to take is in this situation (and I share some of the concerns about a few comments made so far). However, a clearer insight into the legal ramifications of discovering CP would undoubtedly be useful for everyone - let's see what we can all do to clarify the situation both at the national and, where appropriate (e.g. US), state level. Comments from legal counsel and law enforcement are very much welcome - please post what you know and encourage others to join the discussion.

Jamie

 
Posted : 11/02/2007 12:36 pm
steve862
(@steve862)
Posts: 194
Estimable Member
 

Hi,

On a couple of occasions I have received a computer from a corporate data recovery source where CP was discovered by them. On those occasions the data recovery people felt that they should not be in possesion of this matieral and had some vague awareness that if they gave it back to the client they were inadvertantly committing the offence of distributing CP. So they gave it to the Police and we acted on it very quickly so that we could identify who was responsible.

It was important to have the image from the data recovery people and the actual exhibit. It was appropriate to image the drive(s) again and compare them to the image given to us. We also needed to verify for ourselves the BIOS date and time and any configuration issues on the PC which might have affected the findings, such as audio files but no sound card. It was also appropriate to compare the devices listed in the setupapi.log file and registry with the actual devices inside the computer. If more than one hard drive were found and the CP was on the drive not contianing the OS it would be necessary to identify when that drive was first installed in that PC.

Once CP had been found it was then necessary to prove that it was created intentionally or deliberately retained and following a recent ruling to prove that the person was still knowingly in possesion of it. Deleted images would not count as possesion but where it was possible to prove when and how the CP files were made a making charge could be applied to deleted images.

Because we could act quickly we were able to identify whether the client was involved and if so produce a case without them suspecting anything was wrong. If it was clear it was a member of staff we could approach the client and enlist their assitance in identifying any other locations in which this person might have put similar material.

I think the rules here in the UK are going to be quite a bit different to the US but certainly here I would want a corporate forensic analyst to call me. In return I would promise to act quickly as this does not put them in an awkward position regarding the client. I do understand that you would have concerns over getting paid for the work you did but you would technically be breaking the law if you gave the computer back, even with the instruction to contact LE.

Steve

 
Posted : 13/02/2007 2:56 pm
Jamie
(@jamie)
Posts: 1288
Moderator
 

Many thanks, Steve. Could I just pick up one last point? I understand from what you've said that returning the device in question to the client would be an offence (strictly speaking) but am I right in thinking that under UK law the examiner is not legally obliged to report the presence of such material to the police? In other words, could the examiner (with the permission/knowledge of the client, perhaps) in theory simply destroy the material without breaking the law?

Note to all I'm NOT suggesting that the above would be either ethical or professional (quite the reverse) but I am interested in whether there's a loophole here which has been closed in other jurisdictions.

Jamie

 
Posted : 13/02/2007 11:16 pm
Page 2 / 9
Share: