Procedure for CP evidence?  

Page 2 / 6
OldDawg
(@olddawg)
Active Member

This is certainly a more in-depth and interesting topic than I had surmised.

In fact, it appears that official agencies are also somewhat in limbo about what to do. I've been in touch with NCMEC, 2 people at municipal PDs and 3 state police before finally getting an answer about how to pursue this. At this stage, no one knows whether the images are CP or not. NCMEC doesn't distribute their hash sets so there is no help there. I suspect that the state LEOs will forward the images to NCMEC for evaluation and a decision. Once that happens it is unknown how things will proceed. I'll keep you all posted, however. This stuff needs to be codified and a proper procedure outlined.

Posted : 11/02/2007 5:20 am
az_gcfa
(@az_gcfa)
Active Member

While going over the responses there were several that generally caused me concern. I'm reviewing/developing new procedures and creating several custom forms to be used in the procedure of acquiring/obtaining digital media from clients. In other words, it is my intention to document the "Chain of Custody" thoroughly because of these exact situations.

While I'm generally not an alarmist by nature, I too have seen some pretty scary facets of our legal system. I do not want to leave anything to chance - like trying to prove that I did not put the "illegal content" on the media.

I can document the receipt of the media by serial number and physical description. Personally, I never accept any media that does not have any labels or unique descriptors. I have been known to require people to mark CDs and DVDs with a Sharpie before I take possession.

Documenting the physical exchange is all well and good. Now we are entering into a realm where we must prove we did not put the "illegal content" on the media. The only way I know how to do this is to generate an MD5 or SHA1 hash value. I always generate an MD5 hash value on any and all media, first thing as part of the imaging process.
Reckon, now I will photograph the screen displaying the MD5 value at the customer's site, ensuring that I capture enough site details to prove when and where the image was created.

I admit that I have been fortunate in not having to deal with any CP. I have had to deal with some pornography. I need to ensure that my Forensic WSs, processing procedures and data storage procedures prevent essential equipment from being affected by this type of an event.

I wonder why I still want to do this type of work without the protection of a shield. Oh Well! Document, document and document some more.

Posted : 11/02/2007 8:20 am
Jamie
(@jamie)
Community Legend

This is an important and interesting discussion. I'm going to "sticky" the topic to give it some prominence and ask a few other members for their comments.

On a personal level I have some fairly strong feelings about what an appropriate course of action to take is in this situation (and I share some of the concerns about a few comments made so far). However, a clearer insight into the legal ramifications of discovering CP would undoubtedly be useful for everyone - let's see what we can all do to clarify the situation both at the national and, where appropriate (e.g. US), state level. Comments from legal counsel and law enforcement are very much welcome - please post what you know and encourage others to join the discussion.

Jamie

Posted : 11/02/2007 12:36 pm
steve862
(@steve862)
Active Member

Hi,

On a couple of occasions I have received a computer from a corporate data recovery source where CP was discovered by them. On those occasions the data recovery people felt that they should not be in possession of this material and had some vague awareness that if they gave it back to the client they were inadvertently committing the offence of distributing CP. So they gave it to the Police and we acted on it very quickly so that we could identify who was responsible.

It was important to have the image from the data recovery people and the actual exhibit. It was appropriate to image the drive(s) again and compare them to the image given to us. We also needed to verify for ourselves the BIOS date and time and any configuration issues on the PC which might have affected the findings, such as audio files but no sound card. It was also appropriate to compare the devices listed in the setupapi.log file and registry with the actual devices inside the computer. If more than one hard drive were found and the CP was on the drive not containing the OS it would be necessary to identify when that drive was first installed in that PC.

Once CP had been found it was then necessary to prove that it was created intentionally or deliberately retained and following a recent ruling to prove that the person was still knowingly in possession of it. Deleted images would not count as possession but where it was possible to prove when and how the CP files were made a making charge could be applied to deleted images.

Because we could act quickly we were able to identify whether the client was involved and if so produce a case without them suspecting anything was wrong. If it was clear it was a member of staff we could approach the client and enlist their assistance in identifying any other locations in which this person might have put similar material.

I think the rules here in the UK are going to be quite a bit different to the US but certainly here I would want a corporate forensic analyst to call me. In return I would promise to act quickly as this does not put them in an awkward position regarding the client. I do understand that you would have concerns over getting paid for the work you did but you would technically be breaking the law if you gave the computer back, even with the instruction to contact LE.

Steve

Posted : 13/02/2007 2:56 pm
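
Added example (not part of any poster's message): a sketch of the acquisition hash record az_gcfa describes and the re-image comparison described in the post above. The field names, the placeholder serial and the sample bytes are assumptions constructed for illustration; no real evidence data is used.

```python
import hashlib
import io
from datetime import datetime, timezone


def hash_stream(stream, chunk_size=1024 * 1024):
    """Hash a media image in chunks so large images never sit in memory."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    for block in iter(lambda: stream.read(chunk_size), b""):
        md5.update(block)
        sha1.update(block)
        size += len(block)
    return {"bytes": size, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def custody_entry(stream, serial, description, examiner, location):
    """Record which physical item was imaged, by whom, where, when, and its hashes."""
    return {
        "serial": serial,              # serial number read off the media
        "description": description,    # physical description / label markings
        "examiner": examiner,
        "location": location,          # where the image was created
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "hashes": hash_stream(stream),
    }


def verify_reimage(entry, stream):
    """Hash a later image of the same exhibit and compare it to the record."""
    current = hash_stream(stream)
    mismatches = [k for k in ("bytes", "md5", "sha1")
                  if current[k] != entry["hashes"][k]]
    return {"match": not mismatches, "mismatches": mismatches, "current": current}


# Constructed sample data standing in for a drive image (not real evidence).
SAMPLE_IMAGE = b"\x00" * 4096 + b"constructed sample sector data" + b"\xff" * 4096
ALTERED_IMAGE = SAMPLE_IMAGE[:-1] + b"\xfe"  # same size, one byte changed

if __name__ == "__main__":
    entry = custody_entry(
        io.BytesIO(SAMPLE_IMAGE),
        serial="PLACEHOLDER-SERIAL",           # hypothetical value
        description="3.5in HDD, label initialled by client",
        examiner="examiner name",
        location="client site",
    )
    print(entry)
    # A second image of the untouched exhibit should reproduce every value.
    print(verify_reimage(entry, io.BytesIO(SAMPLE_IMAGE))["match"])
    # Any change to the media after acquisition shows up as a hash mismatch.
    print(verify_reimage(entry, io.BytesIO(ALTERED_IMAGE))["mismatches"])
```
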
Jamie
(@jamie)
Community Legend

Many thanks, Steve. Could I just pick up one last point? I understand from what you've said that returning the device in question to the client would be an offence (strictly speaking) but am I right in thinking that under UK law the examiner is not legally obliged to report the presence of such material to the police? In other words, could the examiner (with the permission/knowledge of the client, perhaps) in theory simply destroy the material without breaking the law?

Note to all: I'm NOT suggesting that the above would be either ethical or professional (quite the reverse) but I am interested in whether there's a loophole here which has been closed in other jurisdictions.

Jamie

Posted : 13/02/2007 11:16 pm
BraneRift
(@branerift)
Member

My empathy really goes out to those of you in the private sector when it comes to CP images. I am a lead forensic examiner for a municipal PD. Just a couple of years ago, defense was entitled to all the evidence I was. This included images of drives etc. This is no longer the case. The Federal Govt (US) has really restricted the distribution of CP in legal cases. Private experts in the field that defense attorneys used to hire to examine the same images I examine are now getting arrested and charged if they have possession of ANY CP images no matter what it is for.

Personally, I think that is a little over the top. As a LE officer, one would think I would be all for this type of legislation, but I DO think everyone has the right to a fair trial. This should include a separate examination of the digital evidence.

We have gotten around this issue here locally. I invite the defense's expert to the PD and have him/her conduct the examination here with our images of the drive. Before they leave, their drive is to be wiped, exporting only reports and other non-contraband items. It is a huge pain in the back side, but what other choice do we have? A lot of private examiners are just turning down these types of cases.

As for the private sector examiners….. I highly respect so many people here on these forums. I would hate to see you get into trouble for such a thing. I would definitely consult the Corp Atty. Make sure they are up-to-date on the latest federal regulations as it pertains to the CP issue.

I am biased, but I would make sure my company had strict CP policies in place which should include the "stop, drop, and roll" procedure mentioned in earlier posts. Remember, just because you gave the image back to the client, doesn't mean you haven't possessed the CP. I think reporting would be the best solution. Also, there is nothing wrong with contacting your local FBI office and speaking to an agent. Get their input on the matter. Make sure you document who you talked to, better yet, record the call with the agent's permission. CYA

Real quick, just to hit on what Jamie mentioned….

I would not destroy evidence… yes evidence here in the US. If you think the FEDS are nasty with the CP issue, try destroying the evidence. I think one would feel their full wrath…..Just my opinion.

Good luck with this everyone.

Posted : 13/02/2007 11:21 pm
steve862
(@steve862)
Active Member

Jamie,

Good question. As a civilian examiner I'm not sure about whether the examiner is under any legal obligation to report to LE about the presence of CP. I would guess they are not legally obliged but under unwritten rules of conduct an examiner would likely 'feel' obligated to do so.

BraneRift, I know it's gone a bit mad in the US over defence having access to evidence at their own premises. In the UK we use a memorandum of understanding for defence examiners. They agree to certain practices concerning the transportation, storage, method of examination and destruction of evidence provided to them. The MOU is then their written authority to possess the material for the duration of the case. If they breach the terms of the MOU they can become subject to the law themselves. Although it is not up to the Police to say who can act as the expert for the defence we do have a professional obligation to ensure that the examiner is able to comply with the MOU, i.e. secure storage, proper analysis techniques and the ability to destroy the data at the end. This approach is working very well and has been for some years now. Maybe because it is very difficult to get set up as a forensic computer examiner doing defence work. As a consequence it tends to be small companies or individuals who have been in the market for many years.

Steve

Posted : 14/02/2007 2:09 am
armresl
(@armresl)
Community Legend

Actually, it hasn't been years ago, it has only been around 6 months since the Fed Rule took place.

There is already a bunch of appeals and one reversal of this based on it being unconstitutional.

Going to a police dept, RCFL, or other location which is basically run by the prosecution is totally unacceptable. You surely wouldn't do your investigation at my office, and by needing to do it at yours you have limited my hours, resources, right to privacy, and to put on a defense with counsel.

As far as working off of someone else's image goes, that is another issue where I have to believe that whoever made the image did so correctly and there is nothing that was left out. Once again I say that the police wouldn't accept an image from me without making one for themselves, checking bios, taking pictures of the machine, etc.

I have gone to police stations before and made images, and in the process made a very good friend who is a great examiner. I even wrote the person who hired me to tell them that he was good and that no attacks on his methods or skills would be beneficial.

Posted : 14/02/2007 2:12 am
matt3x166
(@matt3x166)
Junior Member

I like the way they are doing things in London. I understand the reluctance to further distribute CP, but I also believe that everyone is entitled to a good defense and sometimes that requires a defense expert having access to the evidence. I am in the process of developing/building a lab (hopefully, this is in the initial stages) and one of the requirements that I am incorporating is an examination room and system so a defense expert can come in, work in privacy with any tools needed to conduct the examination, and provide an effective defense. Unfortunately, this costs money so I am not sure what will happen.

Posted : 14/02/2007 11:11 am
elmurado
(@elmurado)
Junior Member

There in Australia there are different laws for different states and these are superseded by federal but in the area of abuse, if someone in a professional role does not disclose to the LE that they know of abuse occurring they can get charged - AFAIA. I'd imagine, but would need to check, that this is the case for CP.

Here's a follow-on question with regard to if you do find something whilst recovering data/repairing for a client: How much weight is given to the fact that you have
a) had the machine in your possession
b) booted it or worked on it in some fashion or shutdown etc

I'm putting this from the angle of the 'ideal' situation for LE being one where the machine has not had any write operations etc to it between the suspect using it and them getting it in their possession.
I mean, for example, I'm not sure what work was being done on the original machine but the 'Stop, Drop, and roll' method would seem to be the most sensible. Inform who you need to. Personally, I think the sooner you involve LE and/or legal from your company, the better. Don't sit on it for too long.

armresl's post concerns me too. But then reading the post about Julie Amero(?) made me shake my head too.

Posted : 15/02/2007 10:06 am
mark777
(@mark777)
Active Member

Jamie

re your comments about an examiner not contacting the Police and with the permission or in consultation with the client just destroying the drive.

It's a fair comment but dependent on the circumstances if it came out there is a good possibility that the examiner could be arrested and convicted of at the least attempting to pervert the course of justice.

I am lucky in the sense that being LE when I find CP on a computer I deal with it and do not have to take into consideration any client but just deal with it.

Like I mentioned in my previous posting on the subject I do not envy private sector examiners who have all the external matters to consider when finding evidence of CP. In all honesty I have never come across any private sector examiners who I would think for one minute would ignore CP or destroy evidence of child abuse just to please or satisfy a client.

In respect of defence examiners' possession of illegal images we also use the memorandum of understanding system. Strict guidelines are agreed in respect of the possession and storage of the images as well as an understanding as to who will examine them. No copies are allowed to be made and no prints are allowed to be taken of the images. Once the matter is finalised the drive is securely wiped with certifications of the wiping process being sent to us as proof. This will negate any charges being brought against the examiner in respect of his/her possession of the drive.

Posted : 17/02/2007 3:40 am
finbarr
(@finbarr)
Junior Member

I'm a corporate analyst that does a lot of work for UK LE.

The situation here is made much easier by the Sexual Offences Act of 2003 - this provides a statutory defence for possession of CP if the analyst is actively involved in an on-going investigation when the CP is discovered. Clearly there are very definite time constraints in play here - you can't keep this stuff once the investigation is complete, for example.

In the UK, there is a legal requirement (and as a forensic analyst - I believe a duty of care) to report any criminal activity that is discovered during the course of your investigation. There is an economic imperative of not pissing off the client though - so it's a fine balancing act.

In the one civil case I've had which contained CP, as soon as I found it, I called the client and advised them what I had found and the fact that I was under a legal obligation to report this to the police. I advised the client that I would allow them a 4 hour headstart to contact the police themselves, but that at the end of that I would be doing so. I then confirmed this in an email to the client and my manager.

We then got in touch with the local (to the client) police child protection team who, given our relationship with them, asked us to complete the examination.

One of the key concerns for the client with this type of material will be confidentiality - the reputational loss for their firm could be substantial.

Kind regards,

John Douglas.
QCC Information Security,
London.

Posted : 23/04/2007 2:56 am
mikeypopo
(@mikeypopo)
Junior Member

As a Sheriff's Investigator AND a private sector employee I ride the fence. I would recommend any private examiner in the U.S. to first get to know the L.E. examiner folks in your area - join groups, HTCIA, etc. This way when you DO find something "bad" you already know the procedure and the people to call. I worked a trade secrets case on the private side just recently and recovered CP. I COULD have addressed it myself - of course conflict of interest arises - but I called my friend at the local police department who took over the criminal investigation. Documenting everything - he wiped the CP for my working copy, and he kept the original copy. CoC stays true because it is always documented. The corporate client's counsel was not pleased - until I told him the value of bringing up a CP charge in questioning the ethics of their former employee. Long story short… it helped the civil case. The L.E. department worked with me because they trusted me. They trusted me because they knew me. Simple as that. As for the criminal case, it didn't get out so it didn't affect the integrity of the client company.

Posted : 23/04/2007 8:55 pm
armresl
(@armresl)
Community Legend

A few thoughts on the last post..

Knowing examiners in your area has nothing at all to do with a CP case. If you find CP, then you find CP. Who to call is relative at best to the person finding the material.

Depending on how uptight your USA's are, then as soon as you "discovered" the CP you could have been nabbed with possession. Having a shield may but shouldn't get you a free pass since you said you walk the fence and do private sector work.

HTCIA is not an organization you can join if you do defense work.

Posted : 24/04/2007 5:44 am
Jamie
(@jamie)
Community Legend

"Knowing examiners in your area has nothing at all to do with a CP case"

I think that's a little harsh, the previous poster was simply stating that knowing people in the field is likely to help you stay up to date with current procedures and know who to call when you need to do so. Seems like a fair comment to me.

Jamie

Posted : 25/04/2007 9:39 pm