My empathy really goes out to those of you in the private sector when it comes to CP images. I am a lead forensic examiner for a municipal PD. Just a couple of years ago, defense was entitled to all the evidence I was. This included images of drives etc. This is no longer the case. The Federal Govt (US) has really restricted the distribution of CP in legal cases. Private experts in the field that defense attorney's use to hire to examine the same images I examine are now getting arrested and charged if they have possession of ANY CP images no matter what it is for.
Personally, I think that is a little over the top. As a LE officer, one would think I would be all for this type of legislation, but I DO think everyone has the right to a fair trial. This should include a separate examination of the digital evidence.
We have gotten around this issue here locally. I invite the defense's expert to the PD and have him/her conduct the examine here with our images of the drive. Before they leave, their drive is to be wiped, exporting only reports and other non-contraband items. It is a huge pain in the back side, but what other choice do we have? Alot of private exainer are just turning down these types of cases.
As for the private sector examiners….. I highly respect so many people here on these forums. I would hate to see you get into trouble for such a thing. I would definately consult the Corp Atty. Make sure they are up-to-date on the lastest federal regualtions as it pertains to the CP issue.
I am biased, but I would make sure my company had strict CP policies in place which should include the "stop, drop, and roll" procedure mentioned in earlier posts. Remember, just because you gave the image back to the client, doesn't mean you haven't possessed the CP. I think reporting would be the best solution. Also, there is nothing wrong with contacting your local FBI office and speak to an agent. Get their input on the matter. Make sure you document who you talked to, better yet, record the call with the agents permission. CYA
Real quick, just to hit on what Jamie mentioned….
I would not destroy evidence… yes evidence here in the US. If you think the FEDS are nasty with the CP issue, try destroying the evidence. I think one would feel their full rath…..Just my opinion.
Good luck with this everyone.
Jamie,
Good question. As a civilian examiner I'm not sure about whether the examiner is under any legal obligation to report to LE about the presence of CP. I would suess they are not legally obliged but under unwritten rules of conduct an examiner would likely 'feel' obligated to do so.
Banerift, I know it's gone a bit mad in the US over defence having access to evidence at their own premises. In the UK we use a memorandum of understanding for defence examiners. They agree to certain practices concerning the transportation, storage, method of examination and destruction of evidence provided to them. The MOU is then their written authority to possess the material for the duration of the case. If they breach the terms of the MOU they can become subject to the law themselves. Although it is not up to the Police to say who can act as the expert for the defence we do have a professional obligation to ensure that the examiner is able to comply with the MOU. i.e. secure storage, proper analysis techniques and the ability to destroy the data at the end. This approach is working very well and has been for some years now. Maybe because it is very difficult to get setup as a forensic computer examiner doing defence work. As a consequence it tends to be small companies or individuals who have been in the market for many years.
Steve
Actually, it hasn't been years ago, it has only been around 6 months since the Fed Rule took place.
There is already a bunch of appeals and one reversal of this based on it being unconstitutional.
Going to a police dept, RCFL, or other location which is basically run by the prosecution is totally unacceptable. You surely wouldn't do your investigation at my office, and by needing to do it at yours you have limited my hours, resources, right to privacy, and to put on a defense with counsel.
As far as working off of someone else's image goes, that is another issue where I have to believe that whoever made the image did so correctly and there is nothing that was left out. Once again I say that the police wouldn't accept an image from me without making one for themselves, checking bios, taking pictures of the machine, etc.
I have gone to police stations before and made images, and in the process made a very good friend who is a great examiner. I even wrote the person who hired me to tell them that he was good and that no attacks on his methods or skills would be beneficial.
My empathy really goes out to those of you in the private sector when it comes to CP images. I am a lead forensic examiner for a municipal PD. Just a couple of years ago, defense was entitled to all the evidence I was. This included images of drives etc. This is no longer the case. The Federal Govt (US) has really restricted the distribution of CP in legal cases. Private experts in the field that defense attorney's use to hire to examine the same images I examine are now getting arrested and charged if they have possession of ANY CP images no matter what it is for.
Personally, I think that is a little over the top. As a LE officer, one would think I would be all for this type of legislation, but I DO think everyone has the right to a fair trial. This should include a separate examination of the digital evidence.
We have gotten around this issue here locally. I invite the defense's expert to the PD and have him/her conduct the examine here with our images of the drive. Before they leave, their drive is to be wiped, exporting only reports and other non-contraband items. It is a huge pain in the back side, but what other choice do we have? Alot of private exainer are just turning down these types of cases.
As for the private sector examiners….. I highly respect so many people here on these forums. I would hate to see you get into trouble for such a thing. I would definately consult the Corp Atty. Make sure they are up-to-date on the lastest federal regualtions as it pertains to the CP issue.
I am biased, but I would make sure my company had strict CP policies in place which should include the "stop, drop, and roll" procedure mentioned in earlier posts. Remember, just because you gave the image back to the client, doesn't mean you haven't possessed the CP. I think reporting would be the best solution. Also, there is nothing wrong with contacting your local FBI office and speak to an agent. Get their input on the matter. Make sure you document who you talked to, better yet, record the call with the agents permission. CYA
Real quick, just to hit on what Jamie mentioned….
I would not destroy evidence… yes evidence here in the US. If you think the FEDS are nasty with the CP issue, try destroying the evidence. I think one would feel their full rath…..Just my opinion.
Good luck with this everyone.
I like the way they are doing things in London. I understand the reluctance to further distribute CP, but I also believe that everyone is entitled to a good defense and sometimes that requires a defense expert having access to the evidence. I am in the process of developing/building a lab (hopefully, this is in the initial stages) and one of the requirements that I am incorporating is an examination room and system so a defense expert can come in, work in privacy with any tools needed to conduct the examination, and provide an effective defense. Unfortunately, this costs money so I am not sure what will happen.
There in Australia there are different laws for different states and these are superseded by federal but in the area of abuse, if someone in a professional role does not disclose to the LE that they know of abuse occurring the can get charged-AFAIA. i'd imagine, but would need to check,that this is the case for CP.
Here's a follow on question with regard to if you do find something whilst recovering data/repairing for a client;How much weight is given to the fact that you have
a) had the machine in your possession
b) booted it or worked on it in some fashion or shutdown etc
I'm putting this from the angle of the 'ideal' situation for LE being one where the machine has not had any write operations etc to it between the suspect using it and them getting it in their possession.
I mean, for example, I'm not sure what work was being done on the original machine but the 'Stop, Drop, and roll' method would seem to be the most sensible. Inform who you need to. personally, I think the sooner you involve LE and or legal from your company, the better. Don't sit on it for too long.
amresl's post concerns me too. But then reading the post about Julie Amero(?) made me shake my head too.
Jamie
re your comments about an examiner not contacting the Police and with the permission or in consultation with the client just destroying the drive.
Its a fair comment but dependant on the circumstances if it came out there is a good possibility that the examiner could be arrested and convicted of at the least attempting to pervert the course of justice.
I am lucky in the sense that being LE when I find CP on a computer I deal with it and do not have to take into consideration any client but just deal with it.
Llike I mentioned in my previous posting on tthe subject I do not envy private sector examiners who have all the external matters to consider when finding evidence of CP. In all honesty I have never come across any private sector examiners who I would think for one minute would ignore CP or destroy evidence of child abuse just to please or satisfy a client.
In respect of defence examiners possesion of illegal images we also use the memorandum of understanding system. Strict guidlines are agreed in respect of the possesion and storage of the images as well as an understanding as to who will examine them. No copies are allowed to be made and no prints are allowed to be taken of the images. Once the matter is finalised the drive is securley wiped with certifications of the wiping process being sent to us as proof. This will negate any charges being brought against the examiner in respect of his/her possesion of the drive.
I'm a corporate analyst that does a lot of work for UK LE.
The situation here is made much easier by the Sexual Offences Act of 2003 - this provides a statutory defence for possesion of CP if the analyst is actively involved in an on-going investigation when the CP is discovered. Clearly there are very definite time constraints in play here - you can't keep this stuff once the investigation is complete, for example.
In the UK, there is a legal requirement (and as a forensic analyst - I believe a duty of care) to report any criminal activity that is discovered during the course of your investigation. There is an economic imperative of not pissing off the client though - so it's a fine balancing act.
In the one civil case I've had which contained CP, as soon as I found it, I called the client and advised them what I had found and the fact that I was under a legal obligation to report this to the police. I advised the client that I would allow them a 4 hour headstart to contact the police themselves, but that at the end of that I would be doing so. I then confirmed this in an email to the client and my manager.
We then got in touch with the local (to the client) police child protection team who, given our relationship with them, asked us to complete the examination.
One of the key concerns for the client with this type of material will be confidentiality - the reputational loss for their firm could be substantial.
Kind regards,
John Douglas.
QCC Information Security,
London.
As a Sheriff's Investigator AND a private sector employee I ride the fence. I would recommend any private examiner in the U.S. to first get to know the L.E. examiner folks in your area - join groups, HTCIA, etc. This way when you DO find something "bad" you already know the procedure and the people to call. I worked a trade secrets case on the private side just recently and recovered CP. I COULD have addressed it myself - of course conflict of interest arises - but I called my friend at the local police department who took over the criminal investigation. Documenting everything - he wiped the CP for my working copy, and he kept the original copy. CoC stays true because it is always documented. The corporate client's counsel was not pleased - until I told him the value of bringing up a CP charge in questioning the ethics of their former employee. Long story short… it helped the civil case. The L.E. department worked with me because they trusted me. They trusted me because they knew me. Simple as that. As for The criminal case didn't get out so it didn't effect the integrity of the client company.
A few thoughts on the last post..
Knowing examiners in your area has nothing at all to do with a CP case. If you find CP, then you find CP. Who to call is relative at best to the person finding the material.
Depending on how uptight your USA's are, then as soon as you "discovered" the CP you could have been nabbed with possession. Having a shield may but shouldn't get you a free pass since you said you walk the fence and do private sector work.
HTCIA is not an organization you can join if you do defense work.
Knowing examiners in your area has nothing at all to do with a CP case
I think that's a little harsh, the previous poster was simply stating that knowing people in the field is likely to help you stay up to date with current procedures and know who to call when you need to do so. Seems like a fair comment to me.
Jamie