This thread is getting a little long in the tooth. At the time it was started, there was a new law here in the USA, and there was a lot of discussion about how it could be interpreted to mean that even the investigator may end up in jail.
Does anyone have a resource for current laws or cases involving investigators who stumble on CP during an investigation? How has this new law worked in practice? I assume no one has gone to jail for reporting finding CP or there would be some screaming going on in this thread.
I'm new in the field, and I realize I have to be prepared to respond appropriately if I ever do find CP on a computer. I think it's better to have a procedure in place already so the heat of the moment (moment of discovering the images) doesn't cause me to do something stupid.
Stop, drop, and roll seems like good advice, and that's a good start for my policy, but I need to flesh that out a little more.
Rule #1 If you come across it, get it off your hands (call 9-1-1 so they can take it). Don't ship it, transport it, copy it, mail it, view it, show it, delete it, wipe it, modify it, or give it to anyone, including your client. 9-1-1 (PD, SO, etc…) can come and pick it up from you.
Rule #2 If you need to examine it or the media it exists on, get approval.
Approval means a court authorized protection order or signed letter of non-prosecution by both the Federal and local prosecution authorities. I prefer a judge's order personally.
"Getting rid" of it does not mean deletion or otherwise destroying it (that would be destroying evidence).
Be prepared: your machine may be co-mingled with criminal evidence (cache, etc…) and will need to be cleaned or could be seized, depending on circumstances. With that, forensic machines should always be 'forensic machines', not personal or business use machines (email, client files, personal files, etc…), because you never know if it becomes part of a case due to co-mingled evidence from CP.
Let clients know in advance that if CP is found, all bets are off. LE has to take custody of the affected data and media.
In short, "stop, drop, and roll".
You can ask your local prosecutor how to handle it as well. Don't ask your local PD for help unless you speak with the forensic examiner directly.
I don't work non-LEO cases, but I always thought that if I were doing a private engagement, I would try to do my examination (depending on what the matter was) so that images and videos were the last thing I reviewed. That way, I might be able to get the evidence I needed (and the billable hours) before I found any CP.
As a former computer forensics examiner in a police force, I suggest reporting it to the local law enforcement. Even if only one CP exists on the hard drive, it is a very serious crime. We have treaties amongst different countries to join forces to combat the CP offence.
Thinking about the victims, if you have a conscience you need to report it!
It should also be a company policy, best practice and moral conscience to report any CP found on mobile tablets/smart phones interconnecting and accessing/receiving data from company networks; thus it should NOT be outside the company's continuous focus.
This is potentially another reason to be cautious with BYOD as it has the potential to emerge as a major problem if CP is allowed to infect company data systems; particularly as companies are not fully in control of BYOD products communicating with company systems.
The only new point I would like to add to the conversation: if YOU, reading this thread, are NOT the company owner, then get your own attorney. Remember, the company attorney advises the owner and really doesn't care about the individual.
Is there a documented guideline for handling CP in the UK?
I work in a corporate environment providing a number of security services to a large UK company. As part of this I provide some forensic services. As part of a recent investigation, I identified what I believed to be CP. At this point, the investigation was halted, the client informed, and law enforcement engaged.
No problem with any of this.
I've subsequently been asked by the company's HR/legal team for some information on the evidence found. I have responded to say that I have nothing I can provide them as little analysis was done, because in line with accepted guidelines, I ceased the investigation immediately on finding CP.
I'm now being asked to provide them with information on where these guidelines are documented, and to date I have been unable to do so. I initially thought it would be under the ACPO guidelines, but I have been unable to find it there.
What about the examiners that do go to the police with what they find and find themselves being arrested? Because I know that this happens far too often.
This is a long and very interesting thread. I have been following it for some time as I have (unfortunately) had a lot of experience dealing with these types of investigations as an examiner for a Federal Law Enforcement Agency. I have been waiting for the repeated requests for citations supporting the above claim. To even spread poison like this through the DF community is offensive in itself. Sparing members of this forum a long rant about your unethical decision to promote a fear of reporting a crime, I instead offer you the 18 U.S. Code, protecting any forensic examiner, in any capacity from prosecution for reporting a crime.
18 U.S. Code § 2252
(c) Affirmative Defense.— It shall be an affirmative defense to a charge of violating paragraph (4) of subsection (a) that the defendant—
(1) possessed less than three matters containing any visual depiction proscribed by that paragraph; and
(2) promptly and in good faith, and without retaining or allowing any person, other than a law enforcement agency, to access any visual depiction or copy thereof—
(A) took reasonable steps to destroy each such visual depiction; or
(B) reported the matter to a law enforcement agency and afforded that agency access to each such visual depiction.
Is there a documented guideline for handling CP in the UK?
In the UK, you will have to use IIOC as a search term. 😯
http://www.forensicfocus.com/Forums/viewtopic/p=6561830/#6561830
I guess that what you should obtain, one way or the other, is coverage under Section 10 of the Computer Misuse Act 1990, not unlike what an expert contractor for the Police may obtain to even get near those data again, see page 33 and following of these ACPO guidelines:
http//
i.e. the unwritten part is seemingly that if you don't stop and report to Police immediately you are actually committing a crime.
See if these fit:
http://www.forensicfocus.com/Forums/viewtopic/t=6727/start=0/postdays=0/postorder=asc/highlight=/
http://www.forensicfocus.com/Forums/viewtopic/t=7914/start=35/postdays=0/postorder=asc/highlight=/
And the whole thread
http://www.forensicfocus.com/Forums/viewtopic/t=7914/postdays=0/postorder=asc/start=0/
may provide insights.
jaclaz