Reliability of Limewire as a forensic software

(@rche001)
Active Member
Joined: 14 years ago
Posts: 7
Topic starter  

There are around thirty shortcuts, each referring to the same location where IIOC should have been found. These should be enough to prove that the user accessed a multiple selection of files and not simply accessed one by mistake. The shortcut filenames suggest IIOC.

Although shortcuts do not produce SHA1 values, we can use the LimeWire data as a reference to SHA1 and compare with the national database.

However, without the real files, we cannot verify or validate the true content or the actual SHA1 values.

Can anyone argue for or against this method of proving that the user at least accessed IIOC?


   
(@dan0841)
Trusted Member
Joined: 17 years ago
Posts: 91
 

> There are around thirty shortcuts, each referring to the same location where IIOC should have been found. These should be enough to prove that the user accessed a multiple selection of files and not simply accessed one by mistake. The shortcut filenames suggest IIOC.
>
> Although shortcuts do not produce SHA1 values, we can use the LimeWire data as a reference to SHA1 and compare with the national database.
>
> However, without the real files, we cannot verify or validate the true content or the actual SHA1 values.
>
> Can anyone argue for or against this method of proving that the user at least accessed IIOC?

I suppose this depends on what you're trying to do. Are you looking for intelligence or evidence for a charge?

Let's say, for example, that a user searched for "hardcore porn" in LimeWire and striped the first 100 files in the list and downloaded them without checking the filenames. He then went and accessed each one. After he had done so he realised that there were some IIOC amongst some adult porn and some files which would not open. So he deletes the lot. In this case he has downloaded and viewed some IIOC, i.e. he has accessed them. However, he has not done so intentionally and has made a reasonable attempt to delete them (so he thinks). Even if you had found deleted images and LNK files you would have no 'Making' charge unless you had evidence that a user had searched for keywords which relate to IIOC.

Charging - You can't charge with making or possession or distribution without the images. The CPS will clarify this.

If you are not looking to charge then what are the aims of the investigation? Is it for intelligence? If so, is there any evidence that a user has searched for IIOC? Do the LNK files suggest access to files with names suggestive of IIOC on multiple dates?


   
(@rche001)
Active Member
Joined: 14 years ago
Posts: 7
Topic starter  

The main objective is charging the offender. We can't charge with making or possession, but at least we could issue a written caution. LNK clearly gives access to multiple dates.


   
(@inspectaneck)
Trusted Member
Joined: 19 years ago
Posts: 58
 

rche001 – Curious if anything became of this case.


   
(@renegade)
Active Member
Joined: 15 years ago
Posts: 5
 

What forensic utility have you used?

If you run an index search on common CP terms, it could be possible to find SHA1 values attached to downloaded files.

Main thing for me is that if I have a case like this and I actually find a host of SHA1 values… I run these SHA1 values through the NCMEC database to see if any confirmed SHA1s have been dubbed CP.


   
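The hash lookup discussed in the posts above, as an added example that is not part of any post: Gnutella clients such as LimeWire record a file's SHA1 as a `urn:sha1:` string in Base32, so values carved from LimeWire data must be converted before they can be compared with a reference set held in hex (the hex format is an assumption here). The sample bytes, the reference set and all function names are constructed for illustration.

```python
import base64
import hashlib
import re

# Gnutella/LimeWire name a file by its SHA-1 as "urn:sha1:" followed by the
# 20-byte digest in Base32 (exactly 32 characters, no padding).
URN_RE = re.compile(rb"urn:sha1:([A-Z2-7]{32})", re.IGNORECASE)

def extract_sha1_urns(blob):
    """Return {hex digest: [byte offsets]} for each urn:sha1 string in blob."""
    hits = {}
    for m in URN_RE.finditer(blob):
        digest = base64.b32decode(m.group(1).upper())
        hits.setdefault(digest.hex(), []).append(m.start())
    return hits

def triage(blob, reference_hex):
    """Split recovered hashes into (in reference set, not in reference set)."""
    ref = {h.strip().lower() for h in reference_hex}
    hits = extract_sha1_urns(blob)
    matched = {h: offs for h, offs in hits.items() if h in ref}
    unmatched = {h: offs for h, offs in hits.items() if h not in ref}
    return matched, unmatched

def make_urn(data):
    """Build a constructed URN for the sample below (hypothetical helper)."""
    return b"urn:sha1:" + base64.b32encode(hashlib.sha1(data).digest())

# Constructed sample: harmless byte strings stand in for file content, and the
# blob imitates a carved region holding three URN strings (one in lower case).
SAMPLE_A = hashlib.sha1(b"constructed sample A").hexdigest()
SAMPLE_B = hashlib.sha1(b"constructed sample B").hexdigest()
SAMPLE_BLOB = (b"\x00\x07name-1" + make_urn(b"constructed sample A")
               + b"\x00\x00junk" + make_urn(b"constructed sample B").lower()
               + b"\x00" + make_urn(b"constructed sample A"))

if __name__ == "__main__":
    matched, unmatched = triage(SAMPLE_BLOB, [SAMPLE_A.upper()])
    for h, offs in matched.items():
        print("in reference set:", h, "at offsets", offs)
    for h, offs in unmatched.items():
        print("not in reference set:", h, "at offsets", offs)
```

A match here shows only that the hash string was recorded in the data; as the topic starter notes, the content cannot be validated without the file itself.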
(@fuzed)
Trusted Member
Joined: 16 years ago
Posts: 93
 

Have you found any specific search terms the user may have searched for? If there are no files at all then what can you charge the user with?

Were there any other LNK files, i.e. music, movies etc.? Were there any other values for LimeWire, i.e. music, movies etc.? What was the ratio of legal to illegal? Could it be possible that the downloads were accidental?


   