From what I'm gathering, they appear to be charging based on the images they have downloaded from that IP, not material located on the seized devices.
Seems like a bit of a stretch to be honest.
Torrential Downpour tool identifies IP with contraband
this tool single source connects to the computer and downloads files
the HSI / ICE then get a search warrant
they enter the house and obtain the machines
the computers belong to 2 brothers: on 1 computer, 1 brother has files; on the other computer, the other brother does not have files (however this computer may have other artifacts such as LNK and MRU residue)
the defense asks for source code testing
and it's granted to the 1 brother with no CP on his device, as the lack of files equated to meeting the threshold of materiality in the Daubert test (legal thresholds)
Then the defense performs the test and comes up with its own issues / challenges
see the attached expert defense report from Loehrs on Scribd
This case is kind of similar to the old program I-Look, where the defense wasn't allowed a copy to test how it put out its results.
Granted I-look wasn't a torrent program, it runs into the old "LE only" issue.
Something I don't see mentioned is version numbers. If in a specific version there was an issue with something which has any bearing on the case, then you need to explore that. You don't have to upgrade an item just because, but known issues and Detectives not upgrading creates a problem which they have to answer.
Lastly, I would say that most of the examiners I have run across (myself included) in the past 20 years would have no idea how to review code. We need to know the limits of what can be done not only to defend, but to prosecute a person, and be able to reach out to others who have this skillset in their memory banks.
There is no shame in bringing another set of hands onboard in order to defend or prosecute fairly and accurately.
the Torrential Downpour version for this case was v1.33 (feb 2017)
there is no understanding of where this fits in the software lineage - for example, how/when/for what reason the software is updated
there are no publications or validations available on this tool in any public space, among peers, nor has it even been rubber-stamped by NIST
That comes down to the Judge or Magistrate being willing to understand the nuances involved, and the attorney being good at what he does.
I don't even know if you would need the source code as much as you want to ask for it to see what makes it so different, because honestly you can look at the source code under a DOJ NDA and have 0 issues with talking about it to anyone. Local small town Judges who work next to task forces are the most likely to be influenced or least technically inclined.
The defense asking for source code is just a grab and attempt at distraction. The hit from TDP is only enough to move the case further. No one is getting charged based solely on what TDP said.
God hope you never get charged with something you might not have done and want to explore what has happened.
Still comes down to what they find at the suspect's house and on the system. TDP is basically a tip. You can't arrest because of a TDP hit, no matter what the source code is.
Perhaps I'm getting confused over the TD components, but doesn't the tip come from TDR? TDP follows up on the tip and verifies (hopefully) that it indeed is a true bill: the identified BT seed does announce 'known bad' data, and also serves that data to TDP.
However, as a P2P protocol is involved, it needs to be established that TDP did not, unbeknownst to the operator, use any other BT endpoint than the identified target. As single-peer mode is not a natural way for P2P software to operate, the question of correct implementation arises. If TDP uses a commercial component to implement BT protocol, the problem is how the restriction to one single peer is done. Does the component provide this functionality? Or was it added by FBI? In either case, was it done correctly?
(I misinterpreted early NMAP results pretty badly once, when I had specified a single source port to use, but an early version of NMAP decided that it needed a second port to do the job, so half of the scan was done with a second port without my knowledge. This happened without warning, and I interpreted the results as if they had been done from the port I specified. From then on, I always saved network dumps of tests using components that were not totally transparent.)
Source code inspection could probably settle this question.
Testing might settle the question partly, provided that the exact configuration of the TDP client used was documented, that full logs from the operation were produced and retained, and that access to that software was provided. Unfortunately, P2P software reacts to connection speed; if the software decided that 'this is going too slowly' and started to use a second peer/seed on its own … there is an obvious problem. And also, are all peers equal? Is any restriction regardless of peers, or does it apply only to a subset of them? That kind of question needs some knowledge about what component is actually used.
To some extent, testing needs to be complemented with any already performed validation, both as to test design and test results. If the design and realization are good, testing may not need to be done. If it is poor, any claim as to validation may be incorrect.
Guessing you are not in court very much.
TDP could be akin to a bad tip which leads to a bad search, heck even bad evidence.
Still comes down to what they find at the suspect's house and on the system. TDP is basically a tip. You can't arrest because of a TDP hit, no matter what the source code is.
That's not true. Whatever CSAM is on the defendant's devices can, by itself, only sustain a charge for possession. For distribution, law enforcement relies on Torrential Downpour to show that the defendant actually distributed the file (to the officer). In order to support the distribution charge, Torrential Downpour needs to report the IP address accurately and ensure that the download is a single-source download (which means the defendant possessed the entire file and was at least capable of viewing it).
If we were able to determine that Torrential Downpour only downloaded part of a file from a defendant (and downloaded the rest from somewhere else), and the warrant was based on an affidavit stating that the officer downloaded the entire file from the defendant, the court could throw out the warrant (whether or not the defendant actually had CSAM on his devices).
FWIW, I'd really like to see them make the tool available for review. I think the concerns about bad guys trying to avoid the tool (while continuing to use P2P networks) are not really an issue. I'm more concerned about making sure the tool is really 100% accurate. CSAM is a scourge, but that's not an excuse to not make sure that the data used to prosecute people for those crimes is rock solid and "trust us" isn't the assurance we need.
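The check that both the "save the network dumps" post and the last reply turn on (did the investigating client handshake with, and receive PIECE data from, exactly one remote peer?) can be run over a packet capture independently of whatever the tool logs. The script below is an added example written for this thread; it is not TDP code, not from the Loehrs report, and not from any poster. It assumes the investigator's IP is known, parses a classic libpcap file with only the standard library, and builds its own constructed capture (RFC 5737 documentation addresses, placeholder info_hash and peer_id) so it runs offline. Two simplifications are deliberate and labelled in the code: it parses peer-wire messages per TCP segment rather than reassembling the stream, and it handles TCP only, whereas real BitTorrent clients also speak uTP over UDP, so a review of a real capture must cover UDP too.

```python
# Added example: check a pcap for a single-source BitTorrent download.
# Simplifications: parses per TCP segment (no stream reassembly), TCP only (no uTP).
import socket
import struct

BT_HANDSHAKE_PREFIX = b"\x13BitTorrent protocol"   # full handshake is 68 bytes
PIECE_MSG_ID = 7
# Constructed addresses from the RFC 5737 documentation ranges, not any real case.
INVESTIGATOR, TARGET, OTHER_PEER = "10.0.0.5", "203.0.113.7", "198.51.100.9"

def build_pcap(frames):
    """Wrap raw Ethernet frames in a classic libpcap file (linktype 1 = Ethernet)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = [struct.pack("<IIII", ts, 0, len(f), len(f)) + f for ts, f in enumerate(frames)]
    return hdr + b"".join(recs)

def tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero, enough for parsing."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def handshake():
    """pstr + reserved(8) + info_hash(20) + peer_id(20); placeholder values."""
    return BT_HANDSHAKE_PREFIX + b"\x00" * 8 + b"\x11" * 20 + b"-EX0001-".ljust(20, b"\x00")

def piece_msg(index, begin, block):
    body = struct.pack("!II", index, begin) + block
    return struct.pack("!IB", 1 + len(body), PIECE_MSG_ID) + body

def iter_tcp_payloads(pcap):
    """Yield (src_ip, dst_ip, tcp_payload) for every IPv4/TCP frame in the file."""
    assert struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4, "not a little-endian pcap"
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack("<IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00":            # not IPv4
            continue
        ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]
        if ip[9] != 6:                             # not TCP
            continue
        tcp = ip[(ip[0] & 0x0F) * 4:]
        yield socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), tcp[(tcp[12] >> 4) * 4:]

def iter_bt_messages(data):
    """Split length-prefixed peer-wire messages into (id, body) pairs."""
    off = 0
    while off + 4 <= len(data):
        length = struct.unpack("!I", data[off:off + 4])[0]
        msg = data[off + 4:off + 4 + length]
        off += 4 + length
        if length == 0:                            # keep-alive
            continue
        if len(msg) < length:                      # cut by segmentation; real tools reassemble
            break
        yield msg[0], msg[1:]

def bt_peer_summary(pcap, investigator_ip):
    """Return (set of peers handshaken with, {remote_ip: piece bytes received})."""
    handshake_peers, piece_sources = set(), {}
    for src, dst, payload in iter_tcp_payloads(pcap):
        if investigator_ip not in (src, dst):
            continue
        remote = dst if src == investigator_ip else src
        if payload.startswith(BT_HANDSHAKE_PREFIX):
            handshake_peers.add(remote)
            payload = payload[68:]                 # messages may follow the handshake
        if dst != investigator_ip:
            continue                               # only count data flowing to the investigator
        for msg_id, body in iter_bt_messages(payload):
            if msg_id == PIECE_MSG_ID:
                piece_sources[remote] = piece_sources.get(remote, 0) + len(body) - 8
    return handshake_peers, piece_sources

def single_source_download(pcap, investigator_ip):
    """True only if exactly one remote peer was contacted and that peer served every piece."""
    peers, sources = bt_peer_summary(pcap, investigator_ip)
    return len(sources) == 1 and peers == set(sources), peers, sources

def constructed_capture(extra_peer=False):
    """Constructed sample: TARGET serves two blocks; with extra_peer a second seed serves one."""
    sessions = [(TARGET, 40000, 6881, [(0, 0), (0, 16)])]
    if extra_peer:
        sessions.append((OTHER_PEER, 40001, 51413, [(1, 0)]))
    frames = []
    for peer, sport, dport, blocks in sessions:
        frames.append(tcp_frame(INVESTIGATOR, peer, sport, dport, handshake()))
        frames.append(tcp_frame(peer, INVESTIGATOR, dport, sport, handshake()))
        frames += [tcp_frame(peer, INVESTIGATOR, dport, sport, piece_msg(i, b, b"X" * 16)) for i, b in blocks]
    return build_pcap(frames)
```

`single_source_download(open("capture.pcap", "rb").read(), "10.0.0.5")` is the call for a real file; the first element of the result is the verdict, the other two list every peer the client handshook with and how many piece bytes each one served, which is what an affidavit claiming a single-source download would have to match. The second constructed capture shows the failure mode the post describes: a second seed that served one block makes the verdict False even though the target also served data. Note that this is a property of the capture, not of the tool: without the capture, the configuration and the logs being retained, there is nothing to run it against.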