2013-12-18 Digital Forensics and Child Pornography

This is a 6-hour CLE seminar that I presented to the federal defenders program for the Northern District of Illinois.

Transcript

  • 1. Digital Forensics and Child Pornography Frederick S. Lane Federal Defenders Program, D. Ind. (N.D.) Plymouth, IN 18 December 2013 www.FrederickLane.com www.ComputerForensicsDigest.com 1
  • 2. Seminar Overview • Introduction and Overview • Digital Technology and CP • Digital Investigations • Hash Values and Image Integrity • Defending Child Pornography Cases • The Ethics of Client Data
  • 3. Introduction and Overview • Background and Expertise • What Is Child Pornography? • Digital Technology and the Spread of Child Pornography
  • 4. Background and Expertise • Attorney and Author of 7 Books • Computer Forensics Expert -- 15 years • Over 100 criminal cases • Lecturer on Computer-Related Topics – 20+ years • Computer user (midframes, desktops, laptops) – 35+ years
  • 5. What Is Child Pornography? • Federal Laws • State Laws • Indiana CP Laws • International Law
  • 6. Federal CP Laws • 18 U.S.C. c. 110 – Sexual Exploitation and Other Abuse of Children • 18 U.S.C. § 2251 – Production • 18 U.S.C. § 2252 – Possession, Distribution, and Receipt • 18 U.S.C. § 2256 -- Definitions
  • 7. “Child Pornography” 18 U.S.C. § 2256(8): “any visual depiction, including any photograph, film, video, picture, or computer or computer-generated image or picture, whether made or produced by electronic, mechanical, or other means, of sexually explicit conduct, where— (A) the production of such visual depiction involves the use of a minor engaging in sexually explicit conduct; [or] (B) such visual depiction is a digital image, computer image, or computer-generated image that is, or is indistinguishable from, that of a minor engaging in sexually explicit conduct; or (C) such visual depiction has been created, adapted, or modified to appear that an identifiable minor is engaging in sexually explicit conduct.”
  • 8. Other Relevant Definitions • “Minor” [18 U.S.C. § 2256(1)]: <18 • 18 U.S.C. § 2257: Record-keeping requirements • “Sexually Explicit Conduct” [18 U.S.C. § 2256(2)(A)]: • (i) sexual intercourse, including genital-genital, oral-genital, anal-genital, or oral-anal, whether between persons of the same or opposite sex; • (ii) bestiality; • (iii) masturbation; • (iv) sadistic or masochistic abuse; or • (v) lascivious exhibition of the genitals or pubic area of any person. • Slightly Different Definitions for Computer Images [18 U.S.C. § 2256(2)(B)]
  • 9. NCMEC • “National Center for Missing and Exploited Children” • Created by Congress in 1984 • Child Recognition and Identification System – database of hash values of CP images • Child Victim Identification Program
  • 10. State CP Laws • All 50 states have their own CP laws • Age of minority varies: 16 (30 states); 17 (9 states); and 18 (12 states) • Prosecution can be federal or state, or both. • Can include “harmful to minors” standard (states only)
  • 11. Indiana CP Laws • Ind. Code, tit. 35, art. 42, ch. 4, § 4 – Child exploitation; possession of CP • Ind. Code, tit. 35, art. 49, chs. 1-3 – Obscenity and Pornography • Ind. Code § 35-49-3-1 – Distribution is a Class D felony if person depicted is or appears to be < 16.
  • 12. Ind. Code § 35-49-1-4, -9 • “Minor”: • Anyone under age of 18 (increased penalties if individual is or appears less than 16). • “Sexual Conduct”: • (1) sexual intercourse or deviate sexual conduct; • (2) exhibition of the uncovered genitals in the context of masturbation or other sexual activity; • (3) exhibition of the uncovered genitals of a person under sixteen (16) years of age; • (4) sado-masochistic abuse; or • (5) sexual intercourse or deviate sexual conduct with an animal.
  • 13. International CP Laws • Over last 7 years, 100 countries have adopted new CP laws • 53 countries still have no CP law at all • International Center for Missing and Exploited Children • 2012 Child Pornography Model Laws: http://bit.ly/19eWJPz
  • 14. End of Section One
  • 15. Digital Technology and CP • A Brief Background • Digital Production of CP • Digital Distribution of CP • Digital Consumption (Receipt and Possession) • Societal Changes
  • 16. A Brief Background • 1978: Protection of Children Against Sexual Exploitation Act • 1982: New York v. Ferber – Upholding state law banning child pornography • 1984: Child Protection Act (prohibiting noncommercial distribution) • 1992: Jacobson v. United States – Postal Service entrapment • 2000: Poehlman v. United States – FBI entrapped defendant after lengthy email correspondence
  • 17. Digital Production of CP • Scanners • Digital Cameras (still and video) • Cameraphones (dumb and smart) • Web cams
  • 18. Digital Distribution of CP • One-to-One • Sneakernet • E-mail / Personal File-Sharing • Instant Messaging / Chat Rooms • One-to-Many • Newsgroups and Forums • Peer-to-Peer Networks • Torrent Networks / File-Hosting • Underground Web Sites
  • 19. Digital Consumption of CP • Producer of CP may be in possession without having “received” it • Defendant may be in “receipt” of CP without “knowingly” possessing it • The challenges of determining “intentionally” and “knowingly” in the context of Internet activity
  • 20. Societal Changes • Computers and the Internet • The Democratization of Porn Production • “Porn Chic” • The “Selfie”
  • 21. Something’s Changed
  • 22. End of Section Two
  • 23. Digital Investigations • Discovery of Possible Child Pornography • The Role of IP Addresses • Intro to Computer Forensics
  • 24. Discovery of Possible CP • Angry Spouse or Girlfriend • Geek Squads • Chat Rooms • Hash Flags • P2P and Torrent Investigations • Server or Payment Logs
  • 25. Overview of IP Addresses • Assigned to Every Internet-Connected Device • Two Flavors: • IPv4: 196.172.0.1 • IPv6: 2001:0db8:85a3:0042:1000:8a2e:0370:7334 • Leading to “Internet of Things”
  • 26. IP → Physical Address • Ranges of IP Addresses Assigned to ISPs by Internet Assigned Numbers Authority • Online Tools to Look Up ISP • Dynamic vs. Static • Subscriber Records Show Date, Time, IP Address, Limited Activity
  • 27. Limitations of IP Addresses • Links Online Activity to Device, Not Necessarily a Specific User • Data May Not Be Available from ISP • Possibility of War-Dialing
  • 28. Intro to Computer Forensics • Increasingly Specialized • Forensics Procedures • Forensics Software • A Typical Forensics Report
  • 29. Increasingly Specialized • Computer Forensics • Windows • Mac OS • Linux • Network Forensics • Mobile Forensics • Dozens of Mobile OSs • Hundreds of Models • Cloud Forensics • Many Questions, No Clear Answers
  • 30. Forensics Procedures • Field Previews • Mirror Images • Hash Values • Staggering Amounts of Data • Chains of Custody • 2006: The Adam Walsh Act
  • 31. A Typical Forensics Report • There should be at least two reports: • Acquisition • Evaluation of Evidence • Bowdlerized • Detailed procedures • Hash value checks • Bookmarks of possible contraband • Evidence of user ID
  • 32. End of Section Three
  • 33. Hash Values & Image Integrity • Not Your Mother’s Hash • The Role of Hash Values in Computer Forensics • The Growing Use of Hash Flags • P2P Investigations Using Hash Values
  • 34. Not Your Mother’s Hash • Cryptographic Hash Values • Relatively Easy to Generate • Extremely Difficult to Determine Original Data from Hash Value • Extremely Difficult to Change Data without Changing Hash • Extremely Unlikely that Different Data Will Produce the Same Hash Value
  • 35. Complex Explanation (1) • The word DOG can be represented in different ways: • Binary: 010001000110111101100111 • Hexadecimal: 646f67 • A hash algorithm converts the hexadecimal value to a fixed-length hexadecimal string. • SHA-1: e49512524f47b4138d850c9d9d85972927281da0 • MD5: 06d80eb0c50b49a509b49f2424e8c805
  • 36. Complex Explanation (2) • Changing a single letter changes each value. • For instance, the word COG produces the following values: • Binary: 010000110110111101100111 • Hexadecimal: 436f67 • SHA-1: d3da816674b638d05caa672f60f381ff504e578c • MD5: 01e33197684afd628ccf82a5ae4fd6ad
  • 37. Simple Explanation • Oatmeal-Raisin Cookies • Oatmeal-Chocolate Chip Cookies
  • 38. Evidence Integrity • Acquisition Hashes • Creation of Mirror Images • Verification of Accuracy of Mirror Images • Use of “Known File Filter” • Hashkeeper • National Software Reference Library • NCMEC CVIP Database
  • 39. Growing Use of Hash Flags • Child Protection and Sexual Predator Act of 1998 • 2008: ISPs Agree to Block Access to Known Sources of CP and to Scan for NCMEC Hash Values • SAFE Act: Requires ISPs and OSPs to Turn Over Subscriber Info If Known CP Is Identified
  • 40. P2P Hash Values • Basic Operation of Peer-to-Peer Networks • Decentralized Distribution • Gnutella and eDonkey • Client Software • Hash Values Associated with Each File
  • 41. Automated P2P Searches • “Peer Spectre” or “Nordic Mule” Scans for IP Addresses of Devices Offering to Share Known CP Files • IP Addresses Are Stored by TLO in Child Protection System • Officers Conduct “Undercover” Investigations by Reviewing Spreadsheets of Hits in CPS
  • 42. Growing Defense Concerns • No Independent Examination of Proprietary Software • Very Little Information Regarding TLO or CPS • Peer Spectre May Generate False Hits Due to Normal Operation of P2P Clients • Search Warrant Affidavits Fail to Mention Role of TLO or CPS
  • 43. End of Section Four
  • 44. Defending CP Cases • Determining Age of Person Depicted • Pre-Trial Issues • Trial Issues • Typical Defenses in CP Cases [Some More Viable than Others]
  • 45. Determining Age • Is expert testimony needed? • Tanner Stage: Outmoded? • Role of environmental factors • Bait and switch • Defendant’s subjective belief is irrelevant • Prosecutors prefer clear cases
  • 46. Pre-Trial Issues • Retaining a Defense Expert • Deposition of Government Experts • Motion(s) to Produce • Motion(s) to Suppress or in limine
  • 47. Trial Issues • Should There Be a Trial? • Motion(s) in limine • Cross-Examination of Government Expert
  • 48. Typical Defenses (1) • Lack of Possession or Receipt • Mere Browsing • The Phantom Hash • Accident or Lack of Intent • Ignorance or Mistake as to Age • Not a Real Child / Morphed / Computer-Generated
  • 49. Typical Defenses (2) • Multiple Persons with Access to Device • Used Equipment with Pre-Existing CP • Viral Infection • Planting of Evidence by Spouse or Police • Entrapment
  • 50. End of Section Five
  • 51. The Ethics of Client Data • Client Data in the Office • Client Data in the Home • Client Data in the Cloud • Client Metadata • CP-Specific Issues
  • 52. Client Data in the Office • Physical Security • Locks • Supervision of Visitors • Electronic Security • Logins and Passwords • Screensavers • Authorized Users • Backup(s)
  • 53. Client Data in the Home • Should It Even Be There? • How Does It Get There? • Physical Security • Encryption? • Who Has Access to the Device(s)?
  • 54. Communicating with Clients • Is It Ethical to Use E-Mail? • Understanding How E-Mail Works • Ethics of Automatic Robot Scanning • Is HTTPS Sufficient? • Secure E-Mail Alternatives
  • 55. Client Data in the Cloud • Brief Overview of Types of Cloud Services • The Ethics of Cloud Storage • The Ethics of Cloud Collaboration • Discovery in the Cloud
  • 56. The Ethics of Metadata • What Is Metadata? • Who Knows What Metadata Lurks in a File? • Don’t Accidentally Release Metadata • Can I Use Someone Else’s Accidentally-Released Metadata? • Should I Affirmatively Ask for Metadata During Discovery, and Can I Get It?
  • 57. CP-Specific Issues • Rule #1: Do Not Obstruct Justice • Rule #2: Minimize Handling and Isolate Device(s) • Rule #3: If Identifiable Victim, Review Mandatory Reporting Requirements [Ind. Code § 31-33-5-1] • Rule #4: Never Re-Distribute • Rule #5: Hire an Expert
  • 58. End of Section Six
  • 59. Slides and Contact Info • Download a PDF of slides from: SlideShare.net/FSL3 • E-mail or Call Me: FSLane3@gmail.com 802-318-4604
  • 60. Digital Forensics and Child Pornography Frederick S. Lane Federal Defenders Program, D. Ind. (N.D.) Plymouth, IN 18 December 2013
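
An added example, not part of the original slides, of the evidence-integrity steps listed in slides 34 to 38: record hashes at acquisition, re-hash the mirror image to verify it, and match files against a known-hash set by content rather than by name. The function names, file names and sample bytes are constructed for illustration.

```python
import hashlib
import io

CHUNK = 1 << 20  # hash in 1 MiB blocks so a large image never has to fit in memory

def digest_stream(stream, algorithms=("md5", "sha1", "sha256")):
    """Read a binary stream once and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: stream.read(CHUNK), b""):
        for hasher in hashers.values():
            hasher.update(block)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}

def verify_image(acquisition_hashes, image_stream):
    """Re-hash a mirror image; return the algorithms whose digest no longer matches."""
    current = digest_stream(image_stream, tuple(acquisition_hashes))
    return [n for n, expected in acquisition_hashes.items() if current[n] != expected]

def known_file_filter(files, known_hashes, algorithm="sha1"):
    """Split {name: bytes} into (matched, unmatched) by digest, ignoring file names."""
    matched, unmatched = [], []
    for name, data in files.items():
        digest = hashlib.new(algorithm, data).hexdigest()
        (matched if digest in known_hashes else unmatched).append(name)
    return matched, unmatched

def demo():
    # Constructed stand-in for a source drive; real input would be a device or image file.
    source = b"constructed sample evidence block\n" * 100_000
    acquisition = digest_stream(io.BytesIO(source))      # recorded at acquisition
    mirror = bytes(source)                               # faithful copy
    altered = bytearray(source)
    altered[123_456] ^= 0x01                             # a single flipped bit
    # Constructed file set: two names with the same content, plus a one-letter variant.
    files = {"notes.txt": b"dog", "renamed.dat": b"dog", "other.txt": b"cog"}
    known = {hashlib.sha1(b"dog").hexdigest()}
    return {
        "mirror_mismatches": verify_image(acquisition, io.BytesIO(mirror)),
        "altered_mismatches": verify_image(acquisition, io.BytesIO(bytes(altered))),
        "filter": known_file_filter(files, known),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A faithful mirror reports no mismatches, while the copy with one flipped bit fails under every algorithm; the known-file filter matches both files with identical content regardless of their names.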