2013-12-18 Digital Forensics and Child Pornography

This is a 6-hour CLE seminar that I presented to the federal defenders program for the Northern District of Illinois.

Transcript

  • 1. Digital Forensics and Child Pornography Frederick S. Lane Federal Defenders Program, D. Ind. (N.D.) Plymouth, IN 18 December 2013 www.FrederickLane.com www.ComputerForensicsDigest.com 1
  • 2. Seminar Overview • Introduction and Overview • Digital Technology and CP • Digital Investigations • Hash Values and Image Integrity • Defending Child Pornography Cases • The Ethics of Client Data
  • 3. Introduction and Overview • Background and Expertise • What Is Child Pornography? • Digital Technology and the Spread of Child Pornography
  • 4. Background and Expertise • Attorney and Author of 7 Books • Computer Forensics Expert -- 15 years • Over 100 criminal cases • Lecturer on Computer-Related Topics – 20+ years • Computer user (midframes, desktops, laptops) – 35+ years
  • 5. What Is Child Pornography? • Federal Laws • State Laws • Indiana CP Laws • International Law
  • 6. Federal CP Laws • 18 U.S.C. c. 110 – Sexual Exploitation and Other Abuse of Children • 18 U.S.C. § 2251 – Production • 18 U.S.C. § 2252 – Possession, Distribution, and Receipt • 18 U.S.C. § 2256 -- Definitions
  • 7. “Child Pornography” 18 U.S.C. § 2256(8): “any visual depiction, including any photograph, film, video, picture, or computer or computer-generated image or picture, whether made or produced by electronic, mechanical, or other means, of sexually explicit conduct, where— (A) the production of such visual depiction involves the use of a minor engaging in sexually explicit conduct; [or] (B) such visual depiction is a digital image, computer image, or computer-generated image that is, or is indistinguishable from, that of a minor engaging in sexually explicit conduct; or (C) such visual depiction has been created, adapted, or modified to appear that an identifiable minor is engaging in sexually explicit conduct.”
  • 8. Other Relevant Definitions • “Minor” [18 U.S.C. § 2256(1)]: <18 • 18 U.S.C. § 2257: Record-keeping requirements • “Sexually Explicit Conduct” [18 U.S.C. § 2256(2)(A)]: • (i) sexual intercourse, including genital-genital, oral-genital, anal-genital, or oral-anal, whether between persons of the same or opposite sex; • (ii) bestiality; • (iii) masturbation; • (iv) sadistic or masochistic abuse; or • (v) lascivious exhibition of the genitals or pubic area of any person. • Slightly Different Definitions for Computer Images [18 U.S.C. § 2256(2)(B)]
  • 9. NCMEC • “National Center for Missing and Exploited Children” • Created by Congress in 1984 • Child Recognition and Identification System – database of hash values of CP images • Child Victim Identification Program
  • 10. State CP Laws • All 50 states have their own CP laws • Age of minority varies: 16 (30 states); 17 (9 states); and 18 (12 states) • Prosecution can be federal or state, or both. • Can include “harmful to minors” standard (states only)
  • 11. Indiana CP Laws • Ind. Code, tit. 35, art. 42, ch. 4, § 4 – Child exploitation; possession of CP • Ind. Code, tit. 35, art. 49, chs. 1-3 – Obscenity and Pornography • Ind. Code § 35-49-3-1 – Distribution is a Class D felony if person depicted is or appears to be < 16.
  • 12. Ind. Code § 35-49-1-4, -9 • “Minor”: • Anyone under age of 18 (increased penalties if individual is or appears less than 16). • “Sexual Conduct”: • (1) sexual intercourse or deviate sexual conduct; • (2) exhibition of the uncovered genitals in the context of masturbation or other sexual activity; • (3) exhibition of the uncovered genitals of a person under sixteen (16) years of age; • (4) sado-masochistic abuse; or • (5) sexual intercourse or deviate sexual conduct with an animal.
  • 13. International CP Laws • Over last 7 years, 100 countries have adopted new CP laws • 53 countries still have no CP law at all • International Center for Missing and Exploited Children • 2012 Child Pornography Model Laws: http://bit.ly/19eWJPz
  • 14. End of Section One
  • 15. Digital Technology and CP • A Brief Background • Digital Production of CP • Digital Distribution of CP • Digital Consumption (Receipt and Possession) • Societal Changes
  • 16. A Brief Background • 1978: Protection of Children Against Sexual Exploitation Act • 1982: New York v. Ferber – Upholding state law banning child pornography • 1984: Child Protection Act (prohibiting noncommercial distribution) • 1992: Jacobson v. United States – Postal Service entrapment • 2000: Poehlman v. United States – FBI entrapped defendant after lengthy email correspondence
  • 17. Digital Production of CP • Scanners • Digital Cameras (still and video) • Cameraphones (dumb and smart) • Web cams
  • 18. Digital Distribution of CP • One-to-One • Sneakernet • E-mail / Personal File-Sharing • Instant Messaging / Chat Rooms • One-to-Many • Newsgroups and Forums • Peer-to-Peer Networks • Torrent Networks / File-Hosting • Underground Web Sites
  • 19. Digital Consumption of CP • Producer of CP may be in possession without having “received” it • Defendant may be in “receipt” of CP without “knowingly” possessing it • The challenges of determining “intentionally” and “knowingly” in the context of Internet activity
  • 20. Societal Changes • Computers and the Internet • The Democratization of Porn Production • “Porn Chic” • The “Selfie”
  • 21. Something’s Changed
  • 22. End of Section Two
  • 23. Digital Investigations • Discovery of Possible Child Pornography • The Role of IP Addresses • Intro to Computer Forensics
  • 24. Discovery of Possible CP • Angry Spouse or Girlfriend • Geek Squads • Chat Rooms • Hash Flags • P2P and Torrent Investigations • Server or Payment Logs
  • 25. Overview of IP Addresses • Assigned to Every Internet-Connected Device • Two Flavors: • IPv4: 196.172.0.1 • IPv6: 2001:0db8:85a3:0042:1000:8a2e:0370:7334 • Leading to “Internet of Things”
  • 26. IP → Physical Address • Ranges of IP Addresses Assigned to ISPs by Internet Assigned Numbers Authority • Online Tools to Look Up ISP • Dynamic vs. Static • Subscriber Records Show Date, Time, IP Address, Limited Activity
  • 27. Limitations of IP Addresses • Links Online Activity to Device, Not Necessarily a Specific User • Data May Not Be Available from ISP • Possibility of War-Dialing
  • 28. Intro to Computer Forensics • Increasingly Specialized • Forensics Procedures • Forensics Software • A Typical Forensics Report
  • 29. Increasingly Specialized • Computer Forensics • Windows • Mac OS • Linux • Network Forensics • Mobile Forensics • Dozens of Mobile OSs • Hundreds of Models • Cloud Forensics • Many Questions, No Clear Answers
  • 30. Forensics Procedures • Field Previews • Mirror Images • Hash Values • Staggering Amounts of Data • Chains of Custody • 2006: The Adam Walsh Act
  • 31. A Typical Forensics Report • There should be at least two reports: • Acquisition • Evaluation of Evidence • Bowdlerized • Detailed procedures • Hash value checks • Bookmarks of possible contraband • Evidence of user ID
  • 32. End of Section Three
  • 33. Hash Values & Image Integrity • Not Your Mother’s Hash • The Role of Hash Values in Computer Forensics • The Growing Use of Hash Flags • P2P Investigations Using Hash Values
  • 34. Not Your Mother’s Hash • Cryptographic Hash Values • Relatively Easy to Generate • Extremely Difficult to Determine Original Data from Hash Value • Extremely Difficult to Change Data without Changing Hash • Extremely Unlikely that Different Data Will Produce the Same Hash Value
  • 35. Complex Explanation (1) • The word DOG can be represented in different ways: • Binary: 010001000110111101100111 • Hexadecimal: 646f67 • A hash algorithm converts the hexadecimal value to a fixed-length hexadecimal string. • SHA-1: e49512524f47b4138d850c9d9d85972927281da0 • MD5: 06d80eb0c50b49a509b49f2424e8c805
  • 36. Complex Explanation (2) • Changing a single letter changes each value. • For instance, the word COG produces the following values: • Binary: 010000110110111101100111 • Hexadecimal: 436f67 • SHA-1: d3da816674b638d05caa672f60f381ff504e578c • MD5: 01e33197684afd628ccf82a5ae4fd6ad
  • 37. Simple Explanation • Oatmeal-Raisin Cookies • Oatmeal-Chocolate Chip Cookies
  • 38. Evidence Integrity • Acquisition Hashes • Creation of Mirror Images • Verification of Accuracy of Mirror Images • Use of “Known File Filter” • Hashkeeper • National Software Reference Library • NCMEC CVIP Database
  • 39. Growing Use of Hash Flags • Child Protection and Sexual Predator Act of 1998 • 2008: ISPs Agree to Block Access to Known Sources of CP and to Scan for NCMEC Hash Values • SAFE Act: Requires ISPs and OSPs to Turn Over Subscriber Info If Known CP Is Identified
  • 40. P2P Hash Values • Basic Operation of Peer-to-Peer Networks • Decentralized Distribution • Gnutella and eDonkey • Client Software • Hash Values Associated with Each File
  • 41. Automated P2P Searches • “Peer Spectre” or “Nordic Mule” Scans for IP Addresses of Devices Offering to Share Known CP Files • IP Addresses Are Stored by TLO in Child Protection System • Officers Conduct “Undercover” Investigations by Reviewing Spreadsheets of Hits in CPS
  • 42. Growing Defense Concerns • No Independent Examination of Proprietary Software • Very Little Information Regarding TLO or CPS • Peer Spectre May Generate False Hits Due to Normal Operation of P2P Clients • Search Warrant Affidavits Fail to Mention Role of TLO or CPS
  • 43. End of Section Four
  • 44. Defending CP Cases • Determining Age of Person Depicted • Pre-Trial Issues • Trial Issues • Typical Defenses in CP Cases [Some More Viable than Others]
  • 45. Determining Age • Is expert testimony needed? • Tanner Stage: Outmoded? • Role of environmental factors • Bait and switch • Defendant’s subjective belief is irrelevant • Prosecutors prefer clear cases
  • 46. Pre-Trial Issues • Retaining a Defense Expert • Deposition of Government Experts • Motion(s) to Produce • Motion(s) to Suppress or in limine
  • 47. Trial Issues • Should There Be a Trial? • Motion(s) in limine • Cross-Examination of Government Expert
  • 48. Typical Defenses (1) • Lack of Possession or Receipt • Mere Browsing • The Phantom Hash • Accident or Lack of Intent • Ignorance or Mistake as to Age • Not a Real Child / Morphed / Computer-Generated
  • 49. Typical Defenses (2) • Multiple Persons with Access to Device • Used Equipment with Pre-Existing CP • Viral Infection • Planting of Evidence by Spouse or Police • Entrapment
  • 50. End of Section Five
  • 51. The Ethics of Client Data • Client Data in the Office • Client Data in the Home • Client Data in the Cloud • Client Metadata • CP-Specific Issues
  • 52. Client Data in the Office • Physical Security • Locks • Supervision of Visitors • Electronic Security • Logins and Passwords • Screensavers • Authorized Users • Backup(s)
  • 53. Client Data in the Home • Should It Even Be There? • How Does It Get There? • Physical Security • Encryption? • Who Has Access to the Device(s)?
  • 54. Communicating with Clients • Is It Ethical to Use E-Mail? • Understanding How E-Mail Works • Ethics of Automatic Robot Scanning • Is HTTPS Sufficient? • Secure E-Mail Alternatives
  • 55. Client Data in the Cloud • Brief Overview of Types of Cloud Services • The Ethics of Cloud Storage • The Ethics of Cloud Collaboration • Discovery in the Cloud
  • 56. The Ethics of Metadata • What Is Metadata? • Who Knows What Metadata Lurks in a File? • Don’t Accidentally Release Metadata • Can I Use Someone Else’s Accidentally-Released Metadata? • Should I Affirmatively Ask for Metadata During Discovery, and Can I Get It?
  • 57. CP-Specific Issues • Rule #1: Do Not Obstruct Justice • Rule #2: Minimize Handling and Isolate Device(s) • Rule #3: If Identifiable Victim, Review Mandatory Reporting Requirements [Ind. Code § 31-33-5-1] • Rule #4: Never Re-Distribute • Rule #5: Hire an Expert
  • 58. End of Section Six
  • 59. Slides and Contact Info • Download a PDF of slides from: SlideShare.net/FSL3 • E-mail or Call Me: FSLane3@gmail.com 802-318-4604
  • 60. Digital Forensics and Child Pornography Frederick S. Lane Federal Defenders Program, D. Ind. (N.D.) Plymouth, IN 18 December 2013
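
The evidence-integrity steps on slides 34 to 38 (acquisition hash, verification of a mirror image, known-file filtering, and the change in hash value from a one-letter edit) can be shown in a short program. This is an added example, not part of the presentation; the function names, file names and data are constructed for illustration, and the reference set only plays the role of an NSRL-style hash list.

```python
import hashlib
import io

CHUNK = 1 << 16  # read in blocks; real disk images do not fit in memory

def hash_stream(stream):
    """Return (md5_hex, sha1_hex) for a binary stream."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for block in iter(lambda: stream.read(CHUNK), b""):
        md5.update(block)
        sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()

def verify_mirror(acquisition_hashes, mirror_stream):
    """True only if both digests of the mirror equal those logged at acquisition."""
    return hash_stream(mirror_stream) == tuple(acquisition_hashes)

def known_file_filter(files, known_sha1):
    """Split {name: bytes} into (known, unknown) names by SHA-1 set lookup."""
    known, unknown = [], []
    for name, data in sorted(files.items()):
        digest = hashlib.sha1(data).hexdigest()
        (known if digest in known_sha1 else unknown).append(name)
    return known, unknown

def bits_changed(hex_a, hex_b):
    """Number of differing bits between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

def demo():
    # Constructed stand-in for a source drive; not real evidence.
    source = b"constructed sector data " * 50_000
    logged = hash_stream(io.BytesIO(source))   # recorded in the acquisition report
    altered = bytearray(source)
    altered[1000] ^= 0x01                      # a single flipped bit in the copy

    # Constructed reference set, standing in for a list of known software hashes.
    reference = {hashlib.sha1(b"stock calculator binary").hexdigest(),
                 hashlib.sha1(b"vendor readme text").hexdigest()}
    files = {"calc.exe": b"stock calculator binary",
             "readme.txt": b"vendor readme text",
             "report.docx": b"user-authored document"}
    known, unknown = known_file_filter(files, reference)

    # The two three-byte inputs given in hexadecimal on slides 35 and 36.
    sha_a = hashlib.sha1(bytes.fromhex("646f67")).hexdigest()
    sha_b = hashlib.sha1(bytes.fromhex("436f67")).hexdigest()
    return {"mirror_ok": verify_mirror(logged, io.BytesIO(source)),
            "altered_ok": verify_mirror(logged, io.BytesIO(bytes(altered))),
            "known": known, "unknown": unknown,
            "avalanche_bits": bits_changed(sha_a, sha_b)}

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A mirror image that fails `verify_mirror` differs from the acquired source in at least one bit, which is why an acquisition report should record the hash values taken at both stages.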
