2013-12-18 digital forensics and child pornography
DESCRIPTION
This is a 6-hour CLE seminar that I presented to the federal defenders program for the Northern District of Illinois.TRANSCRIPT
Digital Forensics andChild Pornography
Federal Defenders Program, D. Ind. (N.D.)
Plymouth, IN18 December 2013
Frederick S. Lane
www.FrederickLane.com
www.ComputerForensicsDigest.com 1
2
Seminar Overview
• Introduction and Overview• Digital Technology and CP• Digital Investigations
• Hash Values and Image Integrity
• Defending Child Pornography Cases
• The Ethics of Client Datawww.FrederickLane.co
mwww.ComputerForensicsDi
gest.com
3
Introduction and Overview
• Background and Expertise
• What Is Child Pornography?
• Digital Technology and the Spread of Child Pornography
www.FrederickLane.com
www.ComputerForensicsDigest.com
4
Background and Expertise
• Attorney and Author of 7 Books
• Computer Forensics Expert -- 15 years
• Over 100 criminal cases
• Lecturer on Computer-Related Topics – 20+ years
• Computer user (midframes, desktops, laptops) – 35+ yearswww.FrederickLane.co
mwww.ComputerForensicsDi
gest.com
5
What Is Child Pornography?
• Federal Laws
• State Laws
• Indiana CP Laws
• International Law
www.FrederickLane.com
www.ComputerForensicsDigest.com
6
Federal CP Laws• 18 U.S.C. c. 110 – Sexual
Exploitation and Other Abuse of Children
• 18 U.S.C. § 2251 – Production
• 18 U.S.C. § 2252 – Possession, Distribution, and Receipt
• 18 U.S.C. § 2256 -- Definitions
www.FrederickLane.com
www.ComputerForensicsDigest.com
7
“Child Pornography”
18 U.S.C. § 2256(8): “any visual depiction, including any photograph, film, video, picture, or computer or computer-generated image or picture, whether made or produced by electronic, mechanical, or other means, of sexually explicit conduct, where—
(A) the production of such visual depiction involves the use of a minor engaging in sexually explicit conduct; [or]
(B) such visual depiction is a digital image, computer image, or computer-generated image that is, or is indistinguishable from, that of a minor engaging in sexually explicit conduct; or
(C) such visual depiction has been created, adapted, or modified to appear that an identifiable minor is engaging in sexually explicit conduct.”www.FrederickLane.co
mwww.ComputerForensicsDi
gest.com
8
Other Relevant Definitions
• “Minor” [18 U.S.C. § 2256(1)]: <18• 18 U.S.C. § 2257: Record-keeping requirements
• “Sexually Explicit Conduct” [18 U.S.C. § 2256(2)(A)]:• (i) sexual intercourse, including genital-genital, oral-genital, anal-genital,
or oral-anal, whether between persons of the same or opposite sex;
• (ii) bestiality;
• (iii) masturbation;
• (iv) sadistic or masochistic abuse; or
• (v) lascivious exhibition of the genitals or pubic area of any person.
• Slightly Different Definitions for Computer Images [18 U.S.C. § 2256(2)(B)]
www.FrederickLane.com
www.ComputerForensicsDigest.com
9
NCMEC• “National Center for Missing and
Exploited Children”
• Created by Congress in 1984
• Child Recognition and Identification System – database of hash values of CP images
• Child Victim Identification Program
www.FrederickLane.com
www.ComputerForensicsDigest.com
10
State CP Laws• All 50 states have their own CP laws
• Age of minority varies: 16 (30 states); 17 (9 states); and 18 (12 states)
• Prosecution can be federal or state, or both.
• Can include “harmful to minors” standard (states only)
www.FrederickLane.com
www.ComputerForensicsDigest.com
11
Indiana CP Laws• Ind. Code, tit. 35, art. 42, ch. 4, § 4
– Child exploitation; possession of CP
• Ind. Cod, tit. 35, art. 49, chs. 1-3 – Obscenity and Pornography
• Ind. Code § 35-49-3-1 – Distribution is a Class D felony if person depicted is or appear to be < 16.
www.FrederickLane.com
www.ComputerForensicsDigest.com
12
Ind. Code § 35-49-1-4, -9
• “Minor”: • Anyone under age of 18 (increased penalties if individual is
or appears less than <16).• “Sexual Conduct”:
• (1) sexual intercourse or deviate sexual conduct;
• (2) exhibition of the uncovered genitals in the context of masturbation or other sexual activity;
• (3) exhibition of the uncovered genitals of a person under sixteen (16) years of age;
• (4) sado-masochistic abuse; or
• (5) sexual intercourse or deviate sexual conduct with an animal.
www.FrederickLane.com
www.ComputerForensicsDigest.com
13
International CP Laws
• Over last 7 years, 100 countries have adopted new CP laws
• 53 countries still have no CP law at all
• International Center for Missing and Exploited Children
• 2012 Child Pornography Model Laws: http://bit.ly/19eWJPz
www.FrederickLane.com
www.ComputerForensicsDigest.com
End of Section One
www.FrederickLane.com
www.ComputerForensicsDigest.com 14
15
Digital Technology and CP
• A Brief Background• Digital Production of CP• Digital Distribution of CP• Digital Consumption
(Receipt and Possession)• Societal Changeswww.FrederickLane.co
mwww.ComputerForensicsDi
gest.com
16
A Brief Background
• 1978: Protection of Children Against Sexual Exploitation Act
• 1982: New York v. Ferber – Upholding state law banning child pornography
• 1984: Child Protection Act (prohibiting non-commercial distribution)
• 1992: Jacobson v. United States – Postal Service entrapment
• 2000: Poehlman v. United States – FBI entrapped defendant after lengthy email correspondence
www.FrederickLane.com
www.ComputerForensicsDigest.com
17
Digital Production of CP
• Scanners• Digital Cameras (still and
video)• Cameraphones (dumb and
smart)• Web camswww.FrederickLane.co
mwww.ComputerForensicsDi
gest.com
18
Digital Distribution of CP
• One-to-One• Sneakernet• E-mail / Personal File-Sharing• Instant Messaging / Chat Rooms
• One-to-Many• Newsgroups and Forums• Peer-to-Peer Networks• Torrent Networks / File-Hosting• Underground Web Sites
www.FrederickLane.com
www.ComputerForensicsDigest.com
19
Digital Consumption of CP
• Producer of CP may be in possession without having “received” it
• Defendant may be in “receipt” of CP without “knowingly” possessing it
• The challenges of determining “intentionally” and “knowingly” in the context of Internet activity
www.FrederickLane.com
www.ComputerForensicsDigest.com
20
Societal Changes• Computers and the
Internet• The Democratization of
Porn Production• “Porn Chic”• The “Selfie”www.FrederickLane.co
mwww.ComputerForensicsDi
gest.com
Something’s Changed
www.FrederickLane.com
www.ComputerForensicsDigest.com 21
End of Section Two
www.FrederickLane.com
www.ComputerForensicsDigest.com 22
23
Digital Investigations
• Discovery of Possible Child Pornography
• The Role of IP Addresses• Intro to Computer
Forensics
www.FrederickLane.com
www.ComputerForensicsDigest.com
24
Discovery of Possible CP
• Angry Spouse or Girlfriend• Geek Squads• Chat Rooms• Hash Flags• P2P and Torrent Investigations• Server or Payment Logswww.FrederickLane.co
mwww.ComputerForensicsDi
gest.com
25
Overview of IP Addresses
• Assigned to Every Internet-Connected Device
• Two Flavors:• IPv4: 196.172.0.1• IPv6:
2001:0db8:85a3:0042:1000:8a2e:0370:7334
• Leading to “Internet of Things”www.FrederickLane.co
mwww.ComputerForensicsDi
gest.com
26
IP → Physical Address
• Ranges of IP Addresses Assigned to ISPs by Internet Assigned Numbers Authority
• Online Tools to Look Up ISP• Dynamic vs. Static• Subscriber Records Show Date,
Time, IP Address, Limited Activitywww.FrederickLane.co
mwww.ComputerForensicsDi
gest.com
27
Limitations of IP Addresses
• Links Online Activity to Device, Not Necessarily a Specific User
• Data May Not Be Available from ISP
• Possibility of War-Dialingwww.FrederickLane.co
mwww.ComputerForensicsDi
gest.com
28
Intro to Computer Forensics
• Increasingly Specialized• Forensics Procedures• Forensics Software• A Typical Forensics
Reportwww.FrederickLane.co
mwww.ComputerForensicsDi
gest.com
29
Increasingly Specialized
• Computer Forensics• Windows• Mac OS• Linux
• Network Forensics• Mobile Forensics• Dozens of Mobile OSs• Hundreds of Models
• Cloud Forensics• Many Questions, No Clear Answers
www.FrederickLane.com
www.ComputerForensicsDigest.com
30
Forensics Procedures
• Field Previews• Mirror Images • Hash Values• Staggering Amounts of Data• Chains of Custody• 2006: The Adam Walsh Actwww.FrederickLane.co
mwww.ComputerForensicsDi
gest.com
31
A Typical Forensics Report
• There should be at least two reports:• Acquisition• Evaluation of Evidence
• Bowdlerized• Detailed procedures• Hash value checks• Bookmarks of possible contraband• Evidence of user IDwww.FrederickLane.co
mwww.ComputerForensicsDi
gest.com
End of Section Three
www.FrederickLane.com
www.ComputerForensicsDigest.com 32
Hash Values & Image Integrity
• Not Your Mother’s Hash
• The Role of Hash Values in Computer Forensics
• The Growing Use of Hash Flags
• P2P Investigations Using Hash Values
www.FrederickLane.com
www.ComputerForensicsDigest.com 33
Not Your Mother’s Hash
• Cryptograhic Hash Values• Relatively Easy to Generate
• Extremely Difficult to Determine Original Data from Hash Value
• Extremely Difficult to Change Data without Changing Hash
• Extremely Unlikely that Different Data Will Produce the Same Hash Value
www.FrederickLane.com
www.ComputerForensicsDigest.com 34
Complex Explanation (1)
• The word DOG can be represented in different ways:• Binary: 010001000110111101100111• Hexadecimal: 646f67
• A hash algorithm converts the hexadecimal value to a fixed-length hexadecimal string.• SHA-1:
e49512524f47b4138d850c9d9d85972927281da0
• MD5: 06d80eb0c50b49a509b49f2424e8c805
www.FrederickLane.com
www.ComputerForensicsDigest.com 35
Complex Explanation (2)
• Changing a single letter changes each value.
• For instance, the word COG produces the following values:• Binary: 010000110110111101100111• Hexadecimal: 436f67• SHA-1:
d3da816674b638d05caa672f60f381ff504e578c
• MD5: 01e33197684afd628ccf82a5ae4fd6ad
www.FrederickLane.com
www.ComputerForensicsDigest.com 36
Simple Explanation
Oatmeal-Raisin Cookies
Oatmeal-Chocolate Chip Cookieswww.FrederickLane.co
mwww.ComputerForensicsDi
gest.com 37
Evidence Integrity
• Acquisition Hashes
• Creation of Mirror Images
• Verification of Accuracy of Mirror Images
• Use of “Known File Filter”
• Hashkeeper
• National Software Reference Library
• NCMEC CVIP Databasewww.FrederickLane.co
mwww.ComputerForensicsDi
gest.com 38
Growing Use of Hash Flags
• Child Protection and Sexual Predator Act of 1998
• 2008: ISPs Agree to Block Access to Known Sources of CP and to Scan for NCMEC Hash Values
• SAFE Act: Requires ISPs and OSPs to Turn Over Subscriber Info If Known CP Is Identified
www.FrederickLane.com
www.ComputerForensicsDigest.com 39
P2P Hash Values• Basic Operation of Peer-to-
Peer Networks
• Decentralized Distribution
• Gnutella and eDonkey
• Client Software
• Hash Values Associated with Each File
www.FrederickLane.com
www.ComputerForensicsDigest.com 40
Automated P2P Searches
• “Peer Spectre” or “Nordic Mule” Scans for IP Addresses of Devices Offering to Share Known CP Files
• IP Addresses Are Stored by TLO in Child Protection System
• Officers Conduct “Undercover” Investigations by Reviewing Spreadsheets of Hits in CPS
www.FrederickLane.com
www.ComputerForensicsDigest.com 41
Growing Defense Concerns
• No Independent Examination of Proprietary Software
• Very Little Information Regarding TLO or CPS
• Peer Spectre May Generate False Hits Due to Normal Operation of P2P Clients
• Search Warrant Affidavits Fail to Mention Role of TLO or CPS
www.FrederickLane.com
www.ComputerForensicsDigest.com 42
End of Section Four
www.FrederickLane.com
www.ComputerForensicsDigest.com 43
44
Defending CP Cases
• Determining Age of Person Depicted
• Pre-Trial Issues
• Trial Issues
• Typical Defenses in CP Cases [Some More Viable than Others]
www.FrederickLane.com
www.ComputerForensicsDigest.com
45
Determining Age• Is expert testimony need?
• Tanner Stage: Outmoded?
• Role of environmental factors
• Bait and switch
• Defendant’s subjective belief is irrelevant
• Prosecutors prefer clear caseswww.FrederickLane.co
mwww.ComputerForensicsDi
gest.com
46
Pre-Trial Issues• Retaining a Defense Expert• Deposition of Government
Experts• Motion(s) to Produce• Motion(s) to Suppress or
in liminewww.FrederickLane.co
mwww.ComputerForensicsDi
gest.com
47
Trial Issues
• Should There Be a Trial?• Motion(s) in limine• Cross-Examination of
Government Expert
www.FrederickLane.com
www.ComputerForensicsDigest.com
48
Typical Defenses (1)
• Lack of Possession or Receipt• Mere Browsing• The Phantom Hash
• Accident or Lack of Intent• Ignorance or Mistake as to Age• Not a Real Child / Morphed /
Computer-Generatedwww.FrederickLane.co
mwww.ComputerForensicsDi
gest.com
49
Typical Defenses (2)
• Multiple Persons with Access to Device
• Used Equipment with Pre-Existing CP
• Viral Infection• Planting of Evidence by Spouse or
Police• Entrapmentwww.FrederickLane.co
mwww.ComputerForensicsDi
gest.com
End of Section Five
www.FrederickLane.com
www.ComputerForensicsDigest.com 50
The Ethics of Client Data
• Client Data in the Office
• Client Data in the Home
• Client Data in the Cloud
• Client Metadata
• CP-Specific Issueswww.FrederickLane.co
mwww.ComputerForensicsDi
gest.com 51
Client Data in the Office
• Physical Security• Locks
• Supervision of Visitors
• Electronic Security• Logins and Passwords
• Screensavers
• Authorized Users
• Backup(s)www.FrederickLane.co
mwww.ComputerForensicsDi
gest.com 52
Client Data in the Home
• Should It Even Be There?
• How Does It Get There?
• Physical Security
• Encryption?
• Who Has Access to the Device(s)?
www.FrederickLane.com
www.ComputerForensicsDigest.com 53
Communicating with Clients
• Is It Ethical to Use E-Mail?
• Understanding How E-Mail Works
• Ethics of Automatic Robot Scanning
• Is HTTPS Sufficient?
• Secure E-Mail Alternativeswww.FrederickLane.co
mwww.ComputerForensicsDi
gest.com 54
Client Data in the Cloud
• Brief Overview of Types of Cloud Services
• The Ethics of Cloud Storage
• The Ethics of Cloud Collaboration
• Discovery in the Cloudwww.FrederickLane.co
mwww.ComputerForensicsDi
gest.com 55
The Ethics of Metadata
• What Is Metadata?
• Who Knows What Metadata Lurks in a File?
• Don’t Accidentally Release Metadata
• Can I Use Someone Else’s Accidentally-Released Metadata?
• Should I Affirmatively Ask for Metadata During Discovery, and Can I Get It?
www.FrederickLane.com
www.ComputerForensicsDigest.com 56
CP-Specific Issues
• Rule #1: Do Not Obstruct Justice
• Rule #2: Minimize Handling and Isolate Device(s)
• Rule #3: If Identifiable Victim, Review Mandatory Reporting Requirements [Ind. Code § 31-33-5-1]
• Rule #4: Never Re-Distribute
• Rule #5: Hire an Expert
www.FrederickLane.com
www.ComputerForensicsDigest.com 57
End of Section Six
www.FrederickLane.com
www.ComputerForensicsDigest.com 58
59
Slides and Contact Info
• Download a PDF of slides from:
SlideShare.net/FSL3• E-mail or Call Me:
[email protected] 802-318-4604
www.FrederickLane.com
www.ComputerForensicsDigest.com
Digital Forensics andChild Pornography
Federal Defenders Program, D. Ind. (N.D.)
Plymouth, IN18 December 2013
Frederick S. Lane
www.FrederickLane.com
www.ComputerForensicsDigest.com 60