investigating and litigating computer evidence in child...
TRANSCRIPT
![Page 1: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/1.jpg)
Investigating and Investigating and Litigating Computer Litigating Computer Evidence in Child Evidence in Child Pornography CasesPornography Cases
PEYTON [email protected]
![Page 2: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/2.jpg)
AGENDAAGENDA
Media, Data, Metadata When to Contact an Expert What Can an Expert Do? Lifecycle of Digital Evidence:
Acquisition Preservation Analysis: system, network, application Presentation
Strategies Based on Practical Experience
![Page 3: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/3.jpg)
MEDIA, DATA, METADATAMEDIA, DATA, METADATA
Media: the physical thing on which information is stored HDD, SSD, USB, CD/DVD, Floppy, Tape,
SD Card, etc…
Data: The information itself E-mail, documents, pictures, movies,
databases, etc…
Metadata: Housekeeping/Assistive info that accompanies the data Filenames, timestamps, EXIF data, etc….
![Page 4: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/4.jpg)
EXAMPLE: COPYING A FILEEXAMPLE: COPYING A FILE
Dear Mr. Engel, Blah blah blah…
letter.txt 3/5/2014Dear Mr. Engel,
Blah blah blah…
letter.txt 11/20/2014
Same data, but different media and metadata
![Page 5: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/5.jpg)
QUESTIONS ABOUT EACHQUESTIONS ABOUT EACH
Media: What kind(s) of machine(s)? How to store, preserve data?
Data: What do the files contain?
Metadata: How/when did the files get there? What has been done with the files?
![Page 6: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/6.jpg)
HOW IT OFTEN BEGINSHOW IT OFTEN BEGINS
Charging documents with multiple counts
Affidavits with both technical information and narrative
Maybe some preliminary reports or other supporting data (“offense-specific graphics”)
![Page 7: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/7.jpg)
TALK WITH AN EXPERT ASAPTALK WITH AN EXPERT ASAP
Digital evidence only accumulates More artifacts get found Deeper analysis gets done
Need to develop a theory of the case That’s not CP That’s CP, but it’s not mine That’s CP, and it’s my computer, but
I didn’t know about it Help decide about disposition,
timeline
![Page 8: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/8.jpg)
HOW AN EXPERT CAN HELP HOW AN EXPERT CAN HELP EARLY ONEARLY ON Review the charging documents
Evaluate the state’s position Look at the warrant
Spot and explain technical issues In the evidence In the client’s story
Suggest a plan: answer open questions, find needed proof What to seek When and how to get it
![Page 9: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/9.jpg)
LIFECYCLE OF DIGITAL LIFECYCLE OF DIGITAL EVIDENCEEVIDENCE Acquisition
Obtaining materials in a sound manner
Preservation Making sure things don’t change when
we’re not looking
Analysis Figuring out what it all means
Presentation Persuading a non-technical audience
![Page 10: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/10.jpg)
ACQUISITION/COLLECTIONACQUISITION/COLLECTION
Create a copy of the evidence without altering it Write-blockers Previewing
Ensure that the copy is accurate Use hashing functions to make the
image verifiable/tamper-evident This calls for a brief digression into
scary math cryptography
![Page 11: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/11.jpg)
Hash Functions
One-Way Functions Like a Magic Machine
Hard Disk Copy of Hard Disk
MD5 (hash algorithm)
If the results match, the inputs must have been the same.
![Page 12: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/12.jpg)
QUESTIONS ABOUT QUESTIONS ABOUT ACQUISITIONACQUISITION Why were the materials seized? Did anyone do anything to the
evidence before making the image? Was there any previewing? Did investigators record the system
time when they made the image? Did investigators:
Seize anything they shouldn’t have? Neglect to grab anything of interest?
(phone, iPod, tablet, USB drives, etc…)
![Page 13: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/13.jpg)
SSD STORAGE DEVICESSSD STORAGE DEVICES
Found in: tablets, phones, high-end laptops
Their contents change as they are used: no such thing as a write-blocker
An open problem in forensics Free shot at the analyst: can’t prove
the evidence is untainted Be wary if the evidence is yours
![Page 14: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/14.jpg)
PRESERVATIONPRESERVATION
Usually just lock the evidence up All analysis will be done on the
forensic image Very little chance there will be
problems with this step But still, it’s good to review the
chain of custody Won’t win or lose the case, but a
maybe a chance to score a point
![Page 15: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/15.jpg)
ANALYSISANALYSIS
Preliminary Report: the bare minimum needed to support charging “We found these files” Filenames, paths, timestamps
The main tools EnCase (state/local) FTK (federal) Cellebrite: for phones and tablets
![Page 16: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/16.jpg)
ANALYSISANALYSIS
Spotting contraband via automation: KFF: Known File Filter (hashes of
known contraband) NCMEC: nationwide clearinghouse
Spotting contraband by hand: Sort by file type, review one by one Check unallocated space
Breadth of search: Signature matching
![Page 17: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/17.jpg)
ANATOMY OF YOUR COMPUTERANATOMY OF YOUR COMPUTER
Peripherals
Operating System (Windows)
Applications
CPU (Intel x86)
![Page 18: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/18.jpg)
WHATWHAT’’S GOING ON?S GOING ON?
Solving the problem of how to write programs that will run on computers in general
The Operating System starts and stops applications, and mediates interactions with hardware
Filesystem: The organizational scheme used by an operating system when writing information to media
![Page 19: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/19.jpg)
ANALYSIS: A SIMPLIFIED ANALYSIS: A SIMPLIFIED FILESYSTEM FILESYSTEM MASTER FILE TABLE
Index Name Date and Timestamp Offsets1: picture.jpg 02/24/2014 15:03:16 0005530 01399482: letter.txt 03/05/2014 09:45:11 0139949 02331873: song.mp3 03/22/2014 11:39:01 0233188 0294472...
EXIF DATA, Picture data
Dear Mr. Engel,\n Blah blah blah…
ID3 tags, Music data
0005530
0139948
0139949
0233187
0233188
0294472
…
…
…
![Page 20: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/20.jpg)
ANALYSIS: A SIMPLIFIED ANALYSIS: A SIMPLIFIED FILESYSTEM FILESYSTEM MASTER FILE TABLE
Index Name Date and Timestamp Offsets1: picture.jpg 02/24/2014 15:03:16 0005530 01399482: song.mp3 03/22/2014 11:39:01 0233188 0294472...
EXIF DATA, Picture data
Dear Mr. Engel,\n Blah blah blah…
ID3 tags, Music data
0005530
0139948
0139949
0233187
0233188
0294472
…
…
…
Deleted file’s metadata gone, but contents still present until overwritten!
![Page 21: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/21.jpg)
ANALYSIS: FILESYSTEMANALYSIS: FILESYSTEM Typical timestamps:
Created Written Modified Accessed
Unallocated Space May have only partial files No date/time information
Applications may leak metadata History (“recent files”) Preferences
![Page 22: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/22.jpg)
ANALYSIS: FILE ANALYSIS: FILE ((FoofusCropped.pngFoofusCropped.png))
FoofusCropped.pngC:\Users\Pengel\My PicturesCreated 10/29/14 11:03 AMWritten 10/29/14/12:23 PMModified 10/29/14 12:23 PMAccessed 10/31/14 1:38 PMSize: 1.46MB
Filesystem Metadata
Camera: iPhone 5 Dimensions: 1639x1452 pixelsColor Depth: 24Taken: 10/27/14 3:45 PM
File Metadata
![Page 23: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/23.jpg)
ANALYSIS: WEB BROWSERANALYSIS: WEB BROWSER
Web Server
www.example.com
Web Browser
Internet Explorer
GET / HTTP 1.1\n\n
1. Browser goes to http://www.example.com
![Page 24: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/24.jpg)
ANALYSIS: WEB BROWSERANALYSIS: WEB BROWSER
Web Server
www.example.com
Web Browser
Internet Explorer
2. Web server responds. In order to be able to recognize this particularweb browser in the future, the web server issues a piece of data to be included with subsequent requests.
3. The web browser stores the cookie, which contains the name of the web server, the date and time the cookie was issued, and maybe some
otherdata (usually just a big long number, but sometimes information aboutwhat the user was doing at the web site).
![Page 25: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/25.jpg)
ANALYSIS: WEB BROWSERANALYSIS: WEB BROWSER
Web Browser
Internet Explorer
4. The web page contains graphics, which are highly complex comparedwith text, so the web browser stores them to keep them handy in they are needed again in a hurry (e.g., user clicks the back button)
Temporary Internet Files
5. Cached images accumulate as the user continues to browse. To keep track of them, the browser keeps a record of the user’s activity.
Index.dat
![Page 26: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/26.jpg)
ANALYSIS: WEB BROWSERANALYSIS: WEB BROWSER
It is often possible to reconstruct a great deal about web usage patterns.
Common tools: Internet Evidence Finder (IEF) NetAnalysis
Extra Credit: what happens when you clear your web browser’s cache?
![Page 27: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/27.jpg)
ANALYSIS: NETWORKINGANALYSIS: NETWORKINGHome Computing
Devices
Router
ISP
(AT&T, Charter, Time Warner,
Google Fiber, etc.)
The Internet
PublicPrivate
IP Address Blocks
Individual IP Address
![Page 28: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/28.jpg)
PEERPEER--TOTO--PEER NETWORKINGPEER NETWORKING
File1.jpg
File2.jpg File1.jpg
File3.jpg
The Internet
• Computers connected to the Internet
• Sharing files (Ares, eMule, …)
• Law Enforcement
• RoundUp: searches for files, checks hash values (published for disambiguation)
![Page 29: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/29.jpg)
PEERPEER--TOTO--PEER NETWORKINGPEER NETWORKING
File1.jpg
File2.jpg File1.jpg
File3.jpg
The Internet
• Get public IP addresses of target sharers
• Are they in our jurisdiction?
• Can we get a single-source download?
• Yay! Let’s go get a warrant and start booting in doors!
![Page 30: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/30.jpg)
A TYPICAL INVESTIGATIONA TYPICAL INVESTIGATION
Find computers sharing suspected contraband on the Internet
Identify their physical location Get warrant and seize all computers
at that location Acquire and preserve their data Analyze file data (usually not
metadata)
![Page 31: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/31.jpg)
WHATWHAT’’S MISSING AT THIS S MISSING AT THIS POINTPOINT…… How did the files get there? Did the defendant know about them? Did the defendant ever see them? Are they isolated incidents, or part of
a pattern? Are they from prior to April 2012? Did the warrant authorize the search
that was performed?
![Page 32: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/32.jpg)
PRESENTATIONPRESENTATION
On direct, need a good explainer Balancing: accuracy, simplicity, credibility,
and stimulation Be wary of analogies Can your expert attend the state’s direct?
On cross, two paths: The state’s expert is wrong/not credible The state is right about the facts but not
what they mean Have a detailed script– the material can be
hard and the state’s expert is experienced
![Page 33: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/33.jpg)
PRESENTATIONPRESENTATION
Generally not doing acquisitionOften need to explain
How web sites work How web browsers work How e-mail works How peer-to-peer file sharing works
You need your expert to Verify/falsify the state’s analysis Tell your story to the jury
![Page 34: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/34.jpg)
THE CAST OF CHARACTERSTHE CAST OF CHARACTERS
The Primary Investigator Police, Sheriff, FBI Discover crime, seize evidence, swear
complaint Criminal Analyst
Usually state (but can be county, city, federal)
Make forensic image, perform analysis Prosecutor
Issue charges Try the case, if needed Probably hasn’t seen the evidence
![Page 35: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/35.jpg)
WHY DOES THIS MATTER?WHY DOES THIS MATTER?
The Criminal Analyst is overworked Bare minimum needed to move along Poor or reactive communications with
prosecutor and investigator
Your advantage lies here You can know more about the
evidence than the prosecutor You can find it out earlier
![Page 36: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/36.jpg)
RELATIONS WITH THE RELATIONS WITH THE ANALYSTANALYST The analyst is unlikely to be wrong
Their analysis may be incomplete They are biased, but helpful with
technical mattersWhere possible, establish rapport
They like to talk to people who understand them (i.e., your expert)
They are often frustrated with the other folks in the case
They can give you insight
![Page 37: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/37.jpg)
REVIEWING THE EVIDENCEREVIEWING THE EVIDENCE
State vs. federal premises: paranoia State crime lab
Need to bring your own PC with EnCase or equivalent
Artificial economic and time limits May be worthy of 6A litigation
Key questions Are the files what the state claims? How and when did they get there? What has been done with them?
![Page 38: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/38.jpg)
THE TYPICAL CASETHE TYPICAL CASE
Computer observed transferring known contraband (e.g., via Ares)
IP address traced to residence, warrant executed
Computer seized Target makes inculpatory
statements Charged with possession of a few
files
![Page 39: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/39.jpg)
THAT PATTERN TELLS US THAT PATTERN TELLS US SOMETHINGSOMETHING Primed for prompt resolution
Slam-dunk evidence ICAC is churning these out
Potential repercussions to fighting They will seek and find additional
evidence Mandatory sentences
HIDDEN MESSAGE: the prosecutor and the analyst are not expecting to work hard or go to trial on possession of CP
![Page 40: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/40.jpg)
THE NOTTHE NOT--SOSO--TYPICAL CASETYPICAL CASE
Materials discovered during computer repair
Materials discovered during contentious divorce
Materials discovered during investigation of something else
Basically, anything not gift-wrapped by ICAC…
![Page 41: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/41.jpg)
WHEN YOU FIRST GET THE WHEN YOU FIRST GET THE CASECASE There has probably been only
cursory analysis You can get ahead of the other side The closer you get to trial:
More pressure on the Analyst to find something dispositive
More likely that additional evidence will come to light
Harder to get time with the evidence
![Page 42: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/42.jpg)
WHAT MORE CAN THE STATE WHAT MORE CAN THE STATE DO?DO? Deeper review of seized media
Encrypted containers
More thorough inspection of metadata
Search “slack space” Seize other things and search them
Other home systems Systems at work In the cloud: ISP records, email, etc.
![Page 43: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/43.jpg)
THOUGHTS ON STRATEGY IN THOUGHTS ON STRATEGY IN COURTCOURT Judge doesn’t like wasting time:
shift that to the prosecutor They won’t be ready on time Presenting the evidence is their
problem
“How big is that picture” No intrinsic physical size Why should the jury see things blown
up big?
![Page 44: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/44.jpg)
MOTION PRACTICEMOTION PRACTICE
Nobody wants to be the judge who excluded the child porn evidence.
Your chance to educate: Prosecution: weaknesses in their case Judge: nature of the evidence
Talk to Rose Oliveto: she lost a motion, but in doing so got a great result
Ambush is unproductive: Nobody understands the evidence You want to frame the issues
![Page 45: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/45.jpg)
JURIESJURIES
You may want Young, educated/techy, male People who spend lots of time online
You may not want Teachers or others who work with
children Physicians or people with medical
experience
![Page 46: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/46.jpg)
EXAMPLEEXAMPLE
Image in “Temporary Internet Files” Who was using the computer? Where did it come from? What else was going on at that time? Was it specifically sought out? Was it ever even on the screen? Has the web site been revisited? Did the web page have disclaimers? Has the file been revisited?
![Page 47: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/47.jpg)
WORKING WITH AN EXPERTWORKING WITH AN EXPERT
Expect more than one visit to review the evidence (follow-up questions)
Use the expert to help develop your cross of the state’s expert
Interact with the expert about the report
Make the state’s expert your ally They need to tell your story on cross They need to agree with your expert
![Page 48: Investigating and Litigating Computer Evidence in Child …wispd.org/attachments/article/243/Investigating and... · 2018-06-05 · Investigating and Litigating Computer Evidence](https://reader035.vdocuments.us/reader035/viewer/2022081405/5f0b1d027e708231d42ee9f0/html5/thumbnails/48.jpg)
YOU MADE IT TO THE END! YOU MADE IT TO THE END!
Thanks!Questions?