Procedure for CP evidence?

  

wilber999
Member
 

Re: Procedure for CP evidence?

Post Posted: Feb 11, 07 05:17

I appreciate everyone's conversation and would like to say that I enjoy the conversation, but I do not like the topic of CP and admire (and thank) those that work with it daily to help protect my family. Below is the complete section of my contract on CP:

To the event that a forensics examination reveals the existence of possible child pornography on the examined media, COMPANY will immediately cease its examination and advise CLIENT and appropriate law enforcement authorities of the nature of the materials found. Before proceeding with further forensic examination, CLIENT will secure a court order or take such other legal action as may be necessary to prevent both COMPANY and CLIENT from being subject to any legal charges regarding the possession or distribution of child pornography.

Not that it makes it any better, but this section came from an ABA published book on electronic discovery in which the authors run a well-respected Forensics company. I agree with each of you to consult counsel and check my local laws and restrictions.

Everyone have a good weekend.

armresl... your post on people getting busted for what appears to be the "right thing" still concerns me.
 
  

OldDawg
Senior Member
 

Re: Procedure for CP evidence?

Post Posted: Feb 11, 07 05:20

This is certainly a more in-depth and interesting topic than I had surmised.

In fact, it appears that official agencies are also somewhat in limbo about what to do. I've been in touch with NCMEC, 2 people at municipal PDs and 3 state police before finally getting an answer about how to pursue this. At this stage, no one knows whether the images are CP or not. NCMEC doesn't distribute their hash sets so there is no help there. I suspect that the state LEOs will forward the images to NCMEC for evaluation and a decision. Once that happens it is unknown how things will proceed. I'll keep you all posted, however. This stuff needs to be codified and a proper procedure outlined.
_________________
Jerry Nicholson, Owner
Mlink.com
www.mlink.com 
 
  

az_gcfa
Senior Member
 

Re: Procedure for CP evidence?

Post Posted: Feb 11, 07 08:20

While going over the responses there were several that generally caused me concern. I'm reviewing/developing new procedures and creating several custom forms to be used in the procedure of acquiring/obtaining digital media from clients. In other words, it is my intention to document the "Chain of Custody" thoroughly because of these exact situations.

While I'm generally not an alarmist by nature, I too have seen some pretty scary facets of our legal system. I do not want to leave anything to chance - like trying to prove that I did not put the "illegal content" on the media.

I can document the receipt of the media by serial number and physical description. Personally, I never accept any media that does not have any labels or unique descriptors. I have been known to require people to mark CDs and DVDs with a Sharpie before I take possession.

Documenting the physical exchange is all well and good. Now we are entering into a realm where we must prove we did not put the "illegal content" on the media. The only way I know how to do this is to generate an MD5 or SHA1 hash value. I always generate an MD5 hash value on any and all media, first thing as part of the imaging process.
Reckon, now I will photograph the screen displaying the MD5 value at the customer's site, ensuring that I capture enough site details to prove when and where the image was created.

I admit that I have been fortunate in not having to deal with any CP. I have had to deal with some pornography. I need to ensure that my Forensic WSs, processing procedures and data storage procedures prevent essential equipment from being affected by this type of an event.

I wonder why I still want to do this type of work without the protection of a shield. Oh Well! Document, document and document some more.
_________________
Give a man a fish and he can eat today. Teach the man how to fish and he will be able to eat his whole life. 
 
  

jamie
Site Admin
 

Re: Procedure for CP evidence?

Post Posted: Feb 11, 07 12:36

This is an important and interesting discussion. I'm going to "sticky" the topic to give it some prominence and ask a few other members for their comments.

On a personal level I have some fairly strong feelings about what an appropriate course of action to take is in this situation (and I share some of the concerns about a few comments made so far). However, a clearer insight into the legal ramifications of discovering CP would undoubtedly be useful for everyone - let's see what we can all do to clarify the situation both at the national and, where appropriate (e.g. US), state level. Comments from legal counsel and law enforcement are very much welcome - please post what you know and encourage others to join the discussion.

Jamie
_________________
Jamie Morris
Forensic Focus
Web: www.forensicfocus.com
Twitter: twitter.com/ForensicFocus
Facebook: www.facebook.com/forensicfocus 
 
  

steve862
Senior Member
 

Re: Procedure for CP evidence?

Post Posted: Feb 13, 07 14:56

Hi,

On a couple of occasions I have received a computer from a corporate data recovery source where CP was discovered by them. On those occasions the data recovery people felt that they should not be in possession of this material and had some vague awareness that if they gave it back to the client they were inadvertently committing the offence of distributing CP. So they gave it to the Police and we acted on it very quickly so that we could identify who was responsible.

It was important to have the image from the data recovery people and the actual exhibit. It was appropriate to image the drive(s) again and compare them to the image given to us. We also needed to verify for ourselves the BIOS date and time and any configuration issues on the PC which might have affected the findings, such as audio files but no sound card. It was also appropriate to compare the devices listed in the setupapi.log file and registry with the actual devices inside the computer. If more than one hard drive were found and the CP was on the drive not containing the OS it would be necessary to identify when that drive was first installed in that PC.

Once CP had been found it was then necessary to prove that it was created intentionally or deliberately retained and following a recent ruling to prove that the person was still knowingly in possession of it. Deleted images would not count as possession but where it was possible to prove when and how the CP files were made a making charge could be applied to deleted images.

Because we could act quickly we were able to identify whether the client was involved and if so produce a case without them suspecting anything was wrong. If it was clear it was a member of staff we could approach the client and enlist their assistance in identifying any other locations in which this person might have put similar material.

I think the rules here in the UK are going to be quite a bit different to the US but certainly here I would want a corporate forensic analyst to call me. In return I would promise to act quickly as this does not put them in an awkward position regarding the client. I do understand that you would have concerns over getting paid for the work you did but you would technically be breaking the law if you gave the computer back, even with the instruction to contact LE.

Steve
_________________
Forensic Computer Examiner, London, UK 
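
The two integrity checks described in the posts above (az_gcfa's hash taken at acquisition, and steve862's comparison of a fresh image against the one received), as an added example that is not part of the thread. The function names, record fields and sample bytes are constructed assumptions; in practice the streams would be image files opened in binary mode.

```python
import hashlib
import io

CHUNK = 1 << 20  # read 1 MiB at a time so a large image never sits in memory


def hash_stream(stream, chunk=CHUNK):
    """One pass over an image; returns (md5_hex, sha1_hex, size_bytes)."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    while block := stream.read(chunk):
        md5.update(block)
        sha1.update(block)
        size += len(block)
    return md5.hexdigest(), sha1.hexdigest(), size


def custody_entry(stream, serial, description, examiner, acquired_utc):
    """Record written at acquisition time, next to the physical description."""
    md5, sha1, size = hash_stream(stream)
    return {"serial": serial, "description": description, "examiner": examiner,
            "acquired_utc": acquired_utc, "size_bytes": size,
            "md5": md5, "sha1": sha1}


def matches_entry(entry, stream):
    """True if a later re-acquisition has the recorded size and both digests."""
    md5, sha1, size = hash_stream(stream)
    return (size, md5, sha1) == (entry["size_bytes"], entry["md5"], entry["sha1"])


def first_mismatch(a, b, sector=512):
    """Byte offset of the first differing sector of two images, or None."""
    offset = 0
    while True:
        x, y = a.read(sector), b.read(sector)
        if x != y:
            return offset  # also covers one image being shorter than the other
        if not x:
            return None
        offset += sector


# Constructed sample data standing in for image files (not real evidence).
RECEIVED = bytes(range(256)) * 16                       # image as received
REIMAGED = RECEIVED                                     # clean re-acquisition
ALTERED = RECEIVED[:1500] + b"\xff" + RECEIVED[1501:]   # one byte changed

if __name__ == "__main__":
    entry = custody_entry(io.BytesIO(RECEIVED), "SN-EXAMPLE-001",
                          "constructed sample image", "examiner-a",
                          "2024-01-01T00:00:00Z")
    print(entry)
    print(matches_entry(entry, io.BytesIO(REIMAGED)))
    print(first_mismatch(io.BytesIO(RECEIVED), io.BytesIO(ALTERED)))
```

When the digests disagree, the sector offset from `first_mismatch` tells the examiner where to start looking, which a bare hash comparison cannot.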
 
  

jamie
Site Admin
 

Re: Procedure for CP evidence?

Post Posted: Feb 13, 07 23:16

Many thanks, Steve. Could I just pick up one last point? I understand from what you've said that returning the device in question to the client would be an offence (strictly speaking) but am I right in thinking that under UK law the examiner is not legally obliged to report the presence of such material to the police? In other words, could the examiner (with the permission/knowledge of the client, perhaps) in theory simply destroy the material without breaking the law?

Note to all: I'm NOT suggesting that the above would be either ethical or professional (quite the reverse) but I am interested in whether there's a loophole here which has been closed in other jurisdictions.

Jamie
_________________
Jamie Morris
Forensic Focus
Web: www.forensicfocus.com
Twitter: twitter.com/ForensicFocus
Facebook: www.facebook.com/forensicfocus 


Last edited by jamie on Feb 13, 07 23:29; edited 1 time in total
 
  

BraneRift
Senior Member
 

Re: Procedure for CP evidence?

Post Posted: Feb 13, 07 23:21

My empathy really goes out to those of you in the private sector when it comes to CP images. I am a lead forensic examiner for a municipal PD. Just a couple of years ago, defense was entitled to all the evidence I was. This included images of drives etc. This is no longer the case. The Federal Govt (US) has really restricted the distribution of CP in legal cases. Private experts in the field that defense attorneys used to hire to examine the same images I examine are now getting arrested and charged if they have possession of ANY CP images no matter what it is for.

Personally, I think that is a little over the top. As a LE officer, one would think I would be all for this type of legislation, but I DO think everyone has the right to a fair trial. This should include a separate examination of the digital evidence.

We have gotten around this issue here locally. I invite the defense's expert to the PD and have him/her conduct the examination here with our images of the drive. Before they leave, their drive is to be wiped, exporting only reports and other non-contraband items. It is a huge pain in the back side, but what other choice do we have? A lot of private examiners are just turning down these types of cases.

As for the private sector examiners..... I highly respect so many people here on these forums. I would hate to see you get into trouble for such a thing. I would definitely consult the Corp Atty. Make sure they are up-to-date on the latest federal regulations as it pertains to the CP issue.

I am biased, but I would make sure my company had strict CP policies in place which should include the "stop, drop, and roll" procedure mentioned in earlier posts. Remember, just because you gave the image back to the client, doesn't mean you haven't possessed the CP. I think reporting would be the best solution. Also, there is nothing wrong with contacting your local FBI office and speaking to an agent. Get their input on the matter. Make sure you document who you talked to, better yet, record the call with the agent's permission. CYA

Real quick, just to hit on what Jamie mentioned....

I would not destroy evidence... yes evidence here in the US. If you think the FEDS are nasty with the CP issue, try destroying the evidence. I think one would feel their full wrath.....Just my opinion.

Good luck with this everyone.  
 
