±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 36115
New Yesterday: 0 Visitors: 129

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Procedure for CP evidence?

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page Previous  1, 2, 3 ... 9, 10, 11, 12  Next 
  

akaplan0qw9
Senior Member
 

Re: Procedure for CP evidence?

Post Posted: Mar 13, 10 23:59

Having been on both the government and private side of these issues, I perhaps have a different view than some. Whether you were talking about CP or anything else, if you see and recognize a felony, you're obligated to report it. Failure to do so could result in you being charged with misprision of a felony.

"Whoever, having knowledge of the actual commission of a felony cognizable by a court of the United States, conceals and does not as soon as possible make known the same to some judge or other person in civil or military authority under the United States, shall be fined under this title or imprisoned not more than three years."

As you can see, you have to have a reasonable belief that you're looking at CP. That as we all know can be a pretty indefinite thing. It's a not like some disease where you have to wear a face mask and run away from it. You're allowed to establish and your own mind whether it's reasonable to believe that you probably have CP.

However, if you find some suspected CP and call your client and tell him what you think you found, you are starting down the road to a long time in court. Your client will probably ask you to either destroy the evidence or give it back to him. Obviously, that's a non-starter. Further, by notifying your client, you have pretty much confirmed that in your mind the evidence you had was convincing and you believed it to be CP.

My leaning would be to call the FBI, tell them that it looked like CP, but you weren't really sure and that he would appreciate it if they issued a subpoena for the forensic image you had created and came around and picked it up. We keep those images on external hard drives and could release such a drive without disrupting anything else here.

A few here have raised concerns about the cops seizing the lab computer because by the time you have made a determination that you may be in possession of CP, you would have conducted at least a partial analysis and most likely have actually seen such suspect photos.

If the guy picking up the forensic image is computer forensic trained, you should have no difficulty getting him or her to work with you in deciding what else they really need. I would try to get them to take your relavant work on my lab drive and move it to a thumb drive. They can then take some drive with them. Anything residual on your lab drive can be nuked out with secure clean or some other similar selective overwrite program as long as they OK it in advance

As I say, if the person taking the evidence is computer forensic trained you can probably work something out. On the other hand, if they are not computer forensic trained you could have more of a problem. In that case I would try to get them to get a computer forensic examiner in on the act either on the phone or in person. I think it pays to focus for a second on the investigation that cops have to run after they are finished picking up evidence from you. Remember, the forensic image they took from you is only "best evidence" if they can't get their hands on the original computer. Whatever you have on your lab computer is probably not ever going to be used for anything.

Remember, you are a potential prosecution witness. They want to keep you happy and friendly. If you started out calling them with the case, you are definitely looked on as someone who wants to cooperate. The last thing they want to do is screw up that relationship. So you start out in pretty good shape. For that reason, I wouldn't bring a lawyer and on it and I wouldn't bring my boss in on it unless we were of one mind.

If I got fired for making the report. I would probably be able to retire after I was finished suing. In my case, I'm boss and I'm not worried about some pervert coming after me.
_________________
Alan M. Kaplan, ACE
Nevada PI License #220
AKaplan @ LasVegasPI.com 
 
  

kovar
Senior Member
 

Re: Procedure for CP evidence?

Post Posted: Mar 14, 10 01:03

Greetings,

Does anyone have any citations containing more information about the repair guy who ended up doing jail time? I suspect there's more to the story ....

-David
_________________
CISSP, CCE, EnCE, Licensed Private Investigator (CA) 
 
  

anton
Newbie
 

Re: Procedure for CP evidence?

Post Posted: Mar 17, 10 20:24

This topic became an issue in a case I had been retained on. I had been hired by the plaintiff in a case involving the misappropriation of trade secrets. The defendant’s counsel had hired another forensic firm to image the defendant’s home and office computers. They were shipped to me for analysis. I found CP on his home computer.

I contacted my supervisor and advised him what I had found and he agreed that we needed to contact law enforcement. I contacted the FBI and reported it, via the phone, to the call taker. I then contacted my local sheriff’s department and requested a deputy call me asap, explaining what was going on. A deputy who had received CF training called me and I described what was going on, including the fact that I had contacted the FBI. He asked that I bring the offending images to the sheriff’s department. Later that afternoon I attended the sheriff’s department and provided the images to the deputy, including a statement outlining all that had transpired.  
 
  

Infern0
Senior Member
 

Re: Procedure for CP evidence?

Post Posted: May 18, 10 18:42

I have a slight curiosity on an aspect that doesn't appear to have been mentioned yet.

Does anyone have any experience in this activity having taken place in at a corporate place of business where a firm's security posture may have inadvertently also captured the activity, but wasn't necessarily the means for identification. For example, during a potential internal investigation of employee misuse or otherwise, the analyst discovers the material and then does the right thing (stop drop and roll to authorities (not client) seems to be the most popular). The media is then turned over to authorities and everyone feels good about themselves. Then, upon further thought the analyst realizes they have full PCAP capturing devices in place, bluecoat proxy monitoring and recording which will have undoubtedly recorded and retained this activity.

Immediate thoughts are to recontact your LE official who already has the original computer system and advise of your potential issue, but you can't exactly turn those devices over to officials. Selective wiping may also be a problem in these cases.

I suppose you could also find yourself in a similar situation if your processes involve imaging to or backing images up to a SAN. You can't reasonably be expected to turn your SAN over to authorities, or even wipe 50TB of other items can you?  
 
  

Fab4
Senior Member
 

Re: Procedure for CP evidence?

Post Posted: May 18, 10 20:18

- Jonathan
- leafhound
- bshavers
Wiping a hard drive that contains CP would be destroying evidence.


Only if evidence could be provided that CP actually was on the HDD in the first place.


You could be wiping evidence of a child being raped. You could've provided the information that would have helped stop it or stop the same happening to other children, but you destroyed the evidence. With the knowledge of that possibility, is wiping the drive a reasonable action?


As a UK based analyst I am stunned by leafhound's suggestions. I do corporate and LE work. I cannot think of any other response than Stop, Drop and Roll. I would keep my line manager in the loop but it is my decision and accountability alone to report it and request LE to attend for seizure of the exhibit and all copies. Were my employer to frown about this or suggest that the matter of payment for the work completed to date on behalf of the client in any way impacted on this decision or the time taken to invoke it, I would look for another employer whose values were aligned with my own.

As far as I am concerned, in the UK, this is black and white. Protection of children above all else.  
 
  

markg43
Senior Member
 

Re: Procedure for CP evidence?

Post Posted: Mar 06, 11 12:31

I have been in this direct situation, luckily I was on the LE side of the desk.

CP on a hard disk was reported to my office. We dispatched an agent and myself (FE guy) to the repair shop.

We spoke to the gents at the office and determined that the files were found on computer submitted by one of their clients (machine had a failing HD). SOP for the repair shop was to run a data recovery program on the failing drive to their server to save the client's files and then they drop in a new drive and copy back the files.

During the review of the recovered files, they saw CP and reported it to LE (us).

When we went out there, we got the clients name and address as well as his HD. I also took the drive at the repair shop were they copied the recovered files. Now I was a nice guy and after they showed me their folder structure for clients, I them wiped that clients files from the drive and returned their drive in about 2 days. Now some people would just take the drive - but that's not me. I want them to report it again when it happens.

Another case I had came in the mail. A client sent/mailed their laptop to Gateway to have some work done. Gateway found CP and called LE. The laptop owners address was in my jurisdiction, so it got mailed to me and we paid a visit to the client. You can guess where that went.

In both cases, none of the reporters of the CP were in any legal trouble. I can't guarantee you won't be. But try to do the right thing and you should be OK legally. My opinion has no bearing on what happens with your employer though.

My suggestion - if you do forensics or computer repair (and you have authorization from the boss if that's not you) - contact the local FBI Crimes against Children agent (just call the local field office and ask for that title), or local PD (Family crimes, Crimes against children) or local ICAC task force (Internet crimes against children).

Tell them who you are and why you are calling. Ask them to make a stop at your office, make friends, ask them what do to if it happens.

I don't know the story of the repair guy that got arrested according to the older post so I can't comment.

www.ndaa.org/pdf/Manda...202010.pdf
This link shows some of the laws for mandatory reporting.

As always, I am not a lawyer - refer to one. My advice is based on you being a repair guy or a a forensic guy that does not do CP exams AND that you work alone, are the boss, or are authorized to make these decisions. If you are not authorized, then talk to whomever is.  
 
  

rcherven
Newbie
 

Re: Procedure for CP evidence?

Post Posted: Jan 05, 12 12:36

- OldDawg
I think I have some CP images in a case I'm working on. I've been in touch with the po-po and will be providing them with a CD of the images in a face-to-face meeting. So how does this work?

Let's say they determine that the images are indeed CP. Do they then take my DD image disk as well as seize the original computer? How do I then provide evidence for the original case which has nothing to do with CP?

Maybe I should get a honkin big external drive and export everything EXCEPT the suspect images to it?

Inquiring minds want to know...


Stop.

Make a physical image of the HDD along with any and all peripherals. If it's a suspect machine, stop touching it, it now belongs to the law enforcement agency responsible for that jurisdiction.

You may now continue your examination on the image files that you created for yourself.

If you make a disk with CP and hand it to the police - Congratulations, you have now manufactured and disseminated child pornography!

Under some state and federal law, in compliance with the National Center for Missing and Exploited Children, there are strict CVIP (child victim identification program) procedures that must be adhered to.

p.s. The police agency might tell you to hold off on you creating the image. They will probably want a known certified forensic analyst to perform the acquisition.

Hope this helps.

-RC
Former ICAC Task Force
_________________
Robert Cherven, CFCE, EnCE, ACE
Senior Digital Forensic Examiner
robert @ baystateforensics.com 
 

Page 10 of 12
Page Previous  1, 2, 3 ... 9, 10, 11, 12  Next