2013-12-18 Digital Forensics and Child Pornography (inc. 1 hour ethics)

Digital Forensics andChild Pornography

Federal Defenders Program, D. Ind. (N.D.)

Plymouth, IN18 December 2013

Frederick S. Lane

www.FrederickLane.com

www.ComputerForensicsDigest.com 1

2

Seminar Overview

• Introduction and Overview• Digital Technology and CP• Digital Investigations

• Hash Values and Image Integrity

• Defending Child Pornography Cases

• The Ethics of Client Datawww.FrederickLane.co

mwww.ComputerForensicsDi

gest.com

3

Introduction and Overview

• Background and Expertise

• What Is Child Pornography?

• Digital Technology and the Spread of Child Pornography


www.ComputerForensicsDigest.com

4

Background and Expertise

• Attorney and Author of 7 Books

• Computer Forensics Expert -- 15 years

• Over 100 criminal cases

• Lecturer on Computer-Related Topics – 20+ years

• Computer user (midframes, desktops, laptops) – 35+ yearswww.FrederickLane.co


gest.com

5

What Is Child Pornography?

• Federal Laws

• State Laws

• Indiana CP Laws

• International Law



6

Federal CP Laws• 18 U.S.C. c. 110 – Sexual

Exploitation and Other Abuse of Children

• 18 U.S.C. § 2251 – Production

• 18 U.S.C. § 2252 – Possession, Distribution, and Receipt

• 18 U.S.C. § 2256 -- Definitions



7

“Child Pornography”

18 U.S.C. § 2256(8): “any visual depiction, including any photograph, film, video, picture, or computer or computer-generated image or picture, whether made or produced by electronic, mechanical, or other means, of sexually explicit conduct, where—

(A) the production of such visual depiction involves the use of a minor engaging in sexually explicit conduct; [or]

(B) such visual depiction is a digital image, computer image, or computer-generated image that is, or is indistinguishable from, that of a minor engaging in sexually explicit conduct; or

(C) such visual depiction has been created, adapted, or modified to appear that an identifiable minor is engaging in sexually explicit conduct.”www.FrederickLane.co


gest.com

8

Other Relevant Definitions

• “Minor” [18 U.S.C. § 2256(1)]: <18• 18 U.S.C. § 2257: Record-keeping requirements

• “Sexually Explicit Conduct” [18 U.S.C. § 2256(2)(A)]:• (i) sexual intercourse, including genital-genital, oral-genital, anal-genital,

or oral-anal, whether between persons of the same or opposite sex;

• (ii) bestiality;

• (iii) masturbation;

• (iv) sadistic or masochistic abuse; or

• (v) lascivious exhibition of the genitals or pubic area of any person.

• Slightly Different Definitions for Computer Images [18 U.S.C. § 2256(2)(B)]



9

NCMEC• “National Center for Missing and

Exploited Children”

• Created by Congress in 1984

• Child Recognition and Identification System – database of hash values of CP images

• Child Victim Identification Program



10

State CP Laws• All 50 states have their own CP laws

• Age of minority varies: 16 (30 states); 17 (9 states); and 18 (12 states)

• Prosecution can be federal or state, or both.

• Can include “harmful to minors” standard (states only)



11

Indiana CP Laws• Ind. Code, tit. 35, art. 42, ch. 4, § 4

– Child exploitation; possession of CP

• Ind. Cod, tit. 35, art. 49, chs. 1-3 – Obscenity and Pornography

• Ind. Code § 35-49-3-1 – Distribution is a Class D felony if person depicted is or appear to be < 16.



12

Ind. Code § 35-49-1-4, -9

• “Minor”: • Anyone under age of 18 (increased penalties if individual is

or appears less than <16).• “Sexual Conduct”:

• (1) sexual intercourse or deviate sexual conduct;

• (2) exhibition of the uncovered genitals in the context of masturbation or other sexual activity;

• (3) exhibition of the uncovered genitals of a person under sixteen (16) years of age;

• (4) sado-masochistic abuse; or

• (5) sexual intercourse or deviate sexual conduct with an animal.



13

International CP Laws

• Over last 7 years, 100 countries have adopted new CP laws

• 53 countries still have no CP law at all

• International Center for Missing and Exploited Children

• 2012 Child Pornography Model Laws: http://bit.ly/19eWJPz



End of Section One



15

Digital Technology and CP

• A Brief Background• Digital Production of CP• Digital Distribution of CP• Digital Consumption

(Receipt and Possession)• Societal Changeswww.FrederickLane.co


gest.com

16

A Brief Background

• 1978: Protection of Children Against Sexual Exploitation Act

• 1982: New York v. Ferber – Upholding state law banning child pornography

• 1984: Child Protection Act (prohibiting non-commercial distribution)

• 1992: Jacobson v. United States – Postal Service entrapment

• 2000: Poehlman v. United States – FBI entrapped defendant after lengthy email correspondence



17

Digital Production of CP

• Scanners• Digital Cameras (still and

video)• Cameraphones (dumb and

smart)• Web camswww.FrederickLane.co


gest.com

18

Digital Distribution of CP

• One-to-One• Sneakernet• E-mail / Personal File-Sharing• Instant Messaging / Chat Rooms

• One-to-Many• Newsgroups and Forums• Peer-to-Peer Networks• Torrent Networks / File-Hosting• Underground Web Sites



19

Digital Consumption of CP

• Producer of CP may be in possession without having “received” it

• Defendant may be in “receipt” of CP without “knowingly” possessing it

• The challenges of determining “intentionally” and “knowingly” in the context of Internet activity



20

Societal Changes• Computers and the

Internet• The Democratization of

Porn Production• “Porn Chic”• The “Selfie”www.FrederickLane.co


gest.com

End of Section Two



22

Digital Investigations

• Discovery of Possible Child Pornography

• The Role of IP Addresses• Intro to Computer

Forensics



23

Discovery of Possible CP

• Angry Spouse or Girlfriend• Geek Squads• Chat Rooms• Hash Flags• P2P and Torrent Investigations• Server or Payment Logswww.FrederickLane.co


gest.com

24

Overview of IP Addresses

• Assigned to Every Internet-Connected Device

• Two Flavors:• IPv4: 196.172.0.1• IPv6:

2001:0db8:85a3:0042:1000:8a2e:0370:7334

• Leading to “Internet of Things”www.FrederickLane.co


gest.com

25

IP → Physical Address

• Ranges of IP Addresses Assigned to ISPs by Internet Assigned Numbers Authority

• Online Tools to Look Up ISP• Dynamic vs. Static• Subscriber Records Show Date,

Time, IP Address, Limited Activitywww.FrederickLane.co


gest.com

26

Limitations of IP Addresses

• Links Online Activity to Device, Not Necessarily a Specific User

• Data May Not Be Available from ISP

• Possibility of War-Dialingwww.FrederickLane.co


gest.com

27

Intro to Computer Forensics

• Increasingly Specialized• Forensics Procedures• Forensics Software• A Typical Forensics

Reportwww.FrederickLane.co


gest.com

28

Increasingly Specialized

• Computer Forensics• Windows• Mac OS• Linux

• Network Forensics• Mobile Forensics• Dozens of Mobile OSs• Hundreds of Models

• Cloud Forensics• Many Questions, No Clear Answers



29

Forensics Procedures

• Field Previews• Mirror Images • Hash Values• Staggering Amounts of Data• Chains of Custody• 2006: The Adam Walsh Actwww.FrederickLane.co


gest.com

30

A Typical Forensics Report

• There should be at least two reports:• Acquisition• Evaluation of Evidence

• Bowdlerized• Detailed procedures• Hash value checks• Bookmarks of possible contraband• Evidence of user IDwww.FrederickLane.co


gest.com

End of Section Three



Hash Values & Image Integrity

• Not Your Mother’s Hash

• The Role of Hash Values in Computer Forensics

• The Growing Use of Hash Flags

• P2P Investigations Using Hash Values



Not Your Mother’s Hash

• Cryptograhic Hash Values• Relatively Easy to Generate

• Extremely Difficult to Determine Original Data from Hash Value

• Extremely Difficult to Change Data without Changing Hash

• Extremely Unlikely that Different Data Will Produce the Same Hash Value



Complex Explanation (1)

• The word DOG can be represented in different ways:• Binary: 010001000110111101100111• Hexadecimal: 646f67

• A hash algorithm converts the hexadecimal value to a fixed-length hexadecimal string.• SHA-1:

e49512524f47b4138d850c9d9d85972927281da0

• MD5: 06d80eb0c50b49a509b49f2424e8c805



Complex Explanation (2)

• Changing a single letter changes each value.

• For instance, the word COG produces the following values:• Binary: 010000110110111101100111• Hexadecimal: 436f67• SHA-1:

d3da816674b638d05caa672f60f381ff504e578c

• MD5: 01e33197684afd628ccf82a5ae4fd6ad



Simple Explanation

Oatmeal-Raisin Cookies

Oatmeal-Chocolate Chip Cookieswww.FrederickLane.co


gest.com 36

Evidence Integrity

• Acquisition Hashes

• Creation of Mirror Images

• Verification of Accuracy of Mirror Images

• Use of “Known File Filter”

• Hashkeeper

• National Software Reference Library

• NCMEC CVIP Databasewww.FrederickLane.co


gest.com 37

Growing Use of Hash Flags

• Child Protection and Sexual Predator Act of 1998

• 2008: ISPs Agree to Block Access to Known Sources of CP and to Scan for NCMEC Hash Values

• SAFE Act: Requires ISPs and OSPs to Turn Over Subscriber Info If Known CP Is Identified



P2P Hash Values• Basic Operation of Peer-to-

Peer Networks

• Decentralized Distribution

• Gnutella and eDonkey

• Client Software

• Hash Values Associated with Each File



Automated P2P Searches

• “Peer Spectre” or “Nordic Mule” Scans for IP Addresses of Devices Offering to Share Known CP Files

• IP Addresses Are Stored by TLO in Child Protection System

• Officers Conduct “Undercover” Investigations by Reviewing Spreadsheets of Hits in CPS



Growing Defense Concerns

• No Independent Examination of Proprietary Software

• Very Little Information Regarding TLO or CPS

• Peer Spectre May Generate False Hits Due to Normal Operation of P2P Clients

• Search Warrant Affidavits Fail to Mention Role of TLO or CPS



End of Section Four



43

Defending CP Cases

• Determining Age of Person Depicted

• Pre-Trial Issues

• Trial Issues

• Typical Defenses in CP Cases [Some More Viable than Others]



44

Determining Age• Is expert testimony need?

• Tanner Stage: Outmoded?

• Role of environmental factors

• Bait and switch

• Defendant’s subjective belief is irrelevant

• Prosecutors prefer clear caseswww.FrederickLane.co


gest.com

45

Pre-Trial Issues• Retaining a Defense Expert• Deposition of Government

Experts• Motion(s) to Produce• Motion(s) to Suppress or

in liminewww.FrederickLane.co


gest.com

46

Trial Issues

• Should There Be a Trial?• Motion(s) in limine• Cross-Examination of

Government Expert



47

Typical Defenses (1)

• Lack of Possession or Receipt• Mere Browsing• The Phantom Hash

• Accident or Lack of Intent• Ignorance or Mistake as to Age• Not a Real Child / Morphed /

Computer-Generatedwww.FrederickLane.co


gest.com

48

Typical Defenses (2)

• Multiple Persons with Access to Device

• Used Equipment with Pre-Existing CP

• Viral Infection• Planting of Evidence by Spouse or

Police• Entrapmentwww.FrederickLane.co


gest.com

End of Section Five



The Ethics of Client Data

• Client Data in the Office

• Client Data in the Home

• Client Data in the Cloud

• Client Metadata

• CP-Specific Issueswww.FrederickLane.co


gest.com 50

Client Data in the Office

• Physical Security• Locks

• Supervision of Visitors

• Electronic Security• Logins and Passwords

• Screensavers

• Authorized Users

• Backup(s)www.FrederickLane.co


gest.com 51

Client Data in the Home

• Should It Even Be There?

• How Does It Get There?

• Physical Security

• Encryption?

• Who Has Access to the Device(s)?



Communicating with Clients

• Is It Ethical to Use E-Mail?

• Understanding How E-Mail Works

• Ethics of Automatic Robot Scanning

• Is HTTPS Sufficient?

• Secure E-Mail Alternativeswww.FrederickLane.co


gest.com 53

Client Data in the Cloud

• Brief Overview of Types of Cloud Services

• The Ethics of Cloud Storage

• The Ethics of Cloud Collaboration

• Discovery in the Cloudwww.FrederickLane.co


gest.com 54

The Ethics of Metadata

• What Is Metadata?

• Who Knows What Metadata Lurks in a File?

• Don’t Accidentally Release Metadata

• Can I Use Someone Else’s Accidentally-Released Metadata?

• Should I Affirmatively Ask for Metadata During Discovery, and Can I Get It?



CP-Specific Issues

• Rule #1: Do Not Obstruct Justice

• Rule #2: Minimize Handling and Isolate Device(s)

• Rule #3: If Identifiable Victim, Review Mandatory Reporting Requirements [Ind. Code § 31-33-5-1]

• Rule #4: Never Re-Distribute

• Rule #5: Hire an Expert



End of Section Six



58

Slides and Contact Info

• Download a PDF of slides from:

SlideShare.net/FSL3• E-mail or Call Me:

[email protected] 802-318-4604



Digital Forensics andChild Pornography

Federal Defenders Program, D. Ind. (N.D.)

Plymouth, IN18 December 2013

Frederick S. Lane



2013-12-18 Digital Forensics and Child Pornography (inc. 1 hour ethics)

Education

digital image

child pornography cases

computer image

child pornography frederick

spread of child pornography

explicit conduct

visual depiction

digital forensics