Investigating and Investigating and Litigating Computer Litigating Computer Evidence in Child Evidence in Child Pornography CasesPornography Cases

PEYTON ENGELPENGEL@HBSLAWFIRM.COM608.257.0945

AGENDAAGENDA

Media, Data, Metadata When to Contact an Expert What Can an Expert Do? Lifecycle of Digital Evidence:

Acquisition Preservation Analysis: system, network, application Presentation

Strategies Based on Practical Experience

MEDIA, DATA, METADATAMEDIA, DATA, METADATA

Media: the physical thing on which information is stored HDD, SSD, USB, CD/DVD, Floppy, Tape,

SD Card, etc…

Data: The information itself E-mail, documents, pictures, movies,

databases, etc…

Metadata: Housekeeping/Assistive info that accompanies the data Filenames, timestamps, EXIF data, etc….

EXAMPLE: COPYING A FILEEXAMPLE: COPYING A FILE

Dear Mr. Engel, Blah blah blah…

letter.txt 3/5/2014Dear Mr. Engel,

Blah blah blah…

letter.txt 11/20/2014

Same data, but different media and metadata

QUESTIONS ABOUT EACHQUESTIONS ABOUT EACH

Media: What kind(s) of machine(s)? How to store, preserve data?

Data: What do the files contain?

Metadata: How/when did the files get there? What has been done with the files?

HOW IT OFTEN BEGINSHOW IT OFTEN BEGINS

Charging documents with multiple counts

Affidavits with both technical information and narrative

Maybe some preliminary reports or other supporting data (“offense-specific graphics”)

TALK WITH AN EXPERT ASAPTALK WITH AN EXPERT ASAP

Digital evidence only accumulates More artifacts get found Deeper analysis gets done

Need to develop a theory of the case That’s not CP That’s CP, but it’s not mine That’s CP, and it’s my computer, but

I didn’t know about it Help decide about disposition,

timeline

HOW AN EXPERT CAN HELP HOW AN EXPERT CAN HELP EARLY ONEARLY ON Review the charging documents

Evaluate the state’s position Look at the warrant

Spot and explain technical issues In the evidence In the client’s story

Suggest a plan: answer open questions, find needed proof What to seek When and how to get it

LIFECYCLE OF DIGITAL LIFECYCLE OF DIGITAL EVIDENCEEVIDENCE Acquisition

Obtaining materials in a sound manner

Preservation Making sure things don’t change when

we’re not looking

Analysis Figuring out what it all means

Presentation Persuading a non-technical audience

ACQUISITION/COLLECTIONACQUISITION/COLLECTION

Create a copy of the evidence without altering it Write-blockers Previewing

Ensure that the copy is accurate Use hashing functions to make the

image verifiable/tamper-evident This calls for a brief digression into

scary math cryptography

Hash Functions

One-Way Functions Like a Magic Machine

Hard Disk Copy of Hard Disk

MD5 (hash algorithm)

If the results match, the inputs must have been the same.

QUESTIONS ABOUT QUESTIONS ABOUT ACQUISITIONACQUISITION Why were the materials seized? Did anyone do anything to the

evidence before making the image? Was there any previewing? Did investigators record the system

time when they made the image? Did investigators:

Seize anything they shouldn’t have? Neglect to grab anything of interest?

(phone, iPod, tablet, USB drives, etc…)

SSD STORAGE DEVICESSSD STORAGE DEVICES

Found in: tablets, phones, high-end laptops

Their contents change as they are used: no such thing as a write-blocker

An open problem in forensics Free shot at the analyst: can’t prove

the evidence is untainted Be wary if the evidence is yours

PRESERVATIONPRESERVATION

Usually just lock the evidence up All analysis will be done on the

forensic image Very little chance there will be

problems with this step But still, it’s good to review the

chain of custody Won’t win or lose the case, but a

maybe a chance to score a point

ANALYSISANALYSIS

Preliminary Report: the bare minimum needed to support charging “We found these files” Filenames, paths, timestamps

The main tools EnCase (state/local) FTK (federal) Cellebrite: for phones and tablets

ANALYSISANALYSIS

Spotting contraband via automation: KFF: Known File Filter (hashes of

known contraband) NCMEC: nationwide clearinghouse

Spotting contraband by hand: Sort by file type, review one by one Check unallocated space

Breadth of search: Signature matching

ANATOMY OF YOUR COMPUTERANATOMY OF YOUR COMPUTER

Peripherals

Operating System (Windows)

Applications

CPU (Intel x86)

WHATWHAT’’S GOING ON?S GOING ON?

Solving the problem of how to write programs that will run on computers in general

The Operating System starts and stops applications, and mediates interactions with hardware

Filesystem: The organizational scheme used by an operating system when writing information to media

ANALYSIS: A SIMPLIFIED ANALYSIS: A SIMPLIFIED FILESYSTEM FILESYSTEM MASTER FILE TABLE

Index Name Date and Timestamp Offsets1: picture.jpg 02/24/2014 15:03:16 0005530 01399482: letter.txt 03/05/2014 09:45:11 0139949 02331873: song.mp3 03/22/2014 11:39:01 0233188 0294472...

EXIF DATA, Picture data

Dear Mr. Engel,\n Blah blah blah…

ID3 tags, Music data

0005530

0139948

0139949

0233187

0233188

0294472

…

…

…

ANALYSIS: A SIMPLIFIED ANALYSIS: A SIMPLIFIED FILESYSTEM FILESYSTEM MASTER FILE TABLE

Index Name Date and Timestamp Offsets1: picture.jpg 02/24/2014 15:03:16 0005530 01399482: song.mp3 03/22/2014 11:39:01 0233188 0294472...

EXIF DATA, Picture data

Dear Mr. Engel,\n Blah blah blah…

ID3 tags, Music data

0005530

0139948

0139949

0233187

0233188

0294472

…

…

…

Deleted file’s metadata gone, but contents still present until overwritten!

ANALYSIS: FILESYSTEMANALYSIS: FILESYSTEM Typical timestamps:

Created Written Modified Accessed

Unallocated Space May have only partial files No date/time information

Applications may leak metadata History (“recent files”) Preferences

ANALYSIS: FILE ANALYSIS: FILE ((FoofusCropped.pngFoofusCropped.png))

FoofusCropped.pngC:\Users\Pengel\My PicturesCreated 10/29/14 11:03 AMWritten 10/29/14/12:23 PMModified 10/29/14 12:23 PMAccessed 10/31/14 1:38 PMSize: 1.46MB

Filesystem Metadata

Camera: iPhone 5 Dimensions: 1639x1452 pixelsColor Depth: 24Taken: 10/27/14 3:45 PM

File Metadata

ANALYSIS: WEB BROWSERANALYSIS: WEB BROWSER

Web Server

www.example.com

Web Browser

Internet Explorer

GET / HTTP 1.1\n\n

1. Browser goes to http://www.example.com

ANALYSIS: WEB BROWSERANALYSIS: WEB BROWSER

Web Server

www.example.com

Web Browser

Internet Explorer

2. Web server responds. In order to be able to recognize this particularweb browser in the future, the web server issues a piece of data to be included with subsequent requests.

3. The web browser stores the cookie, which contains the name of the web server, the date and time the cookie was issued, and maybe some

otherdata (usually just a big long number, but sometimes information aboutwhat the user was doing at the web site).

ANALYSIS: WEB BROWSERANALYSIS: WEB BROWSER

Web Browser

Internet Explorer

4. The web page contains graphics, which are highly complex comparedwith text, so the web browser stores them to keep them handy in they are needed again in a hurry (e.g., user clicks the back button)

Temporary Internet Files

5. Cached images accumulate as the user continues to browse. To keep track of them, the browser keeps a record of the user’s activity.

Index.dat

ANALYSIS: WEB BROWSERANALYSIS: WEB BROWSER

It is often possible to reconstruct a great deal about web usage patterns.

Common tools: Internet Evidence Finder (IEF) NetAnalysis

Extra Credit: what happens when you clear your web browser’s cache?

ANALYSIS: NETWORKINGANALYSIS: NETWORKINGHome Computing

Devices

Router

ISP

(AT&T, Charter, Time Warner,

Google Fiber, etc.)

The Internet

PublicPrivate

IP Address Blocks

Individual IP Address

PEERPEER--TOTO--PEER NETWORKINGPEER NETWORKING

File1.jpg

File2.jpg File1.jpg

File3.jpg

The Internet

• Computers connected to the Internet

• Sharing files (Ares, eMule, …)

• Law Enforcement

• RoundUp: searches for files, checks hash values (published for disambiguation)

PEERPEER--TOTO--PEER NETWORKINGPEER NETWORKING

File1.jpg

File2.jpg File1.jpg

File3.jpg

The Internet

• Get public IP addresses of target sharers

• Are they in our jurisdiction?

• Can we get a single-source download?

• Yay! Let’s go get a warrant and start booting in doors!

A TYPICAL INVESTIGATIONA TYPICAL INVESTIGATION

Find computers sharing suspected contraband on the Internet

Identify their physical location Get warrant and seize all computers

at that location Acquire and preserve their data Analyze file data (usually not

metadata)

WHATWHAT’’S MISSING AT THIS S MISSING AT THIS POINTPOINT…… How did the files get there? Did the defendant know about them? Did the defendant ever see them? Are they isolated incidents, or part of

a pattern? Are they from prior to April 2012? Did the warrant authorize the search

that was performed?

PRESENTATIONPRESENTATION

On direct, need a good explainer Balancing: accuracy, simplicity, credibility,

and stimulation Be wary of analogies Can your expert attend the state’s direct?

On cross, two paths: The state’s expert is wrong/not credible The state is right about the facts but not

what they mean Have a detailed script– the material can be

hard and the state’s expert is experienced

PRESENTATIONPRESENTATION

Generally not doing acquisitionOften need to explain

How web sites work How web browsers work How e-mail works How peer-to-peer file sharing works

You need your expert to Verify/falsify the state’s analysis Tell your story to the jury

THE CAST OF CHARACTERSTHE CAST OF CHARACTERS

The Primary Investigator Police, Sheriff, FBI Discover crime, seize evidence, swear

complaint Criminal Analyst

Usually state (but can be county, city, federal)

Make forensic image, perform analysis Prosecutor

Issue charges Try the case, if needed Probably hasn’t seen the evidence

WHY DOES THIS MATTER?WHY DOES THIS MATTER?

The Criminal Analyst is overworked Bare minimum needed to move along Poor or reactive communications with

prosecutor and investigator

Your advantage lies here You can know more about the

evidence than the prosecutor You can find it out earlier

RELATIONS WITH THE RELATIONS WITH THE ANALYSTANALYST The analyst is unlikely to be wrong

Their analysis may be incomplete They are biased, but helpful with

technical mattersWhere possible, establish rapport

They like to talk to people who understand them (i.e., your expert)

They are often frustrated with the other folks in the case

They can give you insight

REVIEWING THE EVIDENCEREVIEWING THE EVIDENCE

State vs. federal premises: paranoia State crime lab

Need to bring your own PC with EnCase or equivalent

Artificial economic and time limits May be worthy of 6A litigation

Key questions Are the files what the state claims? How and when did they get there? What has been done with them?

THE TYPICAL CASETHE TYPICAL CASE

Computer observed transferring known contraband (e.g., via Ares)

IP address traced to residence, warrant executed

Computer seized Target makes inculpatory

statements Charged with possession of a few

files

THAT PATTERN TELLS US THAT PATTERN TELLS US SOMETHINGSOMETHING Primed for prompt resolution

Slam-dunk evidence ICAC is churning these out

Potential repercussions to fighting They will seek and find additional

evidence Mandatory sentences

HIDDEN MESSAGE: the prosecutor and the analyst are not expecting to work hard or go to trial on possession of CP

THE NOTTHE NOT--SOSO--TYPICAL CASETYPICAL CASE

Materials discovered during computer repair

Materials discovered during contentious divorce

Materials discovered during investigation of something else

Basically, anything not gift-wrapped by ICAC…

WHEN YOU FIRST GET THE WHEN YOU FIRST GET THE CASECASE There has probably been only

cursory analysis You can get ahead of the other side The closer you get to trial:

More pressure on the Analyst to find something dispositive

More likely that additional evidence will come to light

Harder to get time with the evidence

WHAT MORE CAN THE STATE WHAT MORE CAN THE STATE DO?DO? Deeper review of seized media

Encrypted containers

More thorough inspection of metadata

Search “slack space” Seize other things and search them

Other home systems Systems at work In the cloud: ISP records, email, etc.

THOUGHTS ON STRATEGY IN THOUGHTS ON STRATEGY IN COURTCOURT Judge doesn’t like wasting time:

shift that to the prosecutor They won’t be ready on time Presenting the evidence is their

problem

“How big is that picture” No intrinsic physical size Why should the jury see things blown

up big?

MOTION PRACTICEMOTION PRACTICE

Nobody wants to be the judge who excluded the child porn evidence.

Your chance to educate: Prosecution: weaknesses in their case Judge: nature of the evidence

Talk to Rose Oliveto: she lost a motion, but in doing so got a great result

Ambush is unproductive: Nobody understands the evidence You want to frame the issues

JURIESJURIES

You may want Young, educated/techy, male People who spend lots of time online

You may not want Teachers or others who work with

children Physicians or people with medical

experience

EXAMPLEEXAMPLE

Image in “Temporary Internet Files” Who was using the computer? Where did it come from? What else was going on at that time? Was it specifically sought out? Was it ever even on the screen? Has the web site been revisited? Did the web page have disclaimers? Has the file been revisited?

WORKING WITH AN EXPERTWORKING WITH AN EXPERT

Expect more than one visit to review the evidence (follow-up questions)

Use the expert to help develop your cross of the state’s expert

Interact with the expert about the report

Make the state’s expert your ally They need to tell your story on cross They need to agree with your expert

YOU MADE IT TO THE END! YOU MADE IT TO THE END!

Thanks!Questions?