FROM THE BENCH: IMAGES RETRIEVED FROM TEMPORARY INTERNET FILES VITAL TO GOVERNMENT CASES
In a recent set of decisions, computer forensic investigators recovered child pornography images stored in the temporary Internet files of the defendants' computers. The investigators' analysis and testimony played a vital role in convicting each defendant.
* * *
In United States v. Sanchez, 59 M.J. 566 (A.F.Ct.Crim.App. 2003), a federal appellate military
judge determined that the government produced sufficient evidence to prove that the Defendant
knowingly possessed child pornography images stored in his computer's temporary Internet files.
The Defendant argued that he was not responsible for possession of the images because the
computer automatically saved them in temporary Internet files. Therefore, he could not have
"knowingly" or "meaningfully" possessed these files.
Upon reviewing the methods the government used to search the Defendant's computer, the court
rejected the Defendant's position. After making a mirror image of the computer's hard drive,
investigators completed a "physical level search" and a "logical level search" of the computer. In
the physical level search, investigators used a software program not available commercially to
uncover remnants of files that were overwritten or deleted from the hard drive. The investigator
found that the presence of the images on the hard drive was consistent with someone viewing
them on the Internet and the images then being automatically saved to the hard drive by the web
browser.
Next, using a logical level search, investigators looked at the directory structure on the computer
itself, much like one would search a filing cabinet. The computer forensic investigator testified
that average users of the computer would have been able to see the files in the directory
structures, and then open and view the files by clicking on the file name. Combining this with
evidence of the Defendant's subscriptions to nude teen Web sites, the court determined that the
evidence supported the allegation that the Defendant knowingly possessed the pornographic
images.
* * *
Similarly, in Commonwealth v. Simone, 2003 WL 22994245 (Va. Cir. Ct. Nov 12, 2003), the
court determined that the Defendant knowingly possessed three sexually explicit images of
juveniles found in the cache of his computer even though the images could have appeared on the
Defendant's computer screen as pop-ups for Web sites other than ones intentionally accessed or
manually downloaded by the Defendant.
The computer forensic investigator recovered the sexually explicit images from the computer's
directory cache, also known as temporary Internet files. The investigator testified that when
accessing a Web site, a computer operator normally cannot stop these images from being placed
in the cache; however, images must actually appear on the computer screen before they are
automatically placed in the cache. The investigator produced further evidence that the computer
operator conducted Internet searches using child pornography search terms.
The defense argued that the Defendant was not guilty of "knowing possession" because the
cached images could have possibly appeared on the Defendant's computer screen as pop-ups from
a Web site other than one intentionally accessed by Defendant. The court rejected the defense's
argument and determined that the Defendant exhibited knowing possession of the three child
pornography images contained in his computer's cache/temporary Internet files.

THE BRILL FILES: A NEW YEAR'S RESOLUTION, PRESENTED FOR YOUR
CONSIDERATION
*** Written by Alan Brill, Senior Managing Director for Kroll Ontrack,
The Brill Files reflect his work in the field with clients who have
encountered some not-so-pleasant events and what was done to remedy
the situation. With more than 25 years of consulting experience, Mr.
Brill has assisted organizations with a wide range of technology
security issues and is an internationally recognized speaker and instructor.***
I loved the original "Twilight Zone" series – the one where Rod Serling often ended the program
with the words "presented, for your consideration, from the Twilight Zone." Information security
can often seem like the Twilight Zone where mysterious, unseen forces conspire to make terrible
things happen. The reality is usually less about the Twilight Zone and more about that quote
attributed to the cartoon character Pogo Possum who once observed "We have seen the enemy,
and it is us!"
When your organization buys desktops, laptops, PDAs, and the like, they often come with
impressive security options. For example, some machines encrypt the entire hard drive unless the
right password is given, and a few devices now feature biometric authentication. Here's the issue:
When you buy these machines, who performs the security set-up? If it is the end user, you could
be in a position where the user has the only access codes for the machine. If the need arises to get
to the information without the cooperation of that person (who could conceivably be disgruntled,
the subject of an investigation, on vacation, or even deceased) you might find yourself out of
luck. At the very least, you are faced with a difficult and expensive computer forensics project to
pry your own information out of your own computer.
Don't let that happen. Every new machine should be configured by your Information Technology
(IT) staff. They should be the overall system administrators, with the end user only given the
authorities needed in the particular circumstances. In addition, the user should not have the power
to disable or otherwise interfere with your access to the device. Inevitably, a company that does
not make assured access to its computers a priority will suddenly find itself in a situation where
such access is vital.
One way to make sure that you have access is to require users to give the machines to the IT staff
on a quarterly basis for a preventive check up. They can use the occasion to be sure that all of the
software, including anti-virus solutions, is up to date, and it also discourages users from locking
out the administrative staff. Maintaining ultimate control over access to your own
machines is an important part of corporate governance, and does not have to be difficult to
accomplish. It just takes awareness and a bit of planning…presented for your consideration.
If you would like to explore the opportunity of
Alan Brill speaking at a conference you are supporting
or organizing, please contact Amanda Karls at
(952) 516-3637 or at akarls@krollontrack.com.
TECHNOLOGY YOU SHOULD KNOW: BEST PRACTICES MIRROR IMAGING
***As technology continues to play a larger role in litigation and
internal company investigations, lawyers and investigators are expected
to comprehend the inner workings of computers and how they relate to
any computer conduct at issue. ***
Computer forensic best practices require a complete bit-by-bit copy of the media under
investigation so that all activity occurring on the media is available in the investigation. Thus, the
first step in any computer forensic investigation is to create a mirror image of the target media.
What is a mirror image?
This imaging process utilizes proprietary or commercial imaging software to provide an exact
duplication or image of the data contained on the media. The snapshot is a perfect byte-by-byte
copy of the drive, including all of the unused and partially overwritten spaces—the nooks and
crannies where important evidence may reside.
The imaging process must be non-destructive to the data and should not require the operating
system to be turned on, ensuring that the system is not altered in any way during the imaging
process, thus preserving its evidentiary value. It is not commonly understood that the mere act of
booting a computer may damage critical evidence and may change metadata. Also, booting the
system may cause the hard drive to be written to with startup data in a way that may overwrite
information that would have remained more accessible if the boot did not occur.
Various software tools are available to a forensics investigator when completing a mirror image.
While there is no standard tool set in this emerging industry, some groups have attempted to
review current commercial tools. It is important to note that these studies do not include
proprietary imaging tools that are used by some more savvy computer forensics experts, police
departments, and government agencies.
http://www.ojp.usdoj.gov/ - National Institute of Justice's Computer
Forensic Tool Testing Project
http://www.scmagazine.com/scmagazine/2000_09/survey/survey.html - SC Magazine, Computer
Forensics Market Survey, September 2000
Why create a mirror image?
Performing computer forensic analysis on original media is undesirable and can be a grave
mistake in the electronic evidence industry given spoliation concerns. Investigators should make
an image whenever possible so that they can work on an exact duplicate of the media rather than
the original. Most often two copies of the original media are made. A copy of the media is made
for archival purposes and a copy of the copy is made for the investigator to use in his or her
recovery and analysis.
Wherever the imaging process may not accurately reproduce the original evidence, there may be
room to question the authenticity of the copy or image. At a minimum, mirror imaging requires
forensically sound software and knowledge of its use because both the client and its counsel can
be at risk for sanction if best practices imaging protocols are not followed.
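The two-copy workflow described above, as an added example that is not part of the original newsletter: it copies a source byte for byte into an archival image, makes the working copy from that archival image, and checks each copy against the source. Verification by SHA-256 hash is an assumption (the article names no verification method), and the file names, function names and sample media bytes are constructed for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so large media never sit in memory

def sha256_of(path):
    """Hash every byte of an image file (or raw device node)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()

def image(source, dest):
    """Copy source to dest byte for byte; return the hash of the bytes read."""
    digest = hashlib.sha256()
    # source is opened read-only; "xb" refuses to overwrite an existing image
    with open(source, "rb") as src, open(dest, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            digest.update(block)
            dst.write(block)
    return digest.hexdigest()

def acquire(source, workdir):
    """Archival copy from the source, working copy from the archival copy."""
    archival = os.path.join(workdir, "archival.img")
    working = os.path.join(workdir, "working.img")
    source_hash = image(source, archival)
    if sha256_of(archival) != source_hash:  # re-read what landed on disk
        raise ValueError("archival copy does not match the source")
    os.chmod(archival, 0o444)  # archival copy is never analysed directly
    image(archival, working)
    if sha256_of(working) != source_hash:
        raise ValueError("working copy does not match the source")
    return {"sha256": source_hash, "archival": archival, "working": working}

def demo():
    """Constructed sample media: live data, unused space, a deleted remnant."""
    with tempfile.TemporaryDirectory() as tmp:
        media = os.path.join(tmp, "media.bin")
        with open(media, "wb") as fh:
            fh.write(b"live file" + b"\x00" * 4096 + b"deleted remnant")
        rec = acquire(media, tmp)
        intact = sha256_of(rec["working"]) == rec["sha256"]
        with open(rec["working"], "r+b") as fh:  # analysis accidentally writes
            fh.write(b"X")
        altered = sha256_of(rec["working"]) != rec["sha256"]
        archival_ok = sha256_of(rec["archival"]) == rec["sha256"]
        return intact, altered, archival_ok
```

Recording the source hash at acquisition time gives a fixed value that any later copy can be compared against if its authenticity is questioned.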
KROLL ONTRACK NEWS AND EVENTS
KEN WITHERS PROMOTED TO JUDICIAL EDUCATION
POSITION AT FJC
Ken Withers, a very well-known writer and panelist on the
electronic discovery education circuit, is leaving his post at the
Research Division of the Federal Judicial Center and moving to the
Judicial Education Division. He will be devoted full-time to the
development of Internet-based distance learning programs for federal
judges. While he will remain the FJC's in-house expert on electronic
discovery and will be seen at a number of upcoming events in the
U.S. and Canada, he will spend the majority of his time in
Washington, D.C. producing educational programs on a wide range
of topics. He will also remain active in supporting the Advisory
Committee on Civil Rules of the Judicial Conference of the United
States in its ongoing discussion of discovery rules reform.
Maintenance of the "kenwithers.com" Web site, which contains a
number of articles and resource materials on electronic discovery, is
being turned over to independent consultant George Socha of
Minneapolis.
We hope to see you at some of the events listed below, where
representatives of Kroll Ontrack will be attending.
Visit http://www.krollontrack.com/upcomingevents/ for more information on these events and others.
KROLL ONTRACK REQUESTS YOUR INPUT
Our legal consultants, project managers, and technology
experts strive to stay on top of e-discovery law.
If you are aware of any additional local court rules
or new cases in this area of the law, please do not
hesitate to contact us by writing to mlange@krollontrack.com.
For more information about electronic discovery
and computer forensics services, contact Kroll Ontrack
at 1-800-347-6105 or www.krollontrack.com.