Security Basics mailing list archives
Re: Computer forensics to uncover illegal internet use
From: "Jason Coombs" <jasonc () science org>
Date: Wed, 31 Aug 2005 22:44:33 +0000 GMT
Yes, of course this is governed by the rules of evidence for the jurisdiction they are in.
And governed by common sense, hopefully. If the persons are acting in their official capacity in their position within the business, they cannot be prosecuted as individuals -- the company can be prosecuted, but the person cannot, even if a person is the one who gives a copy to corporate counsel, or to a supervisor, or in some other way complies with a stated or an implied chain of command or company incident response policy and in so doing literally violates a criminal statute. The company can't be imprisoned, and the person was doing the company's reasonable business, so no worries. As long as the actors do not take actions that fail the 'reasonable company' test or perhaps better stated as the Reasonable Corporation Test. (Yes, I have just coined a term, and a terrible one -- applying the 'reasonable person' test to a business even further attribute the quality of being a 'person' to a corporation pursuant to the 14th Amendment.) Disagree with my assertion, if you wish. You won't find a statute, presently, that makes this clear -- but I have been told recently that the U.S. Attorney General is about to give a written opinion clarifying this very topic for everyone. The opinion is reportedly going to include an explicit statement that corporations do not have a duty to report in the case of child pornography offenses. It is important to understand that non-corporations (other business entities, especially sole proprietorships) may actually have individual criminal liability exposure for a variety of people (such as the sole proprietor herself) even for circumstances in which a corporate entity and its employees would not. Also, in the case being dicussed, as in most cases of alleged employee actions at work using a computer owned by the employer, nobody has actually seen the alleged contraband. There may be good reason to fear it is present on the drive, but suspicion or feelings of a vigilante duty must not be allowed to interfere with our proper response, which is to consider the precise circumstances that brought the matter to our attention, A very important and interesting discussion. Hopefully it has guided Edmond sufficiently. (It hasn't been pointed out before, but it appears that Edmond is located in Canada where everything is quite different from this U.S.-centric discussion) Best, Jason Coombs jasonc () science org -----Original Message----- From: "dave kleiman" <dave () isecureu com> Date: Wed, 31 Aug 2005 17:18:51 To:"'Jason Coombs'" <jasonc () science org>, <security-basics () securityfocus com> Cc:"'Edmond Chow'" <echow () videotron ca>, "'Beauford, Jason'" <jbeauford () EightInOnePet com>, <tobin.craig () va gov> Subject: RE: Computer forensics to uncover illegal internet use Jason, Now that sounds more like you, and I could not agree more. I was just a little a little concerned with the passing of the "contraband" and the fudging the logs theory. Yes wipe and go on could be a plausible option, as long as they stop and go no further. However, if they get involved in making copies of it and passing it around to whomever (attorney etc.), they have already begun an investigation and began handling the contraband. My vote is stop and wipe, or stop and call the proper authorities. Yes, of course this is governed by the rules of evidence for the jurisdiction they are in. Best regards, Dave
-----Original Message----- From: Jason Coombs [mailto:jasonc () science org] Sent: Wednesday, August 31, 2005 17:06 To: dave kleiman; security-basics () securityfocus com Cc: 'Edmond Chow'; 'Beauford, Jason'; tobin.craig () va gov Subject: Re: Computer forensics to uncover illegal internet use dave kleiman wrote:You bring a drive to do an image, you have to do your examination there, if you want to leave the imaged info on it, your imaged drive now stays in the evidence room. The defense attorney would have to come there to view the images, or the LEO would bring it to them, but they would not leave I there with them.Dave, Nice response. You are correct, of course, that this is how many jurisdictions prefer that things be done. The prosecutor and law enforcement do try to follow their own rules once they confiscate potential contraband. I am glad to see Tobin Craig cite Title 18, USC 2252, as it now stands, having been modified by COPPA, etc. in recent years. It is very important to understand what Federal law requires of you in order to avoid prosecution for what has already been done. However, as Tobin acknowledges in his e-mail, he is unaware that Corporations are treated completely differently than are natural persons with respect to the child porn statutes. If not for the possibility that the worker whose computer is at-issue may have had their identity stolen or in some other fashion been framed by the actions of a third-party, such that the hard drives in the computer are potentially the only source of evidence to prove reasonable doubt of the person's guilt, it would ALWAYS be the proper course of action for the company to wipe the drive and go on with business as usual, without reporting to law enforcement. Where much of the discussion thus far has also been mistaken is in presuming that all jurisdictions operate according to the same rules and procedures once potential contraband is confiscated. This discussion deserves additional attention, for the very reason that the behavior of various persons on all sides of this struggle, and in many respects the very statutory language itself, are outrageous and are ruining lives of people who are in fact victims -- much the way that the original child abuse that became the contraband child pornography harmed an innocent child. If only persons as well-informed and concerned with the pursuit of truth, such as Mr. Craig, were more often involved in advising law enforcement and participating in decisions to prosecute individual cases. And if only more corporations were aware that their own failures to protect their employees' Windows computers from spyware and other security threats are placing workers at undue risk of criminal prosecution for doing nothing other than their jobs. Sincerely, Jason Coombs jasonc () science org
Current thread:
- RE: Computer forensics to uncover illegal internet use, (continued)
- RE: Computer forensics to uncover illegal internet use dave kleiman (Aug 31)
- RE: Computer forensics to uncover illegal internet use Robinson, Sonja (Aug 30)
- RE: Computer forensics to uncover illegal internet use Robinson, Sonja (Aug 30)
- RE: Computer forensics to uncover illegal internet use Robinson, Sonja (Aug 30)
- Re: Computer forensics to uncover illegal internet use Jason Coombs (Aug 30)
- RE: Computer forensics to uncover illegal internet use dave kleiman (Aug 31)
- Re: Computer forensics to uncover illegal internet use Micheal Cottingham (Aug 31)
- RE: Computer forensics to uncover illegal internet use McKinley, Jackson (Aug 31)
- Re: Computer forensics to uncover illegal internet use Jason Coombs (Aug 31)
- RE: Computer forensics to uncover illegal internet use dave kleiman (Aug 31)
- Re: Computer forensics to uncover illegal internet use Jason Coombs (Aug 31)
- RE: Computer forensics to uncover illegal internet use Craig, Tobin (OIG) (Aug 31)
- Re: Re: Computer forensics to uncover illegal internet use jbreci (Aug 31)
- RE: Computer forensics to uncover illegal internet use dave kleiman (Aug 31)