RE: Computer forensics to uncover illegal internet use

["dave kleiman" <dave () isecureu com>]

Jason,

Remember I have the utmost respect for you and have valued your opinion on
many occasions, but I have to disagree here on several points.




> Dave, Edmond, and Jason,
>
> How many times have you worked on, or been involved
> indirectly as a consultant in, real-world criminal cases or
> corporate investigations that involve child pornography
> offenses where the evidence is obtained entirely from
> computer hard drives and server log files?

Very many actually, you are more than welcome to check with the local DA and
Computer Crimes offices. I am also a FDLE certified LEO.


> Attempting to give the hard drive to the company's attorney
> guarantees that attorney-client confidentiality is created
> with respect to the hard drive and the entire incident,
> whether or not the attorney advises that it is necessary, in
> the situation at hand, to report the incident to law
> enforcement. It also forces the attorney to contemplate more
> fully just what the proper response is to the situation. You
> do not want, under any circumstances, the hard drive to be in
> any person's possession, or for there to be any way for the
> company's possession of the drive to result in particular
> individuals being associated with that ownership -- certainly
> not the original employee who was supposedly the one who had
> 'exclusive control or access' -- because the truth is that
> nobody knows whether that employee was the one who had
> exclusive control, and it is always the case that the
> employee was not the only person to have potential access.
> If you report this incident to law enforcement, you become
> one of the potential persons who could have done whatever it
> is that the computer shows somebody might have done.
>
> If you think your computer expertise or the expertise of any
> 'computer forensic' expert can distinguish between actions of
> particular human persons and actions of other persons or
> actions of spyware or third-party intruders who gained
> control over the computer, you are badly confused and very mistaken.
>
> The proper legal advice in different jurisdictions varies.
> The proper incident handling advice does not vary.
>
> Before you contact any law enforcement agency, before you go
> any further with any investigation, as soon as you see that
> there is reason to believe one of the computers used by a
> company employee may have acted to download child
> pornography, you isolate and contain and ensure custody of
> the potential evidence by the company and only the company.
> These are official company actions carried out by authorized
> employees, and the company is already in possession of its
> own equipment and the data stored thereon. You then wipe the
> drive as soon as possible, without investigating further, and
> if possible without doing any data backup from the drive, or
> if you must access the drive to backup company data, do so
> with care not to expose any employee to any potential
> contraband images, and do what you must to figure out what
> happened using only investigative techniques that have little
> or no chance of resulting in further access to child porn,
> wiping the drive only after confirming with the company
> attorney that this is the right thing to do (which you will
> not find out for sure unless you attempt to turn over the
> hard drive to the company attorney, who should refuse the
> offer unless the attorney knows of a reason in the
> jurisdiction in question for the attorney to receive the hard drive).

Handing the drive to, and conferring with the company attorney are two
different things.  You are almost making this sound like company attorneys
are exempt from the law??

If you found a pound of cocaine in the company lunch room, would you pick it
up and drive it to the company attorneys office? You might call the company
attorney, and say "what should I do?"  But, I do not think the attorneys
advice would be to "throw it in your car and drive it to my office." If you
happen to get pulled over on the way, I do not think you could convince any
LEO that you were just taking it to your attorneys office. Alternatively,
they might let you finish your journey there, and wait for you to hand it to
the attorney and arrest both of you?!?

There is no difference contraband is contraband, the attorney-client
privilege is not created nor extended to the hard drive, it is extended
between you and your attorney.



> As for the statement that “posses the contraband without the
> investigating law enforcement agency being present” -- that
> is so completely wrong as to be absurd and dangerous.

Once the evidence is in the LEAs possession, this is absolutely the
procedure.  If you had a lot of experience with this, as you stated, you
would know that when you go to an evidence room and do an image of a
contraband drive, let us say for arguments sake you are working for a
defense attorney.
You bring a drive to do an image, you have to do your examination there, if
you want to leave the imaged info on it, your imaged drive now stays in the
evidence room.  The defense attorney would have to come there to view the
images, or the LEO would bring it to them, but they would not leave I there
with them.


> The people whose advice you take in the next couple of weeks,
> Edmond, will determine whether you ruin one or more innocent
> persons' lives, possibly destroy your company, your career,
> the careers of others, trigger suicides or murders, and in
> other ways that you cannot anticipate and may have difficulty
> believing possible, become caught in a life-destroying mess
> of bad statutes and very badly misguided people who think
> they're doing their jobs but are actually just incompetent,
> careless, and self-serving.
>
> You cannot follow the interesting and useful technical advice
> offered by the other persons on this list -- they are
> mistaken, badly, to give you tips on how to engage in child
> pornographic investigations. You cannot, and you must not, do
> any investigations, and you must do everything in the
> company's considerable power to ensure that nobody else does, either.


You sure are quick to claim someone is innocent, and you may ruin their
lives.  Alternatively, could someone be destroying the lives of young
children??

Transporting it to anyone or sitting on the contraband while deciding what
to do is the main part in either of your e-mails I disagree with.

Personally I believe in calling an LEA immediately to report it, as opposed
to immediately wiping it upon discovery, but that is my personal opinion.


> However, because somebody else (most importantly, law
> enforcement) may already be investigating without your
> knowledge, and because you may be in possession of evidence
> that would prove reasonable doubt of the accused's guilt, you
> must attempt to get every bit of data (the so-called
> 'evidence') from the suspect's hard drive preserved
> forensically and in the custody of the company attorney.


> Do so 'after' you wipe the drives -- you need to seriously
> consider the value of keeping logs of your actions which
> reflect the fact that you wiped the drive AND THEN gave the
> drive to your company's attorney.
>
> Ask your company's attorney... He may tell you that your
> company's best course of action is to purposefully falsify
> the record of the company's response to the incident. The
> company is not legally obligated to keep accurate records of
> such things, after all, and with a company record showing the
> drive was wiped and the physical device is now in the custody
> of the company attorney, the company is able to prevent ANY
> loss of control over the situation in the event that the
> company's duty to protect its employee's interests end up in
> conflict with law enforcement's desire to aggressively
> prosecute somebody because they were at some point in time
> associated with or in proximity to a hard drive that was
> suspected to have contained, if only temporarily,
> circumstantial evidence of a crime.
>
> If you do not understand by now just how screwy this whole
> mess is, in the real world, and how uncertain things are in
> your situation, then nobody can help you, or your company, or
> the accused person, and you're all doomed to whatever outcome
> the local law enforcement, prosecution, and courts decide for you...
>
> ... All because one of your Windows computers got a spyware
> infection and some spammer who runs a porn business caused
> some Web pages to be requested and perhaps some pop-ups or
> pop-unders to occur.


Obviously you have dealt with some poor LEAs.  The ones I have dealt with
have always checked for spyware and things of that nature and have dropped
many cases because of it.  Further, they do not run in and arrest somebody
because an IT person found child porn on a computer.  First, they do a
thorough investigation, then decisions are made.



Regards,

Dave


> Good luck. You need it.
>
> Jason Coombs
> jasonc () science org
>
> -----Original Message-----
> From: "dave kleiman" <dave () isecureu com>
> Date: Tue, 30 Aug 2005 22:33:02
> To:<security-basics () securityfocus com>
> Cc:"'Jason Coombs'" <jasonc () science org>,       "'Edmond
> Chow'" <echow () videotron ca>,       "'Beauford, Jason'"
> <jbeauford () EightInOnePet com>
> Subject: RE: Computer forensics to uncover illegal internet use
>
> Jason,
>
> Even an attorney, District Attorney, or the doctor who
> verifies the evidence as child pornography, may not view or
> posses the contraband without the investigating law
> enforcement agency being present.  They are still bound by
> the same "possession of contraband" law.
> Therefore, the immediate contacting of an LEA is the only
> proper real resolve. Turning it over to the company attorney
> would be possession and distribution of contraband a definite no-no.
>
> However, just as if you found a bag of drugs on the ground,
> you have no obligation to report it, but picking it up and
> playing with it is ill-advised.
>
> Nonetheless, if you simply saw what you thought was child
> pornography, and you stopped and wiped the system you would
> technically be ok, since it takes a doctors examination to,
> for the courts, say it truly is/was child pornography.
>
>
> Dave
>
>
> > -----Original Message-----
> > From: Jason Coombs [mailto:jasonc () science org]
> > Sent: Tuesday, August 30, 2005 19:14
> > To: Edmond Chow; security-basics () securityfocus com; Beauford, Jason
> > Subject: Re: Computer forensics to uncover illegal internet use
> >
> > Edmond,
> >
> > You cannot 'investigate' viewing of child pornographic material
> > without violating the very same laws that you are informed may have
> > been violated by the employee of your company who stands accused.
> >
> > You must stop your work immediately. Do not begin your work if you
> > have not already, and get your company to turn the hard drive and
> > other details over to the corporate attorney.
> >
> > What you must understand is that certain persons have a legal
> > obligation to report any finding of evidence of child
> pornography, but
> > that your company and its employees, in the employees' professional
> > capacity, may not have an obligation to report to law enforcement.
> >
> > The company is typically allowed to simply wipe the hard
> drive of any
> > computer that may have been used to view child pornography,
> and take
> > whatever internal disciplinary action it deems appropriate with
> > respect to the accused employee.
> >
> > Only your company's attorney can guide you properly, and you are
> > completely wrong to want to investigate this yourself.
> >
> > Your company's attorney should advise you that the best
> thing to do is
> > wipe the drive, and get on with the business that you are in.
> >
> > If you report this to law enforcement, the employee WILL go
> to prison.
> > Innocent or not.
> >
> > If the employee goes to prison and is innocent, or is even accused
> > publicly and is innocent, and eventually finds a way to prove his
> > innocence, your company will be sued. The employee will win the
> > lawsuit. Your company may go out of business over its improper
> > handling of this incident.
> >
> > Please feel free to contact me directly to discuss this
> matter in more
> > detail. This is an area of criminal computer forensics with which I
> > have much experience.
> >
> > Sincerely,
> >
> > Jason Coombs
> > jasonc () science org
> >
> > -----Original Message-----
> > From: Edmond Chow <echow () videotron ca>
> > Date: Tue, 30 Aug 2005 10:27:24
> > To:security-basics () securityfocus com,       "Beauford, Jason"
> > <jbeauford () EightInOnePet com>
> > Cc:Edmond Chow <echow () videotron ca>
> > Subject: RE: Computer forensics to uncover illegal internet use
> >
> > Good morning Jason,
> >
> > Thank-you to you and all who responded to me with their
> ideas.  I am
> > wondering if there are any reference books available that
> would guide
> > me through an investigation of this sort?  I am dealing with a case
> > involving the viewing of child pornographic websites so I
> want to be
> > careful to follow reference guidelines of some sort so that I don't
> > end up in jail myself!
> >
> > Any help that you can provide in the form of links to
> articles and/or
> > books on this subject would be greatly appreciated.
> >
> > Regards,
> >
> >
> > Edmond
> >
> >
> > -----Original Message-----
> > From: Beauford, Jason [mailto:jbeauford () EightInOnePet com]
> > Sent: Tuesday, August 30, 2005 8:50 AM
> > To: Edmond Chow; security-basics () securityfocus com
> > Cc: Edmond Chow
> > Subject: RE: Computer forensics to uncover illegal internet use
> >
> >
> > Check out INDEXVIEW.exe.  Internet explorer writes a history of all
> > visited sites to a file labeled INDEX.DAT.  This file is usually
> > hidden.
> > Most end users are not bright enough to research thoroughly
> and will
> > not delete this file.  If they use Internet Explorer as
> their Browser,
> > then find this file and you will have your proof.  Download
> INDEXVIEW
> > here => http://superwebsearch.com/dwl/IndexView.exe
> >
> > Additionally, SecurityFocus has a great article which
> describes what
> > you want to do:
> >
> > Part 1 (for IE):  http://www.securityfocus.com/infocus/1827
> >
> > Part 2 (for Firefox) http://www.securityfocus.com/infocus/1832
> >
> >
> > Good Luck.
> >
> >
> > JMB
> >
> >      =|   -----Original Message-----
> >      =|   From: Edmond Chow [mailto:echow () gettechnologies com]
> >      =|   Sent: Friday, August 26, 2005 7:23 PM
> >      =|   To: security-basics () securityfocus com
> >      =|   Cc: Edmond Chow
> >      =|   Subject: RE: Computer forensics to uncover illegal
> >      =|   internet use
> >      =|
> >      =|
> >      =|   Dear List,
> >      =|
> >      =|   I'm working on the following project and would
> >      =|   appreciate your views:
> >      =|
> >      =|   I have been tasked with finding out if a certain
> >      =|   desktop computer was used to view pornographic sites
> >      =|   on the internet.  This user has gone to great lengths
> >      =|   to try to mask his illegal activities by erasing
> >      =|   cookies, temp.
> >      =|   files and by installing anti-spyware software on his
> >      =|   computer.  Are there any tools that would allow me to
> >      =|   still uncover proof that he had accessed these sites?
> >      =|    So far, the tech department is telling me that he
> >      =|   did access illegal sites on only two dates but I
> >      =|   suspect that this illegal activity started many
> >      =|   months or years ago and it will be up to me to find
> >      =|   more proof.
> >      =|
> >      =|   Also, at a network level, we know his IP address but
> >      =|   yet my technical support department is telling me
> >      =|   that they cannot (either because they don't want to
> >      =|   or because they are not technically capable of) tell
> >      =|   me what internet sites this IP address has accessed
> >      =|   in the past.  Logically, there must be a point in the
> >      =|   network (on some piece of hardware) where I can
> >      =|   consult log files to track his activities?  Or, is
> >      =|   there a log file that I can consult that will tell me
> >      =|   what sites all my users have accessed and from what
> >      =|   IP address?
> >      =|
> >      =|   In terms of access to the desktop in question, I will
> >      =|   have full access as the computer will be in my
> >      =|   possession in the coming days.
> >      =|
> >      =|   Thank-you and any help that you can provide would be
> >      =|   most appreciated.
> >      =|
> >      =|   Regards,
> >      =|
> >      =|
> >      =|   Edmond
> >      =|
> >      =|
> >      =|
> >      =|
> >
> > --
> > No virus found in this incoming message.
> > Checked by AVG Anti-Virus.
> > Version: 7.0.344 / Virus Database: 267.10.17/84 - Release
> > Date: 8/29/2005
> >
> > --
> > No virus found in this outgoing message.
> > Checked by AVG Anti-Virus.
> > Version: 7.0.344 / Virus Database: 267.10.17/84 - Release
> > Date: 8/29/2005