Security Basics mailing list archives

Re: Computer forensics to uncover illegal internet use


From: "Jason Coombs" <jasonc () science org>
Date: Fri, 2 Sep 2005 23:30:13 +0000 GMT

Tobin Craig (tobin.craig () va gov) wrote:
I have spent considerable time
researching and discussing with
lawyers your fantastic notion that
corporations are exempt from
reporting electronic crimes against
children.

What is this thing you believe in, an 'electronic crime against a child' ?

Are you even aware of the self-contradiction in your own position?

I understand the psychological conditioning that law enforcement and prosecutors experience that results in your sort 
of enthusiastic or zealous enforcement and application of law. To a great extent I admire those who undergo this 
conditioning, and value those persons who are willing to live under its effects in service of my safety and to protect 
and defend my rights.

However, it is my duty, as your employer, to make sure that you receive the mental health care that you need when you 
begin to believe in fantastic things such as these 'electronic crimes against children'.

Your intentions may be fine, but your reasoning is actually quite insane. An 'electronic crime against a child' ? 
Absolutely outrageous and patently absurd. There is no such thing.

Tobin Craig (tobin.craig () va gov) wrote:
Title 18, USC 3:  Accessory after
the fact.
"Whoever, knowing that an offense
against the United States has been
committed, receives, relieves,
comforts or assists the offender in
order to hinder or prevent his
apprehension, trial or punishment, is
an accessory after the fact."

You presume to deprive me of my right to wipe my hard drive because, in your expert opinion and in the legal opinion of 
some prosecutors, doing so causes me to violate Title 18, USC 3 - making me an accessory to your so-called 'electronic 
crime against a child' - and you are mistaken.

You fail to understand the very important distinction between merely suspecting that a crime may have been committed 
and actually KNOWING.

To violate Title 18, USC 3 you must actually know, not merely suspect, that an offense has been committed. You are 
wrong when you think that the mere presence of data on a hard drive proves to you, the trained computer forensic 
examiner, that a crime has occurred.

Seeing child porn may make you feel as though you have been assaulted, but that is your own subjective and purely 
emotional reaction, and does not prove anything to you. It does not cause you to KNOW that an offense has been 
committed. You may choose to report your suspicion, and the reasons for it, but you most certainly do not have any 
obligation pursuant to Title 18, USC 3 until and unless you actually KNOW.

Seeing digital content that you know perfectly well is not a live broadcast of an act in progress should not give rise 
to your feeling that you KNOW an offense has been committed.

A highly-trained and credentialed 'IT Forensic Director, Computer Crimes and Forensics' professional such as yourself 
should understand the difference, but you don't. Your technical training ignores this extremely important awareness and 
your personal bias coupled with the fact that you never work on behalf of the defense render you unable to know the 
difference between opinion and fact.

Seeing such pornography on a computer that you are responsible for maintaining or which you own may prove that somebody 
(e.g. a spyware operator, an intruder, or a porn purveyor, or Microsoft) has harmed you in some fashion. You are a 
victim both of your own emotional reaction to what you have seen, and your computers show that somebody has likely 
trespassed against you. The trespassing was electronic, but under law that is now a crime as well. Are you an accessory 
to the crime against yourself if you do not report it and attempt to press charges? No.

More to the point, you only have proof of your own wrongdoing: possession of contraband data. You are absolutely 
permitted to destroy that evidence, else you would be compelled to offer evidence against yourself in reporting your 
crime to law enforcement.

Perhaps, in your view, we need everyone, everywhere, to know, as soon as possible, that they do not have the right to 
wipe hard drives because the legislature has passed these laws, you see, and, well, some law enforcement people and 
some lawyers who law enforcement have spent considerable time talking with believe that it would be a violation of 
Title 18, USC 3 for either a natural person (or a person incorporate) to continue to exercise their property rights, or 
to enjoy any of their other Constitutional protections, when their property becomes an electronic crime scene where an 
electronic crime against a child may have occurred?

Do you believe that the government has the right to press every one of us into both a) self-incrimination, and b) the 
service of the State in enforcing its various criminal laws?

If you really have the depth of experience with the application of law in a courtroom as you imply, you will know that 
lawyers give educated opinions, but that they are still just opinions. You will get a different answer from the lawyers 
with whom you speak when you do a better job of explaining to them that their belief that some unconstitutional 
legislation that creates the fantastic notion of an 'electronic crime against a child' is both impossible, in reality, 
and misinformed, in practice. Make a better showing of fact on this important issue and you will hear a different 
educated opinion. You are literally hearing your own thoughts echoed back to you as legal opinion because you are 
failing to properly construct the argument you make in defense of your own rights.

I assure you that your lawyer friends are wrong, but what is more wrong is your own forfeiture of your rights because 
you choose to believe that they do not exist. When you phrase your questions to them presuming that you have no rights, 
well, you get the legal opinion and the answer that you deserve.

When my hard drive becomes contaminated with child pornography because of the actions of some third-party, I have two 
conflicting duties:

1) to clean my hard drive of the offensive material as soon as it is practical for me to do so, and,

2) to be careful not to recklessly endanger other persons by destroying the only evidence that may clear them of any 
potential accusations of wrongdoing, or by spawning an irrational witch hunt or a stampede where I know ahead of time 
that somebody will be hurt.

Because of #2, it is still the best decision for a company to image, encrypt, and store with counsel the hard drive 
images of concern.

No report should be made to any law enforcement agency.

A logged record of wiping the drive where the log entry is designed intentionally to mislead an unskilled reader, so as 
to conceal from casual observation the fact that the encrypted drive image was made and placed in storage before the 
drive was wiped, is absolutely the right decision to make.

Give me a subpoena and you will get the truth, and the hard drive images, and the decryption keys. Without a court 
order, you will get only a misleading log of a hard drive having been wiped during incident response.

If we live in a rational world, and if time permits, I would say that carefully wiping a drive image of all contraband 
images so as to preserve any potentially-valuable exculpatory evidence and so as to remove any fear of prosecution for 
allegedly possessing or distributing the contraband would be the best approach. But, are we supposed to just accept the 
economic harm that such enormous time investment causes? I think not.

Furthermore, the law should not, in my opinion, be interpreted so as to actually encourage employees to spend dozens of 
hours looking at child porn on the job in order to wipe it selectively from retained drive images.

Despite your assertions to the contrary, every child porn statute that I have reviewed in a variety of jurisdictions 
stops short of criminalizing the viewing of child pornography incidental to one's necessary job function or without the 
intent to possess the material or participate in commerce with another person surrounding the viewing, as for-pay.

Your suggestion that simply viewing child pornography outside the presence of law enforcement is a criminal offense, 
even for a defense attorney, is completely wrong.

However, as you have demonstrated, much better than I could have done, we actually live in an irrational world where 
law enforcement-affiliated persons such as yourself, and even full-fledged sworn LEAs, currently believe in fantasies 
like so-called 'electronic crimes against children' -- and worse yet, believe that the crime actually occurs over 
again, and is even committed automatically (by computers) every time contraband bits are copied or moved.

Tobin Craig (tobin.craig () va gov) wrote:
You have openly stated in this
forum that your position is to wipe
the drive which might otherwise be
used in the investigation of crimes
against children.

Yes. Wipe the drive. Any person who has any knowledge of this subject and any common sense would do the same. If you 
have any reason to believe that a real crime against a real child may have occurred or may be occurring, then you will 
obviously adjust your response accordingly.

If you actually believe that thumbnail child porn imagery downloaded from the Internet, and every occurrence of the 
electronic storage to a hard drive of any child porn digital imagery, constitutes another crime against a real child, 
then you will immediately take whatever steps you believe are appropriate to help apprehend a suspect. To do otherwise, 
given your belief, is probably an actual offense under Title 18 USC 3, as was claimed.

What? You say that this sounds rather like a self-fulfilling prophecy? Hmm... No matter, it's the law of the land.

Let the observer decide if they feel like there is such a thing as an electronic crime against a child, and if they 
believe there is one then make it a crime not to treat it as one.

Let the witch hunt begin.

Burn the witches! Burn them!

You there, sitting next to that computer, you're a witch, aren't you? No? Prove that you aren't one. Prove it, or burn!

I repeat that this thinking is insane.

You have to be insane in order to believe in electronic crimes against children, and once you are insane you are bound 
by law to help burn somebody for the crime because you believe in its existence...

How very sick.

Whatever happened to the good old days when the definition of 'crime' was objective rather than subjective? And what 
happened to law enforcement training that people have rights that are not to be infringed?

Where have all the LEAs gone who used to believe in conducting investigations to uncover all possible exculpatory 
evidence in addition to that which is inculpatory?

LEAs have had their position usurped by forensic expert opinion testimony.

This has resulted in LEAs not even doing investigations. They are now just the hands and the legs of the forensic 
investigator who uses deductive reasoning, fancy technology, and their valuable learnings in order to eliminate 
reasonable doubt through the power of thought alone.

Crimes are now often a matter of opinion, not a matter of reasonable proof. Does that not concern you substantially?

Are you teaching your children that somebody else's opinion will send them to prison under the modern day criminal 
justice system?

I am teaching mine this, because it is the truth. In my opinion, that is more a crime against my child than what you 
propose to be an 'electronic crime' against somebody else's.

Your training and experience are biased against the defense because you are trained by law enforcement and you are 
never exposed to fundamental principles that would equip you to properly apply an unbiased and well-informed approach 
to your work. Ask yourself why not? Is there something wrong with 'computer forensics' that these truths must be 
ignored in order for 'computer forensics' to be used in practice?

My answer is yes, there is. You are what's wrong with so-called 'computer forensics' -- it is a biased system for 
telling lies under the guise of expert testimony, and these lies are being told over and over again in jurisdictions 
around the world. The purpose of the lies is to advance the cause, bias, and belief system of those who tell them. Your 
stated cause (today) is to catch everyone who commits an 'electronic crime against a child' -- the methods and thinking 
from which you derive this cause will, naturally, allow you to choose a different cause in the future and pursue it as 
well. Go get those 'electronic terrorists' who spread speech that harms commercial interests. Anyone who expresses hate 
toward Microsoft and its dangerous products must be an electronic criminal. Your expert testimony can take them off the 
street, so go to it. Hate speech, and speech against the interests of commerce, are against the law.

Go enforce the law to the best of your opinion. We depend on you to do just that, and to do it well.

Moderator:

This discussion is very important to the basics of information security. Please approve this and other postings that 
include the word 'insane' -- you can see that the term is not being used to flame, but to express accurately a 
technical issue that is fundamental to security:

Namely, that security is a belief - and not all beliefs are reasonable, nor healthy. Adopting the wrong set of beliefs 
will actually harm your ability to understand what security is.

A loss of legal protections for us as computer owners and operators, if we choose to forfeit our rights or allow 
ourselves to be tricked into thinking they do not exist, is a security risk just as certainly as any worm or Trojan 
(malicious software that grants an attacker further access to our computers at a future time, after it has infected a 
host).

A large number of people believe, incorrectly, that law enforcement is a form of security. This discussion helps to 
illustrate clearly that this is a flawed belief and that law enforcement can be one of the security threats against 
which we all must defend ourselves and our companies.

This is especially true today given the fact that law enforcement, as viewed individual by individual, frequently 
believe in irrational legal fictions like 'electronic crimes against children'.

What is the penalty under law for triggering and fueling an irrational witch hunt, or a panicked stampede that crushes 
and tramples its victim-participants, in your jurisdiction?

Every person who comes into contact with evidence that may be interpreted to be proof of an 'electronic crime against a 
child' should find out the answer to this question before they decide to try to report it to anyone.

Wipe your drives and get on with life. It is not your job to protect electronic children from virtual harm.

Sincerely,

Jason Coombs
jasonc () science org

P.S. Tobin, does the signature line of your e-mail (below) indicate that you are the very person of whom, having just 
been wrongfully convicted of a child porn offense at a court martial hearing where his own defense side so-called 
'computer forensics expert' testified against him by doing nothing more than finding and documenting the porn, the 
military service member who appealed to me (too late) for expert witness testimony on his behalf (to help the judge 
understand the technical evidence in a fashion that his incompetent law enforcement-affiliated 'computer forensics' 
expert refused to do or was incapable of doing) must ask help after he is released from confinement in two years and is 
dishonorably discharged? Is it your opinion that the presence of child porn on his hard drive is proof enough of his 
guilt? That was the opinion given by the 'computer forensics expert' that his attorney hired, and his career in the 
service has come to an abrupt end as a result. Perhaps he will never become a 'veteran' such that his affairs are none of your concern. Just wondering. If you weren't so badly 
confused, you could actually help some innocent people who are deserving of your expert assistance.

Just my opinion.
___________________________
Tobin Craig, MRSC, CISSP, SCERS, EnCE, CCE
IT Forensic Director, Computer Crimes and Forensics
Department of Veterans Affairs
Office of Inspector General
801 I Street NW
Washington DC 20001

Tel: 202 565 7702
Fax: 202 565 7630
___________________________

