RE: Computer forensics to uncover illegal internet use

["Hindle, Dallas" <Dallas.Hindle () bakersdelight com au>]

I agree with Tobin, not to mention that anyone who publicly says they
would conceal this type of activity should be slapped down both
internally and publicly if it was revealed in a court or other
investigation, We all have a moral, ethical and legal responsibility to
ensure that if we detect this type of activity we should report it. Now,
I would assume that before reporting we confirm and secure evidence to
support any claim and that this type of thing is handled both
responsibly and with all due disgression understanding of the
sensitivities involved.



Thanks
Dallas Hindle
Infrastructure Team Leader


-----Original Message-----
From: Craig, Tobin (OIG) [mailto:tobin.craig () va gov] 
Sent: Friday, 2 September 2005 10:54 PM
To: Jason Coombs; echow () videotron ca; security-basics () securityfocus com;
jbeauford () EightInOnePet com; dave kleiman; Sadler, Connie
Subject: RE: Computer forensics to uncover illegal internet use

As before, the opinions expressed below are my personal and professional
opinions, and not the official position of my employer....
.....

I hate to be the one to break it to you Jason, but not only is your
advice in this matter seriously flawed, it is liable to get you and
anyone who follows it in trouble.

I've already dug out Title 18, USC 2252.  Let me dig out another
one.....

Title 18, USC 3:  Accessory after the fact.

"Whoever, knowing that an offense against the United States has been
committed, receives, relieves, comforts or assists the offender in order
to hinder or prevent his apprehension, trial or punishment, is an
accessory after the fact."

If you wipe the drive and then (under corporate counsel's advice, as you
suggested in another email, falsified the logs), you are in violation of
Title 18 USC 3.  Plain and simple.

You have openly stated in this forum that your position is to wipe the
drive which might otherwise be used in the investigation of crimes
against children.  You then proceed to refer to those who would disagree
as "insane", and "very badly misguided people who think they're doing
their jobs but are actually just incompetent, careless, and
self-serving".

I'm not going to resort to such tactics, you are an adult.

I have spent considerable time researching ad discussing with lawyers
your fantastic notion that corporations are exempt from reporting
electronic crimes against children.  I have not found one piece of
legislation that supports your claim.  And then I read this:

"Disagree with my assertion, if you wish. You won't find a statute,
presently, that makes this clear -- but I have been told recently that
the U.S. Attorney General is about to give a written opinion clarifying
this very topic for everyone.

The opinion is reportedly going to include an explicit statement that
corporations do not have a duty to report in the case of child
pornography offenses."

So if I'm reading THIS email from you correctly, there is no in
existence a statute that supports your professional opinion, and that
you are basing this opinion on a conversation?  Furthermore you are
expecting that our Attorney General, appointed by a Republican
President, is going to draft legislation that actually makes it more
difficult to investigate crimes against children by creating safe havens
in the form of corporations?

Let's assume that such exemptions exist.  What is there to stop anyone
from hiking down to the local town hall, paying their $50 and becoming a
corporation?  Secondly, why just stop at child pornography images?  Why
not extend the legal exemption to crimes like (for example)
embezzlement?

"Obscenity laws are unconstitutional and they are also wrong."

Again, after a little research:

The United States Supreme Court, in Miller v. California, 413 U.S. 15
(1973), established a three-part test for determining whether a
depiction is obscene:

       1. Whether the average person would find that the work, taken as
a whole and applying contemporary community standards, appeals to the
prurient interest;

       2. Whether the work depicts or describes sexual conduct in a
patently offensive way, when applying contemporary community standards;
and

       3. Whether the work, taken as a whole, lacks serious literary,
artistic, political, or scientific value.

So what does THIS mean?

It is based around what the average man would deem obscene, and that
will obviously vary from jurisdiction to jurisdiction.  HOWEVER, when
dealing with CHILD pornography, there are other Federal laws in place
that carry much clearer guidelines.

You are perfectly entitled to express your opinion about "right" or
"wrong"
regarding this or other statutes, but you cannot simply reject them or
advise others to do likewise just becauase you don't agree with them.
If you don't like the law, lobby to have it changed, otherwise live by
it or be held accountable by it.

Just my opinion,

Tobin
__________________________
Tobin Craig, MRSC, CISSP, SCERS, EnCE, CCE IT Forensic Director,
Computer Crimes and Forensics Department of Veterans Affairs Office of
Inspector General
801 I Street NW
Washington DC 20001
___________________________
-----Original Message-----
From: Jason Coombs [mailto:jasonc () science org]
Sent: Wednesday, August 31, 2005 9:11 PM
To: Craig, Tobin (OIG); echow () videotron ca;
security-basics () securityfocus com; jbeauford () EightInOnePet com
Subject: Re: Computer forensics to uncover illegal internet use

> advocating the willful destruction
> of evidence ... of crimes against
> children??

Yes. Wipe the drive and get on with business. Do a better job next time
of keeping the company's vulnerable Windows computers from being used by
third-parties to swap warez, porn, MP3s, and unauthorized copies of
Hollywood movies. Do a better job of keeping the spyware out. Do a
better job of protecting employees from the risk that all of this
nonsense creates for everyone.

Spyware-initiated, or Web site-forced downloads of child pornography is
NOT a crime against a child. You're insane if you think otherwise. You
cannot possibly be advocating automatic prosecution of any person who
comes within a certain distance of data that are deemed, in violation of
the First Amendment, to be 'contraband' under present-day statutes.

Obscenity laws are unconstitutional and they are also wrong.

Keep this stuff out of the workplace, or you cause enormous harm for
absolutely no reason.

Why wouldn't a terrorist organization spread child pornography as widely
as possible throughout the business computers of its enemy nations?

What better way to bring the nation to its knees than by exploiting the
vulnerabilities in its own systems?

Sincerely,

Jason Coombs
jasonc () science org

-----Original Message-----
From: "Craig, Tobin \(OIG\)" <tobin.craig () va gov>
Date: Wed, 31 Aug 2005 08:34:43
To:<jasonc () science org>, <echow () videotron ca>,
<security-basics () securityfocus com>, <jbeauford () EightInOnePet com>
Subject: Re: Computer forensics to uncover illegal internet use

So if I've read this correctly, you are advocating the willful
destruction of evidence that would otherwise be used in the
investigation of crimes against children??

Remarkable.






-----Original Message-----
From: Jason Coombs <jasonc () science org>
To: Edmond Chow <echow () videotron ca>; security-basics () securityfocus com
<security-basics () securityfocus com>; Beauford, Jason
<jbeauford () EightInOnePet com>
Sent: Tue Aug 30 19:14:24 2005
Subject: Re: Computer forensics to uncover illegal internet use

Edmond,

You cannot 'investigate' viewing of child pornographic material without
violating the very same laws that you are informed may have been
violated by the employee of your company who stands accused.

You must stop your work immediately. Do not begin your work if you have
not already, and get your company to turn the hard drive and other
details over to the corporate attorney.

What you must understand is that certain persons have a legal obligation
to report any finding of evidence of child pornography, but that your
company and its employees, in the employees' professional capacity, may
not have an obligation to report to law enforcement.

The company is typically allowed to simply wipe the hard drive of any
computer that may have been used to view child pornography, and take
whatever internal disciplinary action it deems appropriate with respect
to the accused employee.

Only your company's attorney can guide you properly, and you are
completely wrong to want to investigate this yourself.

Your company's attorney should advise you that the best thing to do is
wipe the drive, and get on with the business that you are in.

If you report this to law enforcement, the employee WILL go to prison.
Innocent or not.

If the employee goes to prison and is innocent, or is even accused
publicly and is innocent, and eventually finds a way to prove his
innocence, your company will be sued. The employee will win the lawsuit.
Your company may go out of business over its improper handling of this
incident.

Please feel free to contact me directly to discuss this matter in more
detail. This is an area of criminal computer forensics with which I have
much experience.

Sincerely,

Jason Coombs
jasonc () science org

-----Original Message-----
From: Edmond Chow <echow () videotron ca>
Date: Tue, 30 Aug 2005 10:27:24 
To:security-basics () securityfocus com,       "Beauford, Jason"
<jbeauford () EightInOnePet com>
Cc:Edmond Chow <echow () videotron ca>
Subject: RE: Computer forensics to uncover illegal internet use

Good morning Jason,

Thank-you to you and all who responded to me with their ideas.  I am
wondering if there are any reference books available that would guide me
through an investigation of this sort?  I am dealing with a case
involving the viewing of child pornographic websites so I want to be
careful to follow reference guidelines of some sort so that I don't end
up in jail myself!

Any help that you can provide in the form of links to articles and/or
books on this subject would be greatly appreciated.

Regards,


Edmond


-----Original Message-----
From: Beauford, Jason [mailto:jbeauford () EightInOnePet com]
Sent: Tuesday, August 30, 2005 8:50 AM
To: Edmond Chow; security-basics () securityfocus com
Cc: Edmond Chow
Subject: RE: Computer forensics to uncover illegal internet use


Check out INDEXVIEW.exe.  Internet explorer writes a history of all
visited sites to a file labeled INDEX.DAT.  This file is usually hidden.
Most end users are not bright enough to research thoroughly and will not
delete this file.  If they use Internet Explorer as their Browser, then
find this file and you will have your proof.  Download INDEXVIEW here =>
http://superwebsearch.com/dwl/IndexView.exe

Additionally, SecurityFocus has a great article which describes what you
want to do:

Part 1 (for IE):  http://www.securityfocus.com/infocus/1827

Part 2 (for Firefox) http://www.securityfocus.com/infocus/1832


Good Luck.


JMB

     =|   -----Original Message-----
     =|   From: Edmond Chow [mailto:echow () gettechnologies com]
     =|   Sent: Friday, August 26, 2005 7:23 PM
     =|   To: security-basics () securityfocus com
     =|   Cc: Edmond Chow
     =|   Subject: RE: Computer forensics to uncover illegal
     =|   internet use
     =|
     =|
     =|   Dear List,
     =|
     =|   I'm working on the following project and would
     =|   appreciate your views:
     =|
     =|   I have been tasked with finding out if a certain
     =|   desktop computer was used to view pornographic sites
     =|   on the internet.  This user has gone to great lengths
     =|   to try to mask his illegal activities by erasing
     =|   cookies, temp.
     =|   files and by installing anti-spyware software on his
     =|   computer.  Are there any tools that would allow me to
     =|   still uncover proof that he had accessed these sites?
     =|    So far, the tech department is telling me that he
     =|   did access illegal sites on only two dates but I
     =|   suspect that this illegal activity started many
     =|   months or years ago and it will be up to me to find
     =|   more proof.
     =|
     =|   Also, at a network level, we know his IP address but
     =|   yet my technical support department is telling me
     =|   that they cannot (either because they don't want to
     =|   or because they are not technically capable of) tell
     =|   me what internet sites this IP address has accessed
     =|   in the past.  Logically, there must be a point in the
     =|   network (on some piece of hardware) where I can
     =|   consult log files to track his activities?  Or, is
     =|   there a log file that I can consult that will tell me
     =|   what sites all my users have accessed and from what
     =|   IP address?
     =|
     =|   In terms of access to the desktop in question, I will
     =|   have full access as the computer will be in my
     =|   possession in the coming days.
     =|
     =|   Thank-you and any help that you can provide would be
     =|   most appreciated.
     =|
     =|   Regards,
     =|
     =|
     =|   Edmond
     =|
     =|
     =|
     =|

--
No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.344 / Virus Database: 267.10.17/84 - Release Date:
8/29/2005

--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.344 / Virus Database: 267.10.17/84 - Release Date:
8/29/2005

--
Message protected by MailGuard: e-mail anti-virus, anti-spam and content
filtering.
http://www.mailguard.com.au/mg