RE: Careless Law Enforcement Computer Forensics Lacking InfoSec Expertise Causes Suicides

["dave kleiman" <dave () isecureu com>]

Inline...

> -----Original Message-----
> From: Jason Coombs [mailto:jasonc () science org]
> Sent: Saturday, October 01, 2005 14:18
> To: Full-Disclosure
> Cc: bugtraq () securityfocus com; isn () attrition org
> Subject: Careless Law Enforcement Computer Forensics Lacking
> InfoSec Expertise Causes Suicides
>
> 34 people have killed themselves in the U.K. after being
> accused of purchasing child pornography using their credit
> card numbers on the Web between 1996 and 1999;

I have known hundreds, that law enforcement seized and examined a computer
and after the examination returned the system due to lack of evidence. None
of those people attempted suicide. As a matter of fact the LEA's never file
charges until after the examination.

 and thousands
> have been imprisoned around the world for allegedly doing the
> same. Two of the first, and still ongoing, large-scale
> investigations of credit card purchases of child pornography
> through the Internet are known as Operation Ore (U.K.) and
> Operation Site Key (U.S.) -- tens of thousands of suspects'
> credit card numbers were found in the databases used by the
> alleged e-commerce child porn ring, and law enforcement's
> careless misunderstanding of the Internet and infosec (circa
> 1999) resulted in every single one of the suspects being
> investigated and thousands have so far been prosecuted and convicted.

The key here is every one being investigated and thousands being arrested.
Do you happen to know the number of CC's in the operations, was it not close
to 1,000,000

> Was your credit card number in the Operation Ore / Operation
> Site Key database? How would you know unless and until you've
> been arrested?

After an investigation proved, through other means, that a person was the
one using the card and arrest would be facilitated.


> Over the last few years I have seen numerous cases in which
> the computer forensic evidence proves that a third party
> intruder was in control of the suspect's computer. More often
> there is simply no way to know for sure what might have
> happened between 1996 and 1999 with respect to the computer
> seized by law enforcement at the time of arrest years later.

I have asked you this before, can you please cite these "numerous cases in
which the computer forensic evidence proves that a third party intruder was
in control of the suspect's computer".  I have several LEA's who will gladly
help re-review the cases and help get them overturned.


> If security flaws, porn spyware, or mistakes by an unskilled
> end user resulted, over the years, in some child pornography
> being downloaded to a suspect's hard drive, even in
> 'thumbnail' graphic formats and recovered only using forensic
> data recovery tools that carve files out of unallocated
> clusters, then the suspect is routinely charged, since the
> presence of child pornography on a hard drive owned by a
> person who is accused of purchasing child pornography is the
> best evidence law enforcement has to prove guilt of these
> so-called 'electronic crimes against children' -- crimes that
> are proved by the mere existence of data, where it matters
> not that a suspect did not and could not have known that the
> data existed on a hard drive that was in their possession.

I have NEVER seen a case that some was convicted, or even gotten as far as
filing charges based merely on presence and items in unallocated space
without other circumstances.

The LEA's are trained to be responsible, they look for file structure, and
most of the time they find external copies, (Carom's, DVD's etc) of the
contraband.


> I ask you this question: why doesn't law enforcement bother
> to conduct an analysis of the computer evidence looking for
> indications of third-party intrusion and malware?

They absolutely do.  As an ex-LEA an and someone who reviews cases before
they go to court, I can tell you a hundreds occasions where charges were
dropped.

Most LEA's will not even look at Temp Inet file or Unallocated cluster until
after they find more substantial items.

 Some people
> have indicated to me that sometimes law enforcement actually
> does do post-intrusion forensics; though this decision is
> entirely up to the prosecutor or forensic lab director, and
> if they don't put in the time to do this they still get their
> conviction so there is presently no incentive to spend
> hundreds of hours analyzing large hard drives searching for
> evidence of intrusion just in case one might have occurred.

The DA's a LEA's are compelled to turn over evidence to exonerate the
accused.

Funny it the Defense attorneys are the one I cannot get to buy off on my
ethics.  That is my rule that both parties get a copy of my report no matter
if they like the results or not.


> A substantial factor in the answer to this question is that
> it is nearly impossible to know what might have happened to a
> computer over the years, and most computers are used by more
> than end user to begin with.
> Not only is there no way to differentiate
>
> Every person convicted of an electronic crime against a child
> based only on evidence recovered from a hard drive that
> happened to be in their possession should be immediately
> released from whatever prison they are now being held.


And this is based on the fact that????????


> Law enforcement must be required to obtain Internet wiretaps,
> use keyloggers and screen capture techniques, and conduct
> other investigations of crimes-in-progress, because the
> current approach to computer forensics being taught by
> vendors such as Guidance Software
> (www.encase.com) and others (who just happen to sell products
> designed to analyze and search hard drives) makes the
> outrageous assertion that a person can be proven guilty of a
> crime based only on data that is found on a hard drive in
> their possession.

They go through much greater training than that, and it takes much more than
just data on a H/D to get them to effect and arrest. Most go through FLETC
and receive at a minimum DEASTP and SCERS.  Many additionally have their
CFCE, that is one of the better examinations for certification I have seen.


> There is simply no way for law enforcement to know the
> difference between innocent and guilty persons based on hard
> drive data circumstantial evidence. Something must be done to
> correct this misuse of computer evidence, and whatever that
> something is, it is clear that only an information security
> organization is going to be able to explain it to law
> enforcement and legislators.

Hard drive evidence is not circumstantial, there must be many factors that
go along with it.
Sorry I cannot speak for how they handle cases in the UK.


> Regards,
>
> Jason Coombs
> jasonc () science org


And as for your subject line "Careless Law Enforcement Computer Forensics
Lacking InfoSec Expertise Causes Suicides" people who commit suicide tend to
have underlying problems to strart with.



Regards,


__________________________________________________
Dave Kleiman, CAS,CIFI,CISM,CISSP,ISSAP,ISSMP,MCSE

www.SecurityBreachResponse.com
 
















_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/