RE: Computer forensics to uncover illegal internet use

["Craig, Tobin (OIG)" <tobin.craig () va gov>]

The opinions expressed below are my personal and professional opinions,
and not the official position of my employer....

Apologies in advance for the long posting.....

> What is this thing you believe in, an 'electronic crime against a
> child' ?

Well, if you had actually taken the time to quote me accurately, you
would find I mentioned "electronic crimes against children", and not the
phrase you chose to substitute in its place.  A minor point, but
nevertheless, you might want to make sure you are accurate before you go
off the deep end.

> Your intentions may be fine, but your reasoning is actually quite
> insane. An 'electronic crime against a child' ? Absolutely outrageous
> and patently absurd. There is no such thing.

Actually, if you hit any conventional internet search engine and type in
the words "electronic" "crimes" "against" "children" you'll get several
million hits.  Review the top ones, you'll see they predominantly refer
to "electronic" aspects of "crimes against children".

You don't like that?  Then take the same search engine, and search for
the phrase "electronic crimes against children".  I found only two hits,
both pieces of legislation, and both coming from Hawaii. (Don't you have
an office there?)

> Tobin Craig (tobin.craig () va gov) wrote:
> > Title 18, USC 3:  Accessory after
> > the fact.
> > "Whoever, knowing that an offense
> > against the United States has been
> > committed, receives, relieves,
> > comforts or assists the offender in
> > order to hinder or prevent his
> > apprehension, trial or punishment, is
> > an accessory after the fact."

> You presume to deprive me of my right to wipe my hard drive because,
> in your expert opinion and in the legal opinion of some prosecutors,
> doing so causes me to violate Title 18, USC 3 - making me an accessory
> to your so-called 'electronic crime against a child' - and you are
> mistaken.

> You fail to understand the very important distinction between merely
> suspecting that a crime may have been committed and actually KNOWING.

> To violate Title 18, USC 3 you must actually know, not merely suspect,
> that an offense has been committed. You are wrong when you think that
> the mere presence of data on a hard drive prove to you, the trained
> computer forensic examiner, that a crime has occurred.

OK, let's go through this once more.

I asked you in response to an email sent by you on August 30, 2005:

"So if I've read this correctly, you are advocating the willful
destruction of evidence that would otherwise be used in the
investigation of crimes against children??"

You replied to my question on August 31, 2005:

"Yes. Wipe the drive and get on with business."

You have admitted that you advocate the WILLFUL DESTRUCTION of EVIDENCE.
My question was not concerning the wiping of a hard drive you had
suspicions about, it was about the WILLFUL (deliberate, voluntary, done
on purpose) destruction of EVIDENCE.  This means that a: you have
determined that there is something there that might get someone in
trouble, and b: rather than getting that person or corporation into
trouble, you choose to try and make it all go away.

> Seeing child porn may make you feel as though you have been assaulted,
> but that is your own subjective and purely emotional reaction, and
> does not prove anything to you. It does not cause you to KNOW that an
> offense has been committed. You may choose to report your suspicion,
> and the reasons for it, but you most certainly do not have any
> obligation pursuant to Title 18, USC 3 until and unless you actually
> KNOW.

> Seeing digital content that you know perfectly well is not a live
> broadcast of an act in progress should not give rise to your feeling
> that you KNOW an offense has been committed.

> A highly-trained and credentialed 'IT Forensic Director, Computer
> Crimes and Forensics' professional such as yourself should understand
> the difference, but you don't. Your technical training ignores this
> extremely important awareness and your personal bias coupled with the
> fact that you never work on behalf of the defense render you unable to
> know the difference between opinion and fact.

I know you are aware of the following, since you taught 2 courses for
CCE in 2005, but for the record, there is a code of ethics that I as a
Certified Computer Examiner must adhere to.

This code of ethics, the standard of integrity that I hold myself to
professionally and personally, and the value I place upon the ability to
render an unbiased impartial opinion are an integral part of my work
ethic, and I do not appreciate being maligned.

> When my hard drive becomes contaminated with child pornography because
> of the actions of some third-party, I have two conflicting duties:

> 1) to clean my hard drive of the offensive material as soon as it is
> practical for me to do so, and,

> 2) to be careful not to recklessly endanger other persons by
> destroying the only evidence that may clear them of any potential
> accusations of wrongdoing, or by spawning an irrational witch hunt or
> a stampede where I know ahead of time that somebody will be hurt.

> Because of #2, it is still the best decision for a company to image,
> encrypt, and store with counsel the hard drive images of concern.

> No report should be made to any law enforcement agency.

I hate to break the news, but when your hard drive becomes contaminated
with child pornography (so you're at the point that you've identified it
as child pornography), you (according to the law of the United States)
have only ONE course of action, report it to law enforcement.

It's in the law, Jason.  Title 18, USC 2252.

Of course you can tighten down firewall rules, etc to prevent it
happening again, but once you've identified it as child pornography, you
must turn it over.

> A logged record of wiping the drive where the log entry is designed
> intentionally to mislead an unskilled reader, so as to conceal from
> casual observation the fact that the encrypted drive image was made
> and placed in storage before the drive was wiped, is absolutely the
> right decision to make.

So in addition to falsifying log records, you are now advocating
concealing the fact that the data was not in fact destroyed, but
archived?  Now instead of an individual being an offender, you have
placed the corporation in jeopardy, since it now knowingly possesses the
same images you identified as child pornography.  In addition, you have
(whether you choose to accept the reality of it or not) assisted the
offender in order to hinder or prevent his apprehension.

It's in the law Jason.  Title 18, USC 3.

> Your training and experience are biased against the defense because
> you are trained by law enforcement and you are never exposed to
> fundamental principles that would equip you to properly apply an
> unbiased and well-informed approach to your work.

Actually, I'm a trained chemist.  My whole background is in fundamental
principles, and I have tried whenever possible to apply that background
to computer forensics.  Furthermore, if you knew anything about my work
as forensic chemist, you would know that the lab I worked at established
more innocence that guilt.  I learned very early on in my career the
importance of identification, coupled with taking any evidentiary
findings in context with surrounding factors.  Don't even presume to
lecture me on bias.

> Ask yourself why >not? Is there something wrong with 'computer
> forensics' that these >truths must be ignored in order for
> 'computer forensics' to be used in practice?

> My answer is yes, there is. You are what's wrong with so-called
> 'computer forensics' -- it is a biased system for telling lies
> under >the guise of expert testimony, and these lies are being
> told over and >over again in jurisdictions around the world. The
> purpose of the lies >is to advance the cause, bias, and belief
> system of those who tell >them. Your stated cause (today) is to
> catch everyone who commits an >'electronic crime against a
> child' -- the methods and thinking from >which you derive this
> cause will, naturally, allow you to choose a >different cause in
> the future and pursue it as well. Go get those >'electronic
> terrorists' who spread speech that harms commercial >interests.
> Anyone who expresses hate toward Microsoft and its >dangerous
> products must be an electronic criminal. Your expert >testimony
> can take them off the street, so go to it. Hate speech, and
> > speech against the interests of commerce, are against the law.

In other words, by your standard, I'm biased to investigate child
pornography, but impartial to investigate terrorist crime.  Remarkable.

In closing: this discussion was for the most part a sensible,
professional opportunity to exchange ideas and assist someone in the
community with a valid question.

Throughout this discussion I have sought to keep our communication on a
civil and a professional level, and I would have appreciated the same
courtesy in return.  It appears I may have expected too much.

Without knowing me, my background, or my experiences you have
nevertheless leveled some groundless accusations at my character,
integrity, and technical competence.  I won't even dignify those
accusations with a response, though I will reiterate: The International
Society of Forensic Computer Examiners code of ethics, the standard of
integrity that I hold myself to professionally and personally, and the
value I place upon the ability to render an unbiased impartial opinion
are an integral part of my work ethic, and I do not appreciate being
maligned.

Apologies for the long post,

Just my opinion,

Tobin

___________________________
Tobin Craig, MRSC, CISSP, SCERS, EnCE, CCE
IT Forensic Director, Computer Crimes and Forensics
Department of Veterans Affairs
Office of Inspector General
___________________________
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/