RE: Computer forensics to uncover illegal internet use

["dave kleiman" <dave () isecureu com>]

Jason,

Now that sounds more like you, and I could not agree more.

I was just a little a little concerned with the passing of the "contraband"
and the fudging the logs theory.

Yes wipe and go on could be a plausible option, as long as they stop and go
no further. However, if they get involved in making copies of it and passing
it around to whomever (attorney etc.), they have already begun an
investigation and began handling the contraband.

My vote is stop and wipe, or stop and call the proper authorities.

Yes, of course this is governed by the rules of evidence for the
jurisdiction they are in.

Best regards,

Dave


> -----Original Message-----
> From: Jason Coombs [mailto:jasonc () science org]
> Sent: Wednesday, August 31, 2005 17:06
> To: dave kleiman; security-basics () securityfocus com
> Cc: 'Edmond Chow'; 'Beauford, Jason'; tobin.craig () va gov
> Subject: Re: Computer forensics to uncover illegal internet use
>
> dave kleiman wrote:
> > You bring a drive to do an image,
> > you have to do your examination
> > there, if you want to leave the
> > imaged info on it, your imaged drive
> > now stays in the evidence room.
> >  The defense attorney would have
> > to come there to view the
> > images, or the LEO would bring it to
> > them, but they would not leave I
> > there with them.
>
> Dave,
>
> Nice response. You are correct, of course, that this is how
> many jurisdictions prefer that things be done. The prosecutor
> and law enforcement do try to follow their own rules once
> they confiscate potential contraband.
>
> I am glad to see Tobin Craig cite Title 18, USC 2252, as it
> now stands, having been modified by COPPA, etc. in recent
> years. It is very important to understand what Federal law
> requires of you in order to avoid prosecution for what has
> already been done. However, as Tobin acknowledges in his
> e-mail, he is unaware that Corporations are treated
> completely differently than are natural persons with respect
> to the child porn statutes.
>
> If not for the possibility that the worker whose computer is
> at-issue may have had their identity stolen or in some other
> fashion been framed by the actions of a third-party, such
> that the hard drives in the computer are potentially the only
> source of evidence to prove reasonable doubt of the person's
> guilt, it would ALWAYS be the proper course of action for the
> company to wipe the drive and go on with business as usual,
> without reporting to law enforcement.
>
> Where much of the discussion thus far has also been mistaken
> is in presuming that all jurisdictions operate according to
> the same rules and procedures once potential contraband is
> confiscated.
>
> This discussion deserves additional attention, for the very
> reason that the behavior of various persons on all sides of
> this struggle, and in many respects the very statutory
> language itself, are outrageous and are ruining lives of
> people who are in fact victims -- much the way that the
> original child abuse that became the contraband child
> pornography harmed an innocent child.
>
> If only persons as well-informed and concerned with the
> pursuit of truth, such as Mr. Craig, were more often involved
> in advising law enforcement and participating in decisions to
> prosecute individual cases.
>
> And if only more corporations were aware that their own
> failures to protect their employees' Windows computers from
> spyware and other security threats are placing workers at
> undue risk of criminal prosecution for doing nothing other
> than their jobs.
>
> Sincerely,
>
> Jason Coombs
> jasonc () science org