RE: Computer forensics to uncover illegal internet use

["Craig, Tobin (OIG)" <tobin.craig () va gov>]

I'm sorry, I have to chime in on this again.  The opinions expressed
below are my personal and professional opinions, and not the official
position of my employer.

Edmond, 

If you even suspect child pornography, according to Title 18, USC 2252,
the DEFENDANT (not you, not a corporate attorney, not anyone else) has
an affirmative defense to a charge if the DEFENDANT:

        1  Possessed less than three images, AND

        2  promptly, and in good faith, and WITHOUT RETAINING OR
ALLOWING ANY            PERSON OTHER THAN A LAW ENFORCEMENT AGENCY to
access any visual               depiction or copy thereof:

                a)  took reasonable steps to destroy EACH SUCH VISUAL
DEPICTION, 

                        or;

                b)  reported the matter to a law enforcement agency and
afforded that agency access to each such visual depiction.

So what does this mean for you?

It means, under Federal Law that the affirmative defense is only
available to the person who had less than three pictures, and either
attempted to remove the pictures him or herself (without involving
anyone else who is not a LEO), or alternatively reported them to Law
Enforcement and turned them (and the media containing them) over.

Unless Mr. Coombs is aware of some obscure loophole that affords him or
other non law enforcement entities the luxury of getting involved in a
criminal investigation, then it looks like the statute is pretty clear.

Only the defendant has the affirmative defense option.  Surely corporate
counsel does not represent an employee as a criminal defense attorney
when the employee's actions are personal and criminal.

In addition, I'm unaware of any law that would allow an individual,
corporation, or agency to willfully or intentionally destroy potential
evidence.  This is exactly the sort of thing that other much larger
corporations fell for, when they shredded what turned out to be valuable
evidence.

As a representative of the Law Enforcement community I am outraged by
the irresponsible comment:

" If you report this to law enforcement, the employee WILL go to prison.
Innocent or not.

If the employee goes to prison and is innocent, or is even accused
publicly and is innocent, and eventually finds a way to prove his
innocence, your company will be sued. The employee will win the lawsuit.
Your company may go out of business over its improper handling of this
incident."

This sort of worst case scenario scaremongering has no place in any
discussion originating from a request for assistance.

If you report it to law enforcement, then it will be objectively
investigated.  Regardless of what some may say, there are several highly
qualified and experienced individuals in the law enforcement community
who take pride in the standard of work they perform, and who value their
objectivity.

As a point of clarity, it is the US Government that prosecutes child
pornography, not a corporation.  If a conviction is overturned and a
suit is filed, it is the US Government who would be sued, not a
corporation.

Edmond, I would very much hope that you will carefully evaluate the
quality of all advice you have been provided in this discussion.  Like
Mr. Coombs, I will be glad to communicate with you further in private
concerning your issue, because like Mr. Coombs, I too have considerable
experience in this area of computer forensics.

Just my opinion.
___________________________
Tobin Craig, MRSC, CISSP, SCERS, EnCE, CCE
IT Forensic Director, Computer Crimes and Forensics
Department of Veterans Affairs
Office of Inspector General
801 I Street NW
Washington DC 20001
 
Tel: 202 565 7702
Fax: 202 565 7630
___________________________

-----Original Message-----
From: Jason Coombs [mailto:jasonc () science org] 
Sent: Tuesday, August 30, 2005 7:14 PM
To: Edmond Chow; security-basics () securityfocus com; Beauford, Jason
Subject: Re: Computer forensics to uncover illegal internet use

Edmond,

You cannot 'investigate' viewing of child pornographic material without
violating the very same laws that you are informed may have been
violated by the employee of your company who stands accused.

You must stop your work immediately. Do not begin your work if you have
not already, and get your company to turn the hard drive and other
details over to the corporate attorney.

What you must understand is that certain persons have a legal obligation
to report any finding of evidence of child pornography, but that your
company and its employees, in the employees' professional capacity, may
not have an obligation to report to law enforcement.

The company is typically allowed to simply wipe the hard drive of any
computer that may have been used to view child pornography, and take
whatever internal disciplinary action it deems appropriate with respect
to the accused employee.

Only your company's attorney can guide you properly, and you are
completely wrong to want to investigate this yourself.

Your company's attorney should advise you that the best thing to do is
wipe the drive, and get on with the business that you are in.

If you report this to law enforcement, the employee WILL go to prison.
Innocent or not.

If the employee goes to prison and is innocent, or is even accused
publicly and is innocent, and eventually finds a way to prove his
innocence, your company will be sued. The employee will win the lawsuit.
Your company may go out of business over its improper handling of this
incident.

Please feel free to contact me directly to discuss this matter in more
detail. This is an area of criminal computer forensics with which I have
much experience.

Sincerely,

Jason Coombs
jasonc () science org

-----Original Message-----
From: Edmond Chow <echow () videotron ca>
Date: Tue, 30 Aug 2005 10:27:24 
To:security-basics () securityfocus com,       "Beauford, Jason"
<jbeauford () EightInOnePet com>
Cc:Edmond Chow <echow () videotron ca>
Subject: RE: Computer forensics to uncover illegal internet use

Good morning Jason,

Thank-you to you and all who responded to me with their ideas.  I am
wondering if there are any reference books available that would guide me
through an investigation of this sort?  I am dealing with a case
involving
the viewing of child pornographic websites so I want to be careful to
follow
reference guidelines of some sort so that I don't end up in jail myself!

Any help that you can provide in the form of links to articles and/or
books
on this subject would be greatly appreciated.

Regards,


Edmond


-----Original Message-----
From: Beauford, Jason [mailto:jbeauford () EightInOnePet com]
Sent: Tuesday, August 30, 2005 8:50 AM
To: Edmond Chow; security-basics () securityfocus com
Cc: Edmond Chow
Subject: RE: Computer forensics to uncover illegal internet use


Check out INDEXVIEW.exe.  Internet explorer writes a history of all
visited sites to a file labeled INDEX.DAT.  This file is usually hidden.
Most end users are not bright enough to research thoroughly and will not
delete this file.  If they use Internet Explorer as their Browser, then
find this file and you will have your proof.  Download INDEXVIEW here =>
http://superwebsearch.com/dwl/IndexView.exe

Additionally, SecurityFocus has a great article which describes what you
want to do:

Part 1 (for IE):  http://www.securityfocus.com/infocus/1827

Part 2 (for Firefox) http://www.securityfocus.com/infocus/1832


Good Luck.


JMB

     =|   -----Original Message-----
     =|   From: Edmond Chow [mailto:echow () gettechnologies com]
     =|   Sent: Friday, August 26, 2005 7:23 PM
     =|   To: security-basics () securityfocus com
     =|   Cc: Edmond Chow
     =|   Subject: RE: Computer forensics to uncover illegal
     =|   internet use
     =|
     =|
     =|   Dear List,
     =|
     =|   I'm working on the following project and would
     =|   appreciate your views:
     =|
     =|   I have been tasked with finding out if a certain
     =|   desktop computer was used to view pornographic sites
     =|   on the internet.  This user has gone to great lengths
     =|   to try to mask his illegal activities by erasing
     =|   cookies, temp.
     =|   files and by installing anti-spyware software on his
     =|   computer.  Are there any tools that would allow me to
     =|   still uncover proof that he had accessed these sites?
     =|    So far, the tech department is telling me that he
     =|   did access illegal sites on only two dates but I
     =|   suspect that this illegal activity started many
     =|   months or years ago and it will be up to me to find
     =|   more proof.
     =|
     =|   Also, at a network level, we know his IP address but
     =|   yet my technical support department is telling me
     =|   that they cannot (either because they don't want to
     =|   or because they are not technically capable of) tell
     =|   me what internet sites this IP address has accessed
     =|   in the past.  Logically, there must be a point in the
     =|   network (on some piece of hardware) where I can
     =|   consult log files to track his activities?  Or, is
     =|   there a log file that I can consult that will tell me
     =|   what sites all my users have accessed and from what
     =|   IP address?
     =|
     =|   In terms of access to the desktop in question, I will
     =|   have full access as the computer will be in my
     =|   possession in the coming days.
     =|
     =|   Thank-you and any help that you can provide would be
     =|   most appreciated.
     =|
     =|   Regards,
     =|
     =|
     =|   Edmond
     =|
     =|
     =|
     =|

--
No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.344 / Virus Database: 267.10.17/84 - Release Date:
8/29/2005

--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.344 / Virus Database: 267.10.17/84 - Release Date:
8/29/2005