Full Disclosure mailing list archives
RE: Computer forensics to uncover illegal internet use
From: "Craig, Tobin (OIG)" <tobin.craig () va gov>
Date: Fri, 2 Sep 2005 23:57:28 -0400
The opinions expressed below are my personal and professional opinions, and not the official position of my employer.... Apologies in advance for the long posting.....
What is this thing you believe in, an 'electronic crime against a child' ?
Well, if you had actually taken the time to quote me accurately, you would find I mentioned "electronic crimes against children", and not the phrase you chose to substitute in its place. A minor point, but nevertheless, you might want to make sure you are accurate before you go off the deep end.
Your intentions may be fine, but your reasoning is actually quite insane. An 'electronic crime against a child' ? Absolutely outrageous and patently absurd. There is no such thing.
Actually, if you hit any conventional internet search engine and type in the words "electronic" "crimes" "against" "children" you'll get several million hits. Review the top ones, you'll see they predominantly refer to "electronic" aspects of "crimes against children". You don't like that? Then take the same search engine, and search for the phrase "electronic crimes against children". I found only two hits, both pieces of legislation, and both coming from Hawaii. (Don't you have an office there?)
Tobin Craig (tobin.craig () va gov) wrote:
Title 18, USC 3: Accessory after the fact. "Whoever, knowing that an offense against the United States has been committed, receives, relieves, comforts or assists the offender in order to hinder or prevent his apprehension, trial or punishment, is an accessory after the fact."
You presume to deprive me of my right to wipe my hard drive because, in your expert opinion and in the legal opinion of some prosecutors, doing so causes me to violate Title 18, USC 3 - making me an accessory to your so-called 'electronic crime against a child' - and you are mistaken.
You fail to understand the very important distinction between merely suspecting that a crime may have been committed and actually KNOWING.
To violate Title 18, USC 3 you must actually know, not merely suspect, that an offense has been committed. You are wrong when you think that the mere presence of data on a hard drive proves to you, the trained computer forensic examiner, that a crime has occurred.
OK, let's go through this once more. I asked you in response to an email sent by you on August 30, 2005: "So if I've read this correctly, you are advocating the willful destruction of evidence that would otherwise be used in the investigation of crimes against children??" You replied to my question on August 31, 2005: "Yes. Wipe the drive and get on with business." You have admitted that you advocate the WILLFUL DESTRUCTION of EVIDENCE. My question was not concerning the wiping of a hard drive you had suspicions about, it was about the WILLFUL (deliberate, voluntary, done on purpose) destruction of EVIDENCE. This means that a: you have determined that there is something there that might get someone in trouble, and b: rather than getting that person or corporation into trouble, you choose to try and make it all go away.
Seeing child porn may make you feel as though you have been assaulted, but that is your own subjective and purely emotional reaction, and does not prove anything to you. It does not cause you to KNOW that an offense has been committed. You may choose to report your suspicion, and the reasons for it, but you most certainly do not have any obligation pursuant to Title 18, USC 3 until and unless you actually KNOW.
Seeing digital content that you know perfectly well is not a live broadcast of an act in progress should not give rise to your feeling that you KNOW an offense has been committed.
A highly-trained and credentialed 'IT Forensic Director, Computer Crimes and Forensics' professional such as yourself should understand the difference, but you don't. Your technical training ignores this extremely important awareness and your personal bias coupled with the fact that you never work on behalf of the defense render you unable to know the difference between opinion and fact.
I know you are aware of the following, since you taught 2 courses for CCE in 2005, but for the record, there is a code of ethics that I as a Certified Computer Examiner must adhere to. This code of ethics, the standard of integrity that I hold myself to professionally and personally, and the value I place upon the ability to render an unbiased impartial opinion are an integral part of my work ethic, and I do not appreciate being maligned.
When my hard drive becomes contaminated with child pornography because of the actions of some third-party, I have two conflicting duties:
1) to clean my hard drive of the offensive material as soon as it is practical for me to do so, and,
2) to be careful not to recklessly endanger other persons by destroying the only evidence that may clear them of any potential accusations of wrongdoing, or by spawning an irrational witch hunt or a stampede where I know ahead of time that somebody will be hurt.
Because of #2, it is still the best decision for a company to image, encrypt, and store with counsel the hard drive images of concern.
No report should be made to any law enforcement agency.
I hate to break the news, but when your hard drive becomes contaminated with child pornography (so you're at the point that you've identified it as child pornography), you (according to the law of the United States) have only ONE course of action, report it to law enforcement. It's in the law, Jason. Title 18, USC 2252. Of course you can tighten down firewall rules, etc. to prevent it happening again, but once you've identified it as child pornography, you must turn it over.
A logged record of wiping the drive where the log entry is designed intentionally to mislead an unskilled reader, so as to conceal from casual observation the fact that the encrypted drive image was made and placed in storage before the drive was wiped, is absolutely the right decision to make.
So in addition to falsifying log records, you are now advocating concealing the fact that the data was not in fact destroyed, but archived? Now instead of an individual being an offender, you have placed the corporation in jeopardy, since it now knowingly possesses the same images you identified as child pornography. In addition, you have (whether you choose to accept the reality of it or not) assisted the offender in order to hinder or prevent his apprehension. It's in the law, Jason. Title 18, USC 3.
Your training and experience are biased against the defense because you are trained by law enforcement and you are never exposed to fundamental principles that would equip you to properly apply an unbiased and well-informed approach to your work.
Actually, I'm a trained chemist. My whole background is in fundamental principles, and I have tried whenever possible to apply that background to computer forensics. Furthermore, if you knew anything about my work as a forensic chemist, you would know that the lab I worked at established more innocence than guilt. I learned very early on in my career the importance of identification, coupled with taking any evidentiary findings in context with surrounding factors. Don't even presume to lecture me on bias.
Ask yourself why not? Is there something wrong with 'computer forensics' that these truths must be ignored in order for 'computer forensics' to be used in practice?
My answer is yes, there is. You are what's wrong with so-called 'computer forensics' -- it is a biased system for telling lies under the guise of expert testimony, and these lies are being told over and over again in jurisdictions around the world. The purpose of the lies is to advance the cause, bias, and belief system of those who tell them. Your stated cause (today) is to catch everyone who commits an 'electronic crime against a child' -- the methods and thinking from which you derive this cause will, naturally, allow you to choose a different cause in the future and pursue it as well. Go get those 'electronic terrorists' who spread speech that harms commercial interests. Anyone who expresses hate toward Microsoft and its dangerous products must be an electronic criminal. Your expert testimony can take them off the street, so go to it. Hate speech, and speech against the interests of commerce, are against the law.
In other words, by your standard, I'm biased to investigate child pornography, but impartial to investigate terrorist crime. Remarkable.

In closing: this discussion was for the most part a sensible, professional opportunity to exchange ideas and assist someone in the community with a valid question. Throughout this discussion I have sought to keep our communication on a civil and a professional level, and I would have appreciated the same courtesy in return. It appears I may have expected too much. Without knowing me, my background, or my experiences you have nevertheless leveled some groundless accusations at my character, integrity, and technical competence. I won't even dignify those accusations with a response, though I will reiterate: The International Society of Forensic Computer Examiners code of ethics, the standard of integrity that I hold myself to professionally and personally, and the value I place upon the ability to render an unbiased impartial opinion are an integral part of my work ethic, and I do not appreciate being maligned.

Apologies for the long post,
Just my opinion,
Tobin
___________________________
Tobin Craig, MRSC, CISSP, SCERS, EnCE, CCE
IT Forensic Director, Computer Crimes and Forensics
Department of Veterans Affairs
Office of Inspector General
___________________________
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/