Security Basics mailing list archives
RE: Computer forensics to uncover illegal internet use
From: "dave kleiman" <dave () isecureu com>
Date: Wed, 31 Aug 2005 08:17:27 -0400
Jason, Remember I have the utmost respect for you and have valued your opinion on many occasions, but I have to disagree here on several points.
> Dave, Edmond, and Jason,
>
> How many times have you worked on, or been involved indirectly as a consultant in, real-world criminal cases or corporate investigations that involve child pornography offenses where the evidence is obtained entirely from computer hard drives and server log files?
Very many, actually; you are more than welcome to check with the local DA and Computer Crimes offices. I am also an FDLE certified LEO.
> Attempting to give the hard drive to the company's attorney guarantees that attorney-client confidentiality is created with respect to the hard drive and the entire incident, whether or not the attorney advises that it is necessary, in the situation at hand, to report the incident to law enforcement. It also forces the attorney to contemplate more fully just what the proper response is to the situation. You do not want, under any circumstances, the hard drive to be in any person's possession, or for there to be any way for the company's possession of the drive to result in particular individuals being associated with that ownership -- certainly not the original employee who was supposedly the one who had 'exclusive control or access' -- because the truth is that nobody knows whether that employee was the one who had exclusive control, and it is always the case that the employee was not the only person to have potential access. If you report this incident to law enforcement, you become one of the potential persons who could have done whatever it is that the computer shows somebody might have done. If you think your computer expertise or the expertise of any 'computer forensic' expert can distinguish between actions of particular human persons and actions of other persons or actions of spyware or third-party intruders who gained control over the computer, you are badly confused and very mistaken. The proper legal advice in different jurisdictions varies. The proper incident handling advice does not vary. Before you contact any law enforcement agency, before you go any further with any investigation, as soon as you see that there is reason to believe one of the computers used by a company employee may have acted to download child pornography, you isolate and contain and ensure custody of the potential evidence by the company and only the company.
>
> These are official company actions carried out by authorized employees, and the company is already in possession of its own equipment and the data stored thereon. You then wipe the drive as soon as possible, without investigating further, and if possible without doing any data backup from the drive, or if you must access the drive to backup company data, do so with care not to expose any employee to any potential contraband images, and do what you must to figure out what happened using only investigative techniques that have little or no chance of resulting in further access to child porn, wiping the drive only after confirming with the company attorney that this is the right thing to do (which you will not find out for sure unless you attempt to turn over the hard drive to the company attorney, who should refuse the offer unless the attorney knows of a reason in the jurisdiction in question for the attorney to receive the hard drive).
Handing the drive to the company attorney and conferring with the company attorney are two different things. You are almost making this sound like company attorneys are exempt from the law?? If you found a pound of cocaine in the company lunch room, would you pick it up and drive it to the company attorney's office? You might call the company attorney and say, "what should I do?" But I do not think the attorney's advice would be to "throw it in your car and drive it to my office." If you happened to get pulled over on the way, I do not think you could convince any LEO that you were just taking it to your attorney's office. Alternatively, they might let you finish your journey there, wait for you to hand it to the attorney, and arrest both of you?!? There is no difference: contraband is contraband. The attorney-client privilege is not created for, nor extended to, the hard drive; it is extended between you and your attorney.
> As for the statement that “possess the contraband without the investigating law enforcement agency being present” -- that is so completely wrong as to be absurd and dangerous.
Once the evidence is in the LEA's possession, this is absolutely the procedure. If you had a lot of experience with this, as you stated, you would know that when you go to an evidence room and do an image of a contraband drive (let us say, for argument's sake, you are working for a defense attorney), you bring a drive to do an image and you have to do your examination there; if you want to leave the imaged info on it, your imaged drive now stays in the evidence room. The defense attorney would have to come there to view the images, or the LEO would bring it to them, but they would not leave it there with them.
> The people whose advice you take in the next couple of weeks, Edmond, will determine whether you ruin one or more innocent persons' lives, possibly destroy your company, your career, the careers of others, trigger suicides or murders, and in other ways that you cannot anticipate and may have difficulty believing possible, become caught in a life-destroying mess of bad statutes and very badly misguided people who think they're doing their jobs but are actually just incompetent, careless, and self-serving. You cannot follow the interesting and useful technical advice offered by the other persons on this list -- they are mistaken, badly, to give you tips on how to engage in child pornographic investigations. You cannot, and you must not, do any investigations, and you must do everything in the company's considerable power to ensure that nobody else does, either.
You sure are quick to claim someone is innocent, and that you may ruin their lives. Alternatively, could someone be destroying the lives of young children?? Transporting it to anyone, or sitting on the contraband while deciding what to do, is the main part of either of your e-mails that I disagree with. Personally, I believe in calling an LEA immediately to report it, as opposed to immediately wiping it upon discovery, but that is my personal opinion.
> However, because somebody else (most importantly, law enforcement) may already be investigating without your knowledge, and because you may be in possession of evidence that would prove reasonable doubt of the accused's guilt, you must attempt to get every bit of data (the so-called 'evidence') from the suspect's hard drive preserved forensically and in the custody of the company attorney.
>
> Do so 'after' you wipe the drives -- you need to seriously consider the value of keeping logs of your actions which reflect the fact that you wiped the drive AND THEN gave the drive to your company's attorney. Ask your company's attorney... He may tell you that your company's best course of action is to purposefully falsify the record of the company's response to the incident. The company is not legally obligated to keep accurate records of such things, after all, and with a company record showing the drive was wiped and the physical device is now in the custody of the company attorney, the company is able to prevent ANY loss of control over the situation in the event that the company's duty to protect its employee's interests end up in conflict with law enforcement's desire to aggressively prosecute somebody because they were at some point in time associated with or in proximity to a hard drive that was suspected to have contained, if only temporarily, circumstantial evidence of a crime. If you do not understand by now just how screwy this whole mess is, in the real world, and how uncertain things are in your situation, then nobody can help you, or your company, or the accused person, and you're all doomed to whatever outcome the local law enforcement, prosecution, and courts decide for you... ... All because one of your Windows computers got a spyware infection and some spammer who runs a porn business caused some Web pages to be requested and perhaps some pop-ups or pop-unders to occur.
Obviously you have dealt with some poor LEAs. The ones I have dealt with have always checked for spyware and things of that nature, and have dropped many cases because of it. Further, they do not run in and arrest somebody because an IT person found child porn on a computer. First they do a thorough investigation, then decisions are made.

Regards,

Dave
> Good luck. You need it.
>
> Jason Coombs
> jasonc () science org

-----Original Message-----
From: "dave kleiman" <dave () isecureu com>
Date: Tue, 30 Aug 2005 22:33:02
To: <security-basics () securityfocus com>
Cc: "'Jason Coombs'" <jasonc () science org>, "'Edmond Chow'" <echow () videotron ca>, "'Beauford, Jason'" <jbeauford () EightInOnePet com>
Subject: RE: Computer forensics to uncover illegal internet use

Jason,

Even an attorney, District Attorney, or the doctor who verifies the evidence as child pornography, may not view or possess the contraband without the investigating law enforcement agency being present. They are still bound by the same "possession of contraband" law. Therefore, the immediate contacting of an LEA is the only proper real resolve. Turning it over to the company attorney would be possession and distribution of contraband, a definite no-no. However, just as if you found a bag of drugs on the ground, you have no obligation to report it, but picking it up and playing with it is ill-advised. Nonetheless, if you simply saw what you thought was child pornography, and you stopped and wiped the system, you would technically be OK, since it takes a doctor's examination to, for the courts, say it truly is/was child pornography.

Dave

-----Original Message-----
From: Jason Coombs [mailto:jasonc () science org]
Sent: Tuesday, August 30, 2005 19:14
To: Edmond Chow; security-basics () securityfocus com; Beauford, Jason
Subject: Re: Computer forensics to uncover illegal internet use

Edmond,

You cannot 'investigate' viewing of child pornographic material without violating the very same laws that you are informed may have been violated by the employee of your company who stands accused. You must stop your work immediately. Do not begin your work if you have not already, and get your company to turn the hard drive and other details over to the corporate attorney.

What you must understand is that certain persons have a legal obligation to report any finding of evidence of child pornography, but that your company and its employees, in the employees' professional capacity, may not have an obligation to report to law enforcement. The company is typically allowed to simply wipe the hard drive of any computer that may have been used to view child pornography, and take whatever internal disciplinary action it deems appropriate with respect to the accused employee. Only your company's attorney can guide you properly, and you are completely wrong to want to investigate this yourself. Your company's attorney should advise you that the best thing to do is wipe the drive, and get on with the business that you are in. If you report this to law enforcement, the employee WILL go to prison. Innocent or not. If the employee goes to prison and is innocent, or is even accused publicly and is innocent, and eventually finds a way to prove his innocence, your company will be sued. The employee will win the lawsuit. Your company may go out of business over its improper handling of this incident.

Please feel free to contact me directly to discuss this matter in more detail. This is an area of criminal computer forensics with which I have much experience.

Sincerely,

Jason Coombs
jasonc () science org

-----Original Message-----
From: Edmond Chow <echow () videotron ca>
Date: Tue, 30 Aug 2005 10:27:24
To: security-basics () securityfocus com, "Beauford, Jason" <jbeauford () EightInOnePet com>
Cc: Edmond Chow <echow () videotron ca>
Subject: RE: Computer forensics to uncover illegal internet use

Good morning Jason,

Thank-you to you and all who responded to me with their ideas. I am wondering if there are any reference books available that would guide me through an investigation of this sort?

I am dealing with a case involving the viewing of child pornographic websites so I want to be careful to follow reference guidelines of some sort so that I don't end up in jail myself!

Any help that you can provide in the form of links to articles and/or books on this subject would be greatly appreciated.

Regards,

Edmond

-----Original Message-----
From: Beauford, Jason [mailto:jbeauford () EightInOnePet com]
Sent: Tuesday, August 30, 2005 8:50 AM
To: Edmond Chow; security-basics () securityfocus com
Cc: Edmond Chow
Subject: RE: Computer forensics to uncover illegal internet use

Check out INDEXVIEW.exe. Internet Explorer writes a history of all visited sites to a file labeled INDEX.DAT. This file is usually hidden. Most end users are not bright enough to research thoroughly and will not delete this file. If they use Internet Explorer as their browser, then find this file and you will have your proof.

Download INDEXVIEW here => http://superwebsearch.com/dwl/IndexView.exe

Additionally, SecurityFocus has a great article which describes what you want to do:
Part 1 (for IE): http://www.securityfocus.com/infocus/1827
Part 2 (for Firefox): http://www.securityfocus.com/infocus/1832

Good Luck.

JMB

=| -----Original Message-----
=| From: Edmond Chow [mailto:echow () gettechnologies com]
=| Sent: Friday, August 26, 2005 7:23 PM
=| To: security-basics () securityfocus com
=| Cc: Edmond Chow
=| Subject: RE: Computer forensics to uncover illegal
=| internet use
=|
=|
=| Dear List,
=|
=| I'm working on the following project and would
=| appreciate your views:
=|
=| I have been tasked with finding out if a certain
=| desktop computer was used to view pornographic sites
=| on the internet. This user has gone to great lengths
=| to try to mask his illegal activities by erasing
=| cookies, temp.
=| files and by installing anti-spyware software on his
=| computer. Are there any tools that would allow me to
=| still uncover proof that he had accessed these sites?
=|
=| So far, the tech department is telling me that he
=| did access illegal sites on only two dates but I
=| suspect that this illegal activity started many
=| months or years ago and it will be up to me to find
=| more proof.
=|
=| Also, at a network level, we know his IP address but
=| yet my technical support department is telling me
=| that they cannot (either because they don't want to
=| or because they are not technically capable of) tell
=| me what internet sites this IP address has accessed
=| in the past. Logically, there must be a point in the
=| network (on some piece of hardware) where I can
=| consult log files to track his activities? Or, is
=| there a log file that I can consult that will tell me
=| what sites all my users have accessed and from what
=| IP address?
=|
=| In terms of access to the desktop in question, I will
=| have full access as the computer will be in my
=| possession in the coming days.
=|
=| Thank-you and any help that you can provide would be
=| most appreciated.
=|
=| Regards,
=|
=|
=| Edmond
=|
=|
=|

--
No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.344 / Virus Database: 267.10.17/84 - Release Date: 8/29/2005

--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.344 / Virus Database: 267.10.17/84 - Release Date: 8/29/2005
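Edmond's network-level question in the original post (is there a single point in the network whose log files show which sites each IP address has requested) is answered in practice by the outbound web proxy or gateway, when one is in place. The following is an added example, not code from any poster in this thread, that summarizes a proxy access log per client IP: which hosts were requested, how many times, and over what span of dates. It assumes Squid's native access.log layout (unix timestamp, elapsed ms, client IP, result/status, bytes, method, URL, user, hierarchy, content type); the log lines are constructed for the example. As Jason's reply points out, such a log ties requests to an address and a time, not to a person: requests generated by spyware, pop-ups and pop-unders appear in it exactly like requests a user typed, and an address may be reassigned by DHCP, so the summary is a starting point for the people responsible for the case, not proof in itself.

```python
"""Summarize which hosts each client IP requested, from a web-proxy access log (Squid native format)."""
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample entries in Squid's native access.log layout; not data from any real system.
# fields: time elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1125401234.567    120 10.0.0.25 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1125401240.001     45 10.0.0.25 TCP_HIT/200 812 GET http://www.example.com/logo.png - NONE/- image/png
1125401300.120    230 10.0.0.31 TCP_MISS/200 14233 GET http://news.example.net/ - DIRECT/198.51.100.7 text/html
1125487700.500     90 10.0.0.25 TCP_MISS/302 0 GET http://ads.example.org/popup?id=7 - DIRECT/203.0.113.9 text/html
1125487701.800    410 10.0.0.25 TCP_MISS/200 9931 GET http://ads.example.org/page2 - DIRECT/203.0.113.9 text/html
garbage line that does not parse
"""


def parse_line(line):
    """Return (timestamp, client_ip, host) for one native-format line, or None if it does not parse."""
    fields = line.split()
    if len(fields) < 7:
        return None
    try:
        ts = datetime.fromtimestamp(float(fields[0]), tz=timezone.utc)
    except ValueError:
        return None
    client = fields[2]
    host = urlsplit(fields[6]).hostname  # host part only; query strings are not retained
    if not host:
        return None
    return ts, client, host


def summarize(log_text):
    """Aggregate per client IP: {host: {"count", "first", "last"}}; unparseable lines are skipped."""
    summary = defaultdict(dict)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, host = parsed
        entry = summary[client].setdefault(host, {"count": 0, "first": ts, "last": ts})
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return summary


def hosts_for_client(summary, client):
    """Hosts a client IP requested, most-requested first, as (host, entry) pairs."""
    return sorted(summary.get(client, {}).items(), key=lambda kv: (-kv[1]["count"], kv[0]))


def activity_span_days(summary, client):
    """Whole days between the client's earliest and latest logged request (0 if none)."""
    entries = summary.get(client, {}).values()
    if not entries:
        return 0
    first = min(e["first"] for e in entries)
    last = max(e["last"] for e in entries)
    return (last - first).days


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for ip in sorted(s):
        print(ip, "active over", activity_span_days(s, ip), "day(s)")
        for host, e in hosts_for_client(s, ip):
            print("  ", host, e["count"], e["first"].isoformat(), e["last"].isoformat())
```

Run against a real access.log, the per-host first/last timestamps are what answer Edmond's "two dates or many months" question at the network level; the same summary for every client IP, not just the one under suspicion, shows whether a host is being requested across the whole network (a typical sign of adware or pop-up traffic rather than one person's browsing).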