This is a presentation I delivered to the Federal Defenders Program for the District of Indiana (N.D.) on December 18, 2013. It is a 6-hour CLE presentation covering the following topics: overview of the law of child pornography, methods of distribution, digital investigations, hash values, trial issues, and the ethics of client data.

1. Digital Forensics and
Child Pornography
Frederick S. Lane
Federal Defenders Program, D. Ind. (N.D.)
Plymouth, IN
18 December 2013
www.FrederickLane.com
www.ComputerForensicsDigest.com
1

2. Seminar Overview
• Introduction and Overview
• Digital Technology and CP
• Digital Investigations
• Hash Values and Image Integrity
• Defending Child Pornography
Cases
• The Ethics of Client Data
www.FrederickLane.com
www.ComputerForensicsDigest.com
2

3. Introduction and Overview
• Background and Expertise
• What Is Child
Pornography?
• Digital Technology and the
Spread of Child
Pornography
www.FrederickLane.com
www.ComputerForensicsDigest.com
3

4. Background and Expertise
• Attorney and Author of 7
Books
• Computer Forensics
Expert -- 15 years
• Over 100 criminal cases
• Lecturer on ComputerRelated Topics – 20+
years
• Computer user
(midframes, desktops,
laptops) – 35+ years
www.FrederickLane.com
www.ComputerForensicsDigest.com
4

5. What Is Child Pornography?
• Federal Laws
• State Laws
• Indiana CP Laws
• International Law
www.FrederickLane.com
www.ComputerForensicsDigest.com
5

6. Federal CP Laws
• 18 U.S.C. c. 110 – Sexual
Exploitation and Other Abuse
of Children
• 18 U.S.C. § 2251 – Production
• 18 U.S.C. § 2252 – Possession,
Distribution, and Receipt
• 18 U.S.C. § 2256 -- Definitions
www.FrederickLane.com
www.ComputerForensicsDigest.com
6

7. “Child Pornography”
18 U.S.C. § 2256(8): “any visual depiction, including
any photograph, film, video, picture, or computer or
computer-generated image or picture, whether made
or produced by electronic, mechanical, or other
means, of sexually explicit conduct, where—
(A) the production of such visual depiction
involves the use of a minor engaging in sexually
explicit conduct; [or]
(B) such visual depiction is a digital image,
computer image, or computer-generated image that is,
or is indistinguishable from, that of a minor engaging in
sexually explicit conduct; or
(C) such visual depiction has been created,
adapted, or modified to appear that an identifiable
minor is engaging in sexually explicit conduct.”
www.FrederickLane.com
www.ComputerForensicsDigest.com
7

8. Other Relevant Definitions
• “Minor” [18 U.S.C. § 2256(1)]: <18
• 18 U.S.C. § 2257: Record-keeping requirements
• “Sexually Explicit Conduct” [18 U.S.C. § 2256(2)(A)]:
• (i) sexual intercourse, including genital-genital, oral-genital, anal-genital,
or oral-anal, whether between persons of the same or opposite sex;
• (ii) bestiality;
• (iii) masturbation;
• (iv) sadistic or masochistic abuse; or
• (v) lascivious exhibition of the genitals or pubic area of any person.
• Slightly Different Definitions for Computer Images [18
U.S.C. § 2256(2)(B)]
www.FrederickLane.com
www.ComputerForensicsDigest.com
8

9. NCMEC
• “National Center for Missing and
Exploited Children”
• Created by Congress in 1984
• Child Recognition and
Identification System – database of
hash values of CP images
• Child Victim Identification
Program
www.FrederickLane.com
www.ComputerForensicsDigest.com
9

10. State CP Laws
• All 50 states have their own CP laws
• Age of minority varies: 16 (30
states); 17 (9 states); and 18 (12
states)
• Prosecution can be federal or state,
or both.
• Can include “harmful to minors”
standard (states only)
www.FrederickLane.com
www.ComputerForensicsDigest.com
10

11. Indiana CP Laws
• Ind. Code, tit. 35, art. 42, ch. 4, § 4 –
Child exploitation; possession of CP
• Ind. Cod, tit. 35, art. 49, chs. 1-3 –
Obscenity and Pornography
• Ind. Code § 35-49-3-1 – Distribution
is a Class D felony if person
depicted is or appear to be < 16.
www.FrederickLane.com
www.ComputerForensicsDigest.com
11

12. Ind. Code § 35-49-1-4, -9
•
“Minor”:
•
•
Anyone under age of 18 (increased penalties if individual is
or appears less than <16).
“Sexual Conduct”:
• (1) sexual intercourse or deviate sexual conduct;
• (2) exhibition of the uncovered genitals in the context of
masturbation or other sexual activity;
• (3) exhibition of the uncovered genitals of a person under
sixteen (16) years of age;
• (4) sado-masochistic abuse; or
• (5) sexual intercourse or deviate sexual conduct with an
animal.
www.FrederickLane.com
www.ComputerForensicsDigest.com
12

13. International CP Laws
• Over last 7 years, 100 countries
have adopted new CP laws
• 53 countries still have no CP law
at all
• International Center for Missing
and Exploited Children
• 2012 Child Pornography Model
Laws: http://bit.ly/19eWJPz
www.FrederickLane.com
www.ComputerForensicsDigest.com
13

14. End of Section One
www.FrederickLane.com
www.ComputerForensicsDigest.com
14

15. Digital Technology and CP
A Brief Background
Digital Production of CP
Digital Distribution of CP
Digital Consumption
(Receipt and Possession)
• Societal Changes
•
•
•
•
www.FrederickLane.com
www.ComputerForensicsDigest.com
15

16. A Brief Background
•
1978: Protection of Children Against Sexual
Exploitation Act
•
1982: New York v. Ferber – Upholding state
law banning child pornography
•
1984: Child Protection Act (prohibiting noncommercial distribution)
•
1992: Jacobson v. United States – Postal
Service entrapment
•
2000: Poehlman v. United States – FBI
entrapped defendant after lengthy email
correspondence
www.FrederickLane.com
www.ComputerForensicsDigest.com
16

17. Digital Production of CP
• Scanners
• Digital Cameras (still and
video)
• Cameraphones (dumb and
smart)
• Web cams
www.FrederickLane.com
www.ComputerForensicsDigest.com
17

18. Digital Distribution of CP
• One-to-One
• Sneakernet
• E-mail / Personal File-Sharing
• Instant Messaging / Chat Rooms
• One-to-Many
•
•
•
•
Newsgroups and Forums
Peer-to-Peer Networks
Torrent Networks / File-Hosting
Underground Web Sites
www.FrederickLane.com
www.ComputerForensicsDigest.com
18

19. Digital Consumption of CP
• Producer of CP may be in
possession without having
“received” it
• Defendant may be in “receipt” of
CP without “knowingly”
possessing it
• The challenges of determining
“intentionally” and “knowingly” in
the context of Internet activity
www.FrederickLane.com
www.ComputerForensicsDigest.com
19

20. Societal Changes
• Computers and the
Internet
• The Democratization of
Porn Production
• “Porn Chic”
• The “Selfie”
www.FrederickLane.com
www.ComputerForensicsDigest.com
20

21. End of Section Two
www.FrederickLane.com
www.ComputerForensicsDigest.com
21

22. Digital Investigations
• Discovery of Possible Child
Pornography
• The Role of IP Addresses
• Intro to Computer
Forensics
www.FrederickLane.com
www.ComputerForensicsDigest.com
22

23. Discovery of Possible CP
•
•
•
•
•
Angry Spouse or Girlfriend
Geek Squads
Chat Rooms
Hash Flags
P2P and Torrent
Investigations
• Server or Payment Logs
www.FrederickLane.com
www.ComputerForensicsDigest.com
23

24. Overview of IP Addresses
• Assigned to Every InternetConnected Device
• Two Flavors:
• IPv4: 196.172.0.1
• IPv6:
2001:0db8:85a3:0042:1000:8a2
e:0370:7334
• Leading to “Internet of Things”
www.FrederickLane.com
www.ComputerForensicsDigest.com
24

25. IP → Physical Address
• Ranges of IP Addresses
Assigned to ISPs by Internet
Assigned Numbers Authority
• Online Tools to Look Up ISP
• Dynamic vs. Static
• Subscriber Records Show
Date, Time, IP Address,
Limited Activity
www.FrederickLane.com
www.ComputerForensicsDigest.com
25

26. Limitations of IP Addresses
• Links Online Activity to
Device, Not Necessarily a
Specific User
• Data May Not Be Available
from ISP
• Possibility of War-Dialing
www.FrederickLane.com
www.ComputerForensicsDigest.com
26

27. Intro to Computer Forensics
•
•
•
•
Increasingly Specialized
Forensics Procedures
Forensics Software
A Typical Forensics
Report
www.FrederickLane.com
www.ComputerForensicsDigest.com
27

28. Increasingly Specialized
• Computer Forensics
• Windows
• Mac OS
• Linux
• Network Forensics
• Mobile Forensics
• Dozens of Mobile OSs
• Hundreds of Models
• Cloud Forensics
• Many Questions, No Clear Answers
www.FrederickLane.com
www.ComputerForensicsDigest.com
28

29. Forensics Procedures
•
•
•
•
•
•
Field Previews
Mirror Images
Hash Values
Staggering Amounts of Data
Chains of Custody
2006: The Adam Walsh Act
www.FrederickLane.com
www.ComputerForensicsDigest.com
29

30. A Typical Forensics Report
• There should be at least two
reports:
•
•
•
•
•
• Acquisition
• Evaluation of Evidence
Bowdlerized
Detailed procedures
Hash value checks
Bookmarks of possible contraband
Evidence of user ID
www.FrederickLane.com
www.ComputerForensicsDigest.com
30

31. End of Section Three
www.FrederickLane.com
www.ComputerForensicsDigest.com
31

32. Hash Values & Image Integrity
• Not Your Mother’s Hash
• The Role of Hash Values in
Computer Forensics
• The Growing Use of Hash
Flags
• P2P Investigations Using Hash
Values
www.FrederickLane.com
www.ComputerForensicsDigest.com
32

33. Not Your Mother’s Hash
• Cryptograhic Hash Values
• Relatively Easy to Generate
• Extremely Difficult to Determine
Original Data from Hash Value
• Extremely Difficult to Change Data
without Changing Hash
• Extremely Unlikely that Different Data
Will Produce the Same Hash Value
www.FrederickLane.com
www.ComputerForensicsDigest.com
33

34. Complex Explanation (1)
• The word DOG can be represented in
different ways:
•
•
Binary: 010001000110111101100111
Hexadecimal: 646f67
• A hash algorithm converts the
hexadecimal value to a fixed-length
hexadecimal string.
•
•
SHA-1:
e49512524f47b4138d850c9d9d85972927
281da0
MD5:
06d80eb0c50b49a509b49f2424e8c805
www.FrederickLane.com
www.ComputerForensicsDigest.com
34

35. Complex Explanation (2)
• Changing a single letter changes
each value.
• For instance, the word COG
produces the following values:
• Binary: 010000110110111101100111
• Hexadecimal: 436f67
• SHA-1:
d3da816674b638d05caa672f60f381ff
504e578c
• MD5:
01e33197684afd628ccf82a5ae4fd6ad
www.FrederickLane.com
www.ComputerForensicsDigest.com
35

36. Simple Explanation
Oatmeal-Raisin
Cookies
OatmealChocolate Chip
Cookies
www.FrederickLane.com
www.ComputerForensicsDigest.com
36

37. Evidence Integrity
•
Acquisition Hashes
•
Creation of Mirror Images
•
Verification of Accuracy of Mirror Images
•
Use of “Known File Filter”
•
•
•
Hashkeeper
National Software Reference Library
NCMEC CVIP Database
www.FrederickLane.com
www.ComputerForensicsDigest.com
37

38. Growing Use of Hash Flags
• Child Protection and Sexual Predator
Act of 1998
• 2008: ISPs Agree to Block Access to
Known Sources of CP and to Scan for
NCMEC Hash Values
• SAFE Act: Requires ISPs and OSPs to
Turn Over Subscriber Info If Known
CP Is Identified
www.FrederickLane.com
www.ComputerForensicsDigest.com
38

39. P2P Hash Values
• Basic Operation of Peer-toPeer Networks
• Decentralized Distribution
• Gnutella and eDonkey
• Client Software
• Hash Values Associated with
Each File
www.FrederickLane.com
www.ComputerForensicsDigest.com
39

40. Automated P2P Searches
• “Peer Spectre” or “Nordic Mule”
Scans for IP Addresses of Devices
Offering to Share Known CP Files
• IP Addresses Are Stored by TLO in
Child Protection System
• Officers Conduct “Undercover”
Investigations by Reviewing
Spreadsheets of Hits in CPS
www.FrederickLane.com
www.ComputerForensicsDigest.com
40

41. Growing Defense Concerns
• No Independent Examination of
Proprietary Software
• Very Little Information Regarding TLO or
CPS
• Peer Spectre May Generate False Hits Due
to Normal Operation of P2P Clients
• Search Warrant Affidavits Fail to Mention
Role of TLO or CPS
www.FrederickLane.com
www.ComputerForensicsDigest.com
41

42. End of Section Four
www.FrederickLane.com
www.ComputerForensicsDigest.com
42

43. Defending CP Cases
• Determining Age of Person
Depicted
• Pre-Trial Issues
• Trial Issues
• Typical Defenses in CP Cases
[Some More Viable than Others]
www.FrederickLane.com
www.ComputerForensicsDigest.com
43

44. Determining Age
Is expert testimony need?
Tanner Stage: Outmoded?
Role of environmental factors
Bait and switch
Defendant’s subjective belief
is irrelevant
• Prosecutors prefer clear cases
•
•
•
•
•
www.FrederickLane.com
www.ComputerForensicsDigest.com
44

45. Pre-Trial Issues
• Retaining a Defense Expert
• Deposition of Government
Experts
• Motion(s) to Produce
• Motion(s) to Suppress or
in limine
www.FrederickLane.com
www.ComputerForensicsDigest.com
45

46. Trial Issues
• Should There Be a
Trial?
• Motion(s) in limine
• Cross-Examination of
Government Expert
www.FrederickLane.com
www.ComputerForensicsDigest.com
46

47. Typical Defenses (1)
• Lack of Possession or Receipt
• Mere Browsing
• The Phantom Hash
• Accident or Lack of Intent
• Ignorance or Mistake as to Age
• Not a Real Child / Morphed /
Computer-Generated
www.FrederickLane.com
www.ComputerForensicsDigest.com
47

48. Typical Defenses (2)
• Multiple Persons with Access
to Device
• Used Equipment with PreExisting CP
• Viral Infection
• Planting of Evidence by Spouse
or Police
• Entrapment
www.FrederickLane.com
www.ComputerForensicsDigest.com
48

49. End of Section Five
www.FrederickLane.com
www.ComputerForensicsDigest.com
49

50. The Ethics of Client Data
• Client Data in the Office
• Client Data in the Home
• Client Data in the Cloud
• Client Metadata
• CP-Specific Issues
www.FrederickLane.com
www.ComputerForensicsDigest.com
50

51. Client Data in the Office
• Physical Security
•
Locks
•
Supervision of Visitors
• Electronic Security
•
Logins and Passwords
•
Screensavers
• Authorized Users
• Backup(s)
www.FrederickLane.com
www.ComputerForensicsDigest.com
51

52. Client Data in the Home
• Should It Even Be There?
• How Does It Get There?
• Physical Security
• Encryption?
• Who Has Access to the
Device(s)?
www.FrederickLane.com
www.ComputerForensicsDigest.com
52

53. Communicating with Clients
• Is It Ethical to Use E-Mail?
• Understanding How E-Mail
Works
• Ethics of Automatic Robot
Scanning
• Is HTTPS Sufficient?
• Secure E-Mail Alternatives
www.FrederickLane.com
www.ComputerForensicsDigest.com
53

54. Client Data in the Cloud
• Brief Overview of Types of
Cloud Services
• The Ethics of Cloud Storage
• The Ethics of Cloud
Collaboration
• Discovery in the Cloud
www.FrederickLane.com
www.ComputerForensicsDigest.com
54

55. The Ethics of Metadata
• What Is Metadata?
• Who Knows What Metadata Lurks in a
File?
• Don’t Accidentally Release Metadata
• Can I Use Someone Else’s
Accidentally-Released Metadata?
• Should I Affirmatively Ask for
Metadata During Discovery, and Can I
Get It?
www.FrederickLane.com
www.ComputerForensicsDigest.com
55

56. CP-Specific Issues
• Rule #1: Do Not Obstruct Justice
• Rule #2: Minimize Handling and
Isolate Device(s)
• Rule #3: If Identifiable Victim, Review
Mandatory Reporting Requirements
[Ind. Code § 31-33-5-1]
• Rule #4: Never Re-Distribute
• Rule #5: Hire an Expert
www.FrederickLane.com
www.ComputerForensicsDigest.com
56

57. End of Section Six
www.FrederickLane.com
www.ComputerForensicsDigest.com
57

58. Slides and Contact Info
• Download a PDF of slides
from:
SlideShare.net/FSL3
• E-mail or Call Me:
FSLane3@gmail.com
802-318-4604
www.FrederickLane.com
www.ComputerForensicsDigest.com
58

59. Digital Forensics and
Child Pornography
Frederick S. Lane
Federal Defenders Program, D. Ind. (N.D.)
Plymouth, IN
18 December 2013
www.FrederickLane.com
www.ComputerForensicsDigest.com
59