What to do for a client who discovers child porn on his computer (and he didn’t put it there)

Habeas Hard Drive was dismayed at the ruckus that unfolded in North Las Vegas earlier this month, when the retiring police chief revealed some details from a six-month-old child porn investigation. Police had responded last fall to Mayor John Lee’s report that he found images on his iPad he believed to be child pornography.

Everyone did just about everything wrong in this episode, if news reports are accurate. Law enforcement took a forensic copy of the hard drive, seemingly without observing the generally accepted digital forensic principle that calls for giving a copy of the disk to the other party or his attorney. Police officers then took the device to the Apple Store to be wiped.

The mayor did not receive a copy of the preserved data, and thus has been forced to face questions from the public with nothing to back up his claim that the images were delivered in an email. It’s an entirely plausible scenario, by the way, since malware attacks that plant pornography via email have recently proliferated.

Presumably, Mayor Lee thought he was doing the right thing when he reported the images to the authorities. But Habeas Hard Drive prefers a different approach for anyone in this situation. Turn the computer off, and take it directly to your attorney’s office.

There is a separate protocol for you, the attorney, should this mess land in your lap.

Child porn is the most frightening of contraband. The client in this situation is a witness to a crime, but he is also in possession, albeit passively. The law will view him as a criminal suspect. The attorney must be able to guide the process, acknowledging this jeopardy.

Habeas Hard Drive is not an attorney. The course of action prescribed here is derived from various trainings for certifications, some conducted by members of the bar.

The first task is to secure the device in a locked closet or safe, with a chain of custody document. Sit down with the client and get the details of the discovery. You need to record as much as (s)he can remember about how the images appeared, and what was depicted. It’s important to recall what the client was doing before, during, and after the discovery of the images. Checking email? Doing a web search? Reading news when pop-up boxes appeared? Details will be important to your forensic examiner.

As uncomfortable as it might be, physical descriptions are important, right down to the nitty-gritty. We’re talking body parts, how bodies were positioned, colors of hair, eyes, skin, clothing, and the setting in which the photo was taken. This could be a difficult discussion for some folks. But the details of what was depicted are critically important. Do not turn the computer on to see for yourself.

Next, locate a digital forensic expert. A digital forensic expert is someone whose training stems from the computer sciences, not necessarily from law enforcement. Avoid experts whose only certifications are from product vendors. Those experts may be knowledgeable, but may also be more committed to the product than they are to the correct solution for your particular set of facts. A skilled expert is familiar with a variety of tools and techniques, and will have credentials described at the bottom of this post. *

Review your notes with the expert, who will guide you as you reach out to your district attorney or relevant prosecution agency. Ask the D.A. to issue a subpoena describing with particularity the evidence of a crime that’s being sought. This might include email messages or the remnants of email messages bearing images of child pornography. Refer to your notes about the witness’s experience. Reject overly broad demands, such as descriptions of “any and all” documents or information.

Arrange for a forensic examination by both parties in a secure “lab.” The lab is merely a room in your office, where the door is locked, and access is limited. Entrances and exits are logged. The only persons allowed in are the attorneys and their respective experts. An examination can be conducted here, using mutually approved tools and techniques.

Should evidence be found, it needs to be encrypted so that when it leaves the lab, it doesn’t facilitate the circulation of contraband. Chain of custody documentation is critical. If law enforcement insists on seizing the device – that’s not necessary, since you are an officer of the court, but it could happen – record the make, model and serial number. These are supplied by forensic software, and appear many times in the course of the examination.

Be prepared to counter any extraneous accusations arising from exposure of stored data that was not specified in the warrant.

Of course, you are unlikely to meet a client at your door with this problem. Honest citizens aren’t inclined to respond to this event by delivering the computer to an attorney. They are much more likely to try to delete the images, which in many cases will simply make them appear guilty. Or to call their IT manager, or call the police. It’s a sad fact that these options will not often serve justice.

The big task is educating the public. Not about evading the police, but about the vulnerability every internet user faces. Cyberattacks featuring pornography and other fuel for extortion are becoming more common. Additionally, law-abiding people are generally not prepared for a situation in which they become automatically suspect when they report a crime. This is the unfortunate reality of the moment.

* A qualified digital forensic expert might have academic credentials, or might be certified by the following bodies: The SANS Institute, The International Society of Forensic Computer Examiners, or the Certified Computer Examiners. The SANS Institute is the gold standard, and in the interest of full disclosure, is one of the places Habeas Hard Drive has trained.
