RE: Careless Law Enforcement Computer Forensics Lacking InfoSec Expertise Causes Suicides
Hi Jason,
I've read your postings on this topic for the last few months on the
lists and I am really trying to understand where you are coming from. I
have no direct knowledge of any of these cases you cite. I am also not
in law enforcement, just a security consultant. These views are my own,
not of my employer. Please allow me to ask a few questions (see inline)
that I think are reasonable to further this discussion:
Site Key (U.S.) -- tens of thousands of suspects' credit card numbers
were found in the databases used by the alleged e-commerce child porn
ring, and law enforcement's careless misunderstanding of the Internet
and infosec (circa 1999) resulted in every single one of the suspects
being investigated and thousands have so far been prosecuted and
convicted.
ML: Wouldn't it be prudent, really standard practice for law enforcement
to investigate each lead out of a case like that? Since their number was
in the database, there was at least some probability that it might be a
legitimate case, and therefore enough to get a warrant to check it out.
It would seem to be a failure of duty *not* to do this. Would you want
your law enforcement to not follow up on every suspect on the murder of a
close family member?
Was your credit card number in the Operation Ore / Operation Site Key
database? How would you know unless and until you've been arrested?
ML: So are you saying that you believe a lot of innocent people have
their number in the database? I certainly agree that it is possible (if
not likely) that some credit card numbers might have come from dupes who
had no idea it was being used. There could be some where relatives were
used, maybe even credit card or identity theft. Still, I can't imagine
there are a lot of them, or if there were a lot of stolen numbers,
wouldn't that eventually be discovered? Perhaps evidence of some other
fraud with the cards? Or a pattern that many of the numbers in the
database were stolen?
Over the last few years I have seen numerous cases in which the computer
forensic evidence proves that a third party intruder was in control of
the suspect's computer. More often there is simply no way to know for
sure what might have happened between 1996 and 1999 with respect to the
computer seized by law enforcement at the time of arrest years later.
ML: I have as well - I agree that this happens a lot in hacking cases,
and certainly is possible in a CP case. To this point, though, how
likely is it that a large number of people accused of child porn have
all been targets of skilled hackers? Or if not skilled hackers, then
previously hacked machines where access was sold on the black market? I
have not heard of any such thing being prevalent, but I am not
all-knowing. So, while what you say is certainly possible - heck I
could even try to frame someone by hacking them and planting Child Porn,
it wouldn't be hard - I am not convinced that it is prevalent. For
this to be true, then there would either have to be a rash of
intelligent hacker paedophiles, or a huge black-market industry that I
haven't heard of (which is possible).
ML: To your second point, you ask what might have happened to the
computers between 1996 and 1999. I ask you - shouldn't this be well
documented through chain of custody documents maintained by the law
enforcement agencies doing the analysis? If the documentation was
shoddy, or if in fact the machines were turned on, exposed to the
internet, etc - wouldn't that be exactly what the defendant's lawyers
could seize on to get the case dismissed or won? Couldn't you get a
copy of the HD and prove with your own forensic analysis that they
booted it and connected it to the Internet?
ML: It seems as if this, and other, issues of yours are solved simply
by fighting it out in the legal system. Where is the DEFENSE attorney
in all this? Are people all getting incompetent defense attorneys? Are
they somehow being slighted within the system, such that they couldn't
point out in court that the prosecution couldn't account for the
evidence at all times? Isn't that a reasonable doubt? And therefore
enough to get acquitted in a criminal case?
If security flaws, porn spyware, or mistakes by an unskilled end user
resulted, over the years, in some child pornography being downloaded to
a suspect's hard drive, even in 'thumbnail' graphic formats and
recovered only using forensic data recovery tools that carve files out
of unallocated clusters, then the suspect is routinely charged, since
the presence of child pornography on a hard drive owned by a person who
is accused of purchasing child pornography is the best evidence law
enforcement has to prove guilt of these so-called 'electronic crimes
against children' -- crimes that are proved by the mere existence of
data, where it matters not that a suspect did not and could not have
known that the data existed on a hard drive that was in their
possession.
I ask you this question: why doesn't law enforcement bother to conduct
an analysis of the computer evidence looking for indications of
third-party intrusion and malware? Some people have indicated to me that
sometimes law enforcement actually does do post-intrusion forensics;
though this decision is entirely up to the prosecutor or forensic lab
director, and if they don't put in the time to do this they still get
their conviction so there is presently no incentive to spend hundreds of
hours analyzing large hard drives searching for evidence of intrusion
just in case one might have occurred.
ML: I agree, law enforcement should conduct this analysis, preferably
prior to getting the prosecutor to bring a case. But here again, isn't
it really the job of the defense to conduct this investigation?
Wouldn't the defense get a chance to bring in their own forensic person
to do an investigation? There are plenty of talented analysts that
could find malware, should it exist, and bring even more doubt on the
prosecution's case. Granted, you might not get an image with all the
pictures that were considered child porn, but you should get something.
A substantial factor in the answer to this question is that it is nearly
impossible to know what might have happened to a computer over the
years, and most computers are used by more than one end user to begin with.
Not only is there no way to differentiate
Every person convicted of an electronic crime against a child based only
on evidence recovered from a hard drive that happened to be in their
possession should be immediately released from whatever prison they are
now being held.
ML: Isn't that a little extreme? I am quite sure there were a good
many folks who were flat out guilty. Were you privy to each and every
case's details? If not, how could you recommend this? I understand
the idea that "it is better for 10 guilty men to go free than one
innocent man go to jail" but here again, where is the defense? Who is
appealing for the people? There should be an appeal process where they
could have yet again a chance to contest the prosecution's case on a
technicality such as "my machine was hacked". Is there some major error
in the system that justifies letting known paedophiles go free? If so,
I haven't yet heard it.
Law enforcement must be required to obtain Internet wiretaps, use
keyloggers and screen capture techniques, and conduct other
investigations of crimes-in-progress, because the current approach to
computer forensics being taught by vendors such as Guidance Software
(www.encase.com) and others (who just happen to sell products designed
to analyze and search hard drives) makes the outrageous assertion that a
person can be proven guilty of a crime based only on data that is found
on a hard drive in their possession.
ML: how are these two things connected? Wiretaps are a different issue
than forensics of storage media. How does what Guidance Software tells
anyone change the protections of privacy (e.g. requiring a warrant) to
do most wiretaps?
There is simply no way for law enforcement to know the difference
between innocent and guilty persons based on hard drive data
circumstantial evidence. Something must be done to correct this misuse
of computer evidence, and whatever that something is, it is clear that
only an information security organization is going to be able to explain
it to law enforcement and legislators.
ML: I agree, there is no way to know for sure, which is why the
prosecution has to make a case and present it convincingly. Computer
data being what it is (largely circumstantial) the onus is on the
prosecution to prove the case. Jurors have to attest, in criminal
cases, to a high level of confidence in guilt. Again, where is the
defense?
ML: In fact, I would argue a somewhat different angle. While I agree
that law enforcement does need to advance in understanding hacking
incidents, I would argue that this is actually due to the relatively
young state of the industry. This immaturity in the industry is *also*
a detriment to law enforcement. I think that because there is so little
standardization, and mutually agreed-upon best practices (as I am
guessing you might agree) that in fact the defendant has the advantage
in the criminal cases. Wouldn't it, in fact, be very easy to raise
doubt in the cases of forensic investigators in a lot of cases?
Wouldn't that shadow of a doubt of "my computer was hacked, it wasn't
me" be a powerful tool with a jury? There seems to be a lot of doubt
about the industry in general, and until there can be a common set of
agreed-upon best practices for computer forensics and law enforcement,
it actually makes the job harder for the cops.
ML: Based on all of this, I'm not yet convinced by your arguments
(though I look forward to clarification from you to possibly change
this) that the system really is slanted that terribly against the
defendant. Unless there is some systemic problem that bypasses the
intent of due process, I don't see how it is that much different from
other types of crime in its prosecution.
Regards,
Mark Lachniet
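The thread turns on what "files carved out of unallocated clusters" actually give an examiner, and on whether a second party can re-run the analysis on a copy of the drive. The following is an added example, not part of the original e-mail exchange and not code from any product named in it (Guidance Software's EnCase or otherwise). It is a minimal header/trailer carver for JPEG data run over a constructed byte string standing in for a raw disk image; the image contents, offsets and the `max_len` limit are assumptions made for the illustration. What it shows is that a carved object comes with an offset, a length and a hash only: no path, no owner, no timestamps and nothing that says which user or process wrote the bytes, which is exactly the gap the discussion is about. It also shows the edge case of a header with no trailer (a partially overwritten fragment), which a careless carver would glue onto the next picture.

```python
import hashlib
from dataclasses import dataclass
from typing import List

# JPEG start-of-image marker (FF D8 followed by the next segment's FF)
# and end-of-image marker (FF D9).
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"


@dataclass
class CarvedObject:
    """What a carver can actually say about a hit: where it is, how long,
    what it hashes to, and whether a trailer was found. Nothing about
    who or what put it there."""
    offset: int
    length: int
    complete: bool
    sha256: str


def sha256_hex(data: bytes) -> str:
    """Hash used both for the carved objects and for verifying a copy of
    the image against the one the other side analysed."""
    return hashlib.sha256(data).hexdigest()


def carve_jpegs(image: bytes, max_len: int = 10 * 1024 * 1024) -> List[CarvedObject]:
    """Scan a raw image for JPEG SOI markers regardless of any file system.

    A hit is reported as complete when an EOI marker follows it before the
    next SOI and within max_len bytes.  Otherwise the bytes up to the next
    SOI (or max_len) are reported as an incomplete fragment, so a truncated
    picture is never merged with the one that follows it.  max_len is an
    assumed cap, not a standard.
    """
    results: List[CarvedObject] = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            break
        body_from = start + len(JPEG_SOI)
        end = image.find(JPEG_EOI, body_from)
        next_soi = image.find(JPEG_SOI, body_from)
        trailer_missing = end < 0 or end - start > max_len
        header_before_trailer = 0 <= next_soi < end if end >= 0 else False
        if trailer_missing or header_before_trailer:
            # Header with no usable trailer: carve only up to the next header
            # (or the size cap) and flag it as a fragment.
            frag_end = next_soi if next_soi >= 0 else min(len(image), start + max_len)
            data = image[start:frag_end]
            results.append(CarvedObject(start, len(data), False, sha256_hex(data)))
            pos = frag_end
            continue
        end += len(JPEG_EOI)
        data = image[start:end]
        results.append(CarvedObject(start, len(data), True, sha256_hex(data)))
        pos = end
    return results


def build_sample_image() -> bytes:
    """Constructed stand-in for a raw image (assumption, not real evidence):
    a complete JPEG, then filler, then a JPEG header whose body was
    overwritten, then a second complete JPEG.  No file system structures
    at all, which is the situation for data in unallocated clusters."""
    jpeg_a = b"\xff\xd8\xff\xe0" + b"JFIF" + b"\x00" * 16 + b"\xff\xd9"    # 26 bytes
    fragment = b"\xff\xd8\xff\xe0" + b"\x01" * 8                              # 12 bytes, no EOI
    jpeg_b = b"\xff\xd8\xff\xdb" + b"\x02" * 32 + b"\xff\xd9"               # 38 bytes
    return (b"\x00" * 512      # offsets 0..511
            + jpeg_a           # 512..537
            + b"\x41" * 100    # 538..637
            + fragment         # 638..649
            + b"\x00" * 64     # 650..713
            + jpeg_b)          # 714..751


def report(objs: List[CarvedObject]) -> List[str]:
    """One line per hit; note what is absent from every line."""
    return [
        f"offset={o.offset} length={o.length} "
        f"{'complete' if o.complete else 'FRAGMENT'} sha256={o.sha256[:16]}..."
        for o in objs
    ]


if __name__ == "__main__":
    img = build_sample_image()
    print("image sha256:", sha256_hex(img))   # compare against the other side's copy
    for line in report(carve_jpegs(img)):
        print(line)
```

The fragment at offset 638 is reported as 76 bytes (the header plus the zeroed area that follows it) because the carver has no way to know where the overwritten picture really ended; a tool that simply searched forward for the next FF D9 would instead produce one 114-byte "picture" spanning two unrelated objects. Either way, the output carries no attribution: whoever receives a copy of the image can reproduce the same offsets and hashes, which supports the point that a defence analyst can redo the carving, but none of it says who caused the bytes to be written.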