Wednesday, June 27, 2007

Where is the science?

Well it's happened again. First a case in Pennsylvania, now a case in Georgia

What I'd like to know is where is the science that would prove that someone knowingly stored these images. To quote one of the judges in the panel "It's not enough, wrote Miller for the panel, to prove a defendant has pornographic images in the inaccessible cache files of his computer."

This is yet another failure of the experts and prosecution to make their case in a clear and concise manner that is backed by something other than "well my super-duper automated toolkit found these images in the temporary internet files directory."

Folks, this has got to stop. It's time we find a solution to the following claims:

...arguing that the state hadn't shown he knowingly possessed the images because he hadn't taken any affirmative action to store the photos on his computer, was unaware the computer had automatically saved the images and had no ability to access the saved images.

We need something scientific that would prove that the only way one could store those images is knowingly, and unless deleted, he had the ability to access the saved images - without special software. If we can't do this, then we might as well pack it up and find new jobs.

Thoughts welcome.


Mark McKinnon said...

After reading the reading the write up on from the case in Georgia one of the things that perturbed me was the following

"...couldn't retrieve the images again without special software"

Now going into IE (Yes I will assume that is what he was using) you can easily view any of the files that were downloaded. Al you have to do is go to Tools / Internet Option / Settings button under the Temporary Internet Files / view file .

This bings up a explorer window with all your cached files that you can view, copy, delete, etc..

Now another question to ask was if any settings had been changed in IE for example the amount of disk space to use for caching or the number of days of history to keep.

If any of these settings had been changed then I would certainly think the user would have a little more knowledge then the casual browser user.

Now for the Science part. If we created a base line of our applications (a clean generic install) we can then compare our generic clean application to a suspects application on a hard drive. We can then conclude certain things using these comparisons, now this will not work for everything but it will work for somethings.

If we do this for Internet Explorer what would we compare. The directories that it writes to, or the number of days it keeps history, or the security settings, etc...?

Another thing we also need to do is learn our applications. Now I know there are a lot of applications out there to learn and try and keep up with but that is what we have a community for so that we do not need to know every application. Hogfly has some apps he knows, harlan has apps he knows and so on. By passing out this information and sharing in the community we make ourselves stronger.

Now for all the lurkers out there that do not think they have anything to contribute here is what you can do. See if there is some Application out there you have access to and document the hell out of it, IE: places where files are stored, what kind of file format does it use, what security is needed for it, etc... Then publish your findings to the group and see if anyone else can add value to it or use it.

Hopefully this all made sense it is kinda late here.


Keydet89 said...

A couple of things...

First, don't expect to read about "science" in something like these articles, even from

Second, given the circumstances, "special software" could mean anything.

So, basically, it would appear that these cases were investigated, and the argument is about knowingly storing images when the user claims to have no idea that the browser caches files. Welcome to the World, my friend! I tell my friends that, and they don't remember that I told how can we expect another Joe User (who happens to be looking at CP) to know?

Rather than poo-poo'ing the lack of "science", maybe this is a better example of where the law needs to be updated; after all, even though the defendant claims to not have knowingly stored the files, they were still viewed...


Bill said...

In reading the article, I assumed that this had less to do with bad forensics, and more to do with the state of the law. In the Federal system, there are judicial decisions that state that merely browsing CP images is not knowingly possessing the images. The reasoning is that most people do not know that they retain, or do not intentionally retain, images when they are web surfing so the issue is one of intent to possess. Many states are still establishing case law regarding CP possession and a number allow convictions based on browsing history alone, but it seems that the court in GA was moving more towards the Federal interpretation of possession of CP images.

It is unfortunate, but I suspect that this will continue to happen in the states. You don't see any of these issues in the Federal courts any more because the issue has already been put to bed. United States Attorney's offices won't take a case unless the defendant knowingly stored the images.

I agree with Harlan that this area of the law needs to be revisited; there is no reason that it should not be unlawful to view CP, but someone would have to change the law (at least at the federal level).

Dave said...

Mark implied that, if default IE settings have been changed, a user has more knowledge than a casual browser and I'd agree with that. However, as computer usage and internet access are increasing ever more rapidly, isn't it likely that "Joe Doe" will become more computer literate? The inference that I drew from Mark's comment was that more knowledge about changing IE settings may make the user more likely to have done so for an illicit reason, rather than simply wanting to get "under the hood" of an application to see what can be tweaked.

I am heartened by Mark's comment for lurkers to get involved. I am one such lurker - a keen amateur, rather than a professional. I suppose that I am somewhat daunted in the presence of what I have come to realise are such well-known names in the field that any contribution that I might offer the community wouldn't be worth a grain of salt. Maybe I will start to get more involved!

As for these cases, I don't know details of US law because I'm not a US citizen so can't add anything further.

Mark McKinnon said...


At one point I was a lurker like you and an amateur. I then took the bold step forward and here I am. If you have a idea but are not sure about it then send a private email to someone stating you did not want to send it to the group but would you mind taking a look at this. A lot of the people are pretty approachable and good about helping others out and they can hopefully help to get you more involved.

You have taken the first step in getting involved by posting keep up the good work, hope to see more posts from you in the future.


hogfly said...

Not "knowingly" storing these images strikes me as something on par with diminished capacity arguements. Forensics is so mainstream now that this information is a given.


I agree that the laws are poorly written, but it highlights the lack of scientific proof that's generated in these cases because they have nothing other than an automated toolkit that finds these images. There is a lack of deeper understanding and ability to explain the findings. This is where the application of science to digital forensics (creating what the DFRWS called Digital Forensic Science) is critical. We can't continue to function as an IT industry going to court trying to prove stuff based on conjecture.

I wouldn't say I'm poo-pooing the lack of science, rather I'm calling for the application of it. There are poorly written laws all over the place and criminals still get successfully prosecuted.

This isn't a case of bad forensics?
The agent said the files' existence meant that Barton had viewed the images on the Internet but hadn't taken any additional steps to save them on his computer -- and couldn't retrieve the images again without special software he didn't have.

Come on...special software? Who the heck says that as an expert? If the files were deleted that proves knowledge of the files - that is the ONLY time you need "special software" to recover them If the files are not deleted, then as Mark points out - they are easily recovered by browsing the directory structure..

"Who knows what kind of computer malady would break loose," said Ripper, who tried the case with LaFayette attorney Mary Jane P. Melton. "Maybe he's just being splattered with pop-ups."

There are a few more examples of implications of poor forensics in the article. These issues didn't seem to be addressed by the forensic examiner.

Mark McKinnon said...

To hogfly's point about the "deeper understanding" here are two earlier posts on my blog and his respectively:


Keystone Kops

The automated tools are great but if we do not have a understanding of what is going on and why then these kind of stupid decisions are made into law.

As an example in my life as a database administrator the company I was working for was looking to hire another DBA. When all the canidates came one of the first things we would do is tell the canidate we do not use any automated tools like "Toad" or "Oracle enterprise manager". We would then ask them what they would do in certain situations. The blank look on there faces said it all (we never filled that position).

In one of the cyberspeak podcasts I remember Ovie and Bret stating that when they would look to hire someone they would sit them down in front of a computer and tell them to acquire an image. Now how many people failed that small test which no one calling themselves a forensic examiner should ever fail.


hogfly said...

If the files were deleted that proves knowledge of the files

I need to edit this statement...
If the files were deleted and the configuration for temp internet files is different than the default then it proves knowledge of temporary internet files and therefore should constiture knowingly storing CP files.

Bill said...


This isn't a case of bad forensics?
The agent said the files' existence meant that Barton had viewed the images on the Internet but hadn't taken any additional steps to save them on his computer -- and couldn't retrieve the images again without special software he didn't have.

I'm just not willing to say that someone did "bad forensics" based on a reporters interpretation of an event/conversation that he is interpreting. I've been on the other side of a reporter's interpretation, and I know how "facts" reported are often not the "facts on the ground." I'm not saying that what was done was right, or that the exam/examiner did a good job either, but I just think it's a stretch to take a news article, which may (or may not be) quoting a judge's interpretation, or testimony elicited on cross examination, or a reporter's interpretation of a judge's opinion that was gathered from a witnesses testimony, and call that bad work. It's entirely possible that the information has been interpreted two or three times before you read it.

Reading the article, it seems that the article itself was based on a judicial ruling on appeal, so that would mean that the judges' interpretation was based solely on the record, so we have 1. Appeals court judges interpreting and writing about 2. the written record of a trial that was 3. based on testimony that may have been elicited on cross examination and then 4. interpreted by a reporter.

That just doesn't hold sufficient credibility with me to say that the agent did a bad job either testifying or doing a forensic exam. It doesn't give me enough to say that the exam was done right either. It could be either one, but courts aren't about either side getting to tell the truth, and appeals are about issues of law. It still seems to me that the judges were following what a lot of other courts have been doing; namely, prohibiting the government from prosecuting people for browsing CP images. Whatever their reasoning, it may well have been a flawless examination and they latched on to a statement on cross that would support their arguement. Again, I don't think that anyone can say one way or the other without taking a closer look at the record, or knowing more about the case.

The only things that I'm sure of is that I've sat in a number of courtrooms, and the questioning was rarely two-sided - and I've spoken to a number of reporters where I've said that "the sky is blue" only to have them report that the "sky was falling." ;-)

hogfly said...

Great points Bill. All well received.

Jim Gordon said...

In the UK we have a stated case of R V Jayson which covers such occurances. "In Jayson [2002] EWCA Crim 683, the defendant was prosecuted on the basis of child abuse images found on his computer in the temporary cache created by his Internet browser application. On appeal, defence counsel argued that the concept of a ‘photograph’ under the Protection of Children Act 1978 required that the image be stored for subsequent retrieval, which it was agreed was not the case in respect of the temporary cache. In contrast to the earlier decision in Atkins [2000] 2 All ER 425, the defendant was aware of the caching function within the browser application. However, the court held that the mere act of knowingly downloading an illegal image constituted a form of ‘making’ under the 1978 Act, irrelevant of the period of time for which it was held and whether it was for subsequent retrieval".

There are several other judgements which may be of interest to readers across "the pond".

Anonymous said...

comments reading in new window is a big pain.. can you please change it??