
Monday, August 27, 2007

A reversal of fortunes

In my "Where is the science?" entry I questioned the decisions in two child pornography possession cases and argued that our ability as examiners to find images is simply not enough. In an interesting reversal on the Diodoro case, the Pennsylvania Superior Court decided that viewing images is in essence exerting control over, or possession of, CP.

To quote the article:
"[Diodoro's] actions of operating the computer mouse, locating the Web sites, opening the sites, displaying the images on his computer screen, and then closing the sites were affirmative steps and corroborated his interest and intent to exercise influence over, and, thereby, control over the child pornography,

He added that while Diodoro was viewing the pornography, he had the ability to download, print, copy or e-mail the images."

Wow, now that is actually an interesting way of looking at things. That you have the image displayed on screen means you have the ability to do something to or with it, and therefore you have control over the image.

Here's how I'm viewing this...

If I am viewing an image, it's true that I can do what I wish with it, except modify the original as displayed on the website. I am in possession of a digital copy of the original, which is as good as the original file as displayed on the website.

The copy that has been automatically downloaded to my computer's temporary internet cache and is being displayed is under my possession and control at the point in time when I am viewing the image. My actions (visiting the website willingly, and possibly expanding a thumbnail image) affirm the fact that I wanted to view the image and therefore I have the ability to exert control over it; I have the ability to manipulate the image as I see fit - which is to say I can save, copy, email, print, crop it, etc.

Let's hope that other courts can use this during prosecution of these types of cases, where the law states that anyone who "possesses or controls" these images is guilty. Chalk one up for the good guys.

Thoughts?

Tuesday, February 20, 2007

Digital crime scene walkthrough

I was recently fishing through myriad sites related to criminology and crime scene processing for criminalistics folks and decided to take a peek at the technical working group for crime scene investigation documents. I came across Crime Scene Investigation: A Guide for Law Enforcement on the FBI's site and decided to read a bit of it. Note that this is different from what the DOJ put out for electronic crime scene investigation. One of the more interesting sections in the CSI document is that not only are CSIs directed to conduct a "walk through", they are encouraged to do so. The principle listed in section 2 on page 20 states "the scene walk through provides an overview of the entire scene, identifies any threats to scene integrity and ensures protection of physical evidence". Compare that to traditional digital crime scene teachings that say "if it's off, leave it off. Don't do anything to modify the scene. If it's on then pull the plug and wait for the expert to arrive".

Locard teaches us that transference is a natural by-product of interacting with crime scenes and evidence. "Real world" CSIs therefore modify the crime scene as they walk through it and process the scene and the evidence. The key to investigating a crime scene is to avoid or minimize the impact that an investigator has on the scene and its evidence.
The CSI doc states that an investigator should "Avoid contaminating the scene by using the established path of entry" ... "Identify and protect fragile and/or perishable evidence. Ensure that all evidence that may be compromised is immediately documented, photographed, and collected".

What can we take away from this when it comes to computer related incidents? I take away that we need to make live investigation not only a bonus feature of incident response and forensics but a mandatory function in any investigation. Fact is, there is a lot of fragile and perishable evidence that can become compromised if we don't collect it while the system is live. By "following an established path of entry" I think we need to use a standard methodology of live investigation that minimizes the impact to a system or network. Is it OK to stick your USB key into a system to collect live evidence? This and other similar issues have been debated time and time again. In my personal opinion the answer is yes, most definitely yes. Plug in a USB key if and only if:

It has been sanitized.
Your procedure is defensible.
You have documented the state of the system/network before you plug it in.
The evidence to be collected outweighs the changes you may make to the system.
It is your last or best option.

The industry has identified the order of volatility for electronic evidence, but this type of "live" evidence is not often collected and is rarely used to maximum effect.

Instead of pulling the plug, why not get every last drop of evidence from the victim system before you destroy it? By immediately pulling the plug, investigators are compromising the very evidence that may solve the case. Harlan Carvey's concept of the chief surgeon who arrives on the scene and promptly kills the victim in order to assess the nature of the evidence rings very true here.

At the very least we need to preview the system in question and conduct a digital walkthrough of the scene before we collect evidence from the primary source.

And now for a concept...
Digital walk through: the digital walk through provides an examiner with the opportunity to assess the victim system for potential sources of digital evidence that are relevant, and to overview the entire system, in order to identify any threats to data integrity and to ensure protection and collection of volatile digital evidence that would otherwise be lost.
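As an added example (not code from the original post), here is a minimal live-response collector that follows the digital walk through idea above: it works through read-only commands in order of volatility, saves each output, and writes a manifest recording exactly what the examiner ran, when, and the hash of what came back, which is the "documented state" and "defensible procedure" the USB-key checklist asks for. The commands in WALKTHROUGH_STEPS are assumptions for a Linux host; the self-check step is a constructed dry run for the examiner's own workstation.

```python
import hashlib
import json
import subprocess
import sys
import tempfile
import time
from pathlib import Path

# Steps ordered by volatility, most volatile first. The commands are an
# assumption for a Linux host; adapt them per platform but keep the order.
WALKTHROUGH_STEPS = [
    ("memory_summary", ["cat", "/proc/meminfo"]),
    ("processes", ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
    ("network_sockets", ["ss", "-tunap"]),
    ("logged_in_users", ["who", "-a"]),
    ("mounts", ["mount"]),
]
# Constructed dry-run step for checking the collector on the examiner's own
# workstation before it is ever plugged into a victim system.
SELF_CHECK_STEP = ("self_check", [sys.executable, "-c", "print('walkthrough ok')"])

def order_of_volatility(steps):
    """Return step names in the order they will be collected."""
    return [name for name, _ in steps]

def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()

def collect_step(name, cmd, outdir, timeout=30):
    """Run one read-only command, save its raw output and return a manifest
    entry documenting the examiner's footprint: command, timestamps, hash."""
    started = time.time()
    try:
        proc = subprocess.run(cmd, capture_output=True, timeout=timeout)
        data, status = proc.stdout, proc.returncode
    except (OSError, subprocess.TimeoutExpired) as exc:
        data, status = b"", "error: " + type(exc).__name__  # tool missing or hung
    (Path(outdir) / (name + ".txt")).write_bytes(data)
    return {"step": name, "command": cmd, "started": started,
            "finished": time.time(), "status": status,
            "bytes": len(data), "sha256": sha256_bytes(data)}

def run_walkthrough(steps, outdir=None):
    """Collect every step in order and write a manifest beside the outputs."""
    outdir = outdir or tempfile.mkdtemp(prefix="walkthrough-")
    Path(outdir).mkdir(parents=True, exist_ok=True)
    manifest = [collect_step(n, c, outdir) for n, c in steps]
    (Path(outdir) / "manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest
```

Point outdir at the sanitized USB key so nothing is written to the victim's disk, and keep the manifest with the evidence: a failed step (missing tool, timeout) is recorded rather than silently skipped.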