mailing list archives
RE: Careless Law Enforcement Computer Forensics Lacking InfoSec Expertise Causes Suicides
From: "dave kleiman" <dave () isecureu com>
Date: Mon, 3 Oct 2005 14:51:49 -0400
From: Jason Coombs [mailto:jasonc () science org]
Sent: Saturday, October 01, 2005 14:18
Cc: bugtraq () securityfocus com; isn () attrition org
Subject: Careless Law Enforcement Computer Forensics Lacking
InfoSec Expertise Causes Suicides
34 people have killed themselves in the U.K. after being
accused of purchasing child pornography using their credit
card numbers on the Web between 1996 and 1999;
I have known hundreds, that law enforcement seized and examined a computer
and after the examination returned the system due to lack of evidence. None
of those people attempted suicide. As a matter of fact the LEA's never file
charges until after the examination.
have been imprisoned around the world for allegedly doing the
same. Two of the first, and still ongoing, large-scale
investigations of credit card purchases of child pornography
through the Internet are known as Operation Ore (U.K.) and
Operation Site Key (U.S.) -- tens of thousands of suspects'
credit card numbers were found in the databases used by the
alleged e-commerce child porn ring, and law enforcement's
careless misunderstanding of the Internet and infosec (circa
1999) resulted in every single one of the suspects being
investigated and thousands have so far been prosecuted and convicted.
The key here is every one being investigated and thousands being arrested.
Do you happen to know the number of CC's in the operations, was it not close
Was your credit card number in the Operation Ore / Operation
Site Key database? How would you know unless and until you've
After an investigation proved, through other means, that a person was the
one using the card and arrest would be facilitated.
Over the last few years I have seen numerous cases in which
the computer forensic evidence proves that a third party
intruder was in control of the suspect's computer. More often
there is simply no way to know for sure what might have
happened between 1996 and 1999 with respect to the computer
seized by law enforcement at the time of arrest years later.
I have asked you this before, can you please cite these "numerous cases in
which the computer forensic evidence proves that a third party intruder was
in control of the suspect's computer". I have several LEA's who will gladly
help re-review the cases and help get them overturned.
If security flaws, porn spyware, or mistakes by an unskilled
end user resulted, over the years, in some child pornography
being downloaded to a suspect's hard drive, even in
'thumbnail' graphic formats and recovered only using forensic
data recovery tools that carve files out of unallocated
clusters, then the suspect is routinely charged, since the
presence of child pornography on a hard drive owned by a
person who is accused of purchasing child pornography is the
best evidence law enforcement has to prove guilt of these
so-called 'electronic crimes against children' -- crimes that
are proved by the mere existence of data, where it matters
not that a suspect did not and could not have known that the
data existed on a hard drive that was in their possession.
I have NEVER seen a case that some was convicted, or even gotten as far as
filing charges based merely on presence and items in unallocated space
without other circumstances.
The LEA's are trained to be responsible, they look for file structure, and
most of the time they find external copies, (Carom's, DVD's etc) of the
I ask you this question: why doesn't law enforcement bother
to conduct an analysis of the computer evidence looking for
indications of third-party intrusion and malware?
They absolutely do. As an ex-LEA an and someone who reviews cases before
they go to court, I can tell you a hundreds occasions where charges were
Most LEA's will not even look at Temp Inet file or Unallocated cluster until
after they find more substantial items.
have indicated to me that sometimes law enforcement actually
does do post-intrusion forensics; though this decision is
entirely up to the prosecutor or forensic lab director, and
if they don't put in the time to do this they still get their
conviction so there is presently no incentive to spend
hundreds of hours analyzing large hard drives searching for
evidence of intrusion just in case one might have occurred.
The DA's a LEA's are compelled to turn over evidence to exonerate the
Funny it the Defense attorneys are the one I cannot get to buy off on my
ethics. That is my rule that both parties get a copy of my report no matter
if they like the results or not.
A substantial factor in the answer to this question is that
it is nearly impossible to know what might have happened to a
computer over the years, and most computers are used by more
than end user to begin with.
Not only is there no way to differentiate
Every person convicted of an electronic crime against a child
based only on evidence recovered from a hard drive that
happened to be in their possession should be immediately
released from whatever prison they are now being held.
And this is based on the fact that????????
Law enforcement must be required to obtain Internet wiretaps,
use keyloggers and screen capture techniques, and conduct
other investigations of crimes-in-progress, because the
current approach to computer forensics being taught by
vendors such as Guidance Software
(www.encase.com) and others (who just happen to sell products
designed to analyze and search hard drives) makes the
outrageous assertion that a person can be proven guilty of a
crime based only on data that is found on a hard drive in
They go through much greater training than that, and it takes much more than
just data on a H/D to get them to effect and arrest. Most go through FLETC
and receive at a minimum DEASTP and SCERS. Many additionally have their
CFCE, that is one of the better examinations for certification I have seen.
There is simply no way for law enforcement to know the
difference between innocent and guilty persons based on hard
drive data circumstantial evidence. Something must be done to
correct this misuse of computer evidence, and whatever that
something is, it is clear that only an information security
organization is going to be able to explain it to law
enforcement and legislators.
Hard drive evidence is not circumstantial, there must be many factors that
go along with it.
Sorry I cannot speak for how they handle cases in the UK.
jasonc () science org
And as for your subject line "Careless Law Enforcement Computer Forensics
Lacking InfoSec Expertise Causes Suicides" people who commit suicide tend to
have underlying problems to strart with.
Dave Kleiman, CAS,CIFI,CISM,CISSP,ISSAP,ISSMP,MCSE
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/