Man with face in hand behind computer
Child Pornography Defense Forensics – ICAC Deconfliction – Part 3 of 8
August 28, 2019
FBI Network Investigative Technique Case – Motions and Briefs
September 3, 2019
Show all

Child Pornography Defense Forensics – Child Victim Identification Program – Part 4 of 8


Once files are found on a digital device that law enforcement thinks is child pornography or suggestive, they usually flag those and add them to a report labeled as ‘suspect notable’.  I have not found a criteria, protocol, or checklist that states the rules for classifying these files.

How does law enforcement know the digital file is child abuse / exploitative / pornography?

The digital files are matched against multiple databases of ‘known’ files.  If you’re seeking an answer of who and how these files are classified and added to the database you’re probably going to be disappointed.  For instance, in the case of known files in the ICAC database one person up until 2016 was the sole authority for deciding what constitutes child pornography and added the files to the database and his name is Robert Erdely.  In many cases I worked on, the prosecutor always made comments I think to try and scare the defendant by saying “I am bringing in the guy who is in charge of the whole ecosystem Robert Erdely”.  After many cases and only after one of my clients was attempting to paper the record with the user guide for one detection software did they fly Mr. Erdely in overnight and delayed the trial.  I learned a lot that day from Mr. Erdely as he explained how he was the sole authority to decide what constitutes child pornography as he manages the BitTorrent database of infohash files in the Pennsylvania state barracks.  I also learned that for the case in Illinois the investigation actually started in one of his classes in PA despite the officers investigative file and search warrant showing nothing about PA.

Numerous times including under oath, I have asked the same question of law enforcement “who decides what is child pornography” and received the same answer “I do”, but when asked using what criteria there were none.

When law enforcement, social media companies and email providers find material they believe is child pornography, they submit the hashes to the Child Victim Identification Program (CVIP) which is managed by the National Center for Mission and Exploited Children (NCMEC).

You may be asking yourself what is a hash about now.  I am going to use an analogy here, but if you want to learn more, click here.

For example, if you take the digital picture of the Mona Lisa and drew lines on it vertically and horizontally every one inch and grabbed the exact pixel where the lines crossed, then went to Sherwin Williams paint store and had them give you the paint codes for each line crossing and wrote them down.  Then strung the paint code numbers together into a long number that would be a hash.  Now take an exact duplicate of the file and do the same thing and you will get the same hash value.  If law enforcement has files they believe are child pornography they only need to hash the files and then compare the hashes with the hashes of all files on a computer to surmise whether or not the files on the computer are exact duplicates of the files they have in their library.

The databases law enforcement relies upon are not perfect as they have relied on humans to make the determination as to whether or not the files contain child pornography.  There are many issues that I cannot address in this article such as ethnicity causing confusion as to age such as Malaysian and Asian women and men appear to be much younger than they are, fake or simulated acts, enhanced images etc.

NCMEC operates a Child Victim Identification Lab.  It is this lab that matches the hash values submitted by law enforcement through the CVIP program. NCMEC employees make a determination of whether or not the image or video is child pornography.  This is typically done quickly at United States Postal Inspector Offices, Regional Computer Forensics Lab, Attorney General Offices, Crime labs and other various places NCMEC has installed specialized computers with a VPN connected to their database for matching purposes.  The alternative is shipping a CD, DVD or hard drive to CVIP for processing and waiting for the results.

The CVIP Submission form link is below:

Why are CVIP requests and responses important?

The CVIP results tell law enforcement whether or not they have deemed the files child pornography and whether or not there is a known victim.  I have had discussions with law enforcement that sometimes the files all come back as not child pornography despite a case being filed.  I have even seen files that were submitted that were from ESPN’s homepage and somehow were misclassified in the NCMEC database of a cheerleader’s backside.  Although the system is not perfect it is effective.  Discovery of the CVIP requests and results is a very important element in any child pornography defense case.

I will continue to write more about Child Pornography Defense forensics in the next posting.