Sample Order for EMR Site Inspection
November 27, 2019
As Justice Department Pressures Apple, Investigators Say iPhone Easier to Crack
January 14, 2020
Sample Order for EMR Site Inspection
November 27, 2019
As Justice Department Pressures Apple, Investigators Say iPhone Easier to Crack
January 14, 2020
Show all

Child Pornography Defense Forensics – Countering the Prosecutions Limits on Access to Evidence – Part 5 of 8

 

 

I often get asked if there is a standard protocol for examining Child Pornography, Child Abuse and Child Exploitative material in the possession of law enforcement.  The answer is no and according to one FBI lab supervisor there is no need for one because access is grounded in law.  I find that this is somewhat of a problem, because courts, prosecutors and law enforcement are not on the same page.  I don’t know how many times a court has ordered law enforcement to ship CP material to our lab for analysis without a protective order and even in one case used Dropbox to store the files.  Other times I have had courts enter a protective order regarding the material and make a record that law enforcement is not to arrest or intercede in the analysis of the data and that all data is to be destroyed afterwards.  I get this feeling that no one wants to address this issue from a wider perspective.  I have personally performed numerous examinations of material containing Child Pornography, Child Abuse and Child Exploitative material and no two law enforcement centers treat it the same.  I have seen everything from absolute professionalism from places like Lake County, Illinois to a DA’s office where I was threatened for taking notes and once when I forgot my pen on the desk and walked back in the room and found an officer removing a covert video camera they had installed and recorded conversations I had with defense counsel while defense counsel was in the room for the end of the examination.  We have a problem and hopefully this article will assist you in framing arguments as to access and includes a protocol for examination (you might have caught that I did not say protective order) that has been vetted by more than one law enforcement lab and a State’s Attorney.

*DISCLAIMER: I am not an attorney and therefore any information below is not legal advice and is for informational purposes only.

 

FEDERAL LAW: DISCOVERY RIGHTS AND OBLIGATIONS

Rule 16 reads as follows:

(a) Government’s Disclosure.

(1) Information Subject to Disclosure.

(A) Defendant’s Oral Statement. Upon a defendant’s request, the government must disclose to the defendant the substance of any relevant oral statement made by the defendant, before or after arrest, in response to interrogation by a person the defendant knew was a government agent if the government intends to use the statement at trial.

(B) Defendant’s Written or Recorded Statement. Upon a defendant’s request, the government must disclose to the defendant, and make available for inspection, copying, or photographing, all of the following:

(i) any relevant written or recorded statement by the defendant if:

  • statement is within the government’s possession, custody, or control; and
  • the attorney for the government knows—or through due diligence could know—that the statement exists;

(ii) the portion of any written record containing the substance of any relevant oral statement made before or after arrest if the defendant made the statement in response to interrogation by a person the defendant knew was a government agent; and

(iii) the defendant’s recorded testimony before a grand jury relating to the charged offense.

(C) Organizational Defendant. Upon a defendant’s request, if the defendant is an organization, the government must disclose to the defendant any statement described in Rule 16(a)(1)(A) and (B) if the government contends that the person making the statement:

(i) was legally able to bind the defendant regarding the subject of the statement because of that person’s position as the defendant’s director, officer, employee, or agent; or

(ii) was personally involved in the alleged conduct constituting the offense and was legally able to bind the defendant regarding that conduct because of that person’s position as the defendant’s director, officer, employee, or agent.

(D) Defendant’s Prior Record. Upon a defendant’s request, the government must furnish the defendant with a copy of the defendant’s prior criminal record that is within the government’s possession, custody, or control if the attorney for the government knows—or through due diligence could know—that the record exists.

(E) Documents and Objects. Upon a defendant’s request, the government must permit the defendant to inspect and to copy or photograph books, papers, documents, data, photographs, tangible objects, buildings or places, or copies or portions of any of these items, if the item is within the government’s possession, custody, or control and:

(i) the item is material to preparing the defense;

(ii) the government intends to use the item in its case-in-chief at trial; or

(iii) the item was obtained from or belongs to the defendant.

(F) Reports of Examinations and Tests. Upon a defendant’s request, the government must permit a defendant to inspect and to copy or photograph the results or reports of any physical or mental examination and of any scientific test or experiment if:

(i) the item is within the government’s possession, custody, or control;

(ii) the attorney for the government knows—or through due diligence could know—that the item exists; and

(iii) the item is material to preparing the defense or the government intends to use the item in its case-in-chief at trial.

(G) Expert Witnesses. At the defendant’s request, the government must give to the defendant a written summary of any testimony that the government intends to use under Rules 702703, or 705 of the Federal Rules of Evidence during its case-in-chief at trial. If the government requests discovery under subdivision (b)(1)(C)(ii) and the defendant complies, the government must, at the defendant’s request, give to the defendant a written summary of testimony that the government intends to use under Rules 702703, or 705 of the Federal Rules of Evidence as evidence at trial on the issue of the defendant’s mental condition. The summary provided under this subparagraph must describe the witness’s opinions, the bases and reasons for those opinions, and the witness’s qualifications.

(2) Information Not Subject to Disclosure. Except as permitted by Rule 16(a)(1)(A)-(D), (F), and (G), this rule does not authorize the discovery or inspection of reports, memoranda, or other internal government documents made by an attorney for the government or other government agent in connection with investigating or prosecuting the case. Nor does this rule authorize the discovery or inspection of statements made by prospective government witnesses except as provided in 18 U.S.C. §3500.

(3) Grand Jury Transcripts. This rule does not apply to the discovery or inspection of a grand jury’s recorded proceedings, except as provided in Rules 6, 12(h), 16(a)(1), and 26.2.

 

However, there is a special exception regarding cases involving child pornography, child abuse and child exploitative material.

18 U.S.C 3509(m) is as follows:

(m) Prohibition on Reproduction of Child Pornography. —

(1) In any criminal proceeding, any property or material that constitutes child pornography (as defined by section 2256 of this title) shall remain in the care, custody, and control of either the Government or the court.

(2)

(A) Notwithstanding Rule 16 of the Federal Rules of Criminal Procedure, a court shall deny, in any criminal proceeding, any request by the defendant to copy, photograph, duplicate, or otherwise reproduce any property or material that constitutes child pornography (as defined by section 2256 of this title), so long as the Government makes the property or material reasonably available to the defendant.

(B) For the purposes of subparagraph (A), property or material shall be deemed to be reasonably available to the defendant if the Government provides ample opportunity for inspection, viewing, and examination at a Government facility of the property or material by the defendant, his or her attorney, and any individual the defendant may seek to qualify to furnish expert testimony at trial.

(3) In any criminal proceeding, a victim, as defined under section 2259(c)(4), shall have reasonable access to any property or material that constitutes child pornography, as defined under section 2256(8), depicting the victim, for inspection, viewing, and examination at a Government facility or court, by the victim, his or her attorney, and any individual the victim may seek to qualify to furnish expert testimony, but under no circumstances may such child pornography be copied, photographed, duplicated, or otherwise reproduced. Such property or material may be redacted to protect the privacy of third parties.

However, 18 U.S.C 3509(m) binds federal courts only and does not preclude State Courts from ordering discovery.

State courts have made some efforts in resolving issues of access:

  • g., State v. Allen, 2009 WL 348555 (TN Ct. Crim. App. 2009)18 U.S.C. §3509(m) “does not apply to proceedings in Tennessee state courts.” Trial court’s protective order requiring provision of a copy was reasonable and appropriate.

In cases where all the data belongs to the defendant, FRCrP 16(a)(1)(E) the material should be available to the defense consultants as to not violate your client’s due process rights.  Although state courts can place protective orders upon your client’s data those orders are restricted to limited access, use, distribution and that the material must be stored in a secure facility. These protective orders are placed with the presumption that law enforcement would never copy or take the contraband out of the control of government; but an expert examiner would.

 

What materials should you expect to receive from the prosecution?

    • I have yet to see a prosecutor turn over all the investigative materials in any matter involving Child Pornography, Child Abuse or Child Exploitative material. It is obvious that there is a huge disconnect between the detectives and prosecution when it comes to what “all material” means. For instance, when investigating cases involving use of BitTorrent to download child pornography the law enforcement software used such as Torrential Downpour Receptor, Roundup Torrential Downpour, Roundup Ares, Roundup eMule/Ares etc, create log files showing the actions of the law enforcement software, the material being downloaded and the IP address from which is was communicating with.   These materials are needed and to be examined by an expert BEFORE the expert decides to examine the digital media.  You may ask why?  Because if there is any defense found prior to examining the digital media it needs to be made known as to not risk having your expert on the witness stand explaining to the court what he or she saw during the examination.

Some of the common items we request prior to examination is below:

  1. Investigative Notes
  2. Investigators File
  3. ICAC Deconfliction Records
  4. Roundup Logs
  5. Bench Notes
  6. All Forensic Imaging Reports
  7. All Forensic Examination Reports
  8. Government Expert CV, Case History, Timecard for the day or days of investigation
  9. User Guides for the version of software used and the copyright
  10. Software used
  11. ICAC training guide and video training (this shows where law enforcement has been given training that they should not disclose to the court or defense certain items within their possession)

 

Recording of Defense Expert

Law enforcement cannot record the screen of the forensic examiner as he may be taking notes that are attorney work product and considering law enforcement had not recorded their screen during examination of the evidence it creates unequal due process.

 

WHAT IS A DEFENSE EXPERT LOOKING FOR?

In cases involving CP possession and distribution there is a lot of exculpatory information subject to Brady that is necessary to be viewed and copied that does not contain contraband that can be used to establish motive, logged in user, owner of the device among hundreds of others that are needed in order to advise you as to the charges.

There are two ways that forensic experts examine evidence and whether they work for law enforcement or the defense does not matter.  Most law enforcement use tools such as Encase, Magnet Axiom and Xways examine the digital media for evidence that a crime has been committed and as soon as that is established, they stop their analysis.  The problem in using modern forensic tools is that they are not all equal and can be ran quickly as a surface scan or a deep analysis.  Law enforcement has special versions of most commercially available software that conducts what I would consider a quick analysis and if they find evidence of possession or distribution of CP, they charge the client.  Considering that most of these types of cases either plead guilty or accept a plea deal there is no need to conduct a deep analysis to put the evidence into context.  Some of the questions that need answered is:

  1. Who was the logged in user?
  2. What keywords did they use on the internet in the past and to obtain the contraband material?
  3. Did the accused download one file or multiple at the same time?
  4. When was the material downloaded, ingested by other media, shared, created?
  5. Who else had custody, control or use of the computer?
  6. Was the file ever opened, played, for how long?
  7. What exculpatory evidence is on the computer as to the habits, whereabouts, friendships and family?

Defense experts conduct a deep analysis of the digital media in order to advise defense counsel of the content.  This is very important as there is always the off chance that law enforcement may process the evidence again performing a deep analysis and uncover more evidence that could be harmful to your client.

 

DEFENSE EXPERT PROTOCOL

The following protocol we had vetted by one of the largest ICAC shops in Illinois and the State’s Attorney weighed in outside of a case:

  1. Examiner obtains contact information for who will be presenting the evidence for examination.
  2. Examiner contacts the law enforcement personnel and cc in all parties to the matter to share the proposed protocol for examination and schedule the examination.

Protocol for Examination

  1. Examiner brings one or multiple sterile hard drives to store the files created by the forensic software (cache, case, index).
  2. Examiner will bring their own forensic hardware and software for analysis.
  3. Examiner will be provided a space to work and if necessary, a secure place to store equipment overnight.
  4. At no times will the examiner’s equipment be connected to the internet.
  5. At no times will any contraband files be stored on the examiner’s forensic hardware absent the hard drive that will be left with law enforcement for wiping or destruction.
  6. All exports of files needed for analysis will be placed onto a USB Drive and will remain in the law enforcement facility or the prosecutor’s office.
  7. If agreed, law enforcement will forensically wipe any media left with them that was used to store cache files created by the forensic software and return to examiner. Examiner must provide a prepaid shipping label, box or container and packing materials for return shipping.
  8. Once the examiner is done with his or her work, the files needed that do not contain contraband such as excel spreadsheets, csv files, pdf’s without pictures and exculpatory evidence will be placed onto a USB thumb drive that will be taken with the examiner. Law enforcement can review the drive only to determine whether there are contraband files.
  9. Once the protocol is approved, examiner should schedule a date and time to meet law enforcement at an approved location usually within the law enforcement center to start the examination. It is suggested that the examination start the afternoon of one day and allow the forensic software and hardware to process the data overnight until the next morning. The process of setting the equipment in place and starting the examination is usually less than 45 minutes burden.  The next morning the analysis can commence as the indexing and processing is complete.
  10. When completed, the examiner should contact all parties to let them know he or she is completed and that he or she has left certain media in the care and custody of law enforcement and that no contraband has been taken and the files taken as exculpatory can be displayed to law enforcement and counsel to ensure there is no contraband.

The process above is the same process used by the Regional Computer Forensic Labs across the US.

 

LAW ENFORCEMENT TACTICS TO RESTRICT ACCESS

I find that many law enforcement officers are obstructionists when it comes to access the contraband material.  Below are some tactics I have seen used before:

  1. Limiting access to one hour
  2. Limiting access to only the computer they provide with Windows 95 on it
  3. Having to sit with the prosecutor’s expert to monitor
  4. Recording audio and video in the room
  5. Threatening the defense expert with prosecution for even taking notes
  6. Placing the forensic images on a very slow hard drive
  7. Not allowing the defense expert to use his own software
  8. Turning off and on the power to the room the defense expert is using
  9. Threatening to dig into the defense experts background to find anything to ‘bury’ them with

I recently was informed that the FBI conducted a two-person three-month investigation into one expert to try and discredit them and did so by a simple typographical error as to a date of graduation from college.  Defending these types of a cases surely makes some very upset.

The problem with making a long lengthy protective order to try and mitigate these types of issues is that it assumes law enforcement will do the above.  I have found that most of the law enforcement try to do a good job and are accommodating, but you do have to watch out for the above.  The same is true for when the prosecutor wants to place a protective order as to the defense expert including things such as qualifying them as an expert prior to analysis which is a Daubert issue reserved for trial and this type of tactic assumes defense experts would do something wrong.  If a defense expert were to copy and take with him or her contraband, there is laws against that and does not need to be spelled out in a protective order.

 

WHAT DO YOU DO IF LAW ENFORCEMENT OR THE PROSECUTOR IS NOT COOPERATING?

Shift the burden to someone who will follow the rules!

The Department of Justice created Regional Computer Forensic Labs (RCFL’s) across the United States to assist law enforcement in areas where they do not have the resources, are understaffed, not trained or lack of funding to conduct forensic examinations in support of criminal investigations.

Each RCFL has a viewing room that is designed for defense attorneys and defense experts to view contraband material.  There is no charge to law enforcement for using their services and all services are funded by the DOJ.

Each RCFL has multiple computers in the viewing room and in most cases has forensic software installed for viewing.  Although your expert may want to use his or her own equipment, I have found that the RCFL has been more than accommodating with allowing an expert to bring his own equipment as long as that equipment will not retain any of the contraband material.  It is best practice to share an examination protocol with the lab supervisor prior to showing up as gain a level of trust between the parties.  I have even left equipment overnight to process and the RCFL has signs in most labs that are placed on your equipment that states “do not touch” as a courtesy to keep others whom use the room for viewing from touching your equipment as it runs overnight.

Having a forensic copy of the contraband shipped to the RCFL is a sure way to gain access, reduce costs for travel and avoid the discord in law enforcement’s approach.