Child Pornography Defense Forensics – Search Warrants – Part 1 of 8

It is not uncommon to find false or misleading statements in search warrants involving child pornography and there is good reason why.  You may take this article that I am critical of the process used by law enforcement and you would be right.   I have mentored law enforcement and support them in their efforts, but it must be transparent and ethical.

It has been a few years, but for a few months ICAC had all their training online for anyone to see as long as they knew the correct URL.  I don’t know if they intended to do this, but I found postings on the deep web regarding the training and watched and took notes on the videos.  Most of the videos were based on university created software funded by various organizations and governments.  The materials they referenced are not law enforcement sensitive.  I attended a trial in which I bought the transcript where an ICAC trainer attempted to assert that the user guide for one of the detection software used by law enforcement was deemed ‘law enforcement sensitive’ and that it contained methodologies on how they investigate people on the BitTorrent network.  The assertion fell flat as the University that created the software had copyrighted the material, law enforcement never applied for a law enforcement sensitive designation, students had leaked the user guide and the same source code can be found in programs detecting copies of intellectual property such as Sony movies.

The ICAC training videos actually instruct law enforcement to be secretive and withhold information form the court when applying for search warrants for fear they will be denied.

I often see the same canned prescriptive language that states, “I directed my investigation to this computer at IP address xxx.xxx.xxx.xxx as it had recently detected investigative files of interest by investigators conducting keyword searches or hash value searches for files related to child abuse material including child pornography on the (eMule, Ares, BitTorrent) networks.”

The problem with those types of statements routinely found is that they are untrue.

With the user guides and additional discovery by obtaining the payroll records of the law enforcement officer whom applied for the search warrant, user guides, ICAC Cops IP Profile, IP logs, Netstat logs, etc. you will find the useful nuggets that determine whether or not the search warrant was based on sound evidence.

Let me take you through a few common scenarios:

1. Detective EB (I always use EB as Easter Bunny) ran Torrential Downpour Receptor 24/7 until he received a notification that files were downloaded from a target.
2. Detective Smith applied for a search warrant and stated that on Tuesday he directed his computer toward the suspect’s computer.
3. Detective Smith was on vacation on Tuesday and could not have done this and to add insult to injury it was Detective EB who ran the program from two states away and gave the referral to Detective Smith.

You’re probably thinking, how likely is this?  I have consulted or served as an expert in many cases where the above scenario applied and my clients have filed Motions in Limine to Franks Motions for misleading the court.

You may be questioning why law enforcement would take this risk.  The only rationale that I can think of is that types of investigations are conducted by larger ICAC centers and then handed down to the local PD’s to finish.  The local PD’s simply follow the prescribed training of ICAC and apply for a search warrant.  Now there is a difference between withholding information from the court and not being truthful in the application.

These types of discovery requests and defenses are the low hanging fruit, but require intimate knowledge of the various online detection systems such as Roundup Ares, Torrential Downpour Receptor, Roundup eMule and eD2k.