Computer Forensics and E-Discovery Blog | AVM Technology, LLC

CYBERFORENSICSBLOG.NET

Illegal Child Pornography Case: Richmond, VA

Most cases involving computer evidence require the involvement of a computer forensics expert. For example, in a case that could potentially involve computer expert testimony in Virginia, the United States District Court, E.D. Virginia, Richmond Division, denied the defendant's (Mathew James Russo) Motion for Judgment of Acquittal, or, in the Alternative, Motion for New Trial (Docket No. 22). In that case an agent for Immigration and Customs Enforcement (“ICE”) conducted an investigation into a foreign child pornography website, “Illegal.cp,” which, for $79.99, offered 21 days of access to material containing child pornography. When a user purchased such a 21-day membership, the charge to his credit card was discreetly labeled “AdSoft.”

Matthew Russo came to ICE’s attention during an investigation of the Illegal.cp website. Based on ICE’s investigative findings, two ICE agents conducted a “knock and talk” with Mr. Russo at his residence. Although the conversation was at first light and civil, the atmosphere intensified when the agents asked Mr. Russo about charges to his debit card. At that point, Mr. Russo said something to the effect of, “what are you here for-Guns? Child Porn? Money?,” without the agents having first mentioned the subject of child pornography. The agents then examined Russo’s debit card and seized two computers from the household.

An ICE Forensic Expert examined the two computers, one of which was found to contain several items of evidence. First, hundreds of child pornographic images were found in the AOL cache folder, having been downloaded to that folder between February and September 2007, based on the internet browsing of an AOL user with the username “rdendron.” Second, hundreds more images were found in the unallocated space of the computer’s hard drive. The ICE Forensic Expert testified that the computer’s operating system automatically transferred these images from folders such as the cache folder. Third, dozens of sites, with names advertising child pornographic content, were bookmarked as “favorites” on the rdendron profile. Fourth, the Internet Explorer web browser’s history revealed that several such child-pornographically named sites had been visited by a user on that computer.

In this case there was no defense computer forensics expert, which was a mistake. Russo called no witnesses; however, he vigorously questioned the sufficiency of the Government’s evidence at trial. He successfully argued for excluding some significant items of the Government’s evidence. He also presented alternative theories of how the hundreds of images and dozens of websites appeared on his computer. The court found that the evidence that the defendant attempted to access the Illegal.cp site was sufficient to sustain the verdict and that the additional evidence presented to and considered by the grand jury was also sufficient to sustain the verdict.

Hacked Website Preliminary Injunction Standard

In a Virginia computer forensics case, the court had the opportunity to examine the standard for deciding whether to grant a preliminary injunction. Computer forensics techniques are frequently applied to prove that a website was hacked. This post explains the standard that the court used for granting a preliminary injunction under the Computer Fraud and Abuse Act (CFAA). The case was Physicians Interactive v. Lathian.

The CFAA, although a criminal statute, provides for a private right of action. See 18 U.S.C. § 1030(g). A violation of Subsection (a)(2)(C) of the CFAA occurs whenever a person: intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … (C) information from any protected computer if the conduct involved an interstate or foreign communication. 18 U.S.C. § 1030(a)(2)(C).

A violation of 18 U.S.C. § 1030(a)(4) occurs whenever a person: knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value … 18 U.S.C. § 1030(a)(2)(C). In YourNetDating, Inc. v. Mitchell, 88 F.Supp.2d 870 (N.D.Ill.2000), the Northern District of Illinois held that the plaintiff had shown a likelihood of success on the merits of its CFAA claim when defendant was alleged to have hacked into its computer file server. In EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir.2001), the First Circuit held that the competitor’s use of a “scraper” computer software program to systematically and rapidly glean prices from a tour company’s website, in order to allow systematic undercutting of those prices, “exceeded authorized access” within the meaning of the CFAA.

A violation of 18 U.S.C. § 1030(a)(5) occurs whenever a person “intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage.” 18 U.S.C. § 1030(a)(5)(A)(iii). The damage, or loss, must aggregate to at least $5,000 within a one-year period. 18 U.S.C. § 1030(a)(5)( (i). There was probable cause to demonstrate that a defendant's information technology employee directed two computer attacks against its website and computer file server. Plaintiff traced the first alleged attack to a website owned by defendant. Plaintiff traced the third alleged attack to an IP address assigned to an employee of defendant. Another attack was designed to obtain technical information about the workings and security vulnerabilities of its website. It used a “software robot” to obtain proprietary information from Plaintiff. Both alleged attacks, at this stage of the pleadings, appear more likely than not to fit within the definition of 18 U.S.C. § 1030(a)(4). These attacks were an unauthorized entry into the website. The activity was geared towards copying confidential data. The end result was the loss of something of value, a significant amount of its confidential customer list information.

Given this scenario, the preliminary injunction was granted. This computer forensics example has been presented by AVM Technology, LLC, a leading Computer Forensics, E-Discovery, and Computer Security consulting company located in Richmond, VA and serving clients throughout the United States. AVM Technology can be reached at (804) 396-4443.

Computer Forensics: A standard for providing image of hard drive containing child pornography

In a case involving computer forensics in Virginia, the Court had the opportunity to set the conditions under which the defense could receive an image of the hard drive. That image could then be provided to the defense's computer forensics expert for analysis. In U.S. v. Knellinger, heard in the United States District Court for the Eastern District of Virginia, Richmond Division, the defendant requested a mirror image copy of his computer hard drive, which contained the child pornography images listed in the Superseding Indictment. The request was granted subject to the entry of an appropriate protective order and a certification by counsel for Knellinger that he will use that copy for assessment and preparation of a defense.

Prior to the entry of this Order, the defendant was attacking the validity of 18 U.S.C. § 3509(m), pointing out that the effect of the statute is to prevent the Court from ordering the United States to provide Knellinger with a copy of the child pornography. The Court avoided further challenge by ensuring that the United States made the material available to allow counsel to conduct the type of examination that he feels is necessary to assess effective defenses to the very serious charges of child pornography.

This computer forensics example has been presented by AVM Technology, LLC, a Computer Forensics, E-Discovery, and Computer Security consulting company located in Richmond, VA and serving clients throughout the United States. AVM Technology can be reached at (804) 396-4443.

Cyber Forensics in Tax Litigation

A computer forensics expert frequently has to examine evidence and deal with situations involving potential spoliation of digital evidence. This was an issue in the Richmond, VA computer forensics case involving Trigon Insurance against the United States. In that case, the Court had to determine issues involving spoliation of electronic evidence. Spoliation is the willful destruction of evidence or the failure to preserve potential ...

Computer Forensics and Destruction of Evidence

A computer forensics expert is frequently called upon to recover deleted files and evidence.  In situations when litigation is probable, some individuals may attempt to conceal evidence by deleting it from a hard drive or digital media.  Such was the case in U.S. v. Henry, a 2008 case in the United States District Court for the Eastern District of Virginia.  The full text of the Court's opinion may be found in the Virginia computer forensics site.

In this case the court denied a motion to quash and ordered that the subpoenaed computers be produced to a court appointed computer forensic expert for imaging and analysis. The computer forensics expert was asked to perform various computer searches for relevant data and to "examine and search the electronically-stored information produced to him for evidence of any destruction, deletion, erasing, overwriting or other compromising of data."  The computer forensics expert reported an "unusual number of files deleted." Specifically, the computer forensics expert reported that his analysis of the computers revealed that 53,199 files located in the Recycler folder were emptied. This emptying of 59% of the Recycler folder was done three weeks after the subpoenas were served and eight days before the court hearing. In an email, the computer forensics expert was posed the following question by counsel for the United States Department of Justice ("DOJ") and made the following response:

[Question:]

Is your finding that 53,199 files were "emptied" on 2/24/2008 consistent with an effort by the user of the computer to intentionally delete or destroy certain data files on that date?

[Answer:]

Although, I cannot give an opinion on why the files were emptied, I can say that the deletion of the files, given the quantity and content would be consistent with an effort by the user of the computer to intentionally delete or destroy certain data files on that date.

The computer forensics examiner performed additional analysis and investigation concerning the deleted data pursuant to a court order. After further inquiry and email communication with counsel for the parties, the computer forensics expert was asked by counsel for the United States whether his further investigation provided him "any reason as yet to change your earlier conclusion that the condition of the PC drive is consistent with an intentional effort by the user to destroy files?" The computer forensics expert responded as follows: I have no reason to change my earlier conclusion that the deletion of the files was consistent with an intentional effort by the user to destroy files. However, the additional information that is now available, such as the file listings could assist the parties in supporting their arguments whether the evidence is not just "consistent," but whether or not the evidence supports or does not support the hypothesis that the deletion of the files were in fact an intentional effort by the user to destroy specific files.

The defense counsel questioned whether the large number of deleted files could be due to file compression or to free up disk space. The computer forensics expert provided a lengthy explanation that it "seems unlikely" that the deletions were done to free up disk space as the computer already had free disk space of "more than a third of the drive's capacity."

In my opinion, this is not determinative.  Many computer users like to keep in excess of one third hard drive space free.  However, the case shows how the testimony of a computer forensics expert can be critical in deciding issues such as whether an individual can be held in criminal contempt for purposely deleting digital evidence.

Spoliation or concealment of evidence is not only an issue in criminal cases; it also occurs in civil cases. An example of spoliation in a civil matter can be found here.

This computer forensics example has been presented by AVM Technology, LLC, a Computer Forensics, E-Discovery, and Computer Security consulting company located in Richmond, VA and serving clients throughout the United States.