Cell Phone Tracking Analysis Saves a Defendant in Child Pornography Criminal Investigation

I was recently retained in a case where a individual was accused of dissemination of child pornography. On the surface, even to the investigators, the case appeared to be a certain guilty verdict. Thankfully for the defendant, his cell tower tracking data was able to prove he didn’t commit the crime.

The facts of the case are as follows:

  • Internet Crimes Against Children (ICAC) law enforcement officers at the state level were investigating the distribution of child pornography via peer to peer (P2P) software.
  • ICAC officers utilized the Child Protection System (CPS) to identify an Internet Protocol (IP) address in their jurisdiction that was disseminating child pornography
  • A subpoena was issued to the Internet Service Provider (ISP) to determine the physical address that was associated with the IP address.
  • A search warrant was served at the defendant’s home.
  • A search of the home located a Personal Computer (PC) that had P2P software installed.
  • Child Pornography was located on the computer.
  • The defendant was in his 70’s.
  • The defendant was retired from a technology oriented profession.
  • The defendant denied any knowledge of P2P software or child pornography on his computer.
  • The defendant was the only person living in the home at the time of the search warrant.
  • At the time of the search warrant’s execution, the P2P software had already been disseminating the contraband material for several weeks.
  • The defendant has an adult son that stayed with him occasionally.
  • Law enforcement officers alibied the adult son as being at another location when they believed the crime occurred. (The alibi was a girlfriend.)

Despite denying being involved in the crime, the defendant was arrested for disseminating child pornography. He was later indicted by the State Attorney’s Office.

The defense issued a subpoena to the defendants cell phone provider for his call detail records and the locations of the cell phone towers that handled the phone calls. This provided raw data on the defendants physical location when his phone was active.

I was retained by the defense. I was provided with law enforcement forensic reports and the cell phone tower data. I analyzed CPS data, computer forensics, and cell phone tower data. I was able to come to the following conclusions.

  • Law Enforcement alibied the adult son for the wrong times. They misinterpreted the evidence.
  • The cell phone tower data placed the defendant in another state when the actual “hands on” computer activity occurred that resulted in the distribution of child pornography.
  • The computer had been continually running since before the “hands on” aspect of the crime occurred almost until the time of the search warrant.

I arranged to conduct a defense computer forensics exam of the defendant’s computer. I was able to show that the adult son was probably the one using the computer at the time the “hands on” aspect of the crime occurred. I located instant message (IM) chats in which another party discusses the adult son’s problems with pornography with him. I located web cam pictures of himself that the adult son had taken.

Once law enforcement was presented with the above evidence they recommended to the state attorney’s office that the case against the defendant be dropped. The case against the defendant was dropped.

Nashville Tennessee Computer Forensics

I have recently gotten some questions about what computer forensics work I have been doing in Tennessee, and to contrast it to Florida.  By and large, computer forensics is computer forensics but there does seem to be some different emphasis on the work areas.

I have had a lot of healthcare related work in Tennessee.  This has ranged from the individual doctor’s practice to large clinics.  The work has ranged from data breaches, employee’s stealing data, to data recovery work.   The cases generally haven’t been huge investigations, as in find the unknown bad act.  In interviews, I have generally been able to narrow things down to “X” act happened between these date and times on the specified computer(s).

I have made progress on making contacts with attorneys in Tennessee and Kentucky.  I have been retained in few child pornography cases as an expert witness.  So far, many of the issues in the cases are similar to those I saw in Florida and Virginia.  In Kentucky especially, they seem to be very backed-up on their forensic exams.

I had an investigation in Arkansas where an “ethical hacker” performed some work without having a written contract in place giving him permission.  The events that followed created some confusion and concern for a possible data breach.

Last week, I was at the Tennessee Bar Association’s office in Nashville for a live continuing education presentation.  This presentation was titled “Computer Forensics in a Mobile World.”  This presentation was streamed live throughout the state for attorneys to attend for CEU credit.  They also will be able to view the presentation on-demand for CEUs over the next year.

I hope to do some presentations at the Lebanon, TN chamber of commerce over the rest of the year. I will cover topics that will be of interest to small business owners.  The presentations will probably focus on firewalls, storage, HIPAA, and general security topics.  On the HIPAA/ HITECH act presentation I am hoping to have an attorney participate.

I am also going to do one on utilizing mobile device analysis in traffic accident investigations.  These seems to be a rapidly growing area of interest in litigation.  Not to mention a very real problem…as we have all seen first hand.  It will also serve to gauge interest locally in this area.

Peer to Peer Investigation and Probable Cause

P2Pa

I have recently been part of a couple court cases in which the defense has sought to compel discovery from TLO. This discovery is the direct and only probable cause for the search warrants in these cases.

TLO is a company name acronym that stands for “The Last One.” This is a reference to the last planned company of Hank Asher. Mr. Asher has since passed away. TLO has been split up and sold off.

TLO had at least two parts. A commercial portion that assembled data from various sources and made it searchable. Another portion, that purchased, acquired, and produced code that was used to monitor peer to peer networks. (Gnuettella, EDonkey, and others) The commercial portion was sold to TransUnion. The portion that owned and created code related to peer to peer networks was donated to a 501c3. This 501c3 is called the Child Rescue Coalition, abbreviated as CRC.

TLOs systems retrieved data potentially identifying persons distributing contraband material on peer to peer networks, including Gnuetella and eDonkey/ eMule. Originally the information obtained from their efforts was used as intelligence for law enforcement. Later they became a single source of information used in obtaining search warrants without corroborating evidence or further investigation.

To date discovery related to CRC in criminal cases has been sparse to non-existent. This is despite CRC playing a central role in thousands of criminal prosecutions around the country.

The current motions to compel discovery are seeking to verify their programs, systems, and evidence handling as it relates to criminal cases. These cases are ongoing.

Parrallel Construcion an Inside View

I saw a post on what I call “Parallel Construction” by Samuel Partida, Jr. a few days ago and took some time to think about it.

Parrallel Construction is where law enforcement identifies a criminal action by some means, but creates an alternative explanation of how they got there for the courts. Not saying the alternative story isn’t true, but it hides the “real” way they identified the criminal activity. The standard example is a drug arrest following a traffic stop. The police write up the reason for the stop as being a traffic offense. They leave out that an informant told them there were 5 kilos of cocaine in the car.

I am in the unique position of having been a police officer for 15 years and now doing defense work. I worked narcotics, street crimes, and eventually on a FBI CyberCrime Task Force.

The “parallel construction” situation exists a lot in law enforcement. It is most prominent in areas where you are working with informants or high tech information, and there is the desire to conceal a law enforcement capability.

I will elaborate on examples of each situation.

  • You have an informant on the inside that is able to point you to criminal activity. If you reveal anything to anyone that there is an informant involved, you place this person at risk of harm. Further, you jeopardize their ability to help with any future investigations.

  • Law enforcement has a high tech ability that criminals do not know about, and there is a desire to keep it secret. An example of this would be early in the days of night vision goggles. I was involved drug enforcement operations where officers observed drug activities from a concealed position utilizing night vision. Uniformed officers would then respond and engage in citizen contacts with individuals we knew to be holding drugs. It would not be unusual for dealers to run and simply throw down the drugs as they ran. One officer would collect the drugs, while others apprehended the fleeing dealer. The reports would not mention the use of night vision in identifying the member of the group who was holding drugs.

  • A law enforcement officer having access to a classified tool / information that provides information on a crime that would not be available to the general public. As a condition for receiving this information or using the tool, the local agency and / or officer is required to enter into an agreement with a federal agency or private company that forbids the disclosure of the tool. Example would be information originating from NSA intercepts or a Stingray. http://www.fiercemobilegovernment.com/story/fbi-keeps-police-mum-use-cellphone-trackers/2014-10-01

In some cases, the law enforcement officer when giving testimony is placed in the uncomfortable position of having agreed and/or being under orders not to disclose the above information. The “penalty” if there is a disclosure in some cases is their entire agency being cut off from having access to the tool or information.

Before anyone condemns the officers from not just volunteering this information, I want you to consider another situation that comes up in court all the time. Virtually every time I raised my hand to testify at a trial, I was under directions from a judge or attorney not to mention or talk about “X” issue when testifying. It always struck me at how this conflicted with the oath they had me take to tell the “whole” truth. It was a regular event that I had to carefully craft answers in such a way as to conceal information I had been directed to keep away from the jury.

There were times where both of these sets of issues would overlap in the same case.

But back to the “parallel construction” issue. In most cases an officer doesn’t have to lie to conceal the other information. This is because the attorneys involved simply do not know the right question to ask. This is part of where I help the defense out today.

Take Back Your Email

Own You Own Email

If you have followed the technology related privacy news at all in the last year, you know that your average free email service now has zero expectation of privacy. This isn’t even “tin foil hat” style speculation now. It is well established that the NSA indexes all the email traveling through the major free email services. Moreover, Google has changed their terms of service to essentially read that you have no expectation of privacy. They routinely scan and index your messages for ads before you even see the message. Now they scan any pictures for child pornography, and proactively report anything found to law enforcement. The follow on question is how long before they start scanning for copyrighted music, pictures, or a plagiarized essay?

I for one have reached the point where I don’t want to wait around in that environment anymore. I have always used my business domain email for major things such as attorney emails, but I have largely quit giving out my gmail address for anything except just total junk mail. In essence, you shouldn’t use your gmail address for anything that you wouldn’t be okay just posting on a public message board.

I know many people reading this will have the thought that you can’t possibly afford to, or know how to move off of gmail.

Well, I will give you a few steps to a simple alternative. I have been using FastMail now for about a year. Their email service is fast, always available, and very responsive. They include a built in function to import your previous email from gmail to FastMail. You can even configure FastMail to keep checking and pulling email from Google’s servers. You can even send using your Gmail address. Obviously, you want to start moving away from that gmail address; but, we all know that will take time.

Fastmail has assurances on their website that their team is entirely Austraila based, and intends to fight any NSA national security letters. They advise that Australia has no parallel to the National Security Letter. Any mass collection in Australia will have to go through the public courts there. There is no U.S. citizen with admin access to their servers.

The basic steps to migrate are as follows:

  1. Buy your own domain. ( GoDaddy is a cheap way to do it.)
  2. Buy a FastMail Account.
  3. Point your DNS at FastMail
    a. If all you doing is using the domain for email, just point your nameserver records at FastMail. They can handle the rest of the DNS then.
    b. If you are hosting a website somewhere else with the domain, then you will have to enter the MX and SPF TXT records.
  4. Migrate your old emails over using FastMails import tool.
  5. After the import finishes, set FastMail to check your old address.
  6. Start using and enjoying you own email that you own.
  7. If you ever decide to use a service other than FastMail, since you own the domain, you just point that domain’s email to end up somewhere else.

I hope this points someone in the direction of getting a little privacy back in their life. The even better system is to have your own server hosting all you email, currently a great server side software application for the average person just doesn’t exist yet. I am watching the Dark Mail project and MailPile. One of them may be the even better answer in time. And no I don’t want to hear about, if you don’t have anything to hide. If that is your position, just make a public bulletin board your email service, and tell people to post there to contact you.

Learn more about me on my website DataTriangle, or say Hi next time you are in the Nashville, TN area.

Note I am not affiliated, and make no money from FastMail. They are just an alternative I know and personally use.

Phone: (615) 208-6565 1633 W. Main St, Suite 902, Lebanon, TN