Cell Phone Tracking Analysis Saves a Defendant in Child Pornography Criminal Investigation

I was recently retained in a case where an individual was accused of dissemination of child pornography. On the surface, even to the investigators, the case appeared to be a certain guilty verdict. Thankfully for the defendant, his cell tower tracking data was able to prove he didn’t commit the crime.

The facts of the case are as follows:

  • Internet Crimes Against Children (ICAC) law enforcement officers at the state level were investigating the distribution of child pornography via peer to peer (P2P) software.
  • ICAC officers utilized the Child Protection System (CPS) to identify an Internet Protocol (IP) address in their jurisdiction that was disseminating child pornography.
  • A subpoena was issued to the Internet Service Provider (ISP) to determine the physical address that was associated with the IP address.
  • A search warrant was served at the defendant’s home.
  • A search of the home located a Personal Computer (PC) that had P2P software installed.
  • Child Pornography was located on the computer.
  • The defendant was in his 70s.
  • The defendant was retired from a technology oriented profession.
  • The defendant denied any knowledge of P2P software or child pornography on his computer.
  • The defendant was the only person living in the home at the time of the search warrant.
  • At the time of the search warrant’s execution, the P2P software had already been disseminating the contraband material for several weeks.
  • The defendant has an adult son that stayed with him occasionally.
  • Law enforcement officers alibied the adult son as being at another location when they believed the crime occurred. (The alibi was a girlfriend.)

Despite denying being involved in the crime, the defendant was arrested for disseminating child pornography. He was later indicted by the State Attorney’s Office.

The defense issued a subpoena to the defendant’s cell phone provider for his call detail records and the locations of the cell phone towers that handled the phone calls. This provided raw data on the defendant’s physical location when his phone was active.

I was retained by the defense. I was provided with law enforcement forensic reports and the cell phone tower data. I analyzed CPS data, computer forensics, and cell phone tower data. I was able to come to the following conclusions.

  • Law Enforcement alibied the adult son for the wrong times. They misinterpreted the evidence.
  • The cell phone tower data placed the defendant in another state when the actual “hands on” computer activity occurred that resulted in the distribution of child pornography.
  • The computer had been continually running since before the “hands on” aspect of the crime occurred almost until the time of the search warrant.

I arranged to conduct a defense computer forensics exam of the defendant’s computer. I was able to show that the adult son was probably the one using the computer at the time the “hands on” aspect of the crime occurred. I located instant message (IM) chats in which another party discusses the adult son’s problems with pornography with him. I located web cam pictures of himself that the adult son had taken.

Once law enforcement was presented with the above evidence they recommended to the state attorney’s office that the case against the defendant be dropped. The case against the defendant was dropped.
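The conclusions above depend on putting the computer's "hands on" timestamps and the call detail records on one clock before comparing them. The sketch below is an added example, not the examiner's tooling: the records, tower ids, state labels, UTC-5 PC offset and six-hour window are all constructed assumptions.

```python
from bisect import bisect_left
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
PC_TZ = timezone(timedelta(hours=-5))  # assumption: PC clock offset; real exams must handle DST
HOME = "STATE_A"                       # placeholder label for the state of the residence
MAX_GAP = timedelta(hours=6)           # assumption: how stale a tower hit may be and still count
FMT = "%Y-%m-%d %H:%M"

def utc(stamp):
    """Parse a provider timestamp that is already in UTC."""
    return datetime.strptime(stamp, FMT).replace(tzinfo=UTC)

# Constructed call detail records in provider time (UTC): (time, tower id, tower state)
CDR = sorted([
    (utc("2014-03-01 15:10"), "T-101", "STATE_A"),
    (utc("2014-03-03 18:05"), "T-877", "STATE_B"),
    (utc("2014-03-03 23:40"), "T-877", "STATE_B"),
    (utc("2014-03-04 14:20"), "T-880", "STATE_B"),
    (utc("2014-03-06 16:00"), "T-101", "STATE_A"),
])

# Constructed "hands on" events from the computer timeline, in PC local time
EVENTS = ["2014-03-01 10:00", "2014-03-03 16:30", "2014-03-05 12:00"]

def classify(event_local, cdr=CDR):
    """Place the phone at the time of one computer event.

    Returns 'home', 'away', 'mixed' (phone moved between the bracketing
    records) or 'unknown' (phone idle; no record close enough to rely on).
    """
    t = datetime.strptime(event_local, FMT).replace(tzinfo=PC_TZ).astimezone(UTC)
    times = [row[0] for row in cdr]
    i = bisect_left(times, t)
    # Records immediately before and after the event, where they exist
    neighbours = cdr[max(i - 1, 0):i + 1]
    near = [row for row in neighbours if abs(row[0] - t) <= MAX_GAP]
    if not near:
        return "unknown"
    states = {row[2] for row in near}
    if states == {HOME}:
        return "home"
    return "away" if HOME not in states else "mixed"

def correlate(events=EVENTS):
    """Classify every hands-on event against the call detail records."""
    return [(e, classify(e)) for e in events]

if __name__ == "__main__":
    for event, verdict in correlate():
        print(event, verdict)
```

An "unknown" result is as important as an "away" one: tower records only exist when the phone was active, so an event with no nearby record neither supports nor undermines an alibi.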

Nashville Tennessee Computer Forensics

I have recently gotten some questions about what computer forensics work I have been doing in Tennessee, and to contrast it to Florida.  By and large, computer forensics is computer forensics but there does seem to be some different emphasis on the work areas.

I have had a lot of healthcare related work in Tennessee. This has ranged from the individual doctor’s practice to large clinics. The work has ranged from data breaches and employees stealing data to data recovery work. The cases generally haven’t been huge investigations, as in find the unknown bad act. In interviews, I have generally been able to narrow things down to “X” act happened between these dates and times on the specified computer(s).

I have made progress on making contacts with attorneys in Tennessee and Kentucky. I have been retained in a few child pornography cases as an expert witness. So far, many of the issues in the cases are similar to those I saw in Florida and Virginia. In Kentucky especially, they seem to be very backed-up on their forensic exams.

I had an investigation in Arkansas where an “ethical hacker” performed some work without having a written contract in place giving him permission.  The events that followed created some confusion and concern for a possible data breach.

Last week, I was at the Tennessee Bar Association’s office in Nashville for a live continuing education presentation.  This presentation was titled “Computer Forensics in a Mobile World.”  This presentation was streamed live throughout the state for attorneys to attend for CEU credit.  They also will be able to view the presentation on-demand for CEUs over the next year.

I hope to do some presentations at the Lebanon, TN chamber of commerce over the rest of the year. I will cover topics that will be of interest to small business owners.  The presentations will probably focus on firewalls, storage, HIPAA, and general security topics.  On the HIPAA/ HITECH act presentation I am hoping to have an attorney participate.

I am also going to do one on utilizing mobile device analysis in traffic accident investigations. This seems to be a rapidly growing area of interest in litigation. Not to mention a very real problem…as we have all seen first hand. It will also serve to gauge interest locally in this area.

Peer to Peer Investigation and Probable Cause


I have recently been part of a couple court cases in which the defense has sought to compel discovery from TLO. This discovery is the direct and only probable cause for the search warrants in these cases.

TLO is a company name acronym that stands for “The Last One.” This is a reference to the last planned company of Hank Asher. Mr. Asher has since passed away. TLO has been split up and sold off.

TLO had at least two parts: a commercial portion that assembled data from various sources and made it searchable, and another portion that purchased, acquired, and produced code that was used to monitor peer to peer networks (Gnutella, eDonkey, and others). The commercial portion was sold to TransUnion. The portion that owned and created code related to peer to peer networks was donated to a 501(c)(3). This 501(c)(3) is called the Child Rescue Coalition, abbreviated as CRC.

TLO’s systems retrieved data potentially identifying persons distributing contraband material on peer to peer networks, including Gnutella and eDonkey/eMule. Originally the information obtained from their efforts was used as intelligence for law enforcement. Later they became a single source of information used in obtaining search warrants without corroborating evidence or further investigation.

To date discovery related to CRC in criminal cases has been sparse to non-existent. This is despite CRC playing a central role in thousands of criminal prosecutions around the country.

The current motions to compel discovery are seeking to verify their programs, systems, and evidence handling as it relates to criminal cases. These cases are ongoing.

Parallel Construction: An Inside View

I saw a post on what I call “Parallel Construction” by Samuel Partida, Jr. a few days ago and took some time to think about it.

Parallel Construction is where law enforcement identifies a criminal action by some means, but creates an alternative explanation of how they got there for the courts. Not saying the alternative story isn’t true, but it hides the “real” way they identified the criminal activity. The standard example is a drug arrest following a traffic stop. The police write up the reason for the stop as being a traffic offense. They leave out that an informant told them there were 5 kilos of cocaine in the car.

I am in the unique position of having been a police officer for 15 years and now doing defense work. I worked narcotics, street crimes, and eventually on an FBI CyberCrime Task Force.

The “parallel construction” situation exists a lot in law enforcement. It is most prominent in areas where you are working with informants or high tech information, and there is the desire to conceal a law enforcement capability.

I will elaborate on examples of each situation.

  • You have an informant on the inside that is able to point you to criminal activity. If you reveal anything to anyone that there is an informant involved, you place this person at risk of harm. Further, you jeopardize their ability to help with any future investigations.

  • Law enforcement has a high tech ability that criminals do not know about, and there is a desire to keep it secret. An example of this would be early in the days of night vision goggles. I was involved in drug enforcement operations where officers observed drug activities from a concealed position utilizing night vision. Uniformed officers would then respond and engage in citizen contacts with individuals we knew to be holding drugs. It would not be unusual for dealers to run and simply throw down the drugs as they ran. One officer would collect the drugs, while others apprehended the fleeing dealer. The reports would not mention the use of night vision in identifying the member of the group who was holding drugs.

  • A law enforcement officer has access to a classified tool or information that provides information on a crime that would not be available to the general public. As a condition for receiving this information or using the tool, the local agency and/or officer is required to enter into an agreement with a federal agency or private company that forbids the disclosure of the tool. An example would be information originating from NSA intercepts or a Stingray. http://www.fiercemobilegovernment.com/story/fbi-keeps-police-mum-use-cellphone-trackers/2014-10-01

In some cases, the law enforcement officer when giving testimony is placed in the uncomfortable position of having agreed and/or being under orders not to disclose the above information. The “penalty” if there is a disclosure in some cases is their entire agency being cut off from having access to the tool or information.

Before anyone condemns the officers for not just volunteering this information, I want you to consider another situation that comes up in court all the time. Virtually every time I raised my hand to testify at a trial, I was under directions from a judge or attorney not to mention or talk about “X” issue when testifying. It always struck me how this conflicted with the oath they had me take to tell the “whole” truth. It was a regular event that I had to carefully craft answers in such a way as to conceal information I had been directed to keep away from the jury.

There were times where both of these sets of issues would overlap in the same case.

But back to the “parallel construction” issue. In most cases an officer doesn’t have to lie to conceal the other information. This is because the attorneys involved simply do not know the right question to ask. This is part of where I help the defense out today.

Mini-DVD Data Recovery

I just did a data recovery job that involved a mini-DVD that had been accidentally re-formatted. I got the DVD in with no active files. My usual go-to for these recoveries has been IsoBuster. I have had many successful recoveries with IsoBuster. In this case it did recover movie files that had been on the drive. It incorrectly assembled lots of the MPEG fragments into a few large VOB files. This resulted in a jumpy video with a lot of unintelligible audio.

Well, I knew my friends from England, CNW recovery, had been working hard on their DVD data recovery routines. I decided to give CNW a try. It has a very user friendly menu that guides you through each step of the process. It recommends at each step the next step in the recovery. I watched as it imaged the disk, carved the MPEGs, then did its best guess at reassembly. The process was very easy to understand and smooth for a low-level data recovery tool.

The resulting MPEGs were much cleaner than the VOBs produced by IsoBuster. There were segments that, by manual review, I could tell needed to be reassembled. There were none that were incorrectly put together though. (A much harder thing to deal with.)

I manually re-assembled the MPEGs together that were really part of one continuous shoot. The resulting product was very good.

I am very impressed with the progress of CNW recovery in this area!!
