SEC 350 – Computer Forensics Scenario

John Smith from the Collections Department has been accessing child pornographic websites from the company computer.

What laws and crimes are involved?

The major laws and crimes involved in this scenario are The Computer Security Act of 1987, 18 U.S.C. § 225, 18 U.S.C. § 2252, and 18 U.S.C. § 2252A. The Computer Security Act of 1987 was passed to improve the security and privacy of sensitive information in federal computer systems. The law requires the establishment of minimum acceptable security practices, creation of computer security plans, and training of system users or owners of facilities that house sensitive information. 18 U.S.C. § 2251 involves the sexual exploitation of children. 18 U.S.C. § 2252 involves certain activities relating to material involving the sexual exploitation of minors (possession, distribution and receipt of child pornography). 18 U.S.C. § 2252A involves certain activities relating to material constituting or containing child pornography.

What equipment do you need to perform the exam?

Various equipment can aid a forensic investigator. It’s definitely necessary to have a target drive to clone to so I don’t do anything with the source drive. Typically, I would want a forensic lab with controlled entry and storage for evidence that also has controlled access so that it’s known who could have possibly accessed the evidence at any given date and time. It’s also helpful to have a good forensic computer. For example, something like a Forensic Airlite VIII I7, at an affordable $7,399.99.

It includes an external hard drive enclosure and write protection. There are also forensic password breaking computers that can work many times faster than a typical computer in file decryption or password recovery.

What legal matters need to be addressed?

Legal matters that need to be addressed include violating a company’s terms of use for their network and internet resources. I would need to obtain a copy of the business’s rules for internet and computer use for employees. Of course, other legal matters involve violating of the previously mentioned laws above. There are also legal considerations based on the type of company I’m working with.

How are you going to handle John Smith’s computer in a forensically sound manner?

Certain fundamentals must be adhered to in computer forensics. The following are important steps that I would do first.

  • Request that the company shut down and hold John Smith’s computer for me to come retrieve.
  • Determine if there are any special legal or privacy considerations such as HIPAA, clergy, journalism/publishing, etc.
  • Verify that I have a legal ability to seize the computer (consent from the company).
  • Preserve the evidence on the computer by copying the drive’s contents to another drive

I would also document each step. It’s important to write in such a way that even less technically-minded people can understand, and also so that I can still understand exactly what happened months or years afterward. Important information to enter into that documentation includes but is not limited to the following:

  • Who was present when I picked up the computer?
  • What devices was it connected to?
  • What forensic procedures did I follow while onsite?
  • Who has access to the evidence from seizure to trial (if it comes to that)?

I would try to keep in mind that the evidence I collect is useful only if it’s admissible in court. It’s important to maintain a proper chain of custody or the work that I perform could be a waste of time.

After securing the computer I would copy the contents to a destination drive rather than touching on the original source drive (that is in John’s computer). I would run scanning software such as Known File Filter to search for data related to child pornography. I may also run duplicate searches with another software to compare results. The type of data analyzed would likely include images, email, downloads, and website data on the computer. Additionally, router/firewall logs from the equipment that John’s computer was connected to could be used as evidence of the child pornography.

 In this instance, the categories of forensics investigated would be network, internet, and software forensics. I would follow that line of evidence. I could search through John’s browser history and make note of any pornography I find. It’s likely there would be more than just child pornography, and if so, even if it is legal porn, it would be a violation of what John is allowed to use the business network for. Also, some of the files may be stored on John’s computer. They may be encrypted in which case I may need his cooperation, or they could be hidden, and I would need to check for those kinds of file settings.

There are considerations for how evidence may appear to the court that would affect how I look for evidence. I would need to identify that the user (John’s computer account) was the account used to access child pornography. It is possible that someone else used his computer on another account. Sometimes computers have different accounts and are shared. I may also want to look for patterns of activity. If the user is frequently accessing a website dedicated to child porn then that’s more incriminating than accessing an adult website and occasionally obtaining child porn that way (which could be accidental and I’m sure lawyers involved would want to know of evidence that indicates that one way or another due to the way intent works in child pornography cases

After I complete the investigation, I would write a report for the collections department as to what I found, and make sure that any documentation I have is in order on my end for future reference as I’d rather not spend a week digging through an old case.