A great many cases involving child pornography stem from law enforcement personnel gathering evidence via the peer-to-peer networks. The Internet Crimes Against Children (ICAC) task force is aggressively funding federal, state, and local law enforcement agencies to enable them to perform investigations of child abuse including peer-to-peer network investigations of the distribution and receipt of child pornography.
In the fiscal year of 2008 and the first three quarters of fiscal year 2009, the ICAC trained 58,000 law enforcement personnel and 4,032 prosecutors. During that same time period ICAC investigations led to over 6,400 arrests. The ICAC program today is a national network of more than 3,000 federal, state, and local law enforcement agencies.
In addition to contraband material investigations, the Recording Industry Association of America (RIAA) has been aggressively pursuing persons sharing copyrighted music via the peer-to-peer networks for several years now and has filed thousands of lawsuits against file sharers.
Investigators and law enforcement agencies collect evidence during peer-to-peer investigations using various tools and techniques, some designed specifically for the purpose of locating files and gathering evidence about sharing computers.
36.4.1. Investigating file-sharing networks
Suppose you were interested in locating people who are sharing particular files. How would you go about finding out if those files were present on the peer-to-peer network and then how would you go about locating the source of those files?
If you wanted to find a particular file on the peer-to-peer network, you would develop a special software application that could search for files, not just by keyword, but also by the SHA1 hash. Hash values are covered in Chapter 4 and Chapter 26.
The SHA1 hash is like a fingerprint for a file. If you find a file on the network with a SHA1 hash matching your file of interest, you could be confident that the file had been present on the network at some point.
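As an added illustration (not code from the book or from any file-sharing client), the following shows the fingerprint comparison described above: hashing a file incrementally and matching the digest against a set of hashes of interest. Gnutella clients such as Phex display the digest in the base32 "urn:sha1:" form rather than hex, so the helper accepts both spellings; the file contents, hosts and search results are constructed samples.

```python
import base64
import hashlib


def sha1_of_stream(chunks):
    """Digest an iterable of byte chunks incrementally, so a large media file
    is never held in memory at once. Returns the 20 raw digest bytes."""
    h = hashlib.sha1()
    for chunk in chunks:
        h.update(chunk)
    return h.digest()


def sha1_of_file(path, chunk_size=1 << 20):
    with open(path, "rb") as f:
        return sha1_of_stream(iter(lambda: f.read(chunk_size), b""))


def normalise_sha1(value):
    """Accept a SHA1 as 40 hex characters or as the 32-character base32 form used
    in Gnutella 'urn:sha1:' identifiers, and return the raw digest bytes."""
    v = value.strip()
    if v.lower().startswith("urn:sha1:"):
        v = v[len("urn:sha1:"):]
    if len(v) == 40:
        return bytes.fromhex(v)
    if len(v) == 32:  # 160 bits encode to exactly 32 base32 characters, no padding
        return base64.b32decode(v.upper())
    raise ValueError(f"unrecognised SHA1 encoding: {value!r}")


def to_urn_sha1(digest):
    """Render raw digest bytes the way a Gnutella search window lists them."""
    return "urn:sha1:" + base64.b32encode(digest).decode("ascii")


def match_search_results(results, hashes_of_interest):
    """Return the search results whose SHA1 equals one of the hashes of interest.
    A match shows the content is identical; it says nothing yet about whether the
    host will actually serve the file (the Browse Host / direct-download checks do that)."""
    wanted = {normalise_sha1(h) for h in hashes_of_interest}
    return [r for r in results if normalise_sha1(r["sha1"]) in wanted]


# Constructed sample: this byte string stands in for the file of interest.
SAMPLE_FILE = b"constructed sample media file contents"
SAMPLE_DIGEST = sha1_of_stream([SAMPLE_FILE])
# Constructed search results, with hosts drawn from documentation-only IP ranges.
SAMPLE_RESULTS = [
    {"host": "192.0.2.10", "sha1": to_urn_sha1(SAMPLE_DIGEST)},
    {"host": "198.51.100.7", "sha1": hashlib.sha1(b"some other file").hexdigest()},
]
```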
Another file-sharing program, Phex, shows how easy it is to find information about someone’s file sharing. In Fig. 36.7, the search results window in Phex is shown for the keyword Johnny Cash. The Sharing Host column gives the IP address of the Internet connection in use by the computer sharing the files. The SHA1 column gives the hash value of the file being shared. The highlighted file matches (in this imaginary scenario) the SHA1 you are looking for.
Now that you have located a matching file, your next step is to see if the computer sharing the file is in an area of interest to you.
The Sharing Host IP address here is the key. You can find out who owns the IP address by using tools available for looking up this information, such as the lookup tools provided by websites like DNS Stuff (www.dnsstuff.com). This will typically lead to an Internet service provider like Time Warner, Verizon, or some other company that provides Internet access to consumers.
Meanwhile you might want to see if the computer sharing the one file has other files you are interested in. In Phex and many other file-sharing programs you can request that the program perform a Browse Host to see what other files that particular computer is sharing. However, bear in mind that even performing a Browse Host on a particular IP address is not a guarantee that the files listed are actually available to be downloaded. The results of a Browse Host command executed using the Phex file-sharing program are shown in Fig. 36.8.
In order to verify that the file of interest really is on the computer, one further step is to perform a direct download of the file from that particular sharing computer. Care must be taken to ensure that the file is downloaded only from the single host, so that the file can be shown to have actually come from that host IP address. Figure 36.9 shows a file being downloaded only from the host computer of interest. In Fig. 36.9, note that the # Candidates column shows one / zero / one, meaning that the file is being downloaded from the single host and is not being assisted by other sharing computers.
However, it is important to remember that all of the evidence you have gathered in this scenario does not lead necessarily to an individual person, even if you can locate the physical address of the Internet subscriber assigned to the IP address at the time of the investigation. You would still need to locate the individual computer and perform a forensic examination to verify that the files are on the hard drive and that the files were in fact downloaded by the individual of interest.
36.1. Some other dude did it
A man was arrested for downloading child pornography on his girlfriend’s laptop computer using LimeWire. The computer was examined by law enforcement personnel and subsequently by the defense expert. The defense expert examined the hard drive and located the child pornography files along with the timeline of when the files were downloaded. He also examined the user profile information under which the downloads were made. It was discovered that the defendant did not have a password to access the profile that was logged in during the downloading and that the file-sharing program was installed under this password-protected user profile. The accused did have a user profile on the computer that was not password protected. However, the accused’s profile had not been logged on for some months prior to the downloading of the child pornography. Based on other evidence, it was learned that the accused did not have possession of the computer during the time in which the downloads occurred. This was a clear-cut case of a revenge setup, and all of the child pornography charges against the defendant were dropped.
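The forensic step that the scenario above and the case study both turn on is tying each download to whoever was logged on at the time, not merely to the machine. The following is an added example (not the book's or any tool's code) of that correlation: it takes a download timeline and the logon sessions of each user profile, reports which profile was active when each download completed, and measures how long the accused's profile had been idle. All timestamps, profile names and paths are constructed to mirror the case study.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class LogonSession:
    profile: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Download:
    path: str
    completed: datetime


def profiles_logged_on_at(sessions, when):
    """Profiles with an interactive session covering the given instant."""
    return {s.profile for s in sessions if s.start <= when <= s.end}


def attribute_downloads(downloads, sessions, suspect_profile):
    """For each download, return (download, active profiles, suspect_was_logged_on).
    A False third element means the download cannot be attributed to the suspect
    on logon evidence alone, whatever the file-sharing program's own records show."""
    report = []
    for d in downloads:
        active = profiles_logged_on_at(sessions, d.completed)
        report.append((d, active, suspect_profile in active))
    return report


def days_since_last_logon(sessions, profile, when):
    """Whole days between the profile's most recent logoff before 'when' and 'when';
    None if the profile never logged on before that point."""
    ends = [s.end for s in sessions if s.profile == profile and s.end <= when]
    return (when - max(ends)).days if ends else None


# Constructed sample modelled on the case study: the downloads complete under the
# password-protected "owner" profile, while the accused's profile last logged on months earlier.
SAMPLE_SESSIONS = [
    LogonSession("accused", datetime(2009, 1, 5, 9, 0), datetime(2009, 1, 5, 17, 0)),
    LogonSession("owner", datetime(2009, 4, 12, 20, 0), datetime(2009, 4, 13, 1, 30)),
]
SAMPLE_DOWNLOADS = [
    Download("Shared/constructed-file-1.avi", datetime(2009, 4, 12, 22, 15)),
    Download("Shared/constructed-file-2.avi", datetime(2009, 4, 12, 23, 40)),
]
```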
Warning: We want to emphasize that the example scenario in this chapter is oversimplified and that the actual investigation of a peer-to-peer file-sharing case is complicated and must be analyzed on both sides with care to ensure that the evidence is authentic and verifiable.
Cases like the one shown in the case study tend to be the exception rather than the rule in file-sharing cases involving contraband files. And in many cases the evidence seems insurmountable when someone is arrested for downloading contraband files via the file-sharing networks. Even though evidence presented by a law enforcement examiner might seem cut and dried to someone not familiar with how peer-to-peer networking operates, depending on the claims made, the interpretation of peer-to-peer evidence in a case can have a significant impact on the outcome of the case. As with any form of digital evidence being presented, the evidence should be properly verified and not viewed in isolation without considering all of the facts that may come to light if the evidence is reviewed by another examiner. Based on experience as examiners in hundreds of cases, we have found that proper interpretation of evidence in light of the totality of the circumstances is a critical aspect of handling cases involving electronic evidence.