Message-ID: <433ED2BE.3020008@science.org>
Date: Sat, 01 Oct 2005 08:17:34 -1000
From: Jason Coombs <jasonc@...ence.org>
To: Full-Disclosure <full-disclosure@...ts.grok.org.uk>
Cc: isn@...rition.org, bugtraq@...urityfocus.com
Subject: Careless Law Enforcement Computer Forensics
 Lacking InfoSec Expertise Causes Suicides


34 people have killed themselves in the U.K. after being accused of 
purchasing child pornography using their credit card numbers on the Web 
between 1996 and 1999; and thousands have been imprisoned around the 
world for allegedly doing the same. Two of the first, and still ongoing, 
large-scale investigations of credit card purchases of child pornography 
through the Internet are known as Operation Ore (U.K.) and Operation 
Site Key (U.S.) -- tens of thousands of suspects' credit card numbers 
were found in the databases used by the alleged e-commerce child porn 
ring, and law enforcement's careless misunderstanding of the Internet 
and infosec (circa 1999) resulted in every single one of the suspects 
being investigated and thousands have so far been prosecuted and convicted.

Was your credit card number in the Operation Ore / Operation Site Key 
database? How would you know unless and until you've been arrested?

Over the last few years I have seen numerous cases in which the computer 
forensic evidence proves that a third party intruder was in control of 
the suspect's computer. More often there is simply no way to know for 
sure what might have happened between 1996 and 1999 with respect to the 
computer seized by law enforcement at the time of arrest years later.

If security flaws, porn spyware, or mistakes by an unskilled end user 
resulted, over the years, in some child pornography being downloaded to 
a suspect's hard drive, even in 'thumbnail' graphic formats and 
recovered only using forensic data recovery tools that carve files out 
of unallocated clusters, then the suspect is routinely charged, since 
the presence of child pornography on a hard drive owned by a person who 
is accused of purchasing child pornography is the best evidence law 
enforcement has to prove guilt of these so-called 'electronic crimes 
against children' -- crimes that are proved by the mere existence of 
data, where it matters not that a suspect did not and could not have 
known that the data existed on a hard drive that was in their possession.

I ask you this question: why doesn't law enforcement bother to conduct 
an analysis of the computer evidence looking for indications of 
third-party intrusion and malware? Some people have indicated to me that 
sometimes law enforcement actually does do post-intrusion forensics; 
though this decision is entirely up to the prosecutor or forensic lab 
director, and if they don't put in the time to do this they still get 
their conviction so there is presently no incentive to spend hundreds of 
hours analyzing large hard drives searching for evidence of intrusion 
just in case one might have occurred.

A substantial factor in the answer to this question is that it is nearly 
impossible to know what might have happened to a computer over the 
years, and most computers are used by more than one end user to begin with. 
Not only is there no way to differentiate

Every person convicted of an electronic crime against a child based only 
on evidence recovered from a hard drive that happened to be in their 
possession should be immediately released from whatever prison they are 
now being held.

Law enforcement must be required to obtain Internet wiretaps, use 
keyloggers and screen capture techniques, and conduct other 
investigations of crimes-in-progress, because the current approach to 
computer forensics being taught by vendors such as Guidance Software 
(www.encase.com) and others (who just happen to sell products designed 
to analyze and search hard drives) makes the outrageous assertion that a 
person can be proven guilty of a crime based only on data that is found 
on a hard drive in their possession.

There is simply no way for law enforcement to know the difference 
between innocent and guilty persons based on hard drive data 
circumstantial evidence. Something must be done to correct this misuse 
of computer evidence, and whatever that something is, it is clear that 
only an information security organization is going to be able to explain 
it to law enforcement and legislators.

Regards,

Jason Coombs
jasonc@...ence.org

--

http://news.independent.co.uk/uk/legal/article316391.ece

30 September 2005 21:24

No evidence against man in child porn inquiry who 'killed himself'
By Ian Herbert
Published: 01 October 2005

The credibility of a major investigation into child pornography came 
under renewed scrutiny yesterday after an inquest into the death of a 
naval officer who was suspended by the Royal Navy despite a lack of 
evidence against him.

The Navy suspended Commodore David White, commander of British forces in 
Gibraltar, after police placed him under investigation over allegations 
that he bought pornographic images from a website in the US. Within 24 
hours he was found dead at the bottom of the swimming pool at his home 
in Mount Barbary.

The inquest into his death heard that computer equipment and a camera 
memory chip belonging to Commodore White had yielded no evidence that he 
downloaded child pornography, and a letter was written by Ministry of 
Defence police to Naval Command on 5 January this year indicating that 
there were "no substantive criminal offences" to warrant pressing 
charges. But the Second Sea Lord, Sir James Burnell-Nugent, feared that 
the media would report the case and on 7 January removed him from his 
post anyway.

Despite accepting the news in a "steady fashion", the commodore was dead 
the next day. His brother Rupert told the inquest that the news of his 
removal had caused his "mental collapse", and that he was in "a state of 
catatonic shock".

The head of the Royal Navy, the First Sea Lord, Admiral Sir Alan West, 
expressed his "deep regret" over Commodore White's death yesterday, 
after the inquest recorded an open verdict.

The coroner, Charles Pitto, said there was insufficient evidence to 
conclude whether the commodore's death was accidental or suicide. If it 
was suicide, it would have taken to 34 the total number of people who 
have killed themselves after being identified as suspects by Operation 
Ore, Britain's biggest child-sex probe. The nationwide police 
investigation was launched three years ago after a list of 7,200 British 
suspects was handed to British police by US authorities. The men on the 
list are accused of using credit cards to pay for child porn through 
Landslide, a sex website that operated in Texas from 1996-99.

The results have seemed impressive. Nearly 4,000 people have been 
arrested, some 1,600 have been charged and 1,200 convicted. But the 
operation has placed some apparently innocent individuals under 
suspicion. In one case at Hull Crown Court last year, a distinguished 
hospital consultant was acquitted after it emerged that hackers had used 
his credit card on Landslide. The judge dismissed some police evidence 
as "utter nonsense".

Robert Del Naja, frontman of the group Massive Attack, was also wrongly 
accused of downloading child pornography. His arrest in 2003 was leaked 
to the media, but the case was dropped. The Who guitarist Pete 
Townshend, the most high-profile name to emerge so far from the Ore 
list, was not charged because he had not downloaded any pictures, and 
said he had been doing research for a book about child abuse.

The inquest heard Commodore White had reached the peak of his military 
career. During the 1990s he was on the military staff at Nato HQ in 
Brussels and was promoted to Captain in 1997, when he became the 
assistant director for naval operations during the Kosovo conflict. In 
2001, he was appointed captain of the Second Submarine Squadron, and was 
in charge of Trafalgar class submarines. He never married, but was seen 
as very sociable.
