Monday, November 12, 2012

Scope of warrant at issue

This just in from CyberCrime Review: "In United States v. Schlingloff, 2012 U.S. Dist. LEXIS 157272 (C.D. Ill. Oct. 24, 2012), Judge Shadid held that use of Forensic Toolkit's (FTK) Known File Filter (KFF) to alert on child pornography files was outside the scope of a warrant issued to look for evidence of identity theft.

The defendant in this case lived at a location that was searched pursuant to a valid warrant; the warrant was issued to find evidence of identity theft. During the search of the residence, multiple media devices and computers were retrieved, including a computer and external storage device belonging to the defendant. When the items were sent for forensic analysis, the computer forensic analyst did a search of the devices not only for identity theft (likely image and string searches), but also for child pornography using FTK's KFF option.

A short explanation on KFF. To make forensic analysis easier, files that are known to be valid (system files, DLLs, etc.) are hashed, and those hash values are compared against a disk image to exclude known valid files from further forensic analysis. Conversely, known malicious or illegal files are also hashed, and if those files are found on the computer, the KFF alerts on those hashes, indicating to the investigator that those files should definitely be investigated further. Per FTK's own literature, the KFF can be pared to certain file lists (i.e. hashes of child porn files, virus-related files, etc.) relevant to the current investigation. Additionally, the forensic investigator does not have to use KFF - it is merely an option.

Here, the investigator chose to use the KFF, and within its alerts were hashes of child pornography. While searching the defendant's computer, child porn alerts generated by the KFF showed up. The analyst took the next step and (to confirm the files were in fact CP), opened a few to confirm the results. As the court stated:
The search here did not end with flagging the child pornography files during preprocessing, however. After the KFF alerted to the two files in question, [the agent] believed that he recognized them to be part of the "Vicky" series of child pornography based on their hash values and his experience. Rather than stopping at this point to obtain a warrant to search for images of child pornography, [the agent] briefly opened each file in order to confirm his suspicions before stopping any further processing..

Based on this evidence, the defendant was charged with possession of child pornography. The defendant filed a motion to suppress the evidence, arguing that it was outside the scope of the warrant. The initial motion was denied because the court was under the impression that KFF was an all-or-nothing option. Upon learning that the KFF can be turned on and off in a motion to reconsider, the court granted the motion to suppress.

Continue reading the article by clicking here.


No comments: