I find this fascinating:
A central California man has been arrested for possession of child pornography, thanks to a tip from burglars who robbed the man’s property, authorities said.
I am reminded of the UK story of a burglar finding some military secrets on a laptop—or perhaps a USB drive—that he stole, and returning them with a comment that was something like: “I’m a crook; I’m not a bloody traitor.”
Phil • October 14, 2011 12:49 PM
What’s to keep a theif from robbing your house, and then loading child pr0n on your computer?
Metadata in the filesystem. A forensic analysis of the computer in question show when all those files were created. I think that would throw enough doubt on the story being told by the thief.
Dan McKinley • October 14, 2011 12:50 PM
There was an SVU episode with the same plot.
dob • October 14, 2011 12:52 PM
Metadata in the filesystem. A forensic analysis of the computer in question show when all those files were created.
As if it weren’t a trivial matter to reset the system clock, or forge the metadata with the desired timestamps.
Freiheit • October 14, 2011 1:01 PM
“As if it weren’t a trivial matter to reset the system clock, or forge the metadata with the desired timestamps.”
Or just that the local PD isn’t that sophisticated or the accused cannot afford the necessary forensic experts or the defense attourney advises the accused to plead to a lesser charge.
John F • October 14, 2011 1:02 PM
Sadly, “Metadata in the filesystem”, will not help this individual once the accusation has been made public and the media has gotten a hold of it.
“Innocent until proven guilty” only applies to the legal system. Guilty or not, the reality is that this guy has just been convicted in the minds of the general public, courtesy of the police department and the media. The monetary costs associated with defending against the accusation pale in comparison to the fact that every time a prospective employer, romantic interest, church member, etc, Googles his name in the future, the top 50 hits are going to be associated with “child porn”.
Jim • October 14, 2011 1:03 PM
Illegal search, no?
James M • October 14, 2011 1:08 PM
I think the UK story you mention dates back to World War 2, and that it was in fact a mechanical cipher machine – possibly even an Enigma – that the burglar had supposedly stolen and then returned.
Though possibly only after information was released to the effect that this device was important to national security, and would whoever stole it please return it?
(I cannot seem to find a source for this, however, so could be wrong.)
Chelloveck • October 14, 2011 1:08 PM
It’s the kind of trick that would only work once, though. The thieves aren’t going to be able to use it to dodge a second burglary charge without giving themselves away. If the porn was planted we can probably infer that (a) the “burglars” were in fact attempting to frame this specific individual, or that (b) they planted kiddie porn at all their victims’ locations to use as a bargaining chip in case they ever got caught. “Yeah, we robbed the guy, but HEY! We saw child porn in his house! Go get ‘im!” The article implies that the burglars went to the police on their own, so the second scenario can be ruled out.
(That’s assuming the bad guys are thinking rationally, of course. I admit that that’s not necessarily a given.)
Jason • October 14, 2011 1:11 PM
Absolutely an illegal search. If not, cops could simply send in their own “burglars” anytime they wished.
Phil • October 14, 2011 1:13 PM
As if it weren’t a trivial matter to reset the system clock, or forge the metadata with the desired timestamps.
So… this 2nd story guy is also a hacker with skills beyond most script kiddies? I mean, if I keep expanding and adding to the skills to guy who makes his living breaking into homes he could also siphon all your funds to an offshore account while he’s altering the metadata in your filesystem. And forging metadata and leaving no trace belongs in movies where hackers guess the password in 2 tries.
I can’t answer regarding what public opinion is going to be if this does happen. But these days any lawyer worth his salt is going to demand a copy of the forensic data and have a 3rd party go over with a fine tooth comb. For computer forensics, grabbing and analyzing the metadata is fairly routine and easy task.
tl:dr- NOT likely to happen in the first place, and even if it does it’s even more unlikely a thief will have the requisite skills to remove all traces of the “evidence” being planted.
Ian Woollard • October 14, 2011 1:14 PM
Metadata in the filesystem isn’t, by itself, enough to prove this, but you can correlate it with other events, some ISPs keep connection logs for example, and by correlating timestamps you can get pretty solid evidence.
Of course nothing digital is completely unforgeable, it’s just that it can end up being so expensive and difficult to forge that it can be essentially proven.
bode • October 14, 2011 1:21 PM
What I found most amusing about this story is that the thieves stole CDRs and then asked to have music burned onto them. I guess 2011 has not yet arrived in Merced? When was the last time anyone here listened to music burned to a CDR?
There are more details here:
Also, family pressure played a role in going to the police.
As far as everyone going nuts about illegal searches, the original burglars could actually be charged with a crime you know. The Internet is littered with tales of fake police burglaries and innocent people framed and then convicted of possessing CP, right? Oh wait, no. It is, however, apparently full of people defending child pornographers. I’m sure you’ll come back with your “innocent until proven guilty” hat in your hand when that man ends up in federal prison.
Dusty • October 14, 2011 1:23 PM
The UK story you recall follows the plot of the book the Fourth Protocol by Frederick Forsyth
Jonathan • October 14, 2011 1:57 PM
Regarding the illegal search, the burglers got the information illegally, but the police are still allowed to use it. The police aren’t obligated to turn down unsolicited evidence, regardless of how it was obtained. (Though it would be illegal for the police to ask someone to rob a house and search for stuff.) This is known as the “silver platter doctrine”.
Absolutely an illegal search. If not, cops could simply send in their own “burglars” anytime they wished.
No.
The 4th Amendment only protects against actions by the police (or agents of the police). If burglars discover something illegal upon entry into some random’s house, then what they find can be used as evidence against the random.
However, if the police hire fake burglars to find (or plant) evidence, then that’s unconstitutional and the evidence should be excluded*.
*check caselaw for exceptions to the exclusionary rule.
ike • October 14, 2011 2:14 PM
Heh, I saw this on Law & Order: SVU a while back 🙂
ike • October 14, 2011 2:18 PM
What’s to keep a theif from robbing your house, and then loading child pr0n on your computer?
Then he’s still guilty of possessing child porn even though he didn’t put it there. That’s the problem with making mere possession illegal.
Sean Palmer • October 14, 2011 2:28 PM
Maybe these discs couldn’t be used in court, but the testimony of the burglars could definitely be used to get a warrant for a more thorough search of the guy’s house.
keith • October 14, 2011 2:39 PM
Does anyone else feel like a burglar believing himself to be morally superior to anyone has missed the point?
kingsnake • October 14, 2011 2:40 PM
Guilt, or lack thereof, exists independent of any legal finding regarding the matter. Or, “I was found not guilty” is not the same as “I am not guilty”. Why? Because sometimes the guilty are found innocent, and the innocent found guilty.
Serious Listening Cat • October 14, 2011 3:00 PM
The tech side:
* You don’t need to be a “hacker with skills beyond most script kiddies” to change file metadata
* You don’t need to access the internet to copy files to a PC
The moral side:
* A burglar is a criminal (and a questionable witness)
* A victim is a victim
* A file on your PC doesn’t mean anything about you (doesn’t even mean you know it’s there)
* Where they forbid files, they will eventually burn books, etc.
The legal side:
* What do I know? They’ve evaporated Osama and almost nobody blinked. These humans are crazy 🙂
anon • October 14, 2011 3:09 PM
I wonder, if the guy had never filed a police report when the items were first stolen, it would have been harder to connect the “pr0n” produced by the burglars, with the items he reported as stolen.
Moral of the story: Never file a police report when your pr0n is stolen.
Joel Gordon • October 14, 2011 3:15 PM
A rational society would wait until the facts are presented before deciding if a person was guilty. Unfortunately for us our media presents small portions of evidence when a case begins, but generally fails to issue updates. So yes guilty or not he will be labeled by society as being guilty. However, unless his lawyer is dull, it’ll require more evidence to convict him.
When was the last time you thought someone was trying to hack you, when you misread a log file? When was the last time you filed an abuse complaint on a TOR endpoint?
My point of view is to always be a bit patient and wait/look for collaboration evidence.
Phil • October 14, 2011 4:50 PM
* You don’t need to be a “hacker with skills beyond most script kiddies” to change file metadata
To alter the metadata in such a way to disguise the fact that it has been altered sure as hell does require more than script kiddie skills.
mcb • October 14, 2011 4:53 PM
Contraband is a special case when it comes to search and seizure. If the sneak thieves had found bodies in the barn would we be arguing 4th amendment issues? Maybe. Anyway, small fish tell cops what the bigger fish are up to; that’s where informants – and affidavits for warrants – come from. Seems to me these burglars have short circuited any plans they might have had for a life of crime by becoming rather public police informants in this case. So, the alleged child p0rn possessor enters the system for adjudication and the small time burglars will never be trusted again by real criminals at any level. I’d say it’s a win-win.
As for those who complain about the publicity in this case, would you prefer secret evidence, nameless accusers, midnight disappearances, and star chambers? [I know, it sounds a lot like the GWOT] The news story reads like the usual extract from records of court proceedings which are public. This is a good because it’s our system and we have wisely decided transparency throughout the legal process is good.
Godel • October 14, 2011 4:54 PM
@Joel Gordon
“However, unless his lawyer is dull, it’ll require more evidence to convict him. ”
Um, no. He’s already confessed, but the homeowner would also have a hard time explaining his prints all over the disks.
There’s also the major question of motive. Why would a couple of teenagers put themselves at risk of a felony charge to set up some random stranger. Remember, THEY approached the police.
Also, where did they get the kiddie porn? And it would take a long time and much effort to fabricate 30 CDs full of pictures and movies.
Matt • October 14, 2011 6:42 PM
I’m by no means a CP collector, but if you ever find yourself arrested for CP after a burglar claims to find it on something they stole from you, keep your mouth shut and demand a lawyer.
Allowing evidence collected by burglars is a very scary precedent. Cops can simply start committing burglaries themselves (or hiring thugs to do it), and they’d no longer have to deal with those pesky warrants. Plus, the evidence chain of custody isn’t exactly what I’d call reliable here.
Matt • October 14, 2011 6:46 PM
Observation #2: If you have anything you don’t want anyone to get their hands on, wrap it up with AES256. In the USA, the Fifth Amendment says you don’t have to divulge the key, and TrueCrypt offers “duress keys” if you’re afraid a cop will force you to decrypt at gunpoint. Suddenly, the Evil Plans turn into pictures of cats.
Thomas Bridge • October 14, 2011 7:13 PM
I’m 99% certain the UK story is in John Major’s memoirs and refers to the loss of a laptop containing (some of) the plans for invasion of Iraq in January 1991. I don’t have my copy of the memoirs handy though!
Nick P • October 14, 2011 8:32 PM
@ Phil and dob
“As if it weren’t a trivial matter to reset the system clock, or forge the metadata with the desired timestamps.”
Proven in practice when I did it over ten years ago. That was back when I was in a small hacker gang. We often did wargames against each other’s systems. I used the metadata-mod’s technique to hide some files, among other things. The guy got me back by making porn pop up during a very bad moment on the business PC I was using and planting tons of porn with forged dates. It was obvious that metadata change was his technique: I left at 3pm, the machines were turned off around 5pm, and the images timing was every 15-30min all the way into 1am. Even showing them this, the morons still thought I was surfing porn on their computers. It was probably one of the most effective attacks anyone’s ever got on me. (Of course, I couldn’t secure it because they owned it & forbid me from modifying it.)
And, yes, it proves that the timestamps CANNOT be trusted. This even applies to an encrypted filesystem. Even with Tripwire-like functionality, a kernel- or DMA-style compromise can lead to forged timestamps.
Nick P • October 14, 2011 9:14 PM
@ Phil on timestamp spoofing & skill required
“To alter the metadata in such a way to disguise the fact that it has been altered sure as hell does require more than script kiddie skills. ”
When I did it, I was just starting as a Windows programmer. I had spent a few hours here & there learning Visual Basic 6. I looked up changing timestamps in search (i worded it differently). I found that there was a Win32 API function for changing the system’s time. Concept: get current time, store it, change the time, plant the files, change it back, delete traces. So, let’s look at the difficulty of the simplest approach: an amateur VB6 programmer cuts and pastes some code from the MSDN help files that came with VB6. Wow. That sounds hard. 😉
Further Proof (modern assessment)
I just typed the following into google: “how to change metadata timestamp windows”. This was the first link:
Attribute Magic
http://www.attributemagic.com/attributemagic-pro.html
“Utility can change file date/time stamps created, modified, accessed. You can set new date-time, relatively change date or time, copy one date-time stamp to another (created date=modified date), change the date but not touch the time, shift date from AM to PM and vice-versa, sequentially change date-time with user specified time step. With our utility you can set file date in a sequence in order to present files in the right order. Utility is for Windows only.”
Further down the results list it gets better.
“Whether you are going to play some nefarious prank on your friend/sibling or need a way to facilitate the organization of important files, being able to modify file metadata (e.g., created, last modified) is a useful capability to have. While Windows only enables you to remove file property information by default, there are third-party solutions that can offer increased flexibility.One such solution is the open source application SKTimeStamp. After installation, you can change the file created, modified and accessed date and timestamps via the File Properties window. Even better, you can modify these values for multiple files simultaneously.”
Q.E.D.
Best used in combination with something like Easy Cleaner. Install timestamp spoofer & EasyCleaner. Use spoofer. Uninstall. Use EasyCleaner. Uninstall it. Cops wouldn’t find anything suspicious about new dates if they weren’t looking for traces of these apps. Or if they read & believed your post. The counter evidence required literally one 30sec google search. That’s usually a good way to know someone is talking out of their ass. You should do a bit of research on a security-related topic before posting a personal guess, disguised as informed opinion, on a high-profile security blog that attracts people who know their stuff. Just a thought….
PiP • October 14, 2011 10:25 PM
Same exact thing happened in my neighborhood just a couple months ago, on the east coast. Evil neighbor robbed a neighbor. Evil neighbor then got robbed himself, then robber turned him in for child pornography. I call this the chain of comeuppance!
Nee • October 14, 2011 11:24 PM
For a blog that rants about security theater and hysteria, I am a little shocked to see the OP cheering at an arrest that is part of a moral panic,…. one that has not been shown to lead to an actual problem nor has the scale of the actual harm been shown to be anywhere NEAR as bad as the fear around it is….
Petrachus • October 15, 2011 12:19 AM
I’m very surprised by reactions to this. Did anyone actually read the story? So the thief put the files on the CDs he stole. Then he turned them in to frame the guy he stole from? Does this make any kind of sense? So then how did the thief get more files on the guy’s computers that he didn’t steal or have access to?
So child pornography is some kind of moral panic? We need to defend the child pornographers that exploit the helpless? This society is doomed when supposedly smart and moral people defend truly evil people. I’m sure a lot of people that are defending this sicko would sing a different tune if their kid was the target of his sick fantasies. Even thieves realize that children should not be the targets of sexual fantasy.
Martin Budden • October 15, 2011 12:38 AM
What I find interesting about this story is that it touches on codes of ethics among criminals. In this case the burglars are willing to risk prosecution in order to maintain their code.
Criminal organizations also have their codes of ethics (although those codes are different from society’s codes), and these codes are violently enforced. Criminal organization need these codes to operate effectively. @Bruce I wonder, is this something that you look at in your book?
Clive Robinson • October 15, 2011 9:42 AM
For those talking about meta-data in file systems it goes a lot lot further than just the time stamps.
You have to look at the files themselves how they are broken up (or not) and the position of each individual fragment of the file on the disk.
You also need to look as a minimum at the directory records and the order of the entries in there with respect to the timestamps and physical placment on the disk of the files and their fragments.
Then with modern file systems you need to look at the journaling caches etc, especialy if the file system also contains “snap-shots” as many NAS and other external drive systems have.
Then of course there is looking at the “tails” of files where the OS writes out the entire disk buffer, but the buffer may have been only partialy over-writen.
I could go on at length about the analysis of file systems, but I’m getting very out of date on it these days, partly because I did some research work back in the 80’s and 90’s on some *nix file systems and later MS, but mainly it would be a full time activity to keep up with the myriad of filesystems. For those who want to know a bit more have a google for Brian Carrier’s work, however his book on File Systems Forensics is getting a bit dated.
However one observation with regards the more extream forms of “questionable content”, the amount of it that the “press” and “other interested parties” say there is out there I’m realy surprised the courts are not compleatly full of cases just dealing with it. Or to put it more simply there appears to be an awful lot of noise but no real signal when it comes to some “questionable content” even with US law making it a crime to breach “terms of service agreaments” as opposed to actual criminal law.
Secondly for those that think people have not been set up by the police with regards to the extream forms of questionable content (ie CP) go and have a carefull look at the UK operation Ore. It was disgracefull as to how the UK police behaved it included the lead investigator and operation leader deliberatly misleading under oath not just Parliament but the Courts as well in order to obtain convictions (if you or I did the same it would be called perjury and we would be looking at serious jail time).
However dispite this disgraceful behavior by the lead investigator he has gone from strength to strength in various organisations selling his self interested version of what is actually happening with regards extream questionable content.
However independent research on his and his teams activities indicates they have actually caused considerably more harm and wasted considerable resources, and set “child protection” back several years if not a decade or so. The only benifit if it could be called that, from the whole disgraceful episode appears to be for him and some other team members going on to more prominent positions.
Thirdly the simple fact is, in general the very broad spectrum of what forms “questionable content”, is with a few notable extream exceptions more a question of the current “social norms” in a jurisdiction, and based on how far self interested parties can whip up hysteria for their own benifit (think the original “witch hunts” and the likes of “Anti-American behaviour” that gave rise to the “reds under the beds” hysteria).
The current classic example to see this has been and still is “Politicaly correct language” where simple discriptivly correct phrases and expressions can nolonger be used without fear of career terminating censure. Simply because one set of people say that other parties will find it offensive. Hence we no longer use the descriptivly correct term “black board”, however it is ok to use “white board”, because in PC terms “Black” is considered to be offencive in all contexts whilst “white” is not at all offensive (go figure)…
Thus when discussing things such as what the burglars did it is important to actually put the issue of the extream nature of the questionable content to one side. Otherwise you get into the situation of having double standards where “it’s ok to abuse due process” because you think somebody deserves it. This is the classic dishonesty prospering because honest people look the other way. And one way dictators and the police states that support them come about to everybodies cost. History has shown this over and over again since atleast as long as written records have been recorded.
Zith • October 15, 2011 10:03 AM
@Petrachus
I assure you nobody’s trying to defend child pornographers. We’re just talking about the security issues this story presents. It’s very much a problem if this level of incrimination is as simple as planting the data during a break-in, and I’m sure you can understand that. How is someone to clear their name to you if a burglar really did put it on their computer that way? How would you clear your own name if it happened to you? It’s very hard to get anyone to listen to you once they have word you were caught with that material. And that’s why it’s important to figure out whether that can be detected, and other matters surrounding the issue.
On the other matter, there are heavy repercussions in making mere possession of certain data (as opposed to production or distribution or other things) a major crime, so it’s really not so easy a decision to make, but I’ll agree that if it is right to outlaw simple possession of a kind of data, child pornography is the right kind of data to attack.
Liberty • October 15, 2011 1:28 PM
I just can’t see why the possession of child pornography is a more serious crime than burglary.
“Even thieves realize that children should not be the targets of sexual fantasy.”
So you would criminalize thoughts?
a nonny bunny • October 15, 2011 4:13 PM
@Liberty
I agree that thoughts should not be criminalized; however, child pornography is not a fantasy, it is a grim reality, and its existence shouldn’t be condoned.
And seeing as consumption helps drive production in “markets”, there is some merit to targeting possession as well as production and distribution. (Though one should distinguish unwitting possession from intentional collecting.)
If they want to fantasize, let them stick to fiction, not products of abuse.
Stephen Nicholson • October 15, 2011 5:33 PM
Interesting stuff.
First, the CDs. The CD with CP on them aren’t subject to the exclusionary rule because the burglars weren’t government agents. IIRC, CA’s exclusionary rule follows the federal rule. This doesn’t lead to cops hiring burglars because then the hired burglars are government agents. Of course the cop could lie about hiring them, but then the cop could lie about other things that’ll get the evidence illegally in just as effectively.
The problem with the CDs is that, by themselves, it’s not much. The burglars could have made the CDs themselves. The police did the right thing in getting a search warrant for the other computers, but the burglars took a risk. If there was no CP on the other computers, that would suggest that the burglars were framing the guy and now they’ve just confessed to burglary (and the other crimes that might go with those facts, including possession of child pornography). Fortunately for them, the guy admitted to possessing the porn on the CDs. So unless the confession was somehow in violation of the 5th amendment, the guy is going to prison for possession of child pornography.
But wait, what about the other computers? If they have CP on them, this bolsters the burglars story that they found the CP on the CDs and it wasn’t theirs. But how do we know that they didn’t put it not the computer? Dollars to doughnuts the guys attorney has already thought of that and it’s going to be issue at the trial (if there is one, remember the guy confessed to possession of CP on the CDs).
Timestamps and other metadata will help, but the defense will claim (like many here are) that those things can be forged. What will really be an issue is access. Specifically, did the burglars have access to the other computers or hardware were CP was found? If yes, that could create reasonable doubt and the DA fails to meet their burden. The burglars already admitted to breaking and entering the barn.
Of course, like so many cases, the guy shot himself in the allowing himself to talk to the police. Its possible that the confession was coerced, but still admissible (our society places a value on the idea that no one would ever admit to a crime they didn’t commit).
Nee • October 15, 2011 11:27 PM
@nonny bunny
Well, for starters, we are talking about possession, not production. The reason this is important.. how many other media contents are illegal to own if they are images of something illegal? The only other example is video taping a police beating.. outside that, media of a crime is not illegal, only the crime.
Secondly, this is the US. The fantasy is also illegal. Drawings of kiddy porn are prosecutable. I call that a moral panic.
Third.. the idea of demand driving production has never actually been shown, esp when taking into account the illegality of virtual material.
Fourth, there HAS been a demonstrated relationship between access to CP and NOT abusing actual children, so the moral crusade against the media is actually resulting in more actual victims. Which is the classic hallmark of security theather… not doing any good and often doing harm against the actual goal…
Liberty • October 15, 2011 11:34 PM
@nonny bunny
Except that these markets don’t exist. Child pornography is almost always shared, not sold.
Child abuse is not driven by financial motivations.
The films themselves are just data. Data are not moral or immoral, only actions may be.
There is no proof that watching child pornography makes people abuse children; it may actually prevent pedophiles from acting out their fantasies.
Just as watching horror movies does not make people go around murdering and cutting people into pieces.
Zaphod • October 16, 2011 1:22 PM
@Clive.
Good points – as always.
Question (to all) – would the skills/knowledge required for the detailed forensic examinations, as detailed by Clive, be beyond the wit (or brief) of a typical Prosecutor?
Z.
Will Sargent • October 16, 2011 2:20 PM
In the case of the UK theft, the computer was returned by the thief with a note “Dear Sir, I am a common thief and I love my Queen and country. Whoever lost this should be bloody hung. Yours, Edward.”
Paeniteo • October 17, 2011 2:11 AM
@Petrachus, Zith: “I assure you nobody’s trying to defend child pornographers.”
Not in that sense of the word, but we should agree that alledged child pornographers (or, to be more precise, alledged child pornography owners) have a right to a fair trial.
I don’t see that violated here, though.
The other question is, whether it is possible to incriminate somebody with posession of, as Clive puts it, ‘questionable content’ in a way that the typical prosecutor / defense attorney will not challenge the ‘evidence’ on purely technical terms. I would unanimously say yes.
However, courts base their decisions to a far lesser degree on technical evidence than we may think (I’m not sure whether I should dislike that, though).
In the case here, the courts would likely look at the burglar and quickly conclude that he is not able to perform the technical steps Clive has described and would have even less of a motive to do so – there would not be too much of a forensic examination.
Cédric • October 17, 2011 3:54 AM
All this proves is that ‘even evil has standards’. Robbery is wrong, but child abuse is way more destructive.
In any case, the police being tipped off about bigger crimes by criminals is nothing new. Since time cannot be extended, better spend it on the most dangerous threats – this is the basis of risk management after all. It does not mean that lesser crimes should go unpunished, just that you need priorities.
@Liberty: I’m concerned by what you are saying. The fact that the guy has just obtained ‘data’ does not clear-up the fact that kids, somewhere, were abused. Be it only for working up the chain of where these pictures / videos came from in the first place, it was really worth going to the police. As for the guy, do you have evidence that watching such material will prevent him from acting? If yes, then maybe works of fiction (japanese animation maybe?) could as easily replace real pictures, minus the real damage done to kids.
moo • October 17, 2011 2:26 PM
@ Clive:
Good points, however.. If someone wants to plant files on a Windows machine and modify the file timestamps, they can erase most of that other trace evidence by simply running a full disk defrag tool afterwards to eliminate “inconsistencies” in e.g. the placement or fragmentation of files. As long as you use one with a policy that’s not substantially similar to the default one, it should move a lot of things around, enough to confuse any patterns in the physical placement that would show the files had fake timestamps. E.g. jkdefrag -a 7.
Eric • October 17, 2011 3:18 PM
You know if you changed some of the paticulars in this story it would make a really good bank robber type movie. When I first read this I immediatly thought of snatch/lock stock and 2 smoking… for some reason.
As to guessing passwords in two tries in movies it was only funny/cool in patriot games, everything else its just insulting.
Jason • October 17, 2011 3:20 PM
There is honor among thieves where child abuse comes in. It’s such a well known cliche that I’m surprised when anyone doubts it.
Many many people in the prison system have sad tales of some sort of abuse in their childhood. Some of these people are all too eager to dispense vigilante justice on any known abuser in striking range. It is a form of catharsis and a powerful one.
I seriously doubt that any criminal known to have informed on someone for this class of crime will find their professional network diminished in any appreciable fashion.
dfgdfgfd • October 18, 2011 12:20 AM
Cédric and Jason… don’t conflate CP and child abuse. Possession of the former requires none of the latter.
LinkTheValiant • October 18, 2011 9:33 AM
don’t conflate CP and child abuse. Possession of the former requires none of the latter.
Um. . . for what value of abuse? Actual photographic/video depictions of children performing such things (as opposed to drawings) necessarily involve abuse. Unless you’d wish to argue that making children participate in such things is not abusive, possession of something that had to be created through abuse necessarily involves abuse.
But that’s off-topic. Someone made the point about the police “using” burglars. What is to keep an unscrupulous police official from using “burglars” as a threat for extortion etc? It doesn’t really matter whether anything can be tied to said official, since whoever the target is will already be destroyed, if not by the courts then certainly by the press.
There’s really nothing to keep it from happening in our present world, and unless the law’s electronic forensics departments make a massive jump in ability, there never will be.
Clive Robinson • October 18, 2011 9:39 AM
@ moo,
First off my apologies for not getting back to you sooner I’ve been having one or three medical problems just recently much to my anoyance.
With regards,
“If someone wants to plant files on a Windows machine and modify the file timestamps, they can erase most of that other trace evidence by simply running a full disk defrag tool afterwards to eliminate “inconsistencies”…”
That used to be true with earlier verisons of MS Win running on top of DOS (up to Win ME) and early versions of NT that would still boot off of a sub FAT32 file system or where the data was stored on a sub FAT32 filesystem.
It is not true of WinXP onwards for various reasons.
Firstly various versions of defrag have a couple of issues,
1, Most “defrags” have very very predictable behaviour.
2, Most “defrags” don’t overwrite what later becomes slack space on the free list etc.
This behaviour is compounded by the fact that most PC’s these days have +0.5TByte hard drives that are many orders of magnitude greater than either the OS default files, and the majority of user data.
As a general rule when defrag software is written it has a default mode that is optimised for a particular asspect, often file read access speed. This in turn effects the algorithm that copies the data. There are a number of stratagies for moving files from the likes of “Fill First”, “Best Fit” through more esoteric “Fill by geometry”. However most work to preserve file contiguousness, that is filling geometricaly adjoining cylinders first and orphand sectors later, if and only if the free list size gets below a certain threshold.
But the use of defrag tools is very much depreciated these days because by far the majority make assumptions about disk properties that are nolonger true.
This brings us to the next issue NT has had a number of journaling files systems, and MS have shown a consistant history of tweeking them not just from OS version to version but in Service Packs. Not all tweeks appear to have been just for file system performance, some have been to allow for “new features” but others have been said by others as an attempt to maintain a proprietory controll of the file system to prevent access by non-MS OS’s such as Linux.
However what can be said is that the journaling nature has changed for technical reasons one of which is the nature of the underlying physical properties of the storage media.
One such highly relevant change is solid state storage and the “associated wear leveling”. Effectivly this has caused extra layers of abstraction to be put into the storage stack, and also effectivly compleatly decoupled the actuall data storage within the storage media from that above the OS where the apps such as many defragers run.
One effect that has been seen is that defraging does not realy defrag a nearly empty drive, it simply re-writes the file data in “virgin sectors” further down the low level “free list” and directory entries get manipulated…
However it’s not just this that causes issues of “non deleation”, most users don’t actually delete files, at most they drop the occasional file into the “waste basket” where they stay. And again even if they empty the waste basket often the files just get hidden from view untill some point where on of the free lists gets to a limit and triggers “re-use”. One area this has been very visable is with file system “snap shots” not just on network attached storage but on file servers etc.
To successfully fake a new file system image these days is getting extreamly difficult due to the increased abstraction and alowance for file recovery and the peculiarities of increasingly diverse hardware on which filesystems are built.
But with windows it gets even harder, you also have issues with the registry and applications. Basicaly lots of meta-data about files gets stored away in either the registry or files local to the application or users “home directory” or the current “working directory” and temp files in cache of one form or another.
Some of these files have significant issues with being modified in any way shape or form, including where they are stored on the filesystem. The reason for this is DRM systems, that try to prevent more than one copy of software being run (I won’t even attempt to describe what goes on with some DRM, where even a legitimate restor from backup will fail)
Now the question arises at what point do you stop looking for “meta-data” to show the file system has been tampered with, and at what point will a court nolonger accept it as evidence that a third party (be it human or malware) has added data of “questionable content” to a users PC.
It is abundantly clear for those that care to look that many trials are not actually about justice but the pretence of “Justice being been seen to have been carried out”. That is guilt is decided by two things, emotian and a pile of mostly meaningless paper that has some pretence of turning opinion into evidence. And as is further abundantly clear the more money you have the better the quality of opinion you can purchase, and representative to present it in the correct emotional way to sway either the tribunal of truth or tribunal of justice.
However a final thought for you…
Hans Resier, wrote the Riser File system that was for some time very popular on Linux, however some years ago his wife disappeard, and he was subsiquently tried for Murder in the First degree and found guilty (later downgraded).
Ask yourself what fun and games there would have been in court if his supposed crime had been not for murder but for posession of data of a questionable nature?
We have in atleast one other case seen a judge recognise a defendant as an “expert witness” something that in theory should not be possible in a court as by deffinition and “expert witness” represents the court not either the prosecution or defendent and has a “duty of impartiality” to the court…
Now think of the fun and games that might occure if as is increasingly more likley a member of the jury has more technical knowledge in this domain than the supposed “expert witnesses” called by the prosecution or defence?
It is well known we have LEO’s testifying to the correctness of their assumptions because they have done a three or four day training course in some software suppliers “forensic data storage examination” suite and are just saying what in their opinion they think the suite output is telling them and cannot in any way back it up…
cvgbdf • October 19, 2011 12:00 AM
LinkTheValiant, you’ve misunderstood me. Obviously the production of CP requires child abuse – but this case involves none as such; the criminal offence that is CP possession doesn’t require the offender to abuse kids. Imprisoning this fap-happy dude doesn’t prevent child abuse… so Cedric and Jason were using the wrong term.
Nick P • October 25, 2011 12:49 AM
@ cvgbdf
“the criminal offence that is CP possession doesn’t require the offender to abuse kids. ”
That’s debatable. In the drug debate, celebrated undercover Michael Levine stated that all the time he spent targeting suppliers was wasted because more suppliers replaced them due to continuing demand. He said you have to hit the demand side of the equation, the buyers, because suppliers would always appear if there was a demand. This is why so many people are in jail for buying drugs.
Many law enforcement groups believe in the same thing for cp: the reason it’s a productive industry is because there are people trying to get it. Make people too afraid to get their hands on it & much of the motive for more public abuse goes away. That’s what they think, anyway. The sad fact is that, even if they’re right, child abuse will continue en masse, demand will continue, & people who aren’t involved will still be convicted due to poorly worded laws or questionable forensics.
Russell Coker • November 4, 2011 7:34 PM
In regard to the issue of whether the burglars planted CP:
The cited article reports that the burglars stole from the man’s barn and that the police later found further evidence of CP in his home. There was no claim that his home was burgled. As he had filed a police report about the barn burglary it seems clear evidence that his house was not burgled (a home burglary would be more visible) and therefore there is no reason to think that the burglars planted the CP.
In regard to the issue of producing CP requiring abuse. Under Australian law hand drawn pictures have been found to be CP. Recently in the US there was a case of a man convicted for digitally editing pictures to put children’s faces on adult’s bodies. Neither of these involves actually abusing children (although the latter would be if the children in question discovered the pictures).
Finally under Australian law the age of consent is 16 (in most states last time I checked) but the minimum age for porn is 18. There have been cases of consenting 16yo and 17yo couples photographing things that they willingly did together who were then arrested for CP. In those cases it seems that the only way one could claim that children were abused is if one claimed that the legal system abused them.
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
Bruce Ediger • October 14, 2011 12:45 PM
What’s to keep a theif from robbing your house, and then loading child pr0n on your computer? If the theif phones in a tip, the police righteously bust the victim, and at the very least, don’t follow up as vigorously as possible on the robbery. In fact, the robbery might just fall through the cracks, as a baby-raper doesn’t deserve any help from the police.