Computer Discovery Issues

Child pornography cases are unique in that law enforcement builds their case upon the information gained from the contents of the computers seized from a suspect. Just a warning here, this info gets a tad more technical than other parts of this website, so read on at your own risk.

In general terms, law enforcement uses computer software to extract digital images/video from the hard drive of the defendant’s computer. This is not a process which the average person is qualified to perform. Even deleted images can be rescued through expert technology (that’s why they say that, when you delete something, you’re not really deleting it). This recovery software can, sometimes, tell us when (or if) the images were ever viewed. Defense Counsel must request these reports, and be able to conduct appropriate testing to confirm or dispute the findings of the State’s experts. The bottom line is, defending a child porn case will require hiring a computer expert to dispute the findings of law enforcement’s expert.

Remember, law enforcement is using computer “software” to extract images and information from a seized computer. How accurate is this software? Our expert may use different software, which may come to different conclusions. Obviously, law enforcement’s findings are only as dependable as their detection devices and computer software. These findings will result in expert opinions concerning the volitional actions of the defendant in acquiring the child pornography as these actions pertain to his possession of the material. Thus, these findings as to the internal contents of the targeted computers are dependent on still more computer technology. Still with me? While this technology may be familiar to those few who have spent the time to gain such expertise, it is for the most part unintelligible to the lay person.

An interesting dissent is found in Com. v. Klinghoffer, 564 A.2d 1240 (Pa. 1989) which expresses these issues. During a police investigation of a vehicular homicide, the defendant had told the detectives that he had been traveling at about “fifty five to sixty miles per hour”. The state’s expert witness in “vehicular dynamics” testified that in his expert opinion the defendant had been traveling at approximately seventy five miles per hour. This expert opinion was generated by a computer using a program known as “Applecrash.” The jury’s determination of the actual speed at the time of the accident was critical to guilt or innocence. Preliminarily, the judge questioned,

“When an expert opinion on a crucial issue in a trial is generated by a computer program, how much information about that program and the data that went into it should the trial court require of its proponent in order to prima facie establish the reliability of that computer opinion, i.e., what is an adequate evidentiary foundation to permit the introduction of such an expert computer opinion? Also, how much pretrial discovery of such information and data is the opponent entitled to, and when is he entitled to it, in order to ensure a fair and adequate basis on which to challenge the accuracy of the computer generated opinion?”

When defending a case of obscene materials, it may be important for the defense to have a meaningful opportunity to examine the computer program used by law enforcement to recover the images in question. Law enforcement should not be permitted to testify as to the results of their computer analysis without having the program available to opposing counsel. Remember all the ongoing problems created in DUI cases with the Intoxilizer 8000’s software, and that company’s failure to disclose the source code of their software? We’ve got a similar situation here.

In addition to potential software problems, there are important discovery issues surrounding law enforcement’s handling of a seized computer which allegedly contains child pornography. We’re talking about the ‘physical components’ here–hard drives, ipods, ipads, smart phones, laptops, CD Roms, thumb drives, etc etc. Typically, the contents of a hard drive may be the central issue in a possession of obscene materials case. Thus, its important that the defendant’s expert run an independent analysis of the hardware. This is typically accomplished at the police station, and the defense digital forensic expert will be supervised during the examination. I have used Richard Connor of ESI Consulting as my digital forensic expert on numerous occasions, and he is excellent.

For example, one court found a lower court to be in error when they failed to order the production of the actual hard drive in question, noting that “[m]ere inspection of the images or even of the EnCase report is not the same as an inspection of the drive itself (or an exact copy thereof),” Taylor v State, 93 S.W.3d 487 (Tex.App. 2002). Further, the court felt, “[i]t is certainly not the same as an independent forensic examination of the contents of the hard drive by an expert.” With this in mind, the court continued,

“A drug defendant has the right to have an independent chemist review the ‘contraband’ in the presence of a representative of the state to determine its chemical makeup. Citing, Mendoza v State, 583 S.W.2d 396 (Tex.App. 1979) It is no different in this instance to require the State to produce its evidence, i.e., the hard drive, for independent review, subject to the State’s right to have a representative present. Accordingly, at the very least, an exact copy of the duplicate of Taylor’s hard drive should have been produced for review by an expert of Taylor’s choosing, in the presence of a representative of the State.” Id.

Computer forensics can now dig up files that have been deleted for years. To make matters worse, it can be difficult to determine whether or not these files were even viewed or accessed. So, here’s the common scenario. Police typically use a program called the Child Protection System (CPS). CPS monitors child porn files that are exchanged on file sharing networks like eDonkey. Local law enforcement who are authorized to access CPS will then look for files downloaded in their area of the country. CPS will reveal the IP Address associated with the activity, and law enforcement will eventually obtain a warrant to search the home of the offending IP Address. Once the home search warrant is served, the detectives will use a program like “OS Triage” to scan all the home computers for child pornography. Assuming no illegal images are found on this first scan, the computers will then be seized and given a more thorough examination with programs like Forensic Tool Kit (FTK, and I’m not talking about the free versions you can find online, the versions used by law enforcement cost thousands of dollars).

So, if OS Triage doesn’t uncover any accessible child pornography, the government will then spend days analyzing the hard drives, with programs like FTK, that can recover deleted images and put them back together. Keep in mind, we common folk cannot access these files uncovered by the likes of FTK. We have no access whatsoever. But, if the government succeeds in finding files after days of searching, may find images in a Windows thumbnail database, or the System Volume Information file used for Windows Restore. Of course, if images are found in such tucked away places, the average computer user will have no way to access these images, absent a very expensive program like FTK. However, regardless of where deleted images may be found, it is common for the State Attorney’s office to file felony charges against the computer user–even though everybody knows the computer user has no access to these images. Of course, the problem with such “carved” images is that there is no way to tell whether or not the images were ever viewed, or even wanted, by the computer user. The State can, however, show that these images were wanted if they can uncover incriminating search terms, as certain search terms may indicate a desire on the part of the computer user to possess child porn images.

The bottom line is this: knowledge is an element of the crime. The government should not be permitted to reach into a citizen’s computer to retrieve images he did not intend to possess or even know were on his computer when seized. The State cannot construe the possession of child pornography laws so as to eliminate the knowledge element of the crime. When computer forensics do not reveal accessible images, there may be insufficient evidence to demonstrate a Defendant’s intent to download or possess the images carved out of his computer. Indeed, there will be little evidence that the user ever viewed or knowingly saved the images, much less retrieve and view them.