Friday, March 20, 2009

The Sad Lack of Knowledge About Computer Forensics In Our Legal System

I saw this post the other day over at Susan Brenner's Cyb3rCrim3 blog: "More Absurdity".

Susan did a good job discussing the weirdness of the court's handling of the Adam Walsh Act issue, in regard to the prosecutor not allowing the police to provide a copy of the digital evidence to the defense under a state protective order.

Here is a link to the opinion in PDF format: STATE OF TENNESSEE v. RE´LICKA DAJUAN ALLEN.

I personally agree with the Adam Walsh Act that prohibits law enforcement from making copies of child pornography evidence that can be taken outside of the court's control.

But that is not what this post is about. I am going to highlight the testimony from the defense expert in this case. I am trying to decide if he was intentionally being misleading, or just didn't know any better. Either possibility is chilling.

Here is what the prosecution was willing to do:

"In [Defendant’s] case, a hearing on his motion to compel was held at which the State presented one witness, Carlton Bryant, an attorney employed at the Knox County Sheriff’s Department. Bryant testified that his understanding of the law was that the sheriff’s department could not allow counsel to take a copy of the computer hard drive from the department because the sexual exploitation statute did not contain any exemption for defense counsel to be given child pornography. He said they would, however, accommodate counsel and counsel’s computer experts by mirror-imaging the hard drive and allowing them to examine the copy while it remained in the “custody and control” of the department. He testified that they contemplated setting aside a conference room for that purpose and would arrange a schedule that was convenient for counsel and his experts."

That seems perfectly reasonable to me. That is the way that I work with law enforcement on these cases.

Here is what the defense's computer expert had to say about that:

"Herbert Mack, [Defendant’s] expert computer witness, described in detail the various programs and viruses by which material can be both deliberately and inadvertently downloaded into a computer and estimated that it would take him approximately one week of intensive twelve- to fourteen-hour days to complete an examination of [Defendant’s] computer hard drive. He testified he would probably require the assistance of support personnel from his office and, in addition, would need to consult regularly with counsel with respect to whether any sexually explicit files he found on the computer qualified as child pornography."

First of all, the defendant was charged with 3 counts, not hundreds.

And he apparently never heard of making notes.

"He said that, given the large number of images allegedly contained on the computer, he would not be able to remember the specifics of the information without taking the computer hard drive from the sheriff’s department."


He goes on to testify:

"Mack expressed concern about working from a “mirror image” rather than the hard drive itself, testifying that the computer programs in existence did not create true mirror images:
A. Well, the question-what I heard before was providing me with a mirror image. Okay. If we’re talking about me working on the original computer, no, I don’t need another computer as long as I can, you know, load my tools and take my tools off. If what you’re going to give me is a mirror image, my concern there is that I’m not getting all of the data that’s there.
Q. And why is that? If it’s a mirror image wouldn’t you just get everything that’s in the mirror?
A. No, sir.
Q. Why not?
A. A mirror image is a misnomer, okay. The computer programs that you have right now, okay, are for the purpose of recovering good data. Okay. So if a file has been ordered damaged or erased it’s not going to be on the image."

What? The ability to create bit-stream forensic mirror images of hard drives has been around for years, and it is the only method that should be used to examine digital evidence. You NEVER work on the original evidence.

Here's more:

"Mack conceded that his examination of the actual hard drive would entail reconnecting the original personal computer equipment, turning the computer on, and loading his software file-searching tools, and he agreed that in the process of booting up the Windows operating system the contents of the hard drive would be changed."


No knowledgeable expert would ever make a statement like the one above. You never, ever load tools onto an original hard drive to examine it.


  1. You never boot a computer containing evidence into the native operating system.
  2. You always protect the original evidence by using a hardware or software write-blocking method to guarantee that you don't modify evidence.
  3. You always make a forensic mirror image of the drive to examine. A forensic mirror image is an exact duplicate of the physical hard drive, containing a bit-by-bit copy. That includes the entire physical area of the hard drive, not just the data areas.
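To make the three rules above concrete, here is a small Python model I am adding as an illustration; it is not code from the original post and it is not any real forensic tool. It models a write-blocked evidence device, contrasts a file-level copy (which only follows the directory) with a sector-by-sector image (which captures every byte, including the unallocated area where a "deleted" file's bytes still sit), verifies the image by SHA-256, and shows why booting the evidence drive changes it. The device layout, the directory entries and the file contents are all constructed for the example.

```python
"""Constructed model of write blocking, bit-stream imaging and hash verification."""
import hashlib
import io

SECTOR = 512


class WriteBlockedDevice:
    """Read-only view of the original evidence (a software write-blocker model)."""

    def __init__(self, raw: bytes):
        self._raw = raw

    def size(self) -> int:
        return len(self._raw)

    def read(self, offset: int, length: int) -> bytes:
        return self._raw[offset:offset + length]

    def write(self, offset: int, data: bytes) -> None:
        # Any attempt to modify the original is refused outright.
        raise PermissionError("write blocked: original evidence is read-only")


def build_sample_device():
    """Constructed 8-sector 'drive'. Sector 0 is a boot/metadata area; a tiny
    directory maps name -> (start sector, length, allocated). deleted.jpg was
    'deleted': its directory entry is unallocated but its bytes remain on disk."""
    payloads = {
        "report.txt": (1, True, b"quarterly figures ok"),
        "photo1.jpg": (2, True, b"JFIF-constructed-1"),
        "deleted.jpg": (5, False, b"JFIF-constructed-DELETED"),
    }
    raw = bytearray(8 * SECTOR)
    raw[0:16] = b"BOOT-AREA-v1\x00\x00\x00\x00"
    directory = {}
    for name, (sector, allocated, data) in payloads.items():
        raw[sector * SECTOR:sector * SECTOR + len(data)] = data
        directory[name] = (sector, len(data), allocated)
    return bytes(raw), directory


def file_level_copy(dev: WriteBlockedDevice, directory: dict) -> dict:
    """What an xcopy-style 'copy the files' produces: allocated files only."""
    return {name: dev.read(sector * SECTOR, length)
            for name, (sector, length, allocated) in directory.items() if allocated}


def bitstream_image(dev: WriteBlockedDevice) -> bytes:
    """Sector-by-sector acquisition of the entire physical device."""
    out = io.BytesIO()
    for offset in range(0, dev.size(), SECTOR):
        out.write(dev.read(offset, SECTOR))
    return out.getvalue()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_image(dev: WriteBlockedDevice, image: bytes) -> bool:
    """Acquisition hash of the device must equal the verification hash of the image."""
    return len(image) == dev.size() and sha256(bitstream_image(dev)) == sha256(image)


def carve(image: bytes, signature: bytes) -> list:
    """Find every run starting with a signature anywhere on the image, allocated
    or not, reading up to the next NUL byte (toy stand-in for signature carving)."""
    hits, pos = [], image.find(signature)
    while pos != -1:
        end = image.find(b"\x00", pos)
        hits.append(image[pos:end if end != -1 else len(image)])
        pos = image.find(signature, pos + 1)
    return hits


def native_boot(raw: bytes) -> bytes:
    """Model of booting the evidence drive: the OS writes to it (journal replay,
    log entries) before any examiner tool runs, so the drive's hash changes."""
    changed = bytearray(raw)
    changed[16:30] = b"LASTBOOT:today"
    return bytes(changed)


if __name__ == "__main__":
    raw, directory = build_sample_device()
    dev = WriteBlockedDevice(raw)
    image = bitstream_image(dev)
    print("image verified:", verify_image(dev, image))
    print("file-level copy sees:", sorted(file_level_copy(dev, directory)))
    print("carved from image:", carve(image, b"JFIF-constructed"))
    print("booting changes the original:", sha256(native_boot(raw)) != sha256(raw))
```

Run stand-alone, it reports that the image verifies, that the file-level copy contains only the two allocated files, that signature carving over the bit-stream image also turns up the deleted picture, and that a native boot would change the drive's hash. The directory-driven copy is the "copy of the good data" the witness described; the sector loop is the bit-stream image, and the hash pair is what an examiner records at acquisition and checks at verification.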


"However, according to his testimony, booting the computer would not alter either the file creation date or last accessed date of the images in question."


While merely booting the computer might not alter these dates and times on these particular files, opening them would. This shows a basic lack of understanding of how Windows handles file system dates and times. You cannot "examine" a file without touching it in some way, and that touching will alter its MAC dates and times (MAC = Modified, Accessed, Created).

"Mack testified he was familiar with “EnCase,” a forensic examination software utility available exclusively to law enforcement, but he was not aware that it had been approved by several federal district and appellate courts as a “non-invasive forensic examination tool.”

EnCase is not law enforcement only. I own and use two copies of EnCase in my practice.

EnCase has been used extensively worldwide in court cases; a quick look at the Guidance Software web site would verify this to be true.

"In addition to the testimony above, Mack further testified that the risk of transmitting inaccurate information was high if defense counsel was dependent upon Mack to tell defense counsel what he had seen on a computer disk image."

That is exactly why the defense hires experts. To tell them what the expert found.

"Mack stated that there was an increased risk of disclosing non-discoverable information because the State’s expert would be able to determine what tools had been run on Defendant’s computer hard drive and what information had been recovered before Defendant was obligated to disclose its expert report. Mack also stated that Defendant would have no choice but to involuntarily disclose information that was not subject to discovery and that Defendant did not intend to use at trial."

This is not an issue at all if you are using proper forensic tools, such as EnCase, to perform your examination. You do not have to leave a copy of your case file with law enforcement, so they cannot tell what you did or what you found. It is also common practice to put security tape over the connections on the drive to ensure that it is not tampered with or reviewed in the defense expert's absence.

Also, any information you need to keep or other data, as long as it is not contraband, you are free to store on your examination computer and take it off site for further analysis and review for your report.

In the end, the Judge suppressed the evidence and dismissed the case against the defendant because the prosecutor refused to allow the expert to examine the evidence off site.

In my opinion, this shows the sad state of education in handling digital evidence in the courts, since no one showed the knowledge needed to ascertain whether or not the defense expert's comments were correct within the standards of the industry.

It also shows the difficulty of dealing with the dual jurisdiction created by the Adam Walsh Act, which makes it a federal offense to possess contraband material, where in the past the states had the power to issue protective orders.

I am not an attorney, but I do know how to handle these types of cases as far as my part of the case is concerned. I have standard language I give to attorneys to put into their motions to allow proper access to the material to be examined that both complies with the Adam Walsh Act and protects the defense from disclosure issues.

4 comments:

Lee said...

Where on earth did these people come from? This shows a complete lack of expertise; how can this guy be considered an expert in the field of digital forensics? Taking a bitstream image is one of the most fundamental areas of knowledge.

telfusiondoug said...

Something's wrong here. In paragraph 4 of the opinion, Mack is indeed asking for a "copy" of the hard drive to examine. The state responds that he's not getting one, but they'll make the original drive "available for inspection." Mack responds, correctly, that this won't permit an adequate examination. This sounds like they were offering to let Mack come in and browse folders and even load his tools on the defendant's machine but no more.

When they're discussing "mirror image", notice that Mack never calls it a mirror image of the DRIVE. He correctly describes the problem of using file copies. He also refers to "the computer programs that YOU (the sheriff's office?) have right now...". I think the sheriff offered to make a big xcopy for him, calling it a "mirror image". Everything he says makes a lot more sense in that context.

hogfly said...

This goes exactly to the post I had about quotes from so called "experts". It's a shame that the court system is so uneducated about something they're using to convict people on.

Arabic said...

I recently came across your blog and have been reading along. I thought I would leave my first comment. I don't know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often.


Joannah

http://linuxmemory.net


I have unmoderated my comments. I reserve the right to remove any comment that is spam or that I consider offensive. Keep them on topic please.