Cyber Agents has assisted in hundreds of military trials over the last 20 years. Sometimes it’s not necessary to take a case all the way to trial. We were contacted by a military attorney who requested our services to review a cell phone, computer, and a hard drive. The case involved contraband (CSAM) and the charges were possession. The case started when a service provider reported contraband to NCMEC (National center for Missing and Exploited Children). The images were found in the users cloud storage then reported to NCMEC.
We were provided reports of what the government found on the seized items. No images were found on the phone. Upon examination the primary hard drive which contained the OS (Operating System) and secondary hard drive contained a only few images of contraband. However when the government’s examiner carved the secondary external hard drive more than three million, mostly pornographic, images were returned. Carving is a way to recover deleted content from digital media. This is necessary when the reference to a file has been destroyed. Imagine a card catalogue at the library, the file reference is like the card in the index. If you loose that card the book doesn’t disappear from the shelf. Carving allows digital forensic examiners like us to find the book with no reference. Those references could have been recovered by the governments examiner, which would have revealed full file names and paths, but they didn’t use the correct tool. That is a discussion for another post.
Since I have worked a large number of contraband cases it was a strange there were so few images of contraband found on these items. On the main hard drive using our forensic software, I recovered internet history and link files. Internet history can show us where the user went online and link files can show file knowledge. Knowledge is a necessary component of proving someone knew a file existed and interacted with it. It is necessary in most situations and jurisdictions to prove a user knew a file was there to convict them of possession. In this case I was able to recover many internet artifacts and link files. From the internet history I was able to show the user didn’t search for CSAM. From the many recovered link files I was able to conclude that the user didn’t access the contraband or even the folder containing the images. The user also didn’t open any files with CSAM titles.
From this I concluded that the user probably had no idea there was even CSAM on the device. The user of this computer was also dual booting Ubuntu – KDE with grub, so I knew they were an advanced user. It looks like they used a script to download posts from porn forums and just happened to dump the wrong forum. I wrote a note about my findings for the defense attorney (TDS) to share with the government and the governments examiner. The government’s examiner agreed with my assessment and the case turned from a courts-martial to a Chapter 10.