Friday, July 03, 2015

The Marine, the Child Pornography and the Unallocated Space

This post examines an opinion recently issued by the U.S. Navy-Marine Corps Court of Criminal Appeals: U.S. v. Kamara, 2015 WL 2438269 (2015) (per curiam). The opinion begins by explaining that a
panel comprised of both officer and enlisted members sitting as a general court-martial convicted [Kamara], contrary to his pleas, of two specifications of possession of child pornography, in violation of Article 134, Uniform Code of Military Justice, 10 U.S. Code § 934. The members sentenced [Kamara] to confinement for ten years and a dishonorable discharge. The convening authority (CA) approved the sentence as adjudged and ordered it executed.
U.S. v. Kamara, supra.
In his appeal, Kamara challenged his conviction, raising “three assignments of error”, i.e., he argued that the proceeding which resulted in his conviction was flawed due to the impact of one or more of those issues. U.S. v. Kamara, supra. If you are interested, you can find the Manual for Courts-Martial – United States, here. The three issues were
1. that [Kamara’s] conviction should be overturned because a general verdict cannot be upheld when the evidence offered to support the charge also includes constitutionally protected content;
2. that [Kamara’s] conviction for possessing 14 DVDs containing child pornography cannot be sustained without amendment since one of the DVDs is not viewable; and,
3. that the files recovered from `unallocated space’ are legally and factually insufficient to sustain [his] conviction.
U.S. v. Kamara, supra.
The Court of Appeals addressed each of his arguments, in the order given above. U.S. v. Kamara, supra.  It began its analysis by explaining how the court-martial arose:
On 8 November 2012, an agent of the Naval Criminal Investigative Service (NCIS) executed a valid search authorization in [Kamara’s] workplace and residence. He seized a laptop computer, an external hard drive labeled `G drive,’ a tower computer, an Iomega external hard drive, and several thumb drives. These devices contained video clips and images of both adults and children engaged in sexual activity. The NCIS agent also retrieved a safe from [Kamara’s] residence; inside were 14 DVDs allegedly containing child pornography.

The contraband uncovered in [his] possession depicted children as young as five engaging in oral, vaginal, and anal sex, as well as digital and object penetration of their vaginas and anuses. While some of the evidence also depicted adult pornography and nudist images, the agent estimated at trial that approximately 70% of the images found were child pornography. . . .

Specification 1 of the Charge was based upon images allegedly found on the `external hard drives, computers, and thumb drives.’ Charge Sheet. The `G drive’ contained these images as saved files. The images found on the other devices were located in `unallocated space.’ The second specification concerned the 14 DVDs. The members received all of the electronic evidence, but it is unknown which DVDs or CDs they viewed during deliberations. One of the DVDs, Prosecution Exhibit 16, will no longer open for viewing.

Prior to closing arguments, the military judge properly instructed the members, inter alia, on the definitions of `child pornography,’ `sexually explicit conduct,’ and `lascivious.’ . . . He instructed that the evidence must go beyond mere child nudity, and must be `sexually suggestive’ and `designed to elicit a sexual response in the viewer.’ . . . During argument, trial counsel acknowledged that there was adult pornography mixed in with the child pornography, and urged the members to appropriately distinguish between the two when reaching a decision. . . . The members returned a general verdict of guilt without specifically indicating which pieces of evidence they relied upon to reach their decision.
U.S. v. Kamara, supra.  The opinion then notes that “[o]ther facts necessary to address the assigned errors will be provided” later in the opinion.  U.S. v. Kamara, supra.  The court then went on to analyze each of the arguments Kamara raised on appeal, in the order given above.  U.S. v. Kamara, supra.
It began with the issue of the general verdict.  U.S. v. Kamara, supra.  The court began its analysis of this issue by noting that
[r]elying on U.S. v. Barberi, 71 M.J. 127 (U.S. Court of Appeals for the Armed Forces 2012), [Kamara] contends that his conviction should be overturned because the members returned a general verdict where the evidence presented contained both child pornography and constitutionally protected material (adult pornography and non-prurient nudist pictures). He claims that, given the possibility the members may have based their verdict on constitutionally protected images, this court cannot affirm the conviction.

We may have found merit in this argument if Barberi was still an accurate reflection of the law. In U.S. v. Piolunek, 74 M.J. 107 (U.S. Court of Appeals for the Armed Forces 2015), the Court of Appeals for the Armed Forces (CAAF) held that Barberi `was wrongly decided.’ In Piolunek, which, like the instant case, dealt with a general verdict where the evidence contained both proscribed and constitutionally protected material, the CAAF `recognize[d] that properly instructed members are well suited to assess the evidence and make the . . . factual determination . . . whether an image does or does not depict the genitals or pubic region, and is, or is not, a visual depiction of a minor engaging in sexually explicit conduct.’ U.S. v. Piolunek, supra. Furthermore, `[A]bsent an unconstitutional definition of criminal conduct, flawed instructions, or evidence that members did not follow those instructions . . . there is simply no basis in law to upset the ordinary assumption that members are well suited to assess the evidence in light of the military judge's instructions.’ U.S. v. Piolunek, supra.

Here, the prosecution offered hundreds of images and videos to prove [Kamara] possessed child pornography. While there was some amount of constitutionally protected content mixed in with the contraband, there is no reason to second-guess the ability of the members to distinguish between the two when reaching a verdict, particularly when the record shows that the military judge instructed them properly and trial counsel cautioned the members to be careful in making the distinction. Accordingly, we are confident that the members were able to properly identify child pornography and distinguish it from other content.
U.S. v. Kamara, supra. 
The court then took up Kamara’s next argument, i.e., that his conviction could not be affirmed because one of the DVDs allegedly containing child pornography was not viewable.  U.S. v. Kamara, supra.  More precisely, it noted that
[a]lthough not styled as such, [Kamara’s] second [assignment of error] is a question of whether the record of trial is incomplete. This is a matter of law we review de novo. U.S. v. Henry, 53 M.J. 108 (U.S. Court of Appeals for the Armed Forces 2000). `A substantial omission renders a record of trial incomplete and raises a presumption of prejudice that the Government must rebut.’ U.S. v. Henry, supra.
U.S. v. Kamara, supra. 
It began its analysis by noting that Kamara claimed that his conviction
of Specification 1 cannot stand as it is based, in part, on files extracted from the unallocated space on the Iomega hard drive, and the Government failed to prove he knowingly possessed those files. We agree, but only to the extent the specification alleges knowing possession of child pornography images on any electronic device other than the `G drive’ external drive.
U.S. v. Kamara, supra. 
The Court of Criminal Appeals went on to explain that it reviews questions of
legal and factual sufficiency de novo. U.S. v. Winckelmann, 70 M.J. 403 (U.S. Court of Appeals for the Armed Forces 2011). The test for legal sufficiency is whether any rational trier of fact could have found that the evidence met the essential elements of the charged offense, viewing the evidence in a light most favorable to the Government. U.S. v. Turner, 25 M.J. 324 (U.S. Court of Military Appeals 1987); U.S. v. Reed, 51 M.J. 559 (New Mexico Court of Criminal Appeals 1999). . . . The test for factual sufficiency is whether we are convinced of [Kamara’s] guilt beyond a reasonable doubt, allowing for the fact that we did not personally observe the witnesses. U.S. v. Turner, supra.
U.S. v. Kamara, supra. 
The court then explained the factual basis of Kamara’s argument on this issue:
[a]t trial, the Government's expert testified she reviewed 25 images provided by the NCIS agent. Of those, 19 were in saved files on the appellant's `G drive’ external drive. The remaining six were located in unallocated space on the Iomega external drive. The expert also located possible images of child pornography in unallocated space on one thumb drive and the laptop computer.

Using evidence of search terms used on 18 September 2012, the expert was able to link the images on the `G drive’ to the laptop computer. She was also able to show that the `G drive’ and Iomega drives were at some point connected to the laptop. However, due to her inability to discern the filenames of the images in unallocated space on the Iomega drive, the expert could not say when or whether these files were accessed.
U.S. v. Kamara, supra. 
The court then took up the issue of the extent to which the evidence supported Kamara’s convictions.  U.S. v. Kamara, supra.  It began by explaining that the elements of
possessing child pornography, as charged in the present case, are: (1) that the accused knowingly and wrongfully possessed child pornography; and, (2) that under the circumstances, the conduct of the appellant was of a nature to bring discredit upon the armed forces. MANUAL FOR COURTS–MARTIAL, UNITED STATES (2012 ed.), Part IV, ¶ 68b. The Government charged [Kamara] with possessing the child pornography in question `between on or about 7 October 2012 and on or about 8 November 2012.’ Charge Sheet.
U.S. v. Kamara, supra. 
It went on to explain, initially, that
[v]iewing the evidence in the light most favorable to the Government, we find that the testimony of the NCIS agent and the Government's computer forensic expert, as well as the images contained in Prosecution Exhibit 1, support a finding that [Kamara] knowingly possessed child pornography in files found on his `G drive’ external drive when it was seized on 8 November 2012. Thus, we find the evidence to be legally sufficient for the images on that electronic device.
U.S. v. Kamara, supra. 
It reached a different conclusion
with regards to images found on the other devices. The [U.S. Court of Appeals for the Armed Services] has recognized that `knowing possession’ as it relates to child pornography means `”to exercise control of something.”’ U.S. v. Navrestad, 66 M.J. 262 (2008) (quoting MANUAL FOR COURTS-MARTIAL Part IV, ¶ 37c(2)). Here, the Government's expert testified she would be unable to view the files found in unallocated space without using some sort of forensic device.
U.S. v. Kamara, supra. 
The court also pointed out that the prosecution in this case presented
no evidence to show [Kamara] possessed or knew how to use such a forensic device. Thus, the existence of the images in unallocated space on the thumb drives, IOMEGA external drive and computers is, alone, legally insufficient to prove [he] exercised `dominion and control’ over the files on the date NCIS seized these devices. See U.S. v. Kuchinski, 469 F.3d 853 (U.S. Court of Appeals for the 9th Circuit 2006) (holding that in situation in which “a defendant lacks knowledge about the cache files, and concomitantly lacks access to and control over those files, it is not proper to charge him with possession and control of the child pornography images located in those files, without some other indication of dominion and control over the images. To do so turns abysmal ignorance into knowledge and a less than valetudinarian grasp into dominion and control”).

We find no other evidence in the record to overcome this shortcoming. While the record includes circumstantial evidence indicating [Kamara] downloaded these images, this evidence does nothing to show [he] `knowingly possessed’ the image during the period charged. See U.S. v. Flyer, 633 F.3d 911 (U.S. Court of Appeals for the 9th Circuit 2011) (citing U.S. v. Navrestad, supra, and holding that evidence was legally insufficient to prove knowing possession of child pornography in his computer's unallocated space on or about the date charged in the indictment).

The Government charged a specific, month-long period during which [Kamara] allegedly possessed child pornography. However, they produced no evidence to indicate when the appellant accessed the images found in unallocated space. Accordingly, we find the evidence to be legally insufficient to prove [he] knowingly and wrongfully possessed images depicting child pornography on any devices other than the `G drive’ external hard drive.
U.S. v. Kamara, supra. 
The court concluded its analysis by noting that, regarding the factual sufficiency of the evidence in the case:  “Based on a careful review of the record, we are convinced beyond a reasonable doubt both that [Kamara] knowingly possessed child pornography on the `G drive’ external hard drive and that such possession was of a nature to bring discredit upon the armed forces.”  U.S. v. Kamara, supra. 
Unfortunately for Kamara, the court also found
no reason to alter [Kamara’s] punishment in this case. Setting aside one of the 14 DVDs and the images found in unallocated space does not dramatically alter the sentencing landscape. See U.S. v. Buber, 62 M.J. 476 (U.S. Court of Appeals for the Armed Services 2006). The remaining evidence includes many dozens of videos involving young children engaging in sexual activity.

The nature and gravity of the offenses has not changed. There is no lessening of [Kamara’s] punitive exposure. Applying the analysis set forth in U.S. v. Sales, 22 M.J. 305 (Court of Military Appeals 1986), U.S. v. Moffeit, 63 M.J. 40 (U.S. Court of Appeals for the Armed Forces 2006), and U.S. v. Cook, 48 M.J. 434, 438, (U.S. Court of Appeals for the Armed Forces 1998), we are convinced the members would have imposed the same sentence in the absence of the fourteenth DVD and unallocated space images, and find that the sentence imposed is appropriate.
U.S. v. Kamara, supra. 
The court therefore affirmed the
decision of the United States Army Court of Criminal Appeals is affirmed as to findings and set aside as to sentence. The sentence is set aside. The record is returned to the Judge Advocate General of the Army for a rehearing on sentence.
U.S. v. Kamara, supra.  

Wednesday, July 01, 2015

The Laptop, ColorTyme Rental and Grand Larceny

After Charleston Alexandria Williams, Jr. “was convicted in a bench trial of grand larceny in violation of [Virginia] Code § 18.2–95”, he appealed.  Williams v. Commonwealth, 2015 WL 1782088 (Court of Appeals of Virginia 2015). As the Court of Appeals explained, in Williams’ appeal
he challenges the sufficiency of the evidence. Specifically, he argues that, as a matter of law, the Commonwealth failed to prove that the value of the item stolen was $200 or more, and therefore, his conviction of grand larceny should be reversed and remanded for further proceedings. . . .
Williams v. Commonwealth, supra.  (As Wikipedia explains, a few U.S. states define themselves as “Commonwealths”, rather than “States.”  The use of Commonwealth is apparently, as Wikipedia notes, a matter of history, since each of the Commonwealth states either were, or were parts of, one of the original colonies.)
The court begins its opinion by explaining how, and why, the prosecution arose:
On June 5, 2012, Aaron Rye, the store manager for ColorTyme Rental, discovered that a laptop computer was missing. This particular laptop recently had been returned to the store by a customer who had been renting it. The record reflects that the computer was infested with roaches upon its return. In keeping with ColorTyme's customary procedures for dealing with roach-infested electronics, Rye removed the battery and power cord, placed the computer in a plastic bag, and then put the laptop in the freezer over the weekend to kill the roaches. Rye did not test or otherwise inspect the laptop before placing it in the freezer.

Rye removed the laptop from the freezer on June 4, 2012, and he placed the laptop, still in the bag, on Jeff Temper's desk. Neither the power cord nor the battery were reunited with the computer before it was placed on Temper's desk. Temper then moved the bag from his desk to the top of a clothes dryer in the back of the store. Based upon the store's video surveillance, Rye determined that [Williams], an employee of ColorTyme, put the laptop inside the dryer and then moved the dryer onto a truck.

Temper, the owner of ColorTyme, initially testified [at Williams’ trial] that the computer was worth `like eight hundred and something dollars’ and that, without the power cord and battery, it was `absolutely’ worth more than $200 to him. Temper conceded on cross-examination that he was unaware of the brand of the laptop that had been taken and that his estimate of value was based on a conversation he had had with Rye. [Williams] moved to strike Temper's testimony, arguing that, because Temper did not know what property was lost, he could not testify as to its value.
Williams v. Commonwealth, supra.
The Court of Appeals goes on to explain that the Commonwealth (the prosecution)
attempted to rehabilitate Temper's testimony by refreshing his recollection by showing him a copy of the police report. After some questioning from the Commonwealth and arguments by the parties, the trial court granted [Williams’] motion to strike, expressly finding that the Commonwealth had successfully refreshed Temper's recollection as to the brand of laptop taken, but had not successfully established that Temper had knowledge of the value. The trial court stated that the fact that the laptop was a Compaq was in evidence, `but nothing else about value.’
Williams v. Commonwealth, supra.
The opinion explains that after the trial judge issued his ruling, the attorneys for the prosecution and defense
engaged in a brief colloquy that resulted in the trial court asking questions of the witness. In response to the trial court's inquiry regarding value, Temper testified that the computer was worth more than $800. On cross-examination, Temper conceded that this was the value for which he would have sold the laptop when it was new. After the trial court struck his initial testimony as to value, Temper was never asked about and never testified that the computer, in its condition at the time of the theft, had a value in excess of $200.

Ultimately, the trial court found Temper's testimony regarding value sufficient to establish that the laptop was worth more than $200 when it was stolen. Accordingly, the trial court found [Williams] guilty of grand larceny.
Williams v. Commonwealth, supra.  
As is explained below, the $200 figure was significant because one of the ways Virginia Code § 18.2-95 defines “grand larceny” is that a person “commits simple larceny not from the person of another of goods and chattels of the value of $200 or more”.  In other words, the prosecution in this case could prove Williams committed grand larceny if it could prove he took property valued at $200 or more from his employer, ColorTyme Rental, without the company’s consent. Williams v. Commonwealth, supra.  
On appeal, Williams challenged the sufficiency of the evidence to support his conviction.  Williams v. Commonwealth, supra.  The Court of Appeals then explained that, therefore,
we must `”examine the evidence that supports the conviction and allow the conviction to stand unless it is plainly wrong or without evidence to support it.”’ Commonwealth v. McNeal, 282 Va. 16, 710 S.E.2d 733 (Virginia Supreme Court 2011) (quoting Vincent v. Commonwealth, 276 Va. 648, 668 S.E.2d 137 (Virginia Supreme Court 2008)). . . . [W]e review the evidence in the light most favorable to the Commonwealth, as the prevailing party below, and determine whether `”any rational trier of fact could have found the essential elements of the crime beyond a reasonable doubt.”’ Vincent v. Commonwealth, supra (quoting Jackson v. Virginia, 443 U.S. 307 (1979)).

This means the trial court's decision cannot be overturned on appeal unless no `”rational trier of fact”’ could have come to the conclusion it did. Kelly v. Commonwealth, 41 Va. App. 250, 584 S.E.2d 444 (Virginia Court of Appeals 2003) (en banc ) (quoting Jackson v. Virginia, supra). . . . `An appellate court does not “ask itself whether it believes that the evidence at the trial established guilt beyond a reasonable doubt.”’ Williams v. Commonwealth, 278 Va. 190, 677 S.E.2d 280 (Virginia Supreme Court 2009) (quoting Jackson v. Virginia supra) (emphasis in the original). Instead, the only `relevant question is, after reviewing the evidence in the light most favorable to the prosecution, whether any rational trier of fact could have found the essential elements of the crime beyond a reasonable doubt.’ Sullivan v. Commonwealth, 280 Va. 672, 701 S.E.2d 61 (Virginia Supreme Court 2010) (emphasis added).

This deferential appellate standard `applies not only to the historical facts themselves, but the inferences from those facts as well.’ Clanton v. Commonwealth, 53 Va.App. 561, 673 S.E.2d 904 (Virginia Court of Appeals 2009) (en banc). . . . Thus, a factfinder may `draw reasonable inferences from basic facts to ultimate facts,’ Tizon v. Commonwealth, 60 Va.App. 1, 723 S.E.2d 260 (Virginia Court of Appeals 2012) (quoting Haskins v. Commonwealth, 44 Va.App. 1, 602 S.E.2d 402 (Virginia Court of Appeals 2004)), `unless doing so would push “into the realm of non sequitur,”’ Tizon v. Commonwealth, supra (quoting Thomas v. Commonwealth, 48 Va.App. 605, 633 S.E.2d 229 (Virginia Court of Appeals 2006)).
Williams v. Commonwealth, supra.  
The Court of Appeals then took up the substance of Williams’ argument on appeal, explaining that
Larceny, a common law crime, is the wrongful or fraudulent taking of another's property without the owner's permission and with the intent to permanently deprive the owner of that property. Commonwealth v. Taylor, 256 Va. 514, 506 S.E.2d 312 (Virginia Supreme Court 1998). Code § 18.2–95 defines the offense of grand larceny. It provides, in part, that `[a]ny person who . . . (ii) commits simple larceny not from the person of another of goods and chattels of the value of $200 or more . . . shall be guilty of grand larceny. . . .’
Williams v. Commonwealth, supra.  
The Court of Appeals then began its analysis of Williams’ argument on appeal:
[Williams] does not dispute that he was the thief. Rather, he argues that the evidence was insufficient to prove, beyond a reasonable doubt, that the value of the property he stole was $200 or more. `The value of the goods specified in [Code § 18.2–95] is an essential element of the crime, and the Commonwealth must prove that element beyond a reasonable doubt.’ Walls v. Commonwealth, 248 Va. 480, 450 S.E.2d 363 (Virginia Supreme Court 1994). Further, `[t]he value of the stolen property is measured as of the time of the theft. . . .’ Parker v. Commonwealth, 254 Va. 118, 489 S.E.2d 482 (Virginia Supreme Court 1997).

`It is well established that “the opinion testimony of the owner of personal property is competent and admissible on the question of the value of such property, regardless of the owner's knowledge of property values.”’ Burton v. Commonwealth, 58 Va.App. 274, 708 S.E.2d 444 (Virginia Court of Appeals 2011) (quoting Walls v. Commonwealth, supra). The witness need only to have had an opportunity to become familiar with the property and to form an opinion as to its true value. Kerr v. Clinchfield Coal Corp., 169 Va. 149, 192 S.E. 741 (Virginia Supreme Court 1937).

Here, without the stricken testimony, the only evidence of the laptop's value was Temper's testimony that he would have sold the laptop new for more than $800. There was no evidence to establish how old the laptop was, what its capabilities were when new or at the time of the theft, whether it still worked, what software, if any, was installed on the laptop, what its memory capability was, or any other factor that could be used to allow a factfinder to divine a value for it at the time of the theft.

`”While the original purchase price of an item may be admitted as evidence of its current value, there must also be ‘due allowance for elements of depreciation.’”’ Dunn v. Commonwealth, 222 Va. 704, 284 S.E.2d 792 (Virginia Supreme Court 1981) (quoting Gertler v. Bowling, 202 Va. 213, 116 S.E.2d 268 (Virginia Supreme Court 1960)). As this Court recognized in Lester v. Commonwealth, 30 Va.App. 495, 518 S.E.2d 318 (Virginia Court of Appeals 1999), `technical equipment generally depreciates in value over time and that equipment which does not operate properly has significantly reduced value.’
Williams v. Commonwealth, supra.  
It went on to explain that in
Dunn v. Commonwealth, supra, evidence that a 10–year–old typewriter originally had been purchased for $150 was held to be insufficient to establish that it was worth the then statutory threshold of $100 when stolen. . . . Although the factfinder knew both the original purchase price and the age of the typewriter, the Supreme Court found that a jury could conclude that it met the statutory threshold only by relying on `speculation and conjecture’ because there had been no evidence offered regarding “the effect of age and wear and tear on the value of” the typewriter. Dunn v. Commonwealth, supra.

Here, the factfinder did not even know the age of the laptop, let alone have any information about wear and tear or whether the laptop was even operable. Accordingly, the evidence of value was insufficient to demonstrate that the statutory threshold was met.

The Commonwealth conceded at oral argument that, absent Temper's testimony that the laptop was worth more than $200 to him, the evidence was insufficient to establish that the laptop was worth more than $200 at the time of the theft. The Commonwealth argues that although the trial court did strike this testimony initially, it implicitly reversed that ruling in rendering its decision, allowing the testimony to form the basis of the trial court's ultimate finding as to value. We disagree with the Commonwealth.

There is no dispute that the trial court initially struck the testimony, expressly ruling that Temper's initial testimony established the brand of laptop stolen, `but nothing else about value.’ The trial court never expressly revisited this ruling.

The Commonwealth's position that the trial court implicitly reversed itself is based on the Commonwealth's argument at trial in response to a motion to strike the evidence after the close of the Commonwealth's evidence.  That argument referenced both Temper's testimony that the laptop was worth more than $200 to him and that it was worth more than $800 new. In denying the motion to strike, the Court noted that it was doing so based on what the Commonwealth had `said’ and that the Commonwealth had `proved value of over two hundred dollars on the evidence.’
Williams v. Commonwealth, supra.  
The Court of Appeals therefore found that the
better reading of the record is that the trial court, in denying the motion to strike, was relying on the testimony as to the purchase price of the laptop when new rather than the reference to the stricken evidence. It is axiomatic that stricken evidence may not form the basis for a trial court's conclusion. Absent some express statement from the trial court that it was reversing its prior evidentiary ruling, we will not assume that the trial court based its decision on testimony that it had stricken. See Mason v. Commonwealth, 219 Va. 1091, 254 S.E.2d 116 (Virginia Supreme Court 1979) (`In non-jury cases, it will be presumed that[,] . . . in the absence of an affirmative showing to the contrary, that only material and competent evidence is considered’).

As noted above, the Commonwealth conceded that, without the stricken testimony, the evidence failed to establish that the value of the laptop at the time of the theft met the statutory threshold. While we are not bound by this concession, the concession, coupled with the utter lack of evidence about the condition and capabilities of the laptop at the time of the theft, makes clear that the evidence was insufficient to support appellant's conviction for grand larceny.
Williams v. Commonwealth, supra.  
It went on to explain that
[h]aving found that the conviction for grand larceny must be reversed, we must remand the case to the trial court for further proceedings. [Williams’] brief seeks only to have the matter `remanded back to the trial court for sentencing on the charge of petit larceny.’ Although the evidence at trial supports such a result, the Virginia Supreme Court's decision in Britt v. Commonwealth, 276 Va. 569, 667 S.E.2d 763 (2008), precludes that resolution on the record before us.
Williams v. Commonwealth, supra.  
The Court of Appeals then pointed out that in Britt v. Commonwealth, supra, the
[Virginia] Supreme Court set aside a conviction for grand larceny after finding that the evidence did not establish that the value of the goods stolen met the $200 statutory threshold. In overturning the conviction, the Court directed

`that the case be remanded to the circuit court for a new trial on a charge of petit larceny if the Commonwealth be so advised. We do not remand solely for imposition of a new sentence on the lesser offense as we did in Commonwealth v. South, 272 Va. 1, 630 S.E.2d 318 (Virginia Supreme Court 2006), because here, unlike in South, both parties have not consented to that relief.’
Commonwealth v. South, supra (emphasis added).
Here, although [Williams] has affirmatively consented to remand for sentencing on the lesser-included offense, the record is silent as to whether the Commonwealth consents. Given these circumstances, it may be logical to assume that the Commonwealth would consent; however, we read Britt as requiring an affirmative indication of consent on the record. Without such an indication in the record before us, we must, consistent with Britt, remand the matter to the trial court for a new trial on the lesser-included offense of petit larceny if the Commonwealth be so advised. 

Williams v. Commonwealth, supra. The court therefore did just that, i.e., remanded “the case to the trial court for a new trial on the lesser-included offense of petit larceny should the Commonwealth be so advised.” Williams v. Commonwealth, supra.  

Monday, June 29, 2015

The SpyEye Trojan, Abuse.ch and the Motion to Suppress

This post examines an opinion a U.S. District Court Judge who sits in the Northern District of Georgia issued recently in a criminal case: U.S. v. Bendelladj, 2015 WL 3650219 (U.S. District Court for the Northern District of Georgia 2015). The issue the judge addresses in the opinion involves a motion to suppress evidence; if you are interested in the charges, and the facts that gave rise to those charges, check out the news stories you can find here and here. And you can find the indictment here.
The District Court Judge assigned Hamza Bendelladj’s motion to suppress to a U.S. Magistrate Judge. U.S. v. Bendelladj, supra.  Pursuant to Rule 59 of the Federal Rules of Criminal Procedure, the Magistrate Judge was to review the motion, analyze the arguments it made and the relevant law, and write a Report and Recommendation (“R&R”) reporting to the U.S. District Court Judge whether the motion should be granted or denied.  U.S. v. Bendelladj, supra.
In his motion to suppress, Bendelladj “challenge[d]” the February 25, 2011 search warrant which authorized a search for

`Information associated with IP Address 75.127.109.16 and the domain name 100myr.com that is stored at premises owned, maintained, controlled, or operated by Global Net Access, LLC, a company headquartered at 1100 White St. S.W. Atlanta, Georgia, 20210.’
R&R - U.S. v. Bendelladj, supra.  
The Magistrate Judge began his analysis of Bendelladj’s motion by explaining what the FBI Agent who obtained the warrant, Special Agent Mark C. Ray, did to establish the probable cause on which the warrant had to be based.  U.S. v. Bendelladj, supra.  Under Federal Rules of Criminal Procedure Rule 41(d)(1), a District Court Judge must issue a search warrant if a federal agent submits an application for the warrant and an affidavit that establishes probable cause for issuing the warrant. You can, if you are interested, find an example of a search warrant application and supporting affidavit here. In this case, the search warrant was issued by another U.S. Magistrate Judge, i.e., not by the one who is reviewing Bendelladj’s motion to suppress here.
The Magistrate Judge in this case explained that Agent Ray submitted an affidavit, in support of his request for a search warrant, in which he
recounted his training and experience in the computer crimes area, including both law enforcement training and experience and private industry. . . . He defined technical terms such as `server,’ `IP address,’ `domain name,’ `hot [sic] and botnet,’ `Banking Trojan,’ `keynote logging [sic],’ `form grabbing,’ and `malware.’ . . .He then alleged that in December 2009, a new malware toolkit called SpyEye v1.0 appeared for sale on Russian underground online forums. . . . Investigation revealed `Gribodemon’ to be SpyEye's creator. . . . The affiant concluded that Spy Eye was similar to another malware called Zeus Banking Trojan, in that each used keystroke logging and form grabbing techniques designed to steal financial and personally identifying information from unsuspecting computer users. . . .

The affidavit then recounted that the creator of Zeus Banking Trojan announced that he intended to hand over the source code for Zeus to Gribodemon, who indicated on online criminal forums that he intended to combine Zeus and SpyEye into a larger more malicious malware toolkit. . . .The affidavit then explained that thereafter a combined malware, SpyEye v1.3.05, was released. . . .

The affidavit continued that a SpyEye Command and Control (`C & C’) server is a computer system administered by one or more individuals that is used remotely to send commands to the victim computers (bots) under its control. . . . The affidavit related that several SpyEye C & C servers had been identified worldwide by their IP addresses, including one previously operating in this District and another which was currently active in this District and the subject of the search warrant application. . . .The affiant stated . . . that there are several websites available in the malware research industry designed to locate computers or servers connected to the Internet that are infected with or operating malware and botnets.

Specifically, the website called Spy Eye Tracker (https://spyeyetracker.abuse.ch) identified SpyEye C & C servers worldwide, by searching for and locating files on computer systems that are uniquely associated with SpyEye. SpyEye Tracker was developed by the Swiss internet security research firm Abuse.ch. Abuse.ch developed the well known Zeus Tracker website (https://zeustracker.abuse.ch). I have learned through discussions with members of the internet security industry and law enforcement that the Zeus Tracker website is utilized by corporations and law enforcement agencies worldwide for identifying Zeus C & C servers. In addition, I have learned from these discussions that many information security organizations and law enforcement agencies around the world recognize SpyEye Tracker as a reliable source of identifying SpyEye C & C servers. I am not aware of any instances in which SpyEye Tracker has misidentified a particular IP address as hosting a SpyEye C & C server.

18. On December 16, 2010, I obtained a similar search warrant for another suspected SpyEye C & C server hosted by a company in Omaha, Nebraska. The affidavit I submitted in support of the search warrant application relied, in part, on the fact that the suspected SpyEye C & C server had been identified as such on SpyEye Tracker.[ ] On January 26, 2011, I obtained three other search warrants for suspected SpyEye C & C servers hosted by companies in Orlando, Florida, Kansas City, Missouri, and New York, New York. The affidavits I submitted in support of those search warrant applications also relied, in part, on the fact that the suspected SpyEye C & C servers had been identified as such on SpyEye Tracker.[ ] The information obtained pursuant to all four search warrants confirmed that the suspected SpyEye C & C servers were, in fact, SpyEye C & C servers; thus, supporting the reliability of SpyEye Tracker in identifying SpyEye C & C servers.

19. Based on my training and experience, I know that malware research websites such as SpyEye Tracker use various methods for identifying and labeling servers connected to the internet as SpyEye C & C servers. For example, one common method is setting up a computer as a “honey pot.” A honey pot in the malware research field is a computer that is connected to the internet with the intention of becoming infected with malware such as SpyEye. The computer is intentionally left in a vulnerable state (that is, no anti-virus protection) so that the person who establishes the honey pot can identify the source of the virus such as a SpyEye C & C server once the computer becomes infected. This is done by capturing the IP Addresses associated with distributing and operating the malware. While I do not know the specific method SpyEye Tracker uses to identify any specific server as a SpyEye C & C server, based on my training and experience, I believe that the various methods of which I am aware are reliable.

20. On February 17, 2011, at 11:23 p.m., I reviewed the SpyEye Tracker website. The following information was observed:
SpyEye C & C | IP address | Level | Status | Files Online | Country | AS number
100myr.com | 75.127.109.16 | 4 | online | 2 | USA | AS16626
This information indicates that the server with IP address 75.127.109.16, utilizing the domain name 100myr.com, is being utilized as a SpyEye C & C server. . . . This IP address is owned, maintained, controlled, or operated by Global Net Access LLC, a web hosting company headquartered at 1100 White St, SW, Atlanta, Georgia 30310. SpyEye Tracker is updated on a daily basis, thus I have reason to believe that malicious code is still on this server.
R&R - U.S. v. Bendelladj, supra. (Unfortunately, Blogger truncates the full version of the information from the SpyEye Tracker site, which is given as a set of columns of figures, and I cannot find it anywhere online.) 
The Magistrate Judge noted that the affidavit
also related that the suspected Omaha SpyEye C & C server had been identified as such on another website, malwaredomainlist.com (http://www.malwaredomainlist.com), while the servers in this case and the ones in Orlando, Kansas City and New York had not been identified as such on malwaredomainlist.com. . . .

Finally . . .the affidavit provided that Global Net Access LLC is a business that maintains servers connected to the Internet and offers those servers for customers to use to operate websites, store and process information and perform other web-based activities. It also stated that a provider such as Global Net Access gives customers, for a fee, access to its servers and often offers related services such as domain name registration and e-mail service. . . .
R&R - U.S. v. Bendelladj, supra.
The Magistrate Judge then noted that Bendelladj alleged, in support of his motion, that
the primary source of the information in the warrant application is from a website called Abuse.ch, which Bendelladj likens to a confidential informant. He argues that in effect Abuse.ch is just a blog, that is, an unfiltered personal internet account, with no identifiable contributor. Bendelladj submits that the unknown contributor associated with Abuse.ch lists IP addresses asserted to be malware, however, this information has not been shown to have been vetted, cannot be verified nor can it be recreated since Abuse.ch does not maintain an archive.

In addition, he alleges that although this website is associated with the `Swiss Information Security Research Association’ and `Bernet Monika,’ the only cross-reference to this information is the website itself. . . . Bendelladj also points out that the affiant conceded he was unaware of the methodology Abuse.ch used to obtain the IP addresses it puts on the suspected malware list, and argues therefore that the website's reliability or accuracy cannot be checked. He also argues that the bald statement that Abuse.ch is relied upon by security organizations and law enforcement agencies around the world is not sufficient, since these entities are not identified. . . .

Bendelladj next argues that the supporting affidavit's acknowledgment that the suspected malware in this case, SpyEye C & C, did not show up on another respected cyber-security website, www.malwaredomainlist.com, is another reason to suspect Abuse.ch's reliability. . . . Finally, he argues that the Abuse.ch webpage screenshot attached to the affidavit shows `no results’ for linking 100myr.com to the Atlanta-based IP address. . . .
R&R - U.S. v. Bendelladj, supra.
The Magistrate Judge then addressed Bendelladj’s arguments, starting with Abuse.ch:
[t]he issuing magistrate judge was justified in concluding that the information from Abuse.ch was reliable and thus probable cause existed to issue the search warrant.

First, the affiant related that Abuse.ch was relied upon by other law enforcement officers (and private security organizations) in their efforts in detecting both Zeus Banking Trojan and SpyEye malware. Observations of fellow officers engaged in a common investigation are a reliable source for a warrant. . . .U.S. v. Kirk, 781 F.2d 1498 (U.S. Court of Appeals for the 11th Circuit 1986). . . . The fact that the law enforcement agencies were not identified does not render the information unreliable; after all, search warrants may be based upon information from anonymous lay informants. . . . See U.S. v. Brundidge, 170 F.3d 1350 (U.S. Court of Appeals for the 11th Circuit 1999). What is critical is that the confidential information be reliable. In this case, it was.
R&R - U.S. v. Bendelladj, supra.
The Magistrate Judge then pointed out that the affiant whose statement supported issuing the warrant
asserted facts that corroborated the reliability of both Abuse.ch and the opinion of Abuse.ch's reliability held by the anonymous law enforcement agencies and private security organizations. First, the fact that Abuse.ch accurately identified IP addresses associated with the Zeus Banking Trojan makes it more likely that Abuse.ch's listing of the subject IP address as SpyEye malware also was accurate. See U.S. v. Morales, 238 F.3d 952 (U.S. Court of Appeals for the 8th Circuit 2001) (`Information may be sufficiently reliable to support a probable cause finding if the person providing the information has a track record of supplying reliable information, or if it is corroborated by independent evidence’); U.S. v. Ridolf, 76 F.Supp.2d 1305 (U.S. District Court of Appeals for the Middle District of Alabama 1999) (recognizing that one way to test reliability and veracity is to examine the informant's `track record’ of providing reliable information in the past).
R&R - U.S. v. Bendelladj, supra.
The Magistrate Judge then explained that Bendelladj’s arguments failed because,
[s]econd, Agent Ray utilized Abuse.ch's information in support of search warrants for suspected SpyEye C & C servers in Omaha, Orlando, Kansas City and New York, and the information was shown to be reliable as these IP addresses were discovered to be SpyEye.
R&R - U.S. v. Bendelladj, supra.
He also pointed out two more reasons why Bendelladj’s arguments did not succeed:
Third, it appears from the affidavit that Abuse.ch's SpyEye Tracker is just as reliable as another malware research tool, malwaredomainlist.com, that Bendelladj holds up as accurate. While he claims that the subject IP address appeared on Abuse.ch's list but did not appear on malwaredomainlist.com, the affidavit also recounted that the SpyEye C & C servers in Orlando, Kansas City and New York similarly did not appear on malwaredomainlist.com but were found to be malware. Thus, that the instant IP address did not appear on the other tracking list does not render SpyEye Tracker unreliable.

Fourth, the warrant is not fatal because Abuse.ch's methodology in creating its SpyEye Tracker list is unknown. There is no precedent or authority demanding that the reliability standard of Daubert v. Merrell Dow Pharms., Inc., 509 U.S. 579 (1993), be applied to investigative procedures used by law enforcement in order for the search warrant to contain probable cause for the search, nor does Daubert hold that this standard must be applied to the probable cause analysis. United States v. Pirosko, 2013 WL 5595224 (U.S. District Court for the Northern District of Ohio 2013).

Here the Court has found that the information from Abuse.ch was reliable, and thus the issuing magistrate judge was entitled to rely upon it in his consideration of whether probable cause to search existed. The same holds true for Bendelladj's argument that he cannot recreate Abuse.ch's results, since `probable cause must exist when the magistrate judge issues the search warrant,’ U.S. v. Santa, 236 F.3d 662 (U.S. Court of Appeals for the 11th Circuit 2000) (quoting U.S. v. Harris, 20 F.3d 445 (U.S. Court of Appeals for the 11th Circuit 1994)). The fact that the information cannot be duplicated or recreated does not mean it was not reliable at the time the warrant issued.      
R&R - U.S. v. Bendelladj, supra.
And, finally, the Magistrate Judge explained that the fact that Bendelladj
could not find sufficient information on the entity and person associated with Abuse.ch does not detract from the reliability of Abuse.ch's SpyEye Tracker list as demonstrated in the affidavit for the search warrant. The list is used by law enforcement and private security organizations to detect the SpyEye malware, and in using IP addresses listed on SpyEye Tracker, in addition to other information, the affiant was able to discover SpyEye malware in at least four other IP addresses. That is sufficient to demonstrate reliability.

Thus, the information from Abuse.ch was reliable and, under the totality of circumstances, that the subject IP address was listed on Abuse.ch's SpyEye Tracker list properly contributed to the issuing magistrate judge's conclusion that probable cause existed to issue the warrant.

Finally, the Court takes note of Bendelladj's argument that Exhibit A to the search warrant affidavit shows `no results’ for three of the URL searches performed by the affiant. However, it is Bendelladj's burden to show that the warrant was invalid, and the bare statement in his motion about these `no result’ entries, given that the same exhibit shows that there was a `hit’ for SpyEye malware on the IP address, is not sufficient to undermine the finding of probable cause in this case.
R&R - U.S. v. Bendelladj, supra.
For these and other reasons, the Magistrate Judge recommended that Bendelladj’s motion to suppress be denied.  R&R - U.S. v. Bendelladj, supra.
Then, as Rule 59(b)(3) of the Federal Rules of Criminal Procedure and 28 U.S. Code § 636(b)(1) require, the U.S. District Court Judge reviewed the Magistrate Judge’s recommendations and accepted them. U.S. v. Bendelladj, supra. He then denied Bendelladj’s motion to suppress.  U.S. v. Bendelladj, supra.