Monday, September 14, 2009

"Evidence Elimimator" and Possession

This post is about the extent to which the finder of fact in a trial can infer mens rea from the use of data erasing software.

As I assume we all know, it is a crime to possess child pornography under both state and federal law. The possession of child pornography statutes often use “knowing” as the mens rea; that is, they often require that the defendant have “knowingly” possessed the child pornography.

I explained in an earlier post how U.S. criminal law defines “possession.” The definitions fall into two categories: actual and constructive. Constructive possession exists when you know you have control of the thing (here, child pornography) and had time and the ability to get rid of it, but didn’t.

That brings me to the case this post is about: People v. Scolaro, 391 Ill. App.3d 671, 910 N.E.2d 126 (Illinois Court of Appeals 2009). According to the opinion, a Department of Homeland Security investigation of online child pornography identified Scolaro as someone who subscribed to child pornography websites. People v. Scolaro, supra.

The DHS sent that information to the Westchester, Illinois police and Detective Dominick Luciano followed up on it by going to Scolaro’s home. People v. Scolaro, supra. Luciano told Scolaro he was investigating “inappropriate images on the Web that” might be on Scolaro’s computer and asked if he could enter Scolaro’s home. People v. Scolaro, supra. Scolaro let him in. Luciano then asked if he could conduct “`an image scan on his computer, which would pull images off his computer and let [police] view them.’” People v. Scolaro, supra. Scolaro agreed, signing a consent form authorizing Luciano or other officers “`or their agents, to conduct a complete search’” of his computer. People v. Scolaro, supra.

Luciano then installed a flash drive. . . Using software called `ImageScan,’ developed and owned by the Federal Bureau of Investigation, Luciano attempted to `pull’ images of child pornography from [Scolaro’s] hard drive. When Luciano booted up [the] computer, it froze. On a second try, the program started to produce certain nonpornographic images, but would not allow access to certain folders on the computer, so Luciano sought [Scolaro’s] permission to send it out for a forensic examination. [He] agreed. In addition to the computer, police officers confiscated pornographic videos and discs, none of which contained child pornography. According to Luciano, [Scolaro] told the officers he `had viewed images, but had never saved any on his computer.’

People v. Scolaro, supra.

A DHS Special Agent named Jarrod Winkle conducted the forensic examination of Scolaro’s computer using EnCase,

which is designed to perform complete forensic analysis on computers and/or computer-type equipment, or media, without altering the computer media itself. Winkle found a program on [Scolaro’s] computer hard drive called `Evidence Eliminator,’ which is . . . designed to eliminate files and/or evidence from a computer. Using EnCase, Winkle was able to obtain and recover some of the deleted computer files. Winkle found 689 images of child pornography in the unallocated section of [Scolaro’s] hard drive and 1 image in a temporary file. The unallocated section of a hard drive is considered the “free space” of the hard drive and is the area to which computer data or images are sent, sometimes automatically, by the Web site the user is visiting.

People v. Scolaro, supra.

Based on this, and other, evidence, Scolaro was charged with possession of child pornography. People v. Scolaro, supra. He was tried by a judge (in what I’ve noted is called a bench trial) and convicted, after which he appealed. People v. Scolaro, supra.

On appeal, Scolaro argued that the state failed to prove him guilty beyond a reasonable doubt. He based that argument on two contentions: (i) “no evidence was presented that he ever downloaded, saved, or printed, or in any other way exerted control over the images”; and (ii) “no evidence was presented that he knew such images existed on his computer”. People v. Scolaro, supra. The Illinois statute under which he was charged provided, in part, that the criminal provisions of the statute do “not apply to a person who does not voluntarily possess . . . [a depiction of] child pornography. . . . Possession is voluntary if the defendant knowingly procures or receives a . . . depiction for a sufficient time to be able to terminate his or her possession.” 720 Illinois Statutes 5/11-20.1(b)(5).

The Illinois Court of Appeals rejected Scolaro’s arguments. It found that the evidence presented at trial showed he “knowingly” possessed child pornography:

[T]he record shows that the child pornography was saved as temporary files on [his] home computer. Defendant `reached out’ for images by subscribing to Web sites that contained images of child pornography. Defendant admitted to forwarding images to others and receiving images of fully naked boys. Even if there had been no indication in the record that defendant had copied, printed, e-mailed, or sent images to others, defendant had the . . . Furthermore, . . . officers found the program `Evidence Eliminator’ installed on defendant's computer, which indicates that defendant knew the images were being automatically saved on his computer. See Bass, 411 F.3d at 1202. [V]iewing this evidence in the light most favorable to the prosecution, we find that the State proved that defendant had dominion and control over the images found in his cache and, therefore, that he `possessed’ child pornography within the meaning of the statute.

People v. Scolaro, supra.

I find the Court of Appeals’ use of Evidence Eliminator interesting. The court apparently believed Scolaro’s use of Evidence Eliminator supported the inference that he knew he had illegal material on his computer. It cited a federal case – U.S. v. Bass, 411 F.3d 1198 (U.S. Court of Appeals for the Tenth Circuit 2005) – as support for that proposition. In the Bass case, the Tenth Circuit Court of Appeals (a federal court of appeals) found that Bass’ use of History-Kill and Window-Washer “to delete child pornography because `he didn’t want his mother to see those images’” supported the same inference, i.e., that the use of software which erases/conceals data inferentially establishes that the user knows the computer contains illegal material.

Those are the only two reported cases I can find that specifically address this issue. Both of these courts found this to be a permissible inference from using data-erasing software. The defendant in the Bass case apparently admitted that he used the two programs for the specific purpose of concealing his possession of child pornography. I don’t know if Scolaro made such a concession or not, since the appellate briefs for the Scolaro case aren’t available online (at least not where I can find them).

I can see the logic behind the inference. I wonder, though, if the inference could be rebutted? That is, if a defendant said he/she used data-erasing software for purposes other than concealing the use of illegal data (such as contraband.). If a defendant said something like, “I used the software regularly to clean out files and data I thought were just taking up space on my computer” . . . something like that . . . would that rebut the inference of knowing possession?

Whether testimony like this could be used to rebut the use-of-data-erasing-software-as-showing-knowledge inference might also depend on a defendant’s ability to show the general purposes for which that particular software is used. If a defendant could show that a sizable number of computer users regularly ran a program – Disk Kleen-up, say – to clear useless or aggravating data off their hard drives, that MIGHT help rebut the inference the Scolaro and Bass courts relied on. It might also help if the program had a more innocuous name than Evidence Eliminator; while I’m perfectly willing to assume it’s a legitimate program commonly used for innocuous purposes, I can see where courts (and prosecutors) might at least implicitly rely on the name as further supporting the use-of-data-erasing-software-as-showing-knowledge inference.


John Burgess said...

Good post.

IANL, but I think there might be some ground for rebuttal, though not quite what you proposed.

The 'eraser' doesn't actually free up any more space, it overwrites data on the disk, already in a position to be overwritten by new data. So, the space is actually unaffected.

What is left is a potentially unreadable data trace.

That the tool he used was called Evidence Eliminator does not help his argument, though. It channels all further thoughts, as you suggest, in one, unfavorable direction.

There are plenty of similar program that emphasize the security of the erasure. They're touted as tools for business and businesses have all sorts of legitimate reasons to securely erase data from hard drives.

Had he argued that he used the program to remove, say, his income tax filings, he could have made a stronger argument.

But, as they say, the totality of the evidence was really stacked against him.

Anonymous said...

A page of child pornography blows out of your neighbor's trash and sticks in your rosebush, exposing you to the possibility of a felony charge. And the state wants to infer that since you have a box of matches and a fireplace, you had them for the purpose of destroying evidence.

In this case, the state wants it both ways. The statute refers to "sufficient time to be able to terminate his or her possession", but wants to draw an incriminating inference from possession of the tool necessary to "terminate possession."

Don said...

Actually, XP routinely "destroys evidence" and good practice calls defragging hard drives which also "destroys evidence".

Although not specifically used for erasing deleted data, defragmentation can destroy much of the deleted data on a hard drive.

Good practice also calls for the "destruction of evidence" when a computer or hard drive is taken out of service. At such times, low level formats (which replace all data with 0's) are done to insure that private information (HIPPA, FERPA and the rest of the alpahbet soup) aren't compromised.

This is sorta reminiscent of Oliver North's comment about his paper shredder when he said that the government bought him the shredder for a reason.

Craig Ball said...

The quote from People v. Scolaro contains a glaring factual error.

The quote:
"The unallocated section of a hard drive is considered the “free space” of the hard drive and is the area to which computer data or images are sent, sometimes automatically, by the Web site the user is visiting."

The quote confuses the unallocated clusters with the temporary Internet file cache. No web site "sends" data or images to the unallocated clusters. If data were stored in the unallocated area, that area would be allocated space (i.e., active data). It's not a trivial distinction.

When temporary Internet file cache is emptied, or when parts of cache are rotated out because time or size limits are exceeded, the areas where the data was stored are released for reuse and, thus, their content becomes part of the unallocated space.

Unfortunately, even many forensic examiners have a spotty appreciation of how data is really stored on computers, especially those who rely too heavily on forensic suites that allow them to think it's all done with a click and a script. The quote may be an example of technobabble being trotted out to mask confusion.

David Schwartz said...

Craig Ball: You are incorrect. Data and images are sent to the unallocated area. They *can't* be sent to the temporary Internet file cache because that contains files *already* cached.

"If data were stored in the unallocated area, that area would be allocated space (i.e., active data)." Correct. The data is not stored in the unallocated area yet. That's why that's where it gets stored when it is stored.

"When temporary Internet file cache is emptied, or when parts of cache are rotated out because time or size limits are exceeded, the areas where the data was stored are released for reuse and, thus, their content becomes part of the unallocated space."

Exactly. So finding data in the unallocated space supports the claim that it was once part of the Internet cache.

Craig Ball said...

Mr. Schwartz:

I'm not incorrect. You need to check your facts. No web site stores data in the unallocated clusters. Not possible. Data and images are not "sent" to unallocated clusters by the website the user is visiting. It's an important distinction.

Yes, emptied cache content, old data or data in excess of quota will rotate out of the temporary Internet file cache to the unallocated clusters, but that is not the same thing as suggesting that web sites store or send data to the UAC. They do not do so, and they cannot do so.

In fact, nothing "stores" data in unallocated clusters (we can debate shadow volumes, but that's not at issue here).

Anonymous said...

When the computer saves a file, it allocates some previously unallocated space, and saves the file there. There is little use in arguing over whether that constitutes "saving the file in unallocated space" or not.

The point is that "temporary internet cache" is not a particular space on the drive, but a designation for what it's used for at a particular time. When the file is erased, the space may be used for some other computer purpose.

It's not clear to me that if an examiner finds a fragment of .jpg in unallocated space whether he can tell it was previously in internet cache, or saved email cache, or user folder.

David Schwartz said...

Craig, you're refuting your own understanding of what was said and now what was actually said. Again, what was said was:

"The unallocated section of a hard drive is considered the “free space” of the hard drive and is the area to which computer data or images are sent, sometimes automatically, by the Web site the user is visiting."

The sending process is done by the web site. Yes, the web site doesn't choose the ultimate end point, but the suggestion neither says nor implies that it does.

The statement is just as correct as saying "Jack called my desk phone" even though the number Jack dialed is for a company whose internal phone system routed the call to your desk phone.

"In fact, nothing "stores" data in unallocated clusters (we can debate shadow volumes, but that's not at issue here)."

By that logic, you can't store something in an empty box, because if there was something stored in it, it wouldn't be empty. But in fact, empty boxes are precisely where people store things, which then become something other than empty boxes.

You are hyper-technically parsing something that is perfectly correct in common usage, and if there's some mistake in the reasoning, you haven't pointed it out.

Craig Ball said...

Mr. Schwartz:

In computer forensics, I suppose I'd rather be thought hypertechnical than resort to the metaphysical to try to make true that which simply is not.

Part of what we deal with in forensics is the link between human behavior and electronically stored information. Whether an event occurs as a consequence of an automatic process locally, remotely or initiated by the user or another actor is important. Sometimes it's the heart of the issue.

It's simply wrong to state that a website sends or stores data to unallocated clusters. That is my point now, and has been my point all along. Other readers can judge for themselves.

Here's an example of a more accurate statement for, say WinXp and IE, so others can see the distinction:
The computer's file system, working in conjunction with a web browser, stores data retrieved from a web site in an active file area called Temporary Internet Files. When a user empties their Temporary Internet File area, the contents are deleted and typically reside in the unallocated clusters until overwritten. In addition, the oldest items in the file cache may be automatically deleted and reside in the unallocated clusters when the space allocated to Temporary Internet Files exceeds a limit defined by the user or by the browser's default configuration.

People's liberty, property and reputation hinge on our being precise and accurate in computer forensics. Stating that 'a web site sends data to the unallocated clusters' is inaccurate and imprecise. It wrongly elides over the roles of the file cache, browser settings and user intervention.

If I were forced to put this difference in the context of your "Jack called my desk phone" analogy, it would be like saying "Jack urinated on my rug" when what you really mean is that the ringing phone startled the dog who soiled the rug.

Professor Don said...

Just another $0.02.

The original statement,

"The unallocated section of a hard drive is considered the “free space” of the hard drive and is the area to which computer data or images are sent, sometimes automatically, by the Web site the user is visiting."

is a fairly severe oversimplification of the process.

It omits the heavy lifter doing the work, namely the operating system (Craig's dog). Any description of a process that omits the operating system can be dangerously flawed because of the many hacks, options and other wrinkles that could be added.

For example, the cache could be redirected off of the hard drive. Or the browser could have the cache turned off. The original statement implies that the website has some control over these actions. It does not. Cache contents are controlled on the client end.

Admittedly, most users allow the OS and browser to operate with default settings which makes the original statement fairly descriptive of the process. But the devil often resides in the details.

Anonymous said...

I use Evidence Eliminator. The guy must not have been using his correctly or often enough if files were recovered from his free space. Good habits make for good security. That's another reason why I use PGP Whole Disk Encryption; in case my data wiping habits get sloppy I have a back-up protecting me. And, no, I just don't have it because of child porn. I have a law practice and you just cannot be too careful with data these days. Old or thrown out hard drives have a way of turning up at inconvenience times.