Monday, November 12, 2012

FTK, KFF and the Motion to Suppress

After he was “indicted on one count of possession of child pornography in violation of 18 U.S. Code §§2252A(a)(5)(B) and (b)(2)”, Christopher Schlingloff moved to suppress the evidence found on “his laptop and external storage device.”  U.S. v. Schlingloff, ___ F. Supp. 2d ___, 2012 WL 5378148 (U.S.District Court for the Central District of Illinois 2012).

The prosecution began on November 3, 2010, when federal “agents obtained a warrant to search the residence located at 1816 2nd Avenue, Rock Island, Illinois, for evidence of passport fraud and harboring an alien.” U.S. v. Schlingloff, supra.  The affidavit submitted in support of the application for the warrant “indicated there was reason to believe that computer devices found in the residence would contain records related to these crimes due to the fact that one target of the investigation had used computer devices in the past to generate, store, and print documents used in the passport scheme.”  U.S. v. Schlingloff, supra.

Schlingloff was not the target of the investigation but was “present in the residence” when the warrant was executed and “informed agents that he was living there with the targets.”  U.S. v. Schlingloff, supra.  The agents seized “[a]pproximately 130 media devices”, including “a laptop and external storage device belonging to Schlingloff”.  U.S. v. Schlingloff, supra. The “items were sent to the DSS Computer Investigations and Forensics Division office in Arlington, Virginia, for analysis.”  U.S. v. Schlingloff, supra.

In December, 2010, Agent Scott McNamee, a computer forensic analyst, examined the

seized devices. In doing so, [he] used a computer software program known as Forensic Tool Kit or FTK to index/catalog all of the files on the devices into viewable formats. The Known File Filter or KFF in the software was enabled to flag and alert during processing to certain files that are identifiable from a library of known files previously submitted by law enforcement, such as contraband or child pornography. McNamee described enabling the KFF alert as his standard operating procedure.

The KFF alert in this case identified two video files entitled `Vicky’ as child pornography. Based on his investigation of . . . child pornography cases in the past, McNamee suspected the files contained child pornography and briefly opened the[m] to confirm his belief. 

McNamee observed the image of a naked prepubescent girl and an adult male, closed the file, and stopped any further processing of both the laptop and the external storage device. He then notified Agent Michael Juni about his discovery.

U.S. v. Schlingloff, supra.

Based on what McNamee had observed, Juni prepared an application for a warrant

to search the laptop and external storage device for evidence of receipt and possession of child pornography. A warrant issued on February 4, 2011, and . . . 33 video files containing known child pornography were found on these devices. Files were also found indicating Schlingloff was the owner and operator of the two devices.

U.S. v. Schlingloff, supra.

On July 21, 2011, Schlingloff was interviewed and “admitted to downloading and viewing child pornography on the laptop in question.” U.S. v. Schlingloff, supra.  On August 17, 2011, he was charged with possessing child pornography. U.S. v. Schlingloff, supra. He then moved to suppress the evidence found on the laptop and external storage device. U.S. v. Schlingloff, supra.

The district court judge denied the motion to suppress based in part on his

mistaken belief that the filters in the FTK system had to be applied on an all or nothing basis and that the agent lacked the ability to disable the portion of the KFF specifically alerting to known child pornography or other contraband. . . . Schlingloff filed a Motion to Reconsider, bringing the factual error to the Court's attention and making it clear that the KFF alerts can be disabled or not affirmatively enabled as part of the processing with very little effort.

U.S. v. Schlingloff, supra.

The judge heard oral arguments on the motion to reconsider his denial of the motion to suppress and then issued this opinion. U.S. v. Schlingloff, supra. 

The 4th Amendment requires that search warrants “particularly describe the place to be searched, and the . . . things to be seized.  This is intended to outlaw “general warrants” and thereby “prevent a general exploratory rummaging through one's belongings.” U.S. v. Mann, 592 F.3d 782 (U.S. Court of Appeals for the 7th Circuit 2010).  Schlingloff argued that “the use of the KFF filter in the FTK program to flag known files containing child pornography enabled the agents to unreasonably broaden a limited search for evidence of passport fraud into a general search for evidence of any illegal activity.” U.S. v. Schlingloff, supra.  In other words, he claimed the warrant did not satisfy the 4th Amendment’s particularity requirement, which would make it unconstitutional.

The judge found that to “the extent” Schlingoff suggested that the use of the

FTK software in and of itself exceeded the scope of the warrant per se, his argument is unpersuasive. The 7th Circuit has held that the use of the FTK filtering software to index and catalogue files into a viewable format does not, in and of itself, exceed the scope of a warrant based on the fact that digital evidence could be found virtually anywhere on a computer. U.S. v. Mann, supra.

U.S. v. Schlingloff, supra. 

He also, though, found it necessary to address Schlingloff’s other two arguments:

(1) even if the use of the FTK software in and of itself is not problematic, enabling the KFF alerts in cases that do not involve suspected child pornography or some closely related cause of action necessarily broadens the scope of the search in an unconstitutional manner, and/or (2) the opening of the child pornography files by McNamee takes the search beyond the scope of the warrant.

U.S. v. Schlingloff, supra. 

The judge noted that, apparently when he testified on the motion to suppress or the motion to reconsider, McNamee conceded that despite the fact that he “was searching for evidence of passport fraud or identity theft, he consciously and affirmatively checked the box to include the KFF alerts for child pornography because that is his standard operating procedure.”  U.S. v. Schlingloff, supra.  He also testified as follows:

Q. (By Mr. Tasseff) [Y]ou wouldn't have received those alerts had you restricted your search for the objects of the warrant and clicked the hide button for KFF Alert, correct?

A. (By Agent McNamee) I would not have clicked on the KFF.

Q. You didn't in this instance, correct?

A. No, I clicked to include the KFFs. . . .

Q. You went ahead and did that because that's your standard operating procedure, isn't it?

A. Yes.

Q. The 30 some cases that you have done, you have done it every time, correct?

A. Correct.

Q. Does your agency investigate strictly child porn cases?

A. No, it does not.

Q. In fact, this child porn case is a rare exception to the general rule, isn't it?

A. Yes. . . .

Q. But you used the forensic tool that alerted you to the presence of child porn in a non-porn case, didn't you sir?

A. Correct.

U.S. v. Schlingloff, supra. 

The judge explained that McNamee’s testimony and the FTK User Guide revealed that

the user can either choose to apply an existing, predefined filter or customize a filter based on the purposes of the search with relative ease by checking various boxes in the setup menu. . . . [T]he Court now understands it is simple to make selections that allow the user to take advantage of the utility of the FTK program to categorize and sort out common known files such as program files, etc., without being required to flag the KFF alerts for child pornography files as part of the process.

The search did not end with flagging the child pornography files during preprocessing, however. After the KFF alerted to the two files in question, McNamee believed he recognized them to be part of the `Vicky’ series of child pornography based on their hash values and his experience. Rather than stopping at this point to obtain a warrant to search for images of child pornography, McNamee briefly opened each file in order to confirm his suspicions before stopping any further processing and notifying Juni. 

U.S. v. Schlingloff, supra. 

The judge found that given this information, it was necessary to grant Schlingloff’s motion to suppress.  U.S. v. Schlingloff, supra.  He noted that in U.S. v. Mann, supra, the Court of Appeals held that an agent who opened files the KFF alert flagged as child pornography exceeded the scope of a warrant to search for “images of women in locker rooms”.  U.S. v. Schlingloff, supra. 

And the judge found that by opening the “Vicky” files flagged by the KFF alert, McNamee

knew or should have known those files would be outside the scope of the warrant to search for evidence of passport fraud or identity theft, particularly as the warrant did not specifically refer to evidence found in video files. . . .

Additionally, in light of the admitted ability to confine the FTK search by not enabling the KFF filter for child pornography alerts, the Court finds McNamee took an affirmative additional step to enable the KFF alerts that would identify known child pornography files as part of his search for evidence of passport fraud or identity theft. In a case where the professed subject matter sought in the search bore no resemblance to child pornography, it is difficult to construe this as anything other than a deliberate expansion of the scope of the warrant, or at the very least, an affirmative step that effectively did so.

U.S. v. Schlingloff, supra. 

Since the judge rejected the government’s argument that the files were in plain view or would inevitably have been discovered in a manual search, he granted Schlingloff’s motion to suppress.  U.S. v. Schlingloff, supra. 

No comments: