Monday, May 13, 2013

Peer Spectre, Evidence and Child Pornography

After he was convicted, after a bench trial, of 32 counts of pandering sexually oriented matter involving a minor in violation of Ohio Revised Code §§ 2907.322(A)(2) and 2907.322(A)(1) and one count of possessing criminal tools in violation of Ohio Revised Code § 2923.24(A), Carlos Diaz appealed.  State v. Diaz, 2013 WL 1501046 (Ohio Court of Appeals 2013).  On appeal, Diaz argued that the prosecution’s evidence at trial was

Insufficient to support his convictions. [Diaz] believes there was insufficient evidence as to his identity as the perpetrator of the crimes. He also contends that the state did not establish that he knew there was peer-to-peer software on his computer equipment or that his computer was used to advertise or disseminate the prohibited material.

State v. Diaz, supra.

The Court of Appeals began its analysis of Diaz’s arguments by noting that when it 

reviews a claim of insufficient evidence, `”the relevant inquiry is whether, after viewing the evidence in a light most favorable to the prosecution, any rational trier of fact could have found the essential elements of the crime proven beyond a reasonable doubt.”’ State v. Leonard, 104 Ohio St.3d 54, 818 N.E.2d 229 (Ohio Supreme Court 2004) (quoting State v. Jenks, 61 Ohio St.3d 259, 574 N.E.2d 492 (Ohio Supreme Court 1991)).

State v. Diaz, supra.  It also explained that this standard required the court to determine

whether there was any evidence that, if believed, would support convictions against defendant for violations of Ohio Revised Code §§ 2907.322(A)(1) and (2), which provide:

(A) No person, with knowledge of the character of the material or performance involved, shall do any of the following:

(1) Create, record, photograph, film, develop, reproduce, or publish any material that shows a minor participating or engaging in sexual activity, masturbation, or bestiality;

(2) Advertise for sale or dissemination, sell, distribute, transport, disseminate, exhibit, or display any material that shows a minor participating or engaging in sexual activity, masturbation, or bestiality[.]

State v. Diaz, supra.

The court then reviewed the evidence presented at Diaz’s trial, noting that one of the witnesses, Rick McGinnis is “an investigator assigned to Ohio's Internet Crimes Against Children Task Force (`ICAC’).” State v. Diaz, supra. McGinnis “participated in the investigation that led to [Diaz’s] arrest . . . and he utilized law enforcement software known as Peer Spectre.” State v. Diaz, supra. As this court explained, Peer Spectre is a

search program that operates on the Gnutella network, which is a public peer-to-peer network where people share their computer files back and forth. The Gnutella network enables people to log onto the Internet to search, find, retrieve, and download shared files from other computers, including child pornography. 

The search will reveal an IP address and SHA1 values, and from this information, the user can download the desired file from the computer(s) that offered to share it. Peer Spectre conducts an automated search that identifies file sharing of known or suspected child pornography associated with a specific IP address.

Each time Peer Spectre is used by a law enforcement agency anywhere in the world, the results are compiled in a centralized server. The information logged into the central database includes the IP address, the port it came from, and the date and time of the search. Law enforcement agencies are then enabled to query the information that Peer Spectre recorded into the central server.

State v. Diaz, supra.

(In a footnote, the court explained that “SHA1 stands for Secure Hash Algorithm 1, which consists of 32 digits and functions as a file's digital signature or unique identifier, which cannot be altered.” State v. Diaz, supra. McGinnis testified that “SHA1 values are accurate in identifying a file to the 160th degree, which is `better than DNA.’” State v. Diaz, supra. And it added that there is a

certainty exceeding 99.99 percent that two or more files with the same SHA1 value are identical copies of the same file regardless of the file name. If any part of a file is altered in any way, the SHA1 is changed.

State v. Diaz, supra.)

When he testified for the prosecution in Diaz’s case, McGinnis identified state’s exhibit

No. 1 as being an IP activity report, which references a specific IP address, SHA1 values, and contains dates ranging from April 28, 2009 to May 6, 2009. From that, he was able to identify movies and images of child pornography being associated with that IP address. 

McGinnis created state's exhibit No. 13, which is a disk with copies of the child pornography files that he had identified from state's exhibit No. 1.

State v. Diaz, supra. He also testified that “the files identified by Peer Spectre are located in a person's computer in a `shared file’ after being downloaded from the Gnutella network.”  State v. Diaz, supra.

The Court of Appeals then explained that, at Diaz’s trial, after a “few of the videos” were

played in open court, the defense stipulated that state's exhibit No. 13 showed `a minor participating or engaging in sexual activity, masturbation or bestiality’ for purposes of Counts 1 through 31 of the indictment. However, the defense did not stipulate that the videos and images belonged to [Diaz] or that he had recorded them.

State v. Diaz, supra.

Getting back to McMinnis’ investigation, he also learned, from records he subpoenaed

from Time Warner, that [Diaz’s] son, Randy, was the subscriber for the relevant IP address. Randy's address was an apartment in Brook Park, Ohio. Police conducted surveillance of that residence and obtained a search warrant. 

McGinnis participated in executing the warrant on September 10, 2009, at 9:19 a.m. During the search, the following items were seized: an Enermax black computer, a Buffalo hard drive, and a Hitachi hard drive.

State v. Diaz, supra.

Another witness -- Luis Vargas -- testified that Diaz is related to his stepfather. State v. Diaz, supra. Vargas and his cousin Julio spent the night at Diaz’s residence five or six times in 2009, when they were “about 12 and 15 years old, respectively.” State v. Diaz, supra. Diaz lived at the apartment where the officers executed the warrant, and Vargas

said [he] lived alone in this one-bedroom apartment. [Diaz] had a computer in his bedroom and would show the boys adult pornography. [He] would not allow the boys to use his computer. Although [Diaz] told Vargas he `didn't have the internet,’ Vargas . . . saw [Diaz] accessing YouTube and Google. Vargas never saw anyone besides [Diaz] using the computer.

State v. Diaz, supra.

Another witness -- Investigator Rice – “is an investigator with the Cuyahoga County Prosecutor's office and is assigned to the ICAC task force.” State v. Diaz, supra. Rice istrained as a computer forensic examiner, and the defense stipulated to his expertise in computer forensic analysis. State v. Diaz, supra. He was present at the search of the residence in September 2009 and testified at Diaz’s trial that child pornography was

found on several computer drives seized during the search. He was able to determine the file names, the date they were created on the computer hard drive, and when each was last accessed from that computer. For example, one file on the Western Digital hard drive was created on May 11, 2009, at 1:48 p.m. and was last accessed on August 13, 2009, at 7:30 p.m. The defense stipulated to the contents of the videos as involving children engaging in sexual activity for purposes of Counts 9 through 32.

State v. Diaz, supra.

Rice also found file-sharing programs on the equipment seized from the residence. State v. Diaz, supra. The court explained that, when LimeWire

is installed, it creates a folder that is called `shared.’ This is the file that is used when a person is online to connect with, and share content, with other peers. `Carlos port’ was the file path associated with it on the hard drive. Rice also found FrostWire, another file-sharing program, on an HP Pavilion desktop computer.

During cross-examination, Rice indicated it is possible for viruses to be placed in people's files where data can be disguised and sent without the recipient's knowledge of its content unless they opened it. In this case, the child pornography files were downloaded, accessed again at later times, and none of them had been deleted.

State v. Diaz, supra.

In testifying Rice also confirmed that those with “training and skill” can

hack into computers and place things on other people's computers without their knowledge. Rice has seen computers that have been remotely accessed, which leaves artifacts that evidence the remote access. 

He used the Forensic Tool Kit created by AccessData to determine whether [Diaz’s] equipment had been remotely accessed. Rice did not find any artifacts or evidence that defendant's equipment had been remotely accessed by anyone.

State v. Diaz, supra. So the Court of Appeals noted that “there was no evidence that someone else was using [Diaz’s] wireless connection without his knowledge because the actual files were found on his equipment.” State v. Diaz, supra.

The opinion also says that (perhaps in testifying at trial) Diaz told investigators he had “two computers: a laptop and a PC.” State v. Diaz, supra.  He told Detective Bonnette, who assisted with the search of his apartment and interviewed him, that “he was the only person who used the computers.” State v. Diaz, supra. Diaz “denied using FrostWire or LimeWire . . . because they caused viruses” but Bonnette “felt [Diaz] was being evasive.”  State v. Diaz, supra.

The Court of Appeals then reviewed Diaz’s defense and the trial judge’s finding of fact after all of the evidence was presented at Diaz’s bench trial:

The court noted that [his] primary defense was that he was not the person who imported or placed the child pornography on the computers. The court found the state had proved that he was the person who downloaded the child pornography beyond a reasonable [Diaz] told police he lived alone. 

The court also cited Vargas's testimony, which indicated [Diaz] did not allow him to use the computer and Vargas only saw [Diaz] using the computer. While there was some evidence other people had lived in the apartment, the court expressed `no substantial belief that they had any access to the computer.’

The evidence establishes that the child pornography files were downloaded and re-accessed at a later time. That fact, coupled with the evidence [Diaz] was the only person who used the computers, provided evidence as to [his] knowledge of the . . . contents of the files.

While [Diaz] suggests a computer virus could have caused the child pornography to be placed on his computer without his knowledge, there is no evidence to support this theory. The computers were searched for evidence of remote access, and none was found.

State v. Diaz, supra.

The Court of Appeals therefore held that there was “sufficient evidence to support [Diaz’s] convictions”, and so affirmed his convictions and, I assume, sentence.  State v. Diaz, supra.  The opinion does not say what the sentence was.

No comments: