Monday, August 27, 2012

The Thumbcache, Malware and Child Pornography

After being convicted of 65 counts of “possession of materials portraying a sexual performance by a minor” in violation of Kentucky law, Samuel Crabtree appealed.  State v. Crabtree, ___ S.W.3d ___, 2012 WL 3538316 (Kentucky Court of Appeals 2012). 
This is how the prosecution arose:
In late October 2009, Crabtree was a student at Eastern Kentucky University (EKU). He experienced problems with his computer -- primarily, that it was running too slowly. Believing his computer was infected with malware, he took it to Resnet, a vendor that provides computer services for EKU's students.

While working on Crabtree's computer, one of the Resnet technicians discovered some suspicious filenames. Resnet contacted the campus police. EKU police then confiscated the computer and transported it to the Kentucky State Police laboratory in Frankfort.

When Crabtree contacted Resnet to retrieve his computer, he was advised to contact EKU police. He went to the station unannounced and spoke to Detective Collins, who told Crabtree that his computer had been confiscated.

Crabtree readily admitted he had used the internet to look up shock videos and had viewed some videos and still images that were child pornography. Crabtree told Collins the material sickened him; and so he had tried to delete them. Crabtree wrote down his account of what happened for Collins.

State v. Crabtree, supra. 
Crabtree was indicted on 67 counts of possessing matter portraying a sexual performance by a minor, convicted of 65 counts of that offense and one count of criminal attempt to possess matter portraying a sexual performance by a minor. State v. Crabtree, supra.  He was sentenced to 5 years in prison for each possession count and 1 year for the attempt account—all to be served concurrently. State v. Crabtree, supra. 
The Kentucky State Police’s Electronics Branch conducted a
forensic analysis of Crabtree's computer. Even though it had already been partially cleaned by Resnet, the technician discovered five videos containing child pornography in a system file labeled `Saved.’ She also identified sixty-two images in some hidden files that she flagged as child pornography.

State v. Crabtree, supra.
Crabtree’s first argument on appeal was that the evidence did not “support a charge that he knowingly possessed the illegal materials.”  State v. Crabtree, supra. The Court of Appeals began it analysis of that argument by outlining standards articulated by the U.S. Court of Appeals for the 9th Circuit.  In U.S. v. Kuchinski, 469 F.3d 853 (9th Circuit 2006), the court held that knowingly receives and possesses child pornography images “when he seeks them out over the internet and then downloads them to his computer.”  And in U.S. v. Romm, 455 F.3d 990 (9th Cir. 2006), the 9th Circuit held that in “the electronic context, a person can receive and possess child pornography without downloading it, if he . . . seeks it out and exercises dominion and control over it.” 
The Kentucky Court of Appeals noted that the prosecution’s evidence was
threefold, consisting of: the videos, the still images, and Crabtree's confession. The videos were discovered in the Saved and Incomplete folders in an application called Limewire, a now-defunct `peer-to-peer’ sharing network. Such a network allows users to share files with other users -- be they music, photographs, documents, or videos. Special software was required in order to access that network.

Users obtained files on Limewire by typing in search criteria. Limewire returned a list of files related to the search words. A user would click on the file he wished to download. Limewire would respond with a dialog box asking if the user was sure he wanted to download the file.

The download would not commence until the user confirmed the instruction by again clicking on the `yes’ button. Thus, the application gave the user two opportunities to consider whether he actually wanted a file to be downloaded to his computer.

When a user downloaded a file through Limewire, the download would be automatically stored in the Saved folder. If a file failed to download even a miniscule piece of information, the application would place it in the Incomplete folder.

However, many files could still be viewed even if Limewire labeled them as Incomplete. Crabtree argues that the crime lab was unable to conclusively say he had watched the videos. Neither, however, could the lab determine that the videos had not been watched.

The still images were found in the thumbcache of Crabtree's computer. Thumbcache is a type of file that is automatically generated with certain versions of the Windows operating system. The catalogued images include photographs that were viewed as well as the opening frame of videos that had been watched, generating a `thumbnail’ marker of the original file. 

Thumbnails are reduced versions of larger images; they are stored in files and used for identifying and organizing photo and video files.

Thumbcache files are hidden; most casual computer users are not aware of their existence, and special software is required to view the contents. Because thumbcache creates a brand-new, separate file of an image that is viewed, the thumbnail remains stored in the thumbcache even if the original file is deleted. It is essentially a collection of fingerprints of images that have been on the computer.

State v. Crabtree, supra (emphasis in the original).  The opinion notes that
Crabtree's laptop had the Windows Vista operating system. In earlier versions of Windows, the thumbcache was known as thumbs.db; the new filename is thumbcache.dll.

State v. Crabtree, supra. 
The court also explained that the KSP’s Electronics Branch

flagged 67 images from the thumbcache of Crabtree's computer. Some were recognized as opening frames of videos which are well-known to collectors of child pornography and to law enforcement specialists. The KSP expert testified that it was impossible to determine which ones had been watched or viewed. However, in order to be located in the thumbcache, the images had to have appeared on the screen: thus, to have had possession.

State v. Crabtree, supra (emphasis in the original).
The Court of Appeals therefore found that the “evidence was `beyond mere suspicion that Crabtree had possessed the images found.” State v. Crabtree, supra. 
As noted above, the prosecution also relied on Crabtree’s confession.  State v. Crabtree, supra.  Crabtree signed the following statement:
`A while ago, out of boredom and curiosity I looked at some mature content using limewire [sic ]. . . . I looked to find disturbing images or videos that would shock me. Some of these could be classified as child pornography. I tried to delete these things from my laptop. . . .

I realize that looking at this type of stuff was wrong and I feel sick because I did look at things that I should not have looked at. However I did not realize that anyone would find out.

State v. Crabtree, supra. 
The Court of Appeals found that this statement “corroborated what was found in the Limewire folders and in the thumbcache.”  State v. Crabtree, supra.  It also noted that the thumbcache images corroborated
Crabtree's assertion that he deleted illegal images of child pornography. Furthermore, in his discussion with Collins, Crabtree described a video he had watched in detail. Traces of this video were not found on the computer. The expert testified that it was possible that an innocuous image in the thumbcache could have been the opening frame of that video, causing it to not be flagged in the forensic analysis.

State v. Crabtree, supra. 
Based on all this, the court found that Crabtree’s
confession -- along with the Limewire content and the thumbcache images -- demonstrated that it was reasonable for a jury to believe that Crabtree had sought out and had either downloaded or viewed the illegal images. He had control of them and he possessed them.

State v. Crabtree, supra. 
Crabtree also “urge[d]” the Court of Appeals to }consider that his merely viewing child pornography images before deleting them should not be deemed to constitute actual possession.”  State v. Crabtree, supra.  The court concluded, however, that after
reviewing the facts . . . we are not persuaded that this is a valid argument in light of the 9th Circuit's definition of possession in Romm, supra: that the act of seeking out child pornography and exercising control over it constitutes criminal possession -- regardless of whether it is downloaded.

Crabtree admitted to seeking out the material and to having it on his computer. Some of the videos remained, and numerous videos and images left their traces in the thumbcache. His attempt to clean up the computer by deleting the files does not purge him of the crime committed.

Rather, it clearly illustrates an attempt at a cover-up after the fact. Furthermore, as Romm holds, Crabtree had the images in his control: he could have saved, printed, or shared them before he deleted them.

While Crabtree alludes to the possibility that the files mysteriously appeared on his computer by some accident, he did not present any evidence at trial to support this theory. On the contrary, in order for the videos in the Limewire folders to have been downloaded, Crabtree had to click twice -- once on each file name, and then again to confirm the download. The filenames were explicit.

They are too vulgar to be repeated in an opinion of this Court, but it is beyond dispute that the filenames clearly stated sexual content and included the ages of the children depicted in them.

State v. Crabtree, supra. 
For this and other reasons, the Court of Appeals affirmed Crabtree’s conviction and sentence.  State v. Crabtree, supra. 
The court also included a rather cryptic passage in its opinion, one I, at least, wish it had expanded to provide more details on the issue it was concerned about:

We note that this case demonstrates a need for technical training among legal professionals. There were several instances during the trial when it appeared that counsel for each party attempted to elicit testimony from the experts but failed because of confusion of technical terms.

 In this particular case, the evidence of guilt was overwhelming, but we anticipate that this communication gap could be damaging in cases with weaker evidence.

State v. Crabtree, supra. 


Anonymous said...

What the court meant by that passage you referred to is that both of the attorneys were n00bs and clueless ones at that. (In part, a n00b is "An insult describing a person who is not only lacking in knowledge of something, but also blatantly refuses to learn about it and even berates those who would benefit him with experience."

This is the EXACT reason why old people have no business writing laws about anything having to do with computers or crimes involving computers or the interwebs. Or even being DAs or defense counsel in said matters.

This guy is sooo stupid I hope they NEVER let him out of jail. This line here captures just how stupid this guy is: "I feel sick because I did look at things that I should not have looked at."

Having laws that tell you what you are allowed to look at and not allowed to look at is the stupidest thing ever in the history of the world. Why can I look a murder videos and videos of women being raped (not play acting rape, but the REAL deal - and u can tell the difference!), but why can I watch stuff like that and it is all legal?

Anonymous said...

His confession crucified him. This man is a fine example of why one should never speak to the police. I doubt the images alone would have been used to convict him as the governments forensic expert could not testify for certitude where the CP on the laptop was viewed.