While peer-to-peer (P2P) networks are used by many people who like to share music, graphics, images and movies, they are also commonly used by offenders to share child pornography. The anonymity and ease of use that the Internet offers combine to make parts of it a hotbed of criminality and exploitation. P2P networks allow collectors of child pornography to download and trade movies and images with others in the network. In effect, individuals in these networks maintain “libraries” of images for others to share. Fortunately there are tools that can identify sharing of child pornography in P2P networks. This course provides the critical training you need in order to use the tools that are available to combat these crimes. You will learn about IP addressing, how to search for downloads and contraband, legal issues you need to consider when building your case, and much more.
Audience: All high-tech crime investigators
Prerequisites: Background in online investigations; Understand and have experience with the basic computer crime scene.
Length: 3 days
We begin by reminding you that the purpose of this course is to train you in methods to ultimately rescue children by removing child predators from the Internet.
We show you why Firefox—supplemented by our list of recommended add-ons—will soon become your favorite Internet browser to use for investigations. You’ll see a demonstration of some Firefox Add-ons that will speed up your investigations by increasing functionality. Many of these add-ons fall under the category of “You better hurry up and grab it now, because it might be gone later.”
We begin to lay the foundation for this course by defining peer-to-peer (P2P) networks. Then we identify major P2P software applications, and show you the methods used to trade files in a P2P environment. You’ll see how P2P networks are used globally to exchange images and videos depicting the sexual exploitation of children. We introduce you to two key law enforcement tools for P2P investigations: the Child Protection System (CPS) and ShareazaLE.
CPS is a suite of programs centered on a web-based interface; it provides access to investigative data that has been gathered by automated tools or law enforcement searches. The CPS web interface allows investigators to query the database, provide deconfliction, and create investigative jobs.
ShareazaLE is a version of the P2P client software, Shareaza, that has been modified for law enforcement use.
IP Addressing/ Digital Officer Safety
Our first general rule for law enforcement is this: always practice digital officer safety. This means that you need to understand the concept of Internet Protocol (IP) addressing and know your IP address when conducting undercover investigations. In this block we discuss IP addressing and how it can be used to identify suspects. You’ll learn what an IP address is and see the different ways IP addresses are assigned. You’ll also learn how IP addresses can be useful to law enforcement and how to resolve IP addresses back to a subscriber. Finally, you will participate in an exercise to identify an IP address and resolve it back to the Internet Service Provider.
Installing/Configuring Your System
We show you how to set up your computer so that your P2P undercover (UC) operations are conducted without risk of placing child pornography back into circulation. We discuss the requirements for a UC computing environment and you will participate in an exercise to install and configure a UC system.
Searching for Downloads/Contraband
During this hands-on lab, we’ll show you how to use Phex, a Gnutella P2P client, to locate and download files. You’ll use search terms to establish the likelihood of finding child pornography on the Internet, and SHA-1 values to identify prospective downloads. By matching digital signatures, you’ll verify which download opportunities will best match the prosecution criteria in your local jurisdiction. We show you how to browse a host and conduct a download from a single source. Your assignment will be to locate and download specific criminal files.
Peer Spectre 2
We introduce you to another tool—Peer Spectre 2—and demonstrate its capabilities for investigators. We walk you through installation and setup and show you how it integrates with CPS.
Child Protection System
After a quick review of what we covered yesterday, we launch into a demonstration of CPS and familiarize you with the CPS interface and the functions associated with the system’s features. We discuss data types and sources, and the types of queries and reporting available. We cover query scoring and IP logging, and the use of CPS to deconflict with other investigators.
Advanced CPS Tools – ShareazaLE
The next tool we show you is ShareazaLE, a P2P file sharing system. We explain its role in CPS and review how to launch jobs via CPS. We talk about single-source downloads and browses of target IPs, and show you the logs and documentation it generates. In the classroom you will use CPS and ShareazaLE to identify likely targets within your jurisdiction and launch jobs to browse and download identified files. You will retrieve generated log files and review the documentation created to support the case. You will also learn about Query Routing Protocol and how it relates to investigating P2P networks.
Advanced CPS Tools – Media Library
In this block we show you how to handle and categorize images and video files to create your Media Library, a supplement CPS application. Using material downloaded in prior exercises, you will use Media Library to view and locally classify images and videos. We’ll show you the proper storage of contraband, and introduce you to download magnets. You’ll see how to use ShareazaLE to accept jobs created in Media Library to obtain needed files.
We begin our legal discussion by helping you define the location of your crime scene. Is it on a laptop? Cell phone? In the cloud? We talk through the pros and cons of different types of searches: consent, warrant, and exigent circumstance. We show you the legal issues surrounding P2P cases and walk you through two different digital evidence collection scenarios. We show you what should be put in a warrant. You’ll learn about pre-search warrant execution activities and special precautions that you should take.
We talk about Federal privacy statutes, including the Electronic Communications Privacy Act (ECPA) and the Privacy Protection Act. Our discussion about evidence in cyberspace includes information on the Stored Communications Act, which is likely going to control most of the evidence you are looking for. When we’re finished, you should have all the information you need in order to complete your affidavit.
Building a Case
This is an opportunity to put your newfound skills to the test. If you were able to find information for your jurisdiction during this course, we’ll help you begin to build your case. For some investigators, that means conducting a live investigation while attending this course—a great way to multitask.
Mr. Andrew T. Owen is Director of Information Sharing Programs for SEARCH, The National Consortium for Justice Information and Statistics, where he oversees SEARCH initiatives to support justice and public safety information sharing nationwide. These initiatives focus on providing direct assistance to federal, state, local, and tribal organizations to improve their use of technology, information sharing, and communications interoperability in mission-critical projects. Initiatives include consultation and facilitation, strategic planning for information sharing and technology deployment, architecture development, business process modeling and analysis, service specification development, performance management, voice and data integration planning, application of technology standards, and developing effective governance and funding models.
Since joining SEARCH in 2006, Mr. Owen has worked on multiple projects focused on integrated justice information systems planning and implementation, including the National Information Exchange Model (NIEM), the Global Reference Architecture (GRA), and the Justice Information Exchange Model (JIEM®). He has provided programming and configuration assistance, consultation on implementation architecture, training, technical assistance, and research to jurisdictions nationwide in planning and implementing information sharing solutions, as well as developing information sharing standards and technical architecture. He has also played a key role in supporting members of the Open Justice Broker Consortium (OJBC).
Mr. Owen formerly was Lead Systems Analyst for the National Law Enforcement and Corrections Technology Center–Northeast (NLECTC-NE). In this role, he provided information sharing technical assistance and consulting services to many state and local law enforcement, courts, and corrections agencies.
Mr. Owen is experienced with JIEM, NIEM, and the IEPD development process. He has supported a number of Global and NIEM efforts, including developing corrections-related reference IEPDs, the New York State in-state Rap Sheet IEPD, California Courts IEPDs, , and several incident reporting projects that leverage the FBI’s Law Enforcement National Data Exchange (N-DEx) IEPD. Mr. Owen regularly serves as a presenter at conferences to discuss information sharing approaches and methodologies and has authored technical briefs on JIEM, NIEM, Web Services, XML, and related topics. He has led the policy and technology aspects of establishing identity management federations, using the GFIPM (Global Federated Identify and Privilege Management) guidelines and open source software, at the state level, allowing integrated justice initiatives to improve security while providing practitioners with seamless access to information.
Mr. Owen also has provided support to the U.S. Department of Justice’s Global Justice Information Sharing Initiative (Global). He participated on the Global Tech team and its XML Structure Task Force (XSTF), is actively involved in NIEM curriculum development, and is a NIEM training instructor. He has developed training materials, provided training to local and state justice agencies, and instructed at NIEM “train-the-trainer” events. In 2011, he was appointed co-chair of the NIEM Technical Architecture Committee (NTAC), representing state, local, and tribal organizations. Since becoming co-chair, he has played a lead role in establishing a Unified Modeling Language profile for NIEM and in developing the NIEM 3.0 technical architecture.
Mr. Owen has a bachelor’s degree in Applied Networking and Systems Administration from the Rochester Institute of Technology, New York. He has achieved SEARCH JIEM certification and is a Certified ScrumMaster® (CSM).
Mr. Timothy Lott is Director of the High-Tech Crime Training Services Program of SEARCH, The National Consortium for Justice Information and Statistics. He oversees a national program that provides expert technical assistance and training to local, state, and federal justice and public safety agencies on successfully conducting electronic crimes investigations.
These courses focus on teaching how to investigate Internet and computer crimes, online child exploitation, cellular devices, and social networking sites, and the proper search and seizure of home and small office networks. The High-Tech Crime Training Services team led by Mr. Lott also provides hands-on assistance in systems security and computer forensics.
Mr. Lott joined SEARCH in 2010 as a High-Tech Crime Training Specialist. He coordinated and provided training on high-tech crime investigations and forensics; provided technical assistance to law enforcement agencies in active cases; prepared training curricula; and presented at conferences throughout the United States. He was promoted to his current position in 2011.
Mr. Lott previously worked for 6 years as a Deputy Probation Officer for the Sacramento County (California) Department of Probation, and another 2 years as a Probation Assistant. He was assigned to the Sacramento Valley Hi-Tech Crimes Task Force, and helped conduct multijurisdictional investigations involving white-collar crime, organized crime, crimes against persons, and fraud when high-technology or identity theft is a factor. He also supervised a caseload of adult and juvenile probationers.
His assignment on the Task Force required him to conduct probation compliance checks on offenders who had been convicted and placed on probation for offenses involving the possession of child pornography, stalking via social networking sites or cell phones, and identity theft. In August 2009, Mr. Lott was cross-designated as a Special Deputy United States Marshal.
Mr. Lott is a member of the American Probation and Parole Association, American Criminal Justice Association, and High Technology Crime Investigation Association. He earned a bachelor’s degree in Criminal Justice from California State University-Sacramento. He is a certified Instructor through the California Commission on Peace Officer Standards and Training (POST), Robert Presley Institute of Criminal Investigation / Instructor Development Institute (ICI/IDI).
Mr. Justin Fitzsimmons is a Program Manager in the High-Tech Crime Training Services (HTCTS) department of SEARCH, The National Consortium for Justice Information and Statistics. He helps coordinate training with law enforcement agencies, prepares budgets, oversees the HTCTS project staff, and develops high-tech crime training projects for justice, public safety, and homeland security agencies nationwide. He also conducts legal, policy, and regulatory research, prepares white papers, and provides assistance and instructional services to justice, public safety, and homeland security agencies, particularly in digital evidence recovery, investigation, and prosecution.
Mr. Fitzsimmons is conducting a national research effort to determine the current capabilities of law enforcement to investigate crimes with digital evidence and make recommendations to decision-makers about resources to assist law enforcement. He also presents at conferences and trainings, participates on advisory committees and task forces, and supports agencies and jurisdictions as they create and implement effective procedures, practices, and technology applications that seek to combat high-tech crime and recover digital evidence.
Before joining SEARCH in 2012, Mr. Fitzsimmons worked for the National District Attorneys Association, where he was Senior Attorney for its National Center for Prosecution of Child Abuse beginning in 2009. He responded to requests for assistance in child sexual exploitation cases from prosecutors and law enforcement around the United States, designed and presented training seminars, and published articles on emerging technological issues in child sexual exploitation. From 1998–2009, he was an assistant state’s attorney (ASA) in the State’s Attorney’s Offices for Kane and DuPage Counties, Illinois, where he prosecuted cases involving sexual exploitation and digital evidence. As an ASA for Kane County, he supervised the Special Prosecution Unit, responsible for investigating and prosecuting felony cases, including Internet crimes against children. He was also assigned to a Child Advocacy Center team that investigated and prosecuted cases of severe physical and sexual abuse against children, crimes of Internet solicitation of children, and child pornography. As an ASA for DuPage County, he worked in the Criminal Prosecutions Bureau and the Felony Domestic Violence Unit.
Mr. Fitzsimmons frequently presents and teaches at international, national, and regional conferences, workshops, webinars, and training courses on digital evidence collection, computer forensics, crimes against children, cybercrime, and human trafficking. He has published articles on digital evidence authentication, computer forensics for prosecutors, child sexual exploitation, and more. In addition, he has drafted legislation that was signed into law in Illinois on several technology-facilitated child sexual exploitation issues from 2006–08.
Mr. Fitzsimmons was a member of the U.S. Department of Justice (DOJ) National Strategy Working Group on Child Exploitation and co-chaired its Training Subcommittee. He also participated in the DOJ Office for Victims of Crime Working Group on Restitution for Victims of Child Pornography, the FBI Innocence Lost Working Group, and the Internet Child Exploitation Task Force. He has served as faculty of the National Children’s Advocacy Center, Huntsville, Alabama, and for the North-East Metropolitan Regional Training Center, Police Training, Aurora, Illinois.
Mr. Fitzsimmons is a graduate of the Illinois Institute of Technology’s Chicago-Kent College of Law, and earned a bachelor’s degree from Wittenberg University in Ohio.
Mr. Armstrong is a High-Tech Crime Training Specialist in the High-Tech Crime Training Services department of SEARCH, The National Consortium for Justice Information and Statistics, where he coordinates and provides training on high-tech crime investigations and forensics to local, state and federal justice agencies. He provides technical assistance to law enforcement agencies in active cases, prepares training curricula, teaches SEARCH investigative courses and speaks at conferences throughout the United States.
Before joining SEARCH in 2008, Mr. Armstrong was a System Specialist at Fox Valley Technical College, where he assisted with the management of the Internet Crimes Against Children (ICAC) International Database Network.
Mr. Armstrong retired from the San Diego (California) Police Department in 2006 after more than 27 years of service. When he retired, he was Lead Investigator for the ICAC grant in San Diego County. In this role, he was involved in both proactive and reactive investigations, forensic investigations, computer maintenance, office network and networking hardware, and grant financial planning. Immediately prior to his ICAC assignment, he spent 6-plus years as a Child Abuse Investigator, investigating every type of child abuse, up to and including child homicides. In 2007, Mr. Armstrong was the recipient of the United States Attorney General’s Special Commendation Award for a San Diego Police investigation.
Mr. Armstrong has taught numerous high-tech crime and law enforcement courses, to include Child Abuse Investigation, Sex Crimes Investigation, and Trends in High-tech Crime for universities, colleges in San Diego County, as well as the San Diego Police Department and the San Diego Regional Law Enforcement Academy.
Mr. Armstrong has earned certifications in White Collar Crime, Child Abuse Investigation, and Auto Theft Investigation from the California Commission on Peace Officer Standards and Training (POST), Robert Presley Institute of Criminal Investigation (ICI), and is a certified Instructor from the ICI’s Instructor Development Institute. He attended National University, where he studied Administration of Justice; the Basic Law Enforcement Academy at Miramar Community College; City College of Chicago, where he became a Nationally Registered Emergency Medical Technician; and Grossmont Community College, where he received his Associate’s degree. He served as a Military Police Officer in the U.S. Army, and after completion of Officer Candidate School, as an Officer in the California Army National Guard, Armor Branch.
Mr. Lewis is a High-Tech Crime Training Specialist in the High-Tech Crime Training Services department of SEARCH, The National Consortium for Justice Information and Statistics, where he coordinates and provides training on high-tech crime investigations and digital forensics to local, state, and federal justice agencies. He provides technical assistance to law enforcement agencies in active cases, prepares training curricula, and speaks at conferences nationwide.
Before joining SEARCH in 2012, Mr. Lewis served for 23 years with the Lakewood (Colorado) Police Department, most recently as its Forensic Computer Analyst. He ran its forensic computer lab and was responsible for all aspects of digital evidence, from collection through analysis. He also was a Police Imaging and Technology Specialist, which involved analyzing images and creating imaging policies. He was a Police Photo Technician/Criminalist, operating and managing the department’s photo lab and conducting forensic imaging for its crime lab. He was also System Administrator of the department’s Mugshot System.
Mr. Lewis earned an associate’s degree in photography from Colorado Mountain College and a Computer Forensics Certificate from Marshall University (West Virginia). He is also a certified Instructor through the Colorado Peace Officer Standards and Training Board (POST). He has undertaken multiple computer forensics trainings, including forensic photography and technology, crime scene investigation, digital imaging, electronic/digital examination, data recovery and analysis, and computer crime investigations.
Mr. Lewis has taught numerous Lakewood Police Academy classes and at the Colorado Law Enforcement Training Academy in the Crime Scene Investigators course series. He also has taught law enforcement video analysis courses at Central Piedmont Community College (North Carolina), teaches cellphone forensics at the University of Colorado in the Master’s Program for the National Center for Media Forensics, and is an adjunct instructor for the Computer Science Program at the Community College of Aurora (Colorado), teaching computer forensics.
Mr. Lewis has provided consulting and training to agencies nationwide on techniques and procedures for conventional and digital imaging and analysis. He is a frequently published author on computer and digital forensics topics, and has presented at conferences, cybercrime summits, and trainings held by forensic sciences, computer evidence, and identification organizations. He writes a Forensic Bytes column for Digital Forensic Investigator News. In addition, he has been a court-qualified expert in forensic photography, video analysis, and computer and cell phone analysis for district courts in Jefferson County, Colorado, since 2002.
Mr. Lewis is a member of the International Association for Identification (IAI); the National Technical Investigators Association (NATIA); and the Digital Evidence Committee of ASTM International, a global standards organization. He is Past President of the Colorado Association of Computer Crimes Investigators (CACCI). He is also an appointed member of the FBI’s Scientific Working Group for Digital Evidence (SWGDE), which fosters cooperation among law enforcement agencies and recommends national standards and procedures within the forensic community. He has served as its Vice-Chairman and has chaired its Forensic Committee.
Ms. Elizabeth Tow is a High-Tech Crime Training Specialist in the High-Tech Crime Training Services department of SEARCH, The National Consortium for Justice Information and Statistics, where she coordinates and provides training on high-tech crime investigations and forensics to local, state and federal justice and public safety agencies. She provides technical assistance to law enforcement agencies in active cases, prepares training curricula, teaches SEARCH investigative courses and speaks at conferences throughout the United States.
Before joining SEARCH in 2010, Ms. Tow spent five years in local law enforcement in two states, as a Public Safety Dispatcher for the Grass Valley (California) and Helena (Montana) Police Departments. She gained experience in curriculum development and training and Internet Crimes Against Children peer-to-peer investigations. She is a Certified Trainer in the California Law Enforcement Telecommunication System (CLETS) and Department of Homeland Security (DHS) National Incident Management System/Standardized Emergency Management System (NIMS/SEMS). She is a Peace Officer Standards and Training-certified Public Safety Dispatcher in both California and Montana, and has received POST training in such areas as law enforcement response to terrorism, child abduction intervention and resource training, and domestic violence and sexual assault for dispatchers.
While working for the Grass Valley Police Department, Ms. Tow served as the CLETS Operational Trainer, the Communications Center CLETS Coordinator, and the Communications Training Officer. She also served on the department’s Recruitment and Retention Committee and Organizational Excellence Committee, and was a member and agency representative to the California CLETS Users Group.
Ms. Tow has additional experience as a Finance Assistant and Parks and Recreation Supervisor with the City of Grass Valley, in addition to a great deal of conference and training-related experience in the private sector beef industry from 1988–2005. She earned a bachelor’s degree in Criminal Justice Management from Union Institute and University and also studied Animal Science at Montana State University. In 2013, she earned a Masters of Forensic Psychology from Argosy University.
Ms. Tow is a certified Instructor through the California Commission on Peace Officer Standards and Training (POST), Robert Presley Institute of Criminal Investigation / Instructor Development Institute (ICI/IDI).
Ms. Lauren Wagner is a High-Tech Crime Training Specialist in the High-Tech Crime Training Services department of SEARCH, The National Consortium for Justice Information and Statistics, where she coordinates and provides training on high-tech crime investigations and forensics to local, state and federal justice and public safety agencies. She provides technical assistance to law enforcement agencies in active cases, prepares training curricula, teaches SEARCH investigative courses and speaks at conferences throughout the United States. She has also authored and coauthored various high-tech crime investigative guides, which have been published by SEARCH.
Ms. Wagner previously worked as a Research Analyst for SEARCH, focusing on research and development projects on integrated justice information systems planning and implementation using the Justice Information Exchange Model (JIEM™) tool. She also worked on managing the online state and local integration profiles as part of SEARCH’s justice and public safety Information Sharing Initiatives program.
Ms. Wagner first joined SEARCH in 2005 as a student intern. She holds a bachelor’s degree in Physics from Allegheny College, a master’s degree in Forensic Science from the University of New Haven (UNH), and a master’s certificate in Forensic Computer Investigation from UNH.
She also has her Network Plus Certification, and is a certified Instructor through the California Commission on Peace Officer Standards and Training (POST), Robert Presley Institute of Criminal Investigation / Instructor Development Institute (ICI/IDI). In 2009, Ms. Wagner was awarded the California POST ICI Award for Excellence in Instruction. In 2011, she completed and was certified in the Intermediate Level (Level II) of the California POST IDI Master Instructor program. She then completed and was certified in the Advanced Instructor Development Level (Level III) of this Master Instructor program in 2012.
Dean C. Chatfield
Mr. Dean Chatfield is a High-Tech Crime Training Specialist in the High-Tech Crime Training Services department of SEARCH, The National Consortium for Justice Information and Statistics. He coordinates and provides training on digital evidence investigations and forensics to local, state, and federal justice agencies. He also provides technical assistance to justice agencies in active cases, prepares training curricula and other resource materials, teaches SEARCH investigative courses, and speaks at conferences throughout the United States.
Before joining SEARCH in 2013, Mr. Chatfield worked for the National White Collar Crime Center (NW3C) for 14 years, first as a computer crime specialist, then as a Supervisory Computer Crime Specialist. He presented basic and advanced cyber investigative and computer forensic courses to local, state, federal, military and international law enforcement agencies; researched computer forensics issues; and provided advice to law enforcement agencies in computer seizure and analysis. As Supervisor of the NW3C Computer Crime Section, he managed 26 computer crime specialists and 7 support staff and developed curriculum for 16 cyber and forensic courses. He researched existing and new technology to enhance the courses and managed software development of NW3C products, including PerpHound™. He was NCW3C’s liaison with Microsoft’s Digital Crimes Unit on various projects, including programming of MS COFEE versions 1.1.2 and 2.1 (Computer Online Forensic Evidence Extractor).
Mr. Chatfield has 25 years of experience in law enforcement. He was a Criminal Investigator for the Maricopa County (Arizona) Attorney’s Office for 13 years, where he conducted major felony investigations, including criminal enterprises, financial crimes, political corruption, and analysis of computers and computer-generated data. He also was Chief of the Mancos (Colorado) Police Department for 6 years, and began his law enforcement career as a Police Officer and Field Training Officer for the Phoenix (Arizona) Police Department.
Mr. Chatfield is a lifetime member of the International Association of Computer Investigative Specialists (IACIS), a nonprofit organization of volunteer computer forensic professionals dedicated to training and certifying practitioners. He has served on its Board of Directors, as well as its elected President and Vice President. As an IACIS instructor for 5 years, he developed training courses on computer crime investigations and the methodology for seizing and analyzing computer-based evidence. He is a Board member of the American Society of Digital Forensics and eDiscovery (ASDFED) and has been an associate member of the Scientific Working Group for Digital Evidence (SWGDE) since 2005.
Mr. Chatfield was the first person certified as a Computer Forensics Expert by IACIS in 1992. He was selected to train the Commercial Crime Bureau of the Royal Hong Kong Police Force and NATO Intelligence organizations on computer forensics. He also represented state and local law enforcement on the NIST Computer Forensic Tool Testing committee.