Tuesday, May 7, 2013

CYB3RCRIM3: FTK, Experts and Daubert


The case began on November 6, 2010, when an agent from

[Immigration and Customs Enforcement's Homeland Security Investigations directorate] logged into his undercover peer-to-peer account and discovered a user who was identified by the online name 'thegeta' utilizing an account on the same peer-to-peer Gigatribe program. ('thegeta' was a username utilized by Springstead.) The agent sent an invite request to 'thegeta' . . . for permission to trade images.

On November 8, Springstead accepted the invitation and gave permission for the agent to access and download the files [he] made available for trading. On November 18, HSI downloaded approximately 26 images and 5 videos of minors engaging in sexually explicit conduct . . . from Springstead's account. . . .

Brief of the United States, supra.

Springstead was, apparently coincidentally, also the object of an FBI investigation:

On December 11, 2010, a Task Force Officer with the FBI in Texas also downloaded multiple images of minors engaging in sexually explicit conduct from Springstead's peer-to-peer account. Specifically, the FBI downloaded 256 files from Springstead's account, which included images of minors engaging in sexually explicit conduct and cartoons and drawings that depicted obscene visual representations of the sexual abuse of children.

Brief of the United States, supra.

On December 21, 2011, officers executed a search warrant at Springstead's residence, where they seized a computer from which they later seized "numerous pictures and video containing child pornography." Brief of the United States, supra.

HSI Special Agent Paul Wolpert conducted the forensic examination of the computer media seized . . . at Springstead's house. . . . Wolpert has been with ICE HSI for approximately eight years and investigates crimes involving children, including sex tourism, production and other child pornography-related crimes, and other online crimes involving minors. . . . He has been involved with online child exploitation investigations since 2006 and virtually all of his . . . investigations involved the Internet in one way or another. . . . He has performed computer forensic examinations since 2006. . . .

Brief of the United States, supra.

(The prosecution's brief on appeal notes Springstead lived with his parents and used the computer in the home's family room. Brief of the United States, supra. The computer "had three accounts, 'Mom,' 'Dad,' and 'Bob,' which were associated with Martha Springstead, David Springstead, and [Robert] respectively." Brief of the United States, supra. Springstead's account was "described on the computer as the 'Owner' account" and the "'Bob'/'Owner' account contained a jpeg . . . entitled 'Me,' and the picture in that file was of" Springstead. Brief of the United States, supra.)

In his appeal, Springstead argued, in part, that the federal judge who presided at his bench trial erred in admitting Wolpert's testimony regarding his forensic examination of Springstead's computer. Specifically, Springstead posits that Wolpert lacked the requisite knowledge and training to explain how the Forensic Tool Kit ('FTK') software used in this case was designed and functioned and that the Government failed to offer testimony regarding the reliability, peer review, error rate, and standards of the industry for the software as required by Federal Rule of Evidence 702.

U.S. v. Springstead, supra.

Federal Rule of Evidence 702 governs the admission of expert testimony in federal trials. Rule 702 states that a witness "who is qualified as an expert by knowledge, skill, experience, training, or education" can testify "in the form of an opinion or otherwise" if four conditions are met:

(a) the expert's scientific, technical, or other specialized knowledge will help the trier of fact to understand the evidence or to determine a fact in issue;

(b) the testimony is based on sufficient facts or data;

(c) the testimony is the product of reliable principles and methods; and

(d) the expert has reliably applied the principles and methods to the facts of the case.

The judge who presided over the trial decides whether testimony should be admitted under Rule 702 and, in so doing, must require that the prospective witness "'explain how his experience leads to the conclusion reached, why his experience is a sufficient basis for the opinion, and how his experience is reliably applied to the facts.'" U.S. v. Springstead, supra (quoting U.S. v. Wilson, 484 F.3d 267 (U.S. Court of Appeals for the 4th Circuit 2007)).

According to this opinion, at Springstead's trial Wolpert testified about his qualifications as a

certified computer examiner as an expert in using Forensic Tool Kit (FTK), which is an AccessData software program used by forensic analysts all over the world to analyze computers and computer media. . . . ICE sanctions the use of only FTK and Encase, another forensic analyst software program, for its computer forensics specialists. . . . Wolpert is trained on how to use FTK and receives periodic, semiannual ongoing training on FTK and any updates associated with it. There is a certified examiner course that he participates in to stay current in the field. . . .

Wolpert used the FTK program to identify the illicit materials on Springstead's computer. But [he] also testified that he could have located all those same illicit materials without the use of FTK by painstakingly going through each file and folder of Springstead's computer. This process would take months, possibly even a year. . . .

By using FTK, Wolpert made an exact copy (or 'mirror image') of the computer hard drive prior to examining the item by using 'hash values' to ensure that no data has been altered during the evidence analysis. . . . Then, [he] uses the FTK program to more easily view the contents of the computer. For example, FTK allows Wolpert to see all of the picture images on the computer regardless of where they are stored, whereas manually locating all of the same pictures in the various files in which they could reside would be much more time consuming. . . . Wolpert has been admitted as an expert in forensic analysis in two state court trials and two federal court trials, and he has testified in countless other federal court hearings concerning his forensic expertise. . . .

Wolpert explained how FTK works in great detail. [He] has attended an AccessData . . . course for certified examiners. AccessData gave him a body of work to perform using FTK. After [it] was completed, they evaluated his results and certified that he is able to use the FTK software. . . . After that he has engaged in ongoing AccessData training to make sure he is current with the FTK program. . . . Regarding FTK, Wolpert discussed the need for the mirror image copy, the imaging of the hard drive, the verification of the copy of the hard drive, and that FTK software is used to parse information from the hard drive. . . .

U.S. v. Springstead, supra.

In his appellate brief, Springstead said Wolpert's testimony was "the only evidence offered by the United States regarding the forensic examination of Government Exhibit 41, the computer hard drive on which images of child pornography was located." U.S. v. Springstead, supra. Springstead's brief also noted Wolpert's testimony that he used FTK to analyze the hard drive and had undergone training in the use of the software. U.S. v. Springstead, supra. But Springstead claimed that Wolpert

did not know what the error rate on the software was, if any, did not know how the software was designed, did not know how the software purported to obtain and sort the information from the hard drive, and indicated that his work was not peer reviewed.

testified there were no professional standards or guidelines that applied to his purported area of expertise. He also testified that he had not reviewed and was not familiar with the report from the National Institute of Standards and Technology (NIST) that analyzed and discussed the issues regarding the reliability of the FTK software. Finally Wolpert testified that he was not an expert in computer hard drives or any type of computer software and had not undertaken any inquiry into the manufacturer of Springstead's hard drive. . . .

Brief of the Appellant, U.S. v. Springstead, 2012 WL 2602658.

reliable and in doing so should consider the following factors '(1) whether the particular scientific theory "can be (and has been) tested"; (2) whether the theory "has been subjected to peer review and publication"; (3) the "known or potential rate of error"; (4) the "existence and maintenance of standards controlling the technique's operation"; and (5) whether the technique has achieved "general acceptance" in the relevant scientific or expert community.' This analysis should apply to both technical and scientific expertise. . . .

Brief of the Appellant, supra.

Springstead then argued that in this case, the judge let Wolpert testify about

matters that clearly did not meet th[is] legal standard . . . and for which he did not have the required specialized knowledge. In essence, Wolpert said he knew the FTK software was reliable because he knew someone who worked for this company that manufactures the software told him so.

He had no independent training in computers or computer software that would permit him to express expert opinions. He simply relied on the data the software produced. This lack of expertise that meets the legal standard is highlighted by the fact Wolpert could not explain significant anomalies like how images could allegedly be on the hard drive before it was created and how certain files could have a date of transfer that was before the date the file was created, per the report that FTK produced.

Brief of the Appellant, supra.

Springstead's brief also argued that the prosecution had not addressed these issues:

The United States pointed out at trial that in some other cases a proper foundation has been laid for the admission of testimony and reports based on FTK. . . . This fact does not make the testimony of Wolpert admissible. He simply was not possessed of the specialized knowledge through training or experience to testify as an expert.

The fact someone who has a financial interest in selling this software told him that it worked but did not disclose how it worked, which scientific principles were pertinent to what standards were used to create the software does not rise to the level required for expert qualification or testimony. The fact that in other cases a properly qualified expert may have testified is not pertinent to the evidence in this case.

Brief of the Appellant, supra.

Springstead's brief therefore argued that "[f]or all these reasons the appellant contends that it was an abuse of discretion to admit the reports and testimony based on the FTK software." Brief of the Appellant, supra.

The Court of Appeals, though, did not agree:

The district court heard considerable evidence regarding Wolpert's education, experience, expertise, and personal involvement in this case. The district court qualified Wolpert as an expert in internet and computer forensics, finding that Wolpert had 'the requisite knowledge and training, experience, and because of the certification process, there's been a method . . . whereby he's been tested on his familiarity and ability to operate the [FTK] that he uses in his computer forensic investigations.'

Having reviewed the record with the appropriate standards in mind, we conclude the district court's decision to qualify Wolpert as an expert did not constitute an abuse of discretion. . . . To the extent Springstead challenges the reliability of Wolpert's testimony on the ground that the district court inadequately considered factors such as testing, peer review, error rates, and acceptability in the relevant scientific community, Daubert v. Merrell Dow, supra, the test of reliability is 'flexible,' and Daubert's list of specific factors neither necessarily nor exclusively applies to all experts or in every case. Kumho Tire Co. Ltd. v. Carmichael, supra.

U.S. v. Springstead, supra.

This news story provides a little more information about Springstead and the case.

Source: http://cyb3rcrim3.blogspot.com/2013/05/ftk-experts-and-daubert.html
