
Targeting Internet Child Pornography


     By The MPM Group, Inc. Complex Litigation Support - Investigations - Corporate Compliance & Due Diligence



Are our law enforcement agencies effectively finding the real violators or are we simply identifying those who are slipping from Fantasy to Felony?
One can hardly pick up a newspaper lately without seeing a story of yet another individual being arrested for some sort of cybercrime involving underage children. In fact, in this country’s never ending need to watch the proverbial “train wreck,” we even have a nationally syndicated television show that takes great glee in videotaping some unsuspecting “pervert” showing up at what he believed was to be a sexual liaison with an underage girl and surprise, surprise. Unfortunately, this show also appears to spend more time simply humiliating the “target” than publicly emphasizing the fact that the attempt to meet with what is believed to be an underage child for illicit sexual purposes is a felony under both federal and state statutes – with the federal statute(s) being the most unforgiving. In that most, if not all, of these types of offenses are currently facilitated with computers, are internet providers not culpable in the dramatic increase of sexually related underage cybercrime or have federal and state law enforcement authorities overreacted by investing millions of dollars to target a relatively small percentage of real cyber-felons, while failing to objectively differentiate sexual fantasy seekers from sexual predators?

By way of background, electronic technology and, as a result, public computer use have grown dramatically in the last twenty years. At the forefront of internet providers were the likes of Microsoft (MSN), America Online (AOL), Yahoo and others. These providers not only allowed their users instant access to the World Wide Web (www), but they also provided “chat rooms” where subscribers could chat anonymously with other subscribers by typing messages back and forth in real-time cyberspace. Without any meaningful government or service provider oversight/controls, “conversations” in these chat rooms covered the gamut from political issues and extra-marital affairs to more graphic sexual content. As one might suspect, these chat rooms eventually became a “fantasy world” for some and arguably, an addiction for others.

In the mid-to-late nineties, during the height of chat room popularity, these service providers offered hundreds of different chat rooms with 20 to 30 “chatters” in each room at any given time. Thus, if one were looking, they could find almost any topic they wanted to chat about in any given room. According to previous Internet marketing researchers, a majority of the chatters were middle-age married men or stay-at-home moms who found a way to be anyone they wanted to be, look like anyone they wanted to, and live a “life” that they had heretofore only dreamed about. Consequently, some chatters lived in front of their computer screens spending countless hours living the “fantasy.” While in their on-line world, lonely unhappy housewives could shed their otherwise unfulfilled lives and could become the beautiful desirable woman they longed to be. Likewise, overweight middle aged men could be the object of every woman’s desire while escaping their dreary existence – even if for only a moment. It seemed like the perfect and harmless solution – the fantasy of a romance novel, but with the opportunity to mix fact and fiction in real-time with a “real” person. However, in recent years, these same internet marketing experts now suggest that the struggling economy, waning public interest and advances in other types of technology (texting) have taken huge numbers of traditional chat room users out of the market. However, both AOL and Yahoo marketing experts suggest that one of the most significant factors for the significant reduction in the use of conventional chat rooms has been the dramatic increase of World Wide Web Robots (“Bots”) that have flooded chat room servers. In fact, an Internet and web industry expert Blog recently published an article that confirmed in pertinent part:

“The industry has seen the total pull out by MSN, and a decline in users by AOL and industry leader Yahoo. Much of this is due to an overwhelming invasion by spammers using what is often referred to as “bots.” These “bots” are people that create fake profiles with the intent of sending people to another website in an attempt to make money. Often times these “bots” are using programs that give them the ability to log in hundreds of usernames at once and then blast a message to the rooms or by private message.

Yahoo Chat has recently made an attempt to battle back against the bots by implementing a “captcha” code each time you try to enter a chat room with the theory that “bots” will not be able to enter the code. Yahoo has also implemented a feature that logs a person out of chat every 3 hours forcing the user to re-enter the captcha code to get back into the chat room.

Obviously if anyone has been in Yahoo Chat recently you will have noticed these changes, as well as the fact that bots still fill the chat rooms, however not in as many numbers as before. It would seem that the implementation of this captcha feature has only added one more hassle to real legitimate users while only putting a minor dent in the bot problem.

It’s estimated that Yahoo Chat has only 30% of the users now that they did 3 years ago. This decline began when Yahoo decided to pull the option for users to create their own rooms due to the child predator scandal they endured, and continued as the bot infestation increased.” © 2010 Buzzle.com

Consequently, should one disregard the few remaining die-hard chatters, typical AOL, Yahoo and the other remaining chat rooms would now appear to be occupied by mostly “posers” (traditionally law-abiding men and women simply pretending to be someone they are not – young, rich, sexy, desirable, kinky, etc.), along with traditional bots or other sophisticated internet robots that are simply soliciting sex and romance, but more specifically, your personal credit card information. In fact, current service providers will no doubt confirm that a majority of the remaining active chat rooms are relegated to unwitting posers who are otherwise harmlessly soliciting other posers/robots in the deteriorating world of internet fantasyland. Unfortunately, what these unwitting “posers” fail to consider is that, in their continuing, albeit desperate, pursuit of the ultimate fantasy, some of these other “posers” are now, in fact, federal/state cybercrime law enforcement personnel who are constantly “patrolling” the internet for those relatively few chatters that step over the proverbial line from make-believe to reality and consequently find themselves (sometimes too late) transitioning from fantasy to felony. Make no mistake about it, federal and state law enforcement is watching!!

Of late, but certainly unlike the relatively harmless posers previously described, the conspicuously uncontrolled internet market has now been manipulated into a fertile national and international breeding ground for sexual deviants – indeed, sexual predators of minor children and the booming market for the child pornography that usually accompanies it. One would hope that the federal and state governments would spend the lion’s share of our tax dollars seeking out, dismantling and incarcerating these sexual deviants and not on the pursuit of the relatively harmless “posers” previously described herein. Unfortunately, in fairness to the many cyber-law enforcement groups currently in operation; the identification, apprehension and successful prosecution of these sophisticated international sexual predators is not as easy as one might suspect. First, cyber law enforcement personnel assigned to these types of investigations would appear to be far outnumbered by the number of sexual predators on the Internet and secondly, although great progress has been achieved with the technology and sophistication of investigative techniques, the complex internet and computer programming that is involved in this extremely sophisticated and secretive criminal society remains somewhat problematic for even the most sophisticated of law enforcement techniques to infiltrate.

Internet Child Pornography

Federal and state law enforcement “affiants” (writers for federal/state arrest and search warrants) know from their training and experience that child pornography comes from many sources. They also are aware that computers have revolutionized the way in which those sources and users interact. Computers have also revolutionized the way in which collectors and users of child pornography can store their collections. It’s a given that the development of computers and the Internet has greatly changed and added to the way in which child pornography is disseminated, collected, and viewed. Computers have facilitated the ability of child pornography collectors and traders to keep their collections hidden. Photographs and videos that were previously stored in boxes are now traded and collected as digital images which can be stored and maintained on digital media, such as a digital storage device called a “Micro-Secure Digital Card”, that is smaller than a postage stamp. Computers now aid and serve in the production of child pornography, the distribution of child pornography, the viewing of child pornography, the storage of child pornography and communication between child predators.

One of the fastest growing areas that facilitate the many practices used by child predators is the Peer-to-Peer (“P2P”) networks like FastTrack, BitTorrent and the Gnutella networks. These various P2P networks have become ideal for traders to openly exchange “collections” and share those collections. The P2P network has convinced child pornography traders that they have an open and anonymous distribution and trading network for their child pornography. This network enables trading on a world-wide basis with upload and download speeds never before seen.

Many cybercrime affiants have personally worked undercover P2P investigations and have closely worked with National Internet Crimes Against Children (ICAC) undercover initiatives that are targeting those sharing files on the Gnutella network. Law enforcement affiants spend countless hours reading, studying and trying the various Gnutella client software programs in an effort to perfect on-going research and understand the P2P system of file sharing. Some cyber experts have even served on the prestigious National ICAC Task Force Technology Committee. Consequently, affiants doing undercover P2P cases will usually employ both software and undercover techniques developed exclusively by/for the ICAC Task Force.

In 2003, North Carolina law enforcement authorities developed a single internet undercover operation called Operation Peerless that quickly (almost effortlessly) identified over 3,000 computers around the world that were trading images of known child pornography – disquieting to say the least. While examining the Gnutella P2P file sharing network in that complex investigation, law enforcement authorities learned that computers on the Gnutella network have software installed on them that will facilitate the trading of pornographic images. When installed properly, the software allows the user to search for pictures, movies and other digital files by entering text as search terms. Some names of this specific software include, but are not limited to, BearShare, LimeWire, Shareaza, Morpheus, Gnucleus, Phex and other software clients. Those software programs that interface with the Gnutella Network are called Gnutelliums.

More recent innovative investigative techniques have established undercover cases on the Gnutella P2P network that Gnutella P2P users can find images and movies of child pornography by using specific text search terms. Some examples of search terms that locate files containing child pornography are “PTHC”, which stands for “Pre-Teen Hard Core” and “babyj.” The “pthc” search term typically results in the user being presented with a list of files that include movie files, commonly referred to as an MPEG file, which has a digital signature or Secure Hash Algorithm – Version 1 (SHA-1) value. This MPEG file will usually depict a series of short clips of very young children with adults engaged in explicit sexual conduct. Law enforcement personnel have monitored such movies that have the SHA-1 value described above and know it to be dominated by child sex abuse images. These same law enforcement personnel have tested other search terms and results and have been able to usefully identify other potential child pornography systems on the P2P network.

Successful undercover cases involving the P2P Gnutella network have confirmed that the system allows the user to select a file from the list of files returned during a query, and then receive that file from other users around the world. Often these users can receive the selected movie from numerous sources at once. The software can balance the network load and recover from network failures by accepting pieces of the movie from different users and then reassemble the movie on the local computer. Certain versions of the Gnutella software can also be configured to “ignore” or specifically block all but one user’s computer from sending the file. This provides a way for the cyber-investigator to target a specific computer suspected of containing child pornography.

According to these various computer experts, the Gnutella P2P network client software can only succeed in reassembling the movie from different parts if the parts all originate from the same (exact) movie. In order to confirm this, the Gnutella network has a built-in functionality to ensure precise file matching. Precise file matching is done through the use of SHA-1, which was developed by the National Institute of Standards and Technology (NIST), along with yes, the National Security Agency (NSA). It has been accepted and adopted as the Digital Signature Standard (DSS) as specified within the Secure Hash Standard (SHS) by the United States of America as a Federal Information Processing Standard. In layman’s terms, a SHA-1 value can be likened to DNA – in that it is a mathematical fingerprint of a computer file that will remain the same for an unchanged file no matter where the file is found or on which computer the file is located. Admittedly, changing portions or pixels of the image will change the signature; however, changing the file name will not, because it makes no change to the actual digital file. Experts in the field have processed digital files through this SHA-1 process during testing, with each file resulting in a digital signature. By comparing these digital signatures, affiants can conclude that two files are identical with a precision that greatly exceeds 99.9999 percent certainty.

Law enforcement experts have been able to validate through testing that users attempting to trade files on the Gnutella file sharing network could choose to place files from their local computer into a shared folder. If that same user then starts the Gnutella software, that local computer could then calculate the SHA-1 signature of each file in the shared folder and provide that information to other users wishing to trade files. These experts have learned that the Gnutella P2P network software clients that connect and share files on the network calculate the SHA-1 value of files in the user’s shared folder upon start-up of the software. The Gnutella client software makes those values available on the network for comparison through the ultra-peers, so that multiple persons sharing one movie or file can deliver different pieces of that movie or file to the local software and the local software can ensure that a complete and exact copy is made from the parts. When a user connects to the Gnutella network, those connections are made to ultra-peers, which are the backbone of the network and handle most, if not all, Gnutella traffic. Users who make these connections upload a listing of their files and the associated SHA-1 values of those files, and keep active open connections to those ultra-peers. When a request for a search goes out, the search goes through from the IP address that has the file because the ultra-peers only have the file listing and not the actual file. As a result, there are many “open connections” to ultra-peers during a peer-to-peer session, and during the transfer of a file there is a direct connection to the computer transferring the file. Law enforcement experts are now becoming more adept at confirming child pornography transfers with their use of this new and sophisticated software, as well as at tracking these “open connections” with downloads of files that have the same SHA-1 values and therefore the same content.
As stated, each of the files may be named differently, but they contain the exact same file and content as long as the SHA-1 values are identical for each file.

Affiants have confirmed that entering search query terms in the Gnutella software can result in a list of file names and their associated SHA-1 values, and that investigators can compare the offered SHA-1 values with known SHA-1 values associated with specific movie or image files known by the investigator to be child pornography. Once a file with a SHA-1 value matching the SHA-1 value of a known or suspected child pornography file is located, the investigator can use the client software to obtain a list of specific Internet Protocol addresses (IP addresses) where computers are offering that same file. Those computers are called hosts; they are offering the identical child pornographic file and are participating in the trade of known images that match known SHA-1 values of child pornography. This feature allows cyber-investigators to conduct undercover operations that involve images of known child pornography and often involve identified child victims. Succinctly, this feature allows the investigator to identify the specific IP address of a computer that has connected to the Gnutella network and contains a file in the shared folder with a SHA-1 value associated with known or suspected child pornography at the precise time this specific computer was connected to the Gnutella P2P network. Law enforcement experts have learned that by conducting undercover investigations and research querying the Gnutella P2P network as described above, they can develop a list of IP addresses identifying locations where a computer has Gnutella P2P sharing software installed. The client software can be used to identify and locate unique IP addresses sharing individual files with the same SHA-1 values that match the SHA-1 values of known child pornography. The client software shows and returns lists of IP addresses where those SHA-1 values of known child pornography files have been reported as available for download.

The ICAC Task Force agents across the country are known to use software (not publicly available) that facilitates the automated comparison of offered SHA-1 values to SHA-1 values known to be child pornography. The software in use simply compares SHA-1 values found by the public software in the suspects’ shared folder with SHA-1 values in the list of known or suspected child pornography held by the undercover operation. That operation could conceivably be done by looking at each SHA-1 value offered and visually comparing it with the known SHA-1 values of child pornography. The undercover software merely speeds up the comparison. It also helps facilitate the geographical lookup of IP addresses sharing those files.
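The comparison described above, and the earlier point that a renamed file keeps its SHA-1 value while an altered one does not, can be illustrated with a short added example. It is not the ICAC software or any code from the author; it assumes offered values arrive either as 40-character hex or in the Base32 "urn:sha1:" form used by Gnutella clients, and every file content, file name, label and IP address in it is constructed.

```python
import base64
import hashlib

URN_PREFIX = "urn:sha1:"  # Gnutella clients advertise SHA-1 as urn:sha1:<Base32>


def sha1_digest(data: bytes) -> bytes:
    """Raw 20-byte SHA-1 of the file contents (the file name is never hashed)."""
    return hashlib.sha1(data).digest()


def to_urn(digest: bytes) -> str:
    """Encode a 20-byte digest as a 32-character Base32 URN."""
    return URN_PREFIX + base64.b32encode(digest).decode("ascii")


def normalize_sha1(value: str) -> str:
    """Return any accepted SHA-1 spelling as 40 lowercase hex characters."""
    v = value.strip()
    if v.lower().startswith(URN_PREFIX):
        v = v[len(URN_PREFIX):]
    if len(v) == 40:
        digest = bytes.fromhex(v)             # ValueError on non-hex input
    elif len(v) == 32:
        digest = base64.b32decode(v.upper())  # binascii.Error is a ValueError
    else:
        raise ValueError(f"not a SHA-1 value: {value!r}")
    return digest.hex()


def match_listing(listing, known):
    """Compare offered (host, name, sha1) entries with a known-hash table.

    Returns (matches, rejected): matches carry the label from the known
    table; rejected holds entries whose hash field could not be parsed.
    """
    matches, rejected = [], []
    for host, name, offered in listing:
        try:
            key = normalize_sha1(offered)
        except ValueError:
            rejected.append((host, name))
            continue
        if key in known:
            matches.append((host, name, known[key]))
    return matches, rejected


def build_demo():
    """Constructed sample data: one reference file and four offered entries."""
    ref = b"constructed reference file, contents A\n"
    altered = ref[:-2] + b"B\n"  # same length, one byte changed
    known = {sha1_digest(ref).hex(): "ref-A"}
    listing = [
        # identical content, Base32 URN form
        ("192.0.2.10", "holiday.mpg", to_urn(sha1_digest(ref))),
        # identical content under another name, upper-case hex form
        ("198.51.100.7", "renamed_copy.mpg", sha1_digest(ref).hex().upper()),
        # same name as the first entry, but altered content
        ("203.0.113.5", "holiday.mpg", to_urn(sha1_digest(altered))),
        # malformed hash field
        ("203.0.113.9", "broken.mpg", "urn:sha1:NOT-A-HASH"),
    ]
    return known, listing


if __name__ == "__main__":
    known, listing = build_demo()
    matches, rejected = match_listing(listing, known)
    for host, name, label in matches:
        print(f"match  {host:15} {name:18} -> {label}")
    for host, name in rejected:
        print(f"reject {host:15} {name:18} (unparseable hash)")
```

The two entries with identical content match regardless of file name or hash encoding, while the entry that reuses the first file name with one changed byte does not.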

All internet computers are identified by their IP address and these IP addresses are then queried by law enforcement personnel to locate a particular computer on the Internet. These IP addresses typically lead the law enforcement officer to a particular Internet Service Company (“service provider”) and that service provider can typically identify the account that uses the IP address to access the Internet. IP addresses belong to an assigned user much the same as residential telephone numbers except that they are assigned for shorter periods compared to typical telephone numbers. Service providers purchase blocks of IP addresses and then supply them to customers as they connect to the Internet. A customer cannot get access to the Internet except through a uniquely assigned IP address and no two computers on the Internet have the same IP address. A customer of a service provider can be identified by logs kept by their individual Internet Service Provider which detail the unique IP address assigned to them, just like a customer of a telephone company can be identified by their personal telephone number. Affiants then typically serve subpoenas to the service providers to easily identify the user assigned that specific IP address along with their home address, billing information and a complete record of that addressee’s use of that IP address, dates, times and duration of use. Consequently, affiants armed with the “irrefutable” computer forensics collected, as well as the specific address of the user, are armed with more than enough probable cause to secure a federal or state search warrant for the premises housing the “target computer.”

Obviously, the ultimate goal of any such child pornography investigation is to positively identify the specific user of the identified trading computer, but this sometimes proves to be problematic for obvious reasons. Consequently, most internet cyber-investigations will continue with a collateral undercover operation to specifically identify as many users as possible. However, notwithstanding their best efforts to identify these sexual predators through their prolonged investigations, more often than not, law enforcement personnel identify the target user by simply knocking on the door and speaking to the occupants of the residence housing the target computer – an investigative technique commonly referred to as a “knock & talk.” Amazingly, a very large percentage of these child pornographers (users) are so clueless, they readily admit verbally and/or in writing what they have been doing on-line and do so in spite of the fact that they are “usually” properly Mirandized prior to doing so. Obviously, the “coincidence” clearly escapes these users that these experienced law enforcement officials, who can routinely talk a starving dog off of a meat wagon, just happen to have a Waiver-of-Rights Form and a Consent to Search Form in their pocket when they knocked on the door for this routine “off-the-record” chat. Child pedophiles, dangerous they are – bright they aren’t. Luckily for our children, these are the essential ingredients for a defense attorney’s nightmare.

Unfortunately, not all child pornography investigative techniques are so target specific. For example, the Federal Bureau of Investigation (FBI) adopted the “novel” investigative technique of posting undercover hyperlinks that purported to contain illegal videos of minors having sex, and then raiding the homes (IP addresses) of anyone willing to simply click on them with little or no investigative follow-up to identify the specific user.

In a specific case close to home, Roderick Vosburgh, a doctoral student at Temple University who also taught history at La Salle University, was raided at home in February 2007 after he allegedly clicked on one of these FBI undercover hyperlinks. The following day, FBI agents knocked on the door around 7 a.m., claiming they wanted to talk to Vosburgh about his car. Upon opening the door, they threw him to the ground and handcuffed him. He was charged with violating federal law, which criminalizes the mere “attempt” to download child pornography and carries a sentence of up to 10 years in federal prison (pedophiles do not qualify for minimum-security Federal Prison Camps). Unbelievably, Vosburgh was found guilty on that count and his appeal is pending.

Undercover FBI agents have successfully used this undercover hyperlink-enticement technique to stage armed raids of homes in Pennsylvania, New York, and Nevada. Interestingly, the supposed “pornographic” video files actually were gibberish and contained no illegal images. Furthermore, a CNET News.com review of formally filed legal documents on PACER shows that courts have approved of this technique, even though it raises questions about entrapment and the problems of identifying the specific user using an open wireless connection. Succinctly, should anyone who simply “clicks” on an FBI link that admittedly contains no child pornography be automatically subject to a dawn raid by federal agents?

Civil libertarians are having a field day with this one. Obviously, the implications of such hyperlink-enticement techniques are sweeping. Should one use the same logic and legal arguments used in the FBI cases, Drug Enforcement Administration (DEA) agents could send unsolicited e-mail messages to millions of Americans advertising illegal narcotics and then raid people’s homes who simply click on the links embedded in the spam messages – where would it end?

Whether the child pornography investigative techniques are as sophisticated as the P2P/Gnutella network law enforcement efforts or as constitutionally “questionable” as the FBI undercover hyperlink techniques just described, both would appear to have a common goal – to protect our children and thwart the exploding commercial success of child pornography.

Whether one agrees or disagrees with the techniques used to accomplish this goal:

“All that is necessary for evil to succeed is for good men to do nothing.”
-Edmund Burke

© Copyright 2010 – The MPM Group, Inc.

ABOUT THE AUTHOR: The MPM Group, Inc. & New Jersey Legal™
The MPM Group, Inc. are nationally recognized and court adjudicated experts in complex investigative and litigation support matters, federal sentencing mitigation issues, as well as being nationally recognized and court adjudicated experts in prison and inmate advocacy matters.

New Jersey Legal™ are nationally recognized litigation support experts in all matters of computer and digital forensics who offer computer forensic experts holding CCE certifications. In addition to their computer forensic expertise, New Jersey Legal specializes in eDiscovery, document services and most courtroom trial litigation support services.
