Canadian Criminal Law/Appendix/Model Examinations/Peer-to-Peer Investigation

From Wikibooks, open books for an open world
Jump to navigation Jump to search

This model examination covers the key witnesses of a peer-to-peer investigation for a possession and distribution of child pornography charge. This consists of the investigator who finds illegal files being shared, the officer who searches the house, and the forensic tech who analyses the computer.

Investigator[edit | edit source]

Personal Background[edit | edit source]

  • peace officer for X number of years
  • On <investigation date> officer was assigned to Internet Child Exploitation Unit / joined the unit in <date>
  • officer completed training courses relevant to the investigations of the unit / name, date, and duration of courses
  • other relevant experience and education
  • duties and responsibilities with unit relevant to present charges / investigations of P2P traffic for possess and sharing Child Pornography (CP)

P2P Terminology (may constitute expert evidence)[edit | edit source]

  • What is a file sharing/peer-to-peer network
  • What is file sharing software / name of programs / where they are found / how does one get the program
  • Purpose of file sharing network and software : to share files across

Tools Used in Investigating[edit | edit source]

  • software program used (e.g. Phex, SherazaLE) / officer was trained to use the program
  • purpose and functions of program
    • accesses database of IP address / GUID associated with making suspected CP files available for downloading
    • officer can examine IP address for potentially downloadable files
    • officer can identify if CP files are downloadable / possible download the file from the specific IP address

Searching Officer[edit | edit source]

  • location of each computer in residence
  • manner of connection to the internet
  • state of each computer when found
  • access to computer / password protected / number of accounts visible

Computer Analyst[edit | edit source]

See Canadian Criminal Law/Appendix/Model Examinations/Computer Forensic Analyst for details on general areas of questioning. You should also cover the following topics specific to P2P investigations.

P2P Software Found and Settings[edit | edit source]

  • what programs were installed / any filesharing programs installed / GUID number of each installation / creation and access dates for each program
  • was able to determine the settings of the filesharing program / were they different from what is set at default
    • partial or complete download folders
    • visibility of files being shared
    • ratio of upload to download
    • bandwidth permitted
  • what user account was all this associated with
  • review any P2P log files and what they mean (settings file, complete/incomplete downloads, search terms recently used)

Illegal Content Found[edit | edit source]

  • found any files that were CP
  • hash values and names of files / number of files found / total size of all the files / length of videos
  • location of files found / directories / unallocated space
  • if found in completed download directory or incomplete directory / does software label files that are incomplete
  • did you review the contents of the files / do the file names reflect the contents
  • dates of created, modified, and accessed / comment on accuracy of times and dates / other ways of determining date they were downloaded, opened or deleted / earliest and latest creation dates / earliest and latest access dates
  • files compared hash values to known CP files / files compared to investigator's downloaded files
  • normally files will either be found in collections, with some deleted or else all file deleted
  • search for CP related terms / how many hits were found from terms

Defence Evidence[edit | edit source]

  • education generally / education and training related to computers
  • employment / whether employment involves computers
  • computers owned at time of offence / date purchased / from whom
  • place computer was stored and used / who had access to place / room-mates, friends and family / period of time accessible
  • room-mates or other family own computers / when they had them / where they were kept
  • level of expertise with computers
    • checking emails / surfing web
    • installing and deleting programs / types of programs used
    • organizing files into directories / browsing files
  • use of P2P software / purpose / search terms used / results / method of downloading / familiarity of installation and set-up process