Below is a typical letter I will send to a client "after" their home or business has been raided by police or federal agents for child pornography. It is for informational purposes only and not specific advice. Many facts can alter the situation, but below is a typical Bit Torrent scenario.
I wanted to touch base with you to give you an idea of where you stand. I just spoke to Detective XXXXX in Baltimore XXXXX and she indicated that your information is still at the lab and it would be released in a couple more months. It has not been referred to the Baltimore XXXXX State's Attorney's office as of yet, and depending upon what is found that may or may not occur.
I know we went over some of this before when we met in my office, but I am going over it again. The Detective indicates that on XXXXXX, she was conducting an online investigation with a shareware P2P Bit Torrent program. The Detective also indicates that your IP address was only associated with one info hash piece of data which had been associated with CP in the past. The Detective further indicates that a partial download was available. What is interesting here is that the detective then associates that partial download with a video of previously known child pornography. The question here, if you read between the lines of the probable cause search warrant statement, is whether or not they actually were able to retrieve the download itself.
At some point in time when the forensics come back from the lab, I have an expert that we will send this material to in order to make a determination about the probability of the successful download and the Torrent that made up same.
We discussed the basics of these investigations but I thought I would add some info below.
Fundamentally, how these cases work is that the law enforcement agency, whether it is a Sheriff's Department or some federal agency (each case varies), typically will start with a "reach out investigation".
File Sharing Programs and Bit Torrent Programs
Usually these detectives will go after the "low hanging fruit" on the Bit Torrent peer to peer networks. These programs are very common and there are many different types.
Examples of these programs are BitTorrent, Shareaza, eMule, KCeasy, Ares, Gnutella, Vuze, FrostWire, LimeWire, Kazaa, BearShare, Piolet, Ants. These are just some examples.
You may be knowledgeable or not very knowledgeable about computers, but these "peer to peer" programs are very interesting. A bit torrent is really not a program. It is simply a method of downloading files using a distributed peer to peer file sharing system. The programs that you use to download files via the Bit Torrent protocol are called Bit Torrent clients. There is a difference between the new Bit Torrent programs and some of the programs listed above which are old material, such as LimeWire, Kazaa, Napster and other peer to peer programs. The new programs are updated and much more efficient and faster.
What makes the new BT protocol unique is that it distributes the sharing of files across all users who have downloaded or are in the process of downloading a particular file. Bit Torrent breaks up and distributes files in hundreds of small chunks, so you don't even need to download the entire file before you start sharing. In other words, other individuals can grab what you have before it's even completely downloaded. That's really what makes this particular Bit Torrent type of program so fast.
Many of the traditional client/server downloading methods are different than the Bit Torrent programs. With Web browser software, the client simply tells the server, a central computer that holds the web page that you want to download, to transfer a copy to your computer. This transfer is handled by a protocol, or set of rules, called HTTP (Hypertext Transfer Protocol).
What really makes the peer to peer sharing process different from traditional downloading is that the Bit Torrent program has software that goes out and looks for other computers that have stored information of a particular type that you’re looking for. Your computer sends out a request for the particular file you want to download. To locate that file the software queries other computers that are connected to the Internet and running the file sharing software. The key there is that the program has to be connected to the Internet. When the software finds a computer that has a file you want, the hard drive download process automatically begins. Obviously, other people sharing the software can obtain files from your computer’s hard drive as well.
The file transfer load is distributed between the computers exchanging files, but file searches and transfers from your computer to others can cause a slowdown or bottleneck. This type of networking, Bit Torrent, is a very popular method for peer to peer file sharing. This software has been around since about 2006 when the primary purpose was to share music, digital books and movies.
You have to remember that simple file sharing is different than Bit Torrent file sharing. It's technically different than simple peer to peer networks. Torrent network systems are not a publish-subscribe model; instead, Torrents are true peer to peer networking where the users themselves do the actual file serving. The programs encourage people to allow others to view the materials on their computers so the system works. Torrents can be sent amazingly fast.
Torrent sharing is really about something called swarming and tracking, where users download many small bits of a file from many different sources at once. This is why in some situations I see that the police did not actually have the entire file; they only have pieces. Swarming is defined as breaking large files up into smaller bits and sharing those bits across a swarm of dozens of linked users. Specific servers track the swarms when a request is made. While the swarms are in use, .torrent text files act as pointers during this process, helping users find the swarms and enforcing quality control on the shared files.
Why is all this important? Because federal and state courts need to make a determination as to whether or not a person is "intentionally" sharing the material via these programs. In federal court this could be the difference in a mandatory 5 years in prison or something much less.
The origin of your investigation
Most of these investigations start on the local level such as the Sheriff's Department, Child Abuse centers, the State police, etc. However, many times they originate on the federal level. Just like the state level, the federal government has various investigative units in different agencies such as the FBI, Homeland Security, ICE, Secret Service, etc. Most of the local units are in the County police systems. Many of the small counties utilize the Sheriff's Department.
Technically, what happens is that these investigators will continually search using these sharing programs to see if you have materials on your computer. From my knowledge and experience there are typical search words such as "teen, preteen, PT, etc". I won't get into more detail at this time.
Here is a link to a good article from the Washington Post.
After these investigators send out requests via these programs to other computers, they will get back many results. Sometimes the results are incomplete because people tried to turn off the file sharing program quickly. I've noticed over the last decade or so people have become much more adept at understanding how these peer to peer programs work. So what they will do is use it and try to turn it off so no one can detect that they are requesting this material from other parties.
Once the detective is able to locate material on other hard drives and the parties appear to be local, in other words if you live in Maryland and not France, they will watch to see whether or not it occurs again. At that point in time what they will do is request a search warrant for the IP address from Verizon or Comcast or some company similar, and obtain your physical address.
But what’s important here is what they obtained from the initial download.
In your particular situation this detective requested a search warrant to search your home or property based upon the following rendition he gave to the court.
He alleges that he began conducting an online investigation on the Bit Torrent network for offenders sharing child pornography. They focused on a particular IP address, assuming it was yours but we will verify, because the torrent referenced 1 file identified as being of interest to child pornography investigations. These detectives have a list of known info related to existing CP.
The detective avers that they connected directly to your IP address. They indicated that the computer successfully reported that your IP address was in possession of 1 file of the torrent of known CP. The detective avers that he was able to compare this torrent to other identical Torrents contained in their investigative library. In other words, they are saying that these numbers are the same as known past CP they have seen.
So, as I discussed with you in the office, my thought process is that I can see from the search warrant that they actually did not see the videos that they downloaded from you. They are simply comparing the numbers that they have to past child pornography.
This is why at some point in time we will need to have our investigator do a full report to see if their numbers and possibilities match.
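
To make the "numbers" concrete, the following is an added illustration, not part of the letter or of any agency's tooling. It shows how a torrent's info hash is derived from its metadata and how individual pieces are verified, which is why matching an info hash is a different question from how much of the file a computer actually held. The file name, data, piece size and peer contents are all constructed for the example.

```python
import hashlib

PIECE_LEN = 16  # constructed; real torrents use much larger pieces

def bencode(obj):
    """Minimal bencoder for the types a .torrent metainfo file uses."""
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode()
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        items = sorted((k.encode() if isinstance(k, str) else k, v) for k, v in obj.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError(type(obj))

def make_info(name, data):
    """Build the 'info' dictionary: name, length, and one SHA-1 per piece."""
    pieces = b"".join(hashlib.sha1(data[i:i + PIECE_LEN]).digest()
                      for i in range(0, len(data), PIECE_LEN))
    return {"name": name, "length": len(data), "piece length": PIECE_LEN, "pieces": pieces}

def info_hash(info):
    """The info hash is SHA-1 over the bencoded info dictionary (metadata only)."""
    return hashlib.sha1(bencode(info)).hexdigest()

def verified_pieces(info, held):
    """Indexes of pieces in `held` ({index: bytes}) whose SHA-1 matches the torrent."""
    want = info["pieces"]
    return sorted(i for i, chunk in held.items()
                  if hashlib.sha1(chunk).digest() == want[20 * i:20 * i + 20])

def completion(info, held):
    """Fraction of the torrent's pieces that are present and verified."""
    total = -(-info["length"] // info["piece length"])  # ceiling division
    return len(verified_pieces(info, held)) / total

# Constructed sample: a 64-byte "file" split into 4 pieces.
DATA = bytes(range(64))
INFO = make_info("sample.bin", DATA)
# Constructed peer: in the swarm for this info hash, holding one good piece
# (index 1) and one piece (index 2) whose bytes do not match the torrent.
PEER = {1: DATA[16:32], 2: b"\x00" * 16}
```

Here the peer is associated with the torrent's info hash, yet `completion(INFO, PEER)` shows only one of four pieces is verifiably present; a forensic report would need the per-piece picture, not just the hash match.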