4/23/2014

I’m too weak

I’m fascinated by her looks of infinite sadness, despite her fake smile. The face of this little girl is filled, eaten up by her two big brown eyes. I have her face on dozens of photos, taken under different angles. Sometimes she looks the objective, sometimes she stares into emptiness. The hardest is when her eyes dive into mine.

In every picture of her, a man’s sex. Close to her face, in her mouth or in her hands. Without being a doctor, I think she is five or six years old. I’m fully into a forensic assessment on child pornography photos.

I’m alone in my office, at home, door closed, with ban on disturbing me to my children. I hear them pass near the window laughing. It’s shining, it’s a beautiful weekend of spring. 

New photo, always of her. Her big eyes obsess me. Her little naked body seems so fragile that we want to protect her, to go through the screen to prevent this man from approaching her, from hurting her, from raping her. But I’m powerless to act, I can only watch and take notes for my report.

I’m ashamed of my weakness, of my reactions, of my sensibility. So many people work in difficult conditions : doctors, firemen, “gendarme”, policemen etc. But they help each other, talk to each other, shares, evacuates in words all of the horrors they are next to.

Me, I’m alone. I don’t have any training to manage what I feel, what I see. I’m a simple IT that help the justice. I only have this blog.

Next photo. It has been three hours now that, my brain is absorbing those photos, I’m inventorying them. I’m taking a break, closing my eyes. Why can’t I contain my tears ? I am a human being, I consider nothing that is human alien to me (https://en.wikipedia.org/wiki/Terence).
I’m a weakling.

I return to my investigations, a little apathetic. Nothing force me to spend as much time on each photo. I accelerate the visualization. Other girls, other faces, other ages, other men, so many positions.

It’s late, the night is advanced. I finish my report, I write the annexes, burn the DVDs. To make easier the reading of the paper report by the “OPJ”, court recorders and magistrates, I avoid illustrations, I reject them at the end of the report, enclosed.
I chose some photos among the most significant. I chose those where this children looks the camera with her big sad eyes, with in her mouth that man’s sex as large as her head.

I still have this picture in my head.
I’ve to manage my emotions.
Other experts are able to do that.
I’m too weak.

--------------------------------------
Translation by TearsOfSky.
Photo credit chilloutpoint.com

The original note is here: http://zythom.blogspot.fr/2013/09/je-suis-trop-faible.html

9/26/2013

The hospital complex

Assigned to (yet another) pedophilia case, I was given instructions to “provide [the examining magistrate] with a list of all e-mail addresses found on the hard drive belonging to sealed exhibit X.” 

“Stick to the assignment, the whole assignment, and nothing but the assignment,” my major professor had always told me.

After several hours of research with the help of specialized open source search tools, I was able to bring up a set of e-mails which I then proceeded to analyze: X had written to Y, whose response was copied to Z, etc. On my notepad, a communication network had begun to emerge...two, in fact. One contained exchanges which included certain pedophilia-themed e-mails; the other was a set of e-mails discussing medical topics.

Doctors? Involved in a pedophile ring? But then why the two separate networks?

I took a closer look at the dates of both the current and deleted files on the hard drive. Further analysis, assisted by police findings, revealed that the computer had begun its trajectory in a hospital and was then sold second-hand, eventually winding up in the possession of a pedophile. Of course, the data that had been deleted before the computer was sold was still on the hard drive.

I had almost included in my report people with no relation whatsoever to the case.

But what about “the assignment, the whole assignment, and nothing but the assignment?” Mine had been fairly clearly to provide a list of ALL e-mail addresses found on the hard drive.  

I consulted the examining magistrate, who left it up to me: follow the assignment strictly or go out on a limb and report my findings selectively.

So I took a risk and made the executive decision to include only the first set of e-mail addresses. The Outreau Affair never ceases to haunt.

Still, whenever I think back on it, I feel a shiver in my spine – perhaps from lingering perspiration.

--------------------------------------
Translation by Jennifer.
Photo credit Australian Childhood Fondation

The original note is here: http://zythom.blogspot.fr/2007/03/un-rseau-bien-hospitalier.html

7/31/2013

Filling up on pr0n

Doug's PC is full of pornographic pictures and movies. The problem is, this computer is sitting at a desk at the REKALL company for which Doug works. Well, it was sitting on this desk, because right now it sits on mine, under seal, while Doug and REKALL are arguing in court about wrongful termination.

But let us go back in time.

Doug works every day on his professional desktop computer, like many employees of the REKALL company. From time to time, he complains about how slow his PC has become, but don't we all... The fact is, his computer is not in its prime any more, and renewal investments seem to have a hard time reaching Doug. But today, his computer seems done for: he cannot make it run any more, or restart it. Therefore, he calls upon REKALL's IT service.

The IT service sends out a technician who witnesses the reality of the issue. After some magical passes, the technician notes that the hard drive is full, which causes the malfunction of the operating system. Some time later, the technician discovers the presence of a folder filled with pornographic files. This is the start of Doug's troubles with the REKALL company: preliminary interview, suspension, then termination.

All along the procedure, Doug denies that he downloaded or placed the pornographic files. The REKALL company does not believe a word of it, and everyone ends up before a judge.

A court expert is picked, and given the mission to analyze the hard drive, to find and list any pornographic files present on it and establish their origin. So here I am, with the computer assigned to Doug by REKALL sitting on my desk, neatly wrapped and sealed. That week end looks good...

I break the seal, unwrap the computer and start investigating.

My method is always the same: I record on a paper notebook every operation that I perform, I check for physical presence of all possible data storage devices (CD-ROMs in readers, USB keys, SSD drives, hard drivers, etc.), I take pictures before opening, record the presence of dust, the state of jumpers if any, the location of ribbon cables... In the present case, the technical file seems simple enough: a single hard drive is connected to the motherboard. I extract it, proceeding with caution.

Then I turn the computer on and inspect the BIOS settings, recording the shift between the computer clock and the phone company' speaking clock. A computer's BIOS can sometime reveal interesting clues. Here, nothing noticeable.

I connect the hard drive to my imaging PC, behind a write blocker. Then I carry out the image copy as such, as described here. My personal NAS takes the whole night to fill, bit by bit, with an image of about 500 GB, a faithful replica of the original hard drive. The morning after, I put the drive back into its original PC, but only after I have photographed it and recorded all its characteristics (serial number, make, model, etc.) on my small paper notebook. I promise, in a few years, I'll buy an inker, a Hughes nib and the dip pen from my childhood.

I analyze the content of the hard drive and, not surprisingly, I find a directory named "nvrzkflg" which contains several hundreds of gigabytes of pornographic pictures and movies. There I go, with my study's door closed, diving into what is indeed not a study about prostitution. I'm filling up on pr0n...

The files seem to be organized by theme, from the most classical to the most exotic, but some technical details get my attention. The general storage organization is rather curious, with one-character directory names. And videos are in every language, sometimes with subtitles, in every language too. I record this on my notepad.

After a few hours spent sorting files out, I set forth working on the origin of the files. Did Doug abuse his Internet access, knowing that anyway, Internet is for porn ?

I check the browsing clues left in the various caches located on the hard disk: nothing inappropriate. Granted, Doug did some personal shopping on online sites, but nothing related to my missions. I look for hints that compressed archived (zip, etc.) were extracted, typical of mass file manipulation, but there too, nothing conclusive: only documents from the REKALL company.

I then boot up the hard drive image in a virtual machine and start analyzing it with several up-to-date antivirus. Bingo! The machine is infected... A Google search informs me that the infector in question is a bot from a storage cloud. In other words, the infected PC's hard drive is linked to a group of other computers (control servers and other infected PCs) which form a great storage area at the disposal of one or more persons. In the present case, the storage area seems devoted to pornography.

To validate my hypothesis, I connect my sandbox, where the virtual machine is running, to the Internet, right after I've started a good network traffic analyzer.

I must say it was quite fascinating to see my little virtual machine being contacted from a computer which I traced back to Taiwan (certainly an infected machine too) and receiving commands to execute in order to get itself up to date and fill up on pr0n.

My report was clear (as always) on the question: Doug could be exonerated. Who was responsible for his disagreeable situation? The antivirus, ineffective and not up to date?

The IT service ? Luckily, I had not been asked that question. Anyway, since then, I keep a keener eye on antivirus updates in my company, and on suspicious behaviors in our computer equipment. In an engineering school, that is not always easy.

But above all, I never accuse a user just because of what I can find on his workstation.

--------------------------------------
Translation by Albert ARIBAUD, checked by PrometheeFeu (thx to Clem).
Photo credit stupiditiz.com

The original note is here: http://zythom.blogspot.fr/2012/04/le-plein-de-pr0n.html

9/29/2012

After death… Nothing. Only nothing.

The facts:
A woman was found hanged.
Her husband had been away than evening.
Based on the first evidence the investigators suggested that she had committed suicide.
The husband refuses to believe the conclusions and insists that his wife’s murder must have been concealed as a suicide. He submits as evidence the absence of letter from the victim though she used to spend much time on the computer.
Could it be that the computer would contain useful information that could steer the investigation in one direction or another?
The judge orders a forensic analysis of the computer.

Output from the forensic analysis:
In this type of assignment, what are we looking for? Documents? E-mails? Images?
I went through the entire content of the hard drive.
I read all e-mails, sent or received, archived or deleted.
I visited the whole browsing history.
I studied every picture, stored and deleted.
I read all documents whatever the format.
I queried for every possible relevant keyword.
I spent more than a hundred hours in her intimacy, until I knew her like a friend.
And yet….

Nothing. Only nothing.
Not a single reference to suicide.
Not a single reference to any enmity.
The computer was switched off ordinarily two hours before the death. And I cannot say by whom.

When I think of it I can still sense her presence, mocking my inability to reveal the truth. I feel the husband who asks me questions that I cannot answer. I can sense the judge who wishes he could read something else than “I did not find anything” from my inquiries report.

That’s much contact from people I’ve never met.

The conclusion:
I charged the court ten hours of work.
I never learned what became of this case (Court experts are never told, [Translator’s note: they are kicked out of the process as soon as they have delivered their report])
I often think of it: Suicide or murder?
What help am I if the computer only contains casual stuff?
Yet…

PS: Ages, genders and links between the characters have been changed. Only the story and my dissatisfaction remain. This woman’s life still haunts me. Her death as well.


This article echoes this second article that I have written in a different manner.

--------------------------------------
Translation by No One, checked by PrometheeFeu.
Photo credit unspeakable.org

The original note is here: http://zythom.blogspot.fr/2007/10/aprs-la-mort-le-nant.html

7/08/2012

Seeking the truth

I delve into the contents of a computer, looking for the truth. So far the woman who owns this computer seems to lead a normal life.

The analysis of her web browsing history reveals various interests: chat rooms about politics, cooking, children and sports. Online shopping websites are mixed in with local and national news websites. A few online dating sites could lead one to believe she was not fully satisfied by her marital life or more likely that she played with her erotic fantasies. I’m not a psychological expert.

Reading her emails seems more relevant : she’s got several webmail accounts besides the one furnished by her Internet service provider. Three accounts actually. The first one she uses to talk with her family and friends. The second one seems to be used only when buying online. The third one is the same as her Internet pseudonym.

She seems to lead a normal and happy life with the ups and downs everybody goes through.

There are also digital photos, neatly sorted by year or event. Among them I discover weddings, the children, the family, the holidays.

My mission requires me to look at every document, to read every email, to open every document. I am required to look for all deleted files, to reconstruct the whole recent activity of this woman.

According to her husband, only she used the family computer. She spent an hour a day on it, no more, except on Sundays when she could surf the web for several hours while her husband was tinkering in the garage or in the house, was gardening or repairing the car. She was a geek even before the word became fashionable.

Instant messaging conversations are often personal and written concisely as appropriate to the tool. They deal with the weather, everyday life, work or the moods of the moment…

As usual I don’t feel comfortable. I don’t like prying into somebody’s private life without their consent. It’s something I loathe doing. I like privacy and I like it to be respected.

However the mission I’ve been given requires me to look for the truth.

So I search the hard disk and I dig out an unbelievable quantity of piled, arrayed, stacked and deleted data. I find administrative mail, certificates and bank statements; emails of all kinds, spam, chain letters, jokes, Christmas invitations and confidential talks with friends of both genders.

It’s getting late. I’ve been working on this case for several weeks, a little bit longer every night. This woman is becoming less and less a stranger to me as I get to know her habits, verbal tics, emotions, phobias, passions and little ways… I’m tired and I start confusing Internet commands with dating websites pop-ups, spams for magic pills, party invitations and unpaid bills.

I’ve been looking for the truth, searching into her computer for more than a hundred hours.

I’m doing this to find out why this woman died, hanged, two hours after her computer was switched off.

I’m doing this so that her husband can find out, so that the investigating magistrate can find out, so that her children can find out.

So that I can find out whether her death was a suicide or a crime.

I never found out.


--------------------------------------------------
Translation by Clem, checked by PrometheeFeu.
Photo credit Koscum

The original note is here: http://zythom.blogspot.fr/2012/06/je-cherche-la-verite.html

8/30/2011

Just a Regular Weekend

She is dressed in colorful clothes and is running along a dirt road. Several people are running with her. The video quality is not very good. It is difficult to identify what the people are holding in their hands.

The videographer zooms in awkwardly.

The woman comes into focus before me, a simple viewer watching a computer screen, and I see that the people running with her are men, armed with machetes, chasing her.

One of them catches up to her and plants his machete into her skull.

The woman's eyes bulge as she as she falls, screaming. This video has no sound but her cry jumps out at me. The man iterates his gesture shattering her skull.

Pieces of brains scatter on the road, while the remaining pursuers catch up.

They laugh.

And I, despite my ten years of experience as a legal expert, I cry.

I endured this sequence while examining the contents of a hard drive kept under seal. As is customary, I was commissioned by the magistrate to analyze the hard drive in search of images and movies containing child pornography. And as usual, I view a large number of images and films, among which there are a large number of pornographic images and movies, of which some could be child porn... as well as this clip, probably filmed during the massacres in Rwanda.

And I have to carefully view each and every film and image to do my due diligence.

Those who think that violence on TV shows or movies trivializes real violence are making a mistake. A movie like "The Silence of the Lambs," "Hannibal," "Alien", or any other slasher movie, sends shivers up my spine, but everything is false. It is always "just a movie". Even when it is based on a true story, the viewer knows it is staged.

But when you sense it is true, that the images are real, it's very different. You are witnessing the violent death of a person and are not prepared. Can one even be prepared for such a thing? Even the first 20 minutes of "Saving Private Ryan" did not prepare me for that, though they shook me.

I quickly scanned over the rest of the video to make sure that no child pornography had been inserted in the middle of the massacre scenes. There was none and I found none elsewhere on that disk, just pornography. This video of massacres was in a file labelled with the name of a pornographic film.

But this scene will remain etched in my mind.

Prime Minister Michel Rocard said that "France cannot accommodate all the misery of the world, but we must learn to do our part". I certainly had my share for that weekend.

It was just a regular weekend for a small provincial court expert.

---------------------
Translation by P., checked by PrometheeFeu.
Photo credit darkroastedblend.com

The original note is here: http://zythom.blogspot.com/2009/09/un-petit-week-end.html

7/27/2011

Manon13

Manon is thirteen. She works well in school, where she has many friends. She plays, she laughs like many children her age.

Her parents love her, pay attention to her education, buy her things, but not all she asks. Well, she does have a cell phone like everyone else and a computer in her room. But they are careful not to let her have TV in her room.

Manon loves to chat with friends at night on her computer. She is internet savvy and knows all the stuff like lol, smileys and emoticons. She uses Windows Live Messenger to easily follow a dozen simultaneous conversations. She has a webcam she uses from time to time when her friends have one. Her nickname is manon13from31 because she was 13 and she lives in Haute-Garonne (31st french county), and it's funny because 31 is 13 backwards.

Manon also uses the Windows Mail system to send her friends all the texts she finds fun. Her father does not like that, he calls that "chain-mails", but she finds it so funny. And isn't it true: if you do not forward the email to 15 people, you might not know who is in love with you the next day. And that's too important to miss out on. Of course, the parents cannot understand, they are too old. Her love is for Killian. But he isn't quite ready to kiss her yet.

Manon subscribes to several websites: the one where you can play with virtual animals, the one where her friends discuss the latest celebrity gossip. And of course, Manon has a blog where she puts online photographs of herself and her friends. But she changes often, because her father does not like her publicizing her life on the internet. He does not want her to open a Facebook account, and she thinks that sucks because Cindy, the popular girl at school, already has one. She regularly creates a new blog with a new nickname: manon13_from31, manonfrom31_13, manonLOL1331, manonXX13_31 ... She even created a blog cindy13from31 where she put a photo of Bob in the pool. Bob is the dumbest guy of the school, haha.

One evening, Manon speaks with her friends on Messenger. For several weeks, she has been nibbling a few extra minutes from her parents who want her to go to bed early. Gradually, she managed to stay later, and now she is the last to disconnect. She is currently discussing with her new girlfriend Celia, who is really nice and who she has known for a month.

What Manon did not realize was that this girl is a boy. A 20 yr. old man.

What Manon did not realize was that every time she used her webcam, her "girlfriend" recorded sequences. It was a pity they couldn't chat live because "her girlfriend"'s webcam was always defective.
What Manon did not realize was that the sequence where she goofs around in her room in ridiculous pajamas had been recorded by "Celia".

And now the boy threatened her to put it on YouTube! He tunes in on his perfectly functioning webcam, and she hears him speak clearly. He tells her that if she does not do what he wants, he will broadcast the video on YouTube...

So she does what he asks.
And he records.
And he records himself.
And she has to watch.

What Manon did not realize was that a police officer would also look at the videos, and a court too.
What she did not realize was that a computer forensic expert would look at all the videos, even those "Celia" had deleted, every chat, and all her emails, and all her pictures, and all her blogs.

What she did not realize was that her parents would have to see all this as well.

In fact, Manon, 13, from 31, did not know much.
But now she feels wrong.

---------------------

Name, age and department have been changed.
Translation by P., checked by PrometheeFeu.

The original note is here: http://zythom.blogspot.com/2009/11/manon13.html
Photo credit: Series Cold Case .

Starting point

I am working occasionally as a computer forensic investigator.
Since 2006 I've been writing some stories on Zythom's french blog about French justice. 
I have decided to try my best to translate some of these stories into English.