LimeWire expertise

FederalEvidence blog has a good post on United States v. Caldwell, __ F. 3d ___ (5th Cir.  October 26, 2009).

For those of us doing a lot of CP cases – LimeWire, one of several peer-to-peer file sharing programs, is increasingly found to be the method by which CP is received or transmitted.  Typically the prosecution calls a forensic computer examiner as an expert witness (although I notice the Navy is trying to short-circuit this by calling the duty NCIS agent to testify about computers).  Anyway, FEB notes the difficulty courts are having in deciding whether testimony about computers and/or software falls within [Mil. ]R. Evid. 701 (lay) or 702 (expert).

[T]he line between lay and expert testimony is very hard to discern. A closer question would have been raised in the case if an objection had been made at trial and review was under the less deferential abuse of discretion standard. The issue of lay versus expert testimony arises in other contexts, including on computer forensic testimony, as noted in these prior posts: Drawing The Line On Computer Forensic Expert And Lay Testimony (Part I); Drawing The Line On Computer Forensic Expert And Lay Testimony (Part II).

In Caldwell the defense didn’t object to a LimeWire employee’s testimony, so the standard of review was “plain error” which is the easiest of all standards for the prosecution to beat.

Of interest was the testimony of the LimeWire employee in issue.  When asked if someone else using LimeWire can send you a file you didn’t request he answered no.  That is superficially correct.  The idea being that the file was a CP related file and the person searched for it, knew it was CP, and had it downloaded.  However, the question presumes that the downloaded file was correctly named (in the visible part) or that there were not additional files added to the file downloaded.  I’ll give you an example.

A certain actress with the initials CZJ is an attractive woman.  People will search for and find some risque pictures of her on LimeWire (or Kazaa, BitTorrent, etc.).  Most of the time they will get risque pictures and nothing else.  However, every now and again the person is likely to get a series of pictures of CZJ where a CP image is tacked on the end of the series.  You won’t know this until you view all the series on or off line.  And remember, at this point the images are automatically downloaded to a default folder.  (This is no different than CP distribution via VHS.  When VHS was a popular video medium CP’ers would cut-and-paste a CP video five or ten minutes into a regular movie.  That’s done with DVD now.  That’s why law enforcement seize the home movies and DVDs.  They are looking for embedded CP videos.  The same can happen with a series of apparently legitimate images on the web.)  You don’t know you are getting CP images because all you know is the displayed name of the file is CZJ nude.  When there is CP attached there is usually an extended file name that is not visible/displayed unless you examine the properties of the image.  That extended name has the typical CP search terms in the extended, but not visible/displayed, file name.  That hidden extended name is done by CP’rs to help other CP’rs find the images.  But in  process the innocent searcher and retriever of some risque photos of CZJ can unknowingly end up with CP.  But ask anyone to believe that if you will . . .  (Caution:  Please don’t try this at home yourself.)

Courtesy of my favorite forensic computer examiner, Eric Lakes at CyberAgents, Inc., he pointed me to a couple of items about LimeWire and forensic examination problems.  For example, DCFL has itself found an issue with LimeWire.

Lewthwaite, Joseph, & Smith, Victoria, Limewire examinations, Digital Investigation 5 (2008) S96-S104.  The authors are employed at the Defense Cyber Crime Institute and DCFL.

Here is the important part of the article which shows that a non-expert/lay-person (read duty NCIS agent) might misinterpret and therefore wrongly testify that a client has been searching for CP in LimeWire.

image The issue comes up most frequently with clients who have been actively searching for adult P., and who think that’s all they are getting or likely to get.

Back to Caldwell.  If you get a situation where a non-forensic computer examiner is going to testify about LimeWire and CP, consider filing a Houser motion to exclude the testimony.