
Child Pornography Case Study 1:

Samuel Peterson's Actions:

- Discuss fees and determine the urgency of the forensic investigation with Mathew.
- Get court approval, if required, to start the investigation.

Information Gathering:
1. Collect and secure the disc duplicating machine from Mathew.
2. Acquire movie DVDs for Warner Brothers, Paramount Pictures and Universal Studios from Atlanta's market.
3. Acquire the child pornography DVD suspected to have been produced on the Atlanta branch office's disc duplicating machine.
4. Get the investigation report from the insurance company.
5. Get the inventory records from Mathew.
6. Get CCTV footage from Mathew, if available.
7. Get the shipping tracking records from Mathew's eBay account.

Preparing the Investigation:
1. Make an image of the disc duplicating machine's hard drives.
2. Make images of all the DVD discs acquired.
3. Make a copy of all records.
4. Build a forensics toolkit with the required tools.
5. Build an investigation team, if required.

Investigation & Analysis:
1. Analyze the movie DVDs burned on the disc duplicator and the child pornography DVD.
   a. Extract the Unique ID Field from the DVDs using the PxScan tool and a Plextor drive.
      i. The Unique ID Field identifies the drive that was used to write a DVD. It is defined in the ISO/IEC 23912 standard for recordable DVD media. [1]
      ii. The Unique ID Field is written in a specified area preceding the lead-in. Its size is 32 bytes for the manufacturer, 16 bytes for the serial number and 16 bytes for the model name. [1]
   b. Compare the Unique ID Field codes from the movie DVDs and the child pornography DVD.
   c. Does the code match the Dell disc duplicator's serial number and model?
2. Analyze the disc duplicating server's hard disk image.
   a. Try to recover deleted items on the hard disk using tools such as DMDE, Recuva, PhotoRec, etc.
   b. Search the drive for all .ISO files that were used to burn DVD copies.
   c. Examine the .ISO files: do they contain child pornographic content?
   d. Search the hard drive using keywords like child, naked child, sex, etc.
3. Check the eBay account that was used to sell the disc duplicating server.
   a. Get court approval to investigate with the help of eBay and the ISP.
      i. Who created the account? Was it Robert?
         1. Is the IP address of the machine used to create the account from a US domain or a Pakistan domain?
         2. What kind of machine and browser were used to create that account?
            a. Does Robert use the same?
4. Check the server's shipping tracking.
   a. From where was it shipped?

Generate a forensics report and deliver it to Mathew.

Testify in court as a forensics expert, if required.
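
How the comparison in steps 1a to 1c of the analysis could be scripted once the 64-byte Unique ID Field has been read from each disc (an added example, not part of the original case study). It assumes the three sub-fields are stored in the order listed above as NUL- or space-padded ASCII; the disc labels and field values are constructed samples.

```python
from collections import defaultdict
from typing import NamedTuple

# Sizes quoted in the case study; the field order is an assumption.
MANUFACTURER_LEN, SERIAL_LEN, MODEL_LEN = 32, 16, 16
FIELD_LEN = MANUFACTURER_LEN + SERIAL_LEN + MODEL_LEN  # 64 bytes


class DriveId(NamedTuple):
    manufacturer: str
    serial: str
    model: str


def _text(raw: bytes) -> str:
    # Assumption: ASCII text padded with NULs or spaces.
    return raw.rstrip(b"\x00 ").decode("ascii", errors="replace").strip()


def parse_unique_id(field: bytes) -> DriveId:
    """Split one raw Unique ID Field into its three sub-fields."""
    if len(field) != FIELD_LEN:
        raise ValueError(f"expected {FIELD_LEN} bytes, got {len(field)}")
    m_end = MANUFACTURER_LEN
    s_end = m_end + SERIAL_LEN
    return DriveId(_text(field[:m_end]), _text(field[m_end:s_end]),
                   _text(field[s_end:]))


def group_by_drive(dumps: dict) -> dict:
    """Map each distinct drive identity to the discs that carry it."""
    groups = defaultdict(list)
    for label, field in sorted(dumps.items()):
        groups[parse_unique_id(field)].append(label)
    return dict(groups)


def make_field(manufacturer: str, serial: str, model: str) -> bytes:
    """Build a constructed sample field for the demonstration."""
    return (manufacturer.encode().ljust(MANUFACTURER_LEN, b"\x00")
            + serial.encode().ljust(SERIAL_LEN, b" ")
            + model.encode().ljust(MODEL_LEN, b"\x00"))


# Constructed samples: hypothetical vendor, serial and model strings.
SAMPLE_DUMPS = {
    "movie_dvd_1": make_field("EXAMPLE-VENDOR", "SN-0001", "MODEL-A"),
    "movie_dvd_2": make_field("EXAMPLE-VENDOR", "SN-0002", "MODEL-A"),
    "suspect_dvd": make_field("EXAMPLE-VENDOR", "SN-0001", "MODEL-A"),
}

if __name__ == "__main__":
    for drive, discs in group_by_drive(SAMPLE_DUMPS).items():
        print(drive, "->", discs)
```

Discs that fall into the same group share a manufacturer, serial number and model, which is the match step 1c asks about.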
