CASE STUDY

BlackLight Helps Convict Child Pornography Criminal

Proving the User Had Knowledge of and Manipulated the Files

In 2013, the Saskatchewan Internet Child Exploitation (ICE) unit flagged an IP address for downloading child pornography. The IP address was traced to Marcel Cole Beuker, a 26-year-old experienced programmer who was very tech savvy. Police executed a search warrant and seized an iMac and a connected hard drive. BlackLight was used to examine the media.

At trial, Beuker testified that he did not know about the child pornography and claimed that someone else must have downloaded it or placed it on his system over a remote connection. It was left to the ICE unit to disprove his statements. In the end, Beuker was convicted of possessing 450 child pornography images and videos and sentenced to 18 months in prison.

BlackLight was critical in this investigation; its .fseventsd feature was used to illustrate how the files in question were manipulated on the digital media. Additionally, using tools including BlackLight, investigators were able to show that almost all of the communications originated from Beuker’s system, not from remote devices. Even more damning was ICE’s ability to prove Beuker had knowledge of the files in question. Beuker had installed programs to delete files from his hard drive and to provide notifications when downloads were complete. Beuker admitted that both of these programs would only execute with user permission.

While finding the evidence in this case was important, presenting the findings in court was equally important. A Sergeant in the ICE unit stated “what really did it for me was BlackLight allowed me to do in 2 days what it regularly took me 2 months to do back in 2013-15 with [other digital forensic software]. Not only did it help me interpret what I was looking at; it also created the report for me in an interface that a … judge could understand.” What became eminently clear from the .fseventsd data was the tactic Beuker employed when renaming child pornography files. As stated in Judge Scherman’s decision, “the Blacklight analysis showed that files within Danger Zone (Danger Zone is a DMG) were being manipulated in various ways including changing names.”

An explanation in Judge Scherman’s decision specifically mentioned metadata that is shown in BlackLight. Using com.apple.quarantine, BlackLight showed that the specific files in question were downloaded and quarantined, and that the existence of the files was acknowledged by the user before the download completed. This information positively showed Beuker’s knowledge of the files on his system.
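For examiners who want to read the raw attribute themselves, the following added example (not BlackLight's code and not part of the original case study) decodes a com.apple.quarantine value of the form `flags;hex_epoch;agent;event_uuid`. The flag names are an assumption based on how Apple's quarantine flags are commonly documented, and the sample values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Flag names as commonly documented for Apple's quarantine subsystem.
# Assumption of this example; the case study does not list them.
QTN_FLAGS = {0x0001: "DOWNLOAD", 0x0002: "SANDBOX",
             0x0004: "HARD", 0x0040: "USER_APPROVED"}

@dataclass
class QuarantineRecord:
    flags: int
    flag_names: List[str]
    unknown_bits: int              # bits set that this table does not name
    timestamp: Optional[datetime]  # when the agent quarantined the file (UTC)
    agent: str                     # application that wrote the attribute
    event_uuid: str                # may be empty

def parse_quarantine(value: str) -> QuarantineRecord:
    """Parse 'flags;hex_epoch;agent;event_uuid' from com.apple.quarantine."""
    parts = value.strip("\x00 \n").split(";")
    if len(parts) < 2:
        raise ValueError(f"not a quarantine value: {value!r}")
    parts += [""] * (4 - len(parts))   # tolerate values with missing fields
    flags = int(parts[0], 16)
    known, names = 0, []
    for bit, name in QTN_FLAGS.items():
        if flags & bit:
            names.append(name)
            known |= bit
    ts = None
    if parts[1]:
        # The second field is hex-encoded seconds since the Unix epoch.
        ts = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    return QuarantineRecord(flags, names, flags & ~known, ts, parts[2], parts[3])

# Constructed sample values (file names and contents are not from the case).
SAMPLES = {
    "sample_a.dmg": "0083;5a37a6c0;Safari;A1B2C3D4-0000-4000-8000-000000000001",
    "sample_b.zip": "00c1;5a37a6c0;Chrome;",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        rec = parse_quarantine(raw)
        print(f"{name}: agent={rec.agent} time={rec.timestamp} "
              f"flags={rec.flag_names} unknown=0x{rec.unknown_bits:04x}")
```

On a mounted image the raw value can be read with `xattr -p com.apple.quarantine <file>`; unnamed bits are reported rather than guessed so the examiner can document them as uninterpreted.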

Saskatoon Police Service did a remarkable job in bringing down a child pornography criminal. BlackLight aided in creating a picture of what happened on the system and how the user interacted with the files.

BlackLight was used to interpret the data and created a report a judge could understand.

Sergeant, Saskatchewan Internet Child Exploitation Unit

Main Takeaways:

  • Child Pornography possession cases require more than just the existence of files on the system.
  • Once a system is identified by IP address, analysis of the system should answer the questions of how the files arrived on the system and how the user interacted with the files.
  • BlackLight’s ability to parse macOS files and data was used to show that Beuker had knowledge of the files and interacted with them; they were manipulated in various ways, including the changing of file names.
  • Judge Scherman from the Queen’s Bench provided a well-written decision listing BlackLight® as the digital forensics tool to prove guilt.

Quick Facts

Features: 

Analyzing .fseventsd and com.apple.quarantine artifacts showing how a user interacted with files.

Problem Solved:

Analysis of macOS artifacts to interpret user actions on the system

Solution Provided:

BlackLight parsed macOS artifacts not parsed and displayed by other forensic tools.

Overall Results:

Using the macOS artifacts, evidence was provided during trial that the accused had knowledge of the files, and that they were not placed on the system by a remote user.
