An IP address was flagged in 2013 by the Saskatchewan Internet Child Exploitation (ICE) unit for downloading child pornography. The IP address was traced to Marcel Cole Beuker, a 26-year-old experienced programmer who was very tech savvy. Police executed a search warrant and seized an iMac and a connected hard drive. BlackLight was used to examine the media.
When it came time for trial, Beuker testified that he did not know about the child pornography and claimed that someone else must have downloaded it or placed it on his system over a remote connection. It was left to the ICE unit to disprove his statements. In the end, Beuker was convicted of possessing 450 child pornography images and videos and sentenced to 18 months in prison.
BlackLight was critical in this investigation; the .fseventsd feature was used to illustrate how the files in question were manipulated on the digital media. Additionally, using tools including BlackLight, investigators were able to show that almost all of the communications originated from Beuker’s system, not from remote devices. Even more damning was ICE’s ability to prove Beuker had knowledge of the files in question. Beuker had installed programs to delete files from his hard drive and to provide notifications when downloads were complete. Beuker admitted that both of these programs would execute only with user permission.
While finding the evidence in this case was important, of equal importance was presenting the findings in court. A sergeant in the ICE unit stated “what really did it for me was BlackLight allowed me to do in 2 days what it regularly took me 2 months to do back in 2013-15 with [other digital forensic software]. Not only did it help me interpret what I was looking at; it also created the report for me in an interface that a … judge could understand.” What became eminently clear from the .fseventsd data was the tactic Beuker employed when renaming child pornography files. As stated in Judge Sherman’s decision, “the Blacklight analysis showed that files within Danger Zone (Danger Zone is a DMG) were being manipulated in various ways including changing names.”
An explanation written in Judge Sherman’s decision specifically mentioned metadata that is shown in BlackLight. Using com.apple.quarantine, BlackLight showed that the specific files in question were downloaded and quarantined, and that the existence of the files was acknowledged by the user before the download completed. This information positively showed Beuker’s knowledge of the files on his system.
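To make the com.apple.quarantine metadata concrete, the following added example (not BlackLight's code and not from the case record) parses the attribute's semicolon-separated value into flags, download time, downloading application and event identifier. The flag-bit names are an assumption taken from publicly documented values, and the sample strings are constructed.

```python
from datetime import datetime, timezone

# Flag bits: assumed from publicly documented quarantine flag values.
FLAG_BITS = {
    0x0001: "download",
    0x0002: "sandbox",
    0x0004: "hard",
    0x0040: "user_approved",
}


def parse_quarantine(value):
    """Parse 'flags;hex_epoch;agent;event_uuid'; absent fields become None."""
    if isinstance(value, bytes):
        # Raw xattr bytes may carry a trailing NUL.
        value = value.rstrip(b"\x00").decode("utf-8", "replace")
    parts = value.strip().split(";")
    parts += [""] * (4 - len(parts))
    flags_hex, ts_hex, agent, event_id = parts[:4]
    try:
        flags = int(flags_hex, 16)
    except ValueError:
        raise ValueError(f"not a quarantine value: {value!r}") from None
    ts = None
    if ts_hex:
        try:
            # Second field is hex-encoded seconds since the Unix epoch.
            ts = datetime.fromtimestamp(int(ts_hex, 16), tz=timezone.utc)
        except (ValueError, OverflowError, OSError):
            ts = None  # keep the record, flag the timestamp as unreadable
    return {
        "flags": flags,
        "flag_names": [n for b, n in FLAG_BITS.items() if flags & b],
        "timestamp_utc": ts,
        "agent": agent or None,
        "event_id": event_id or None,
    }


# Constructed sample values, not taken from the case.
SAMPLES = [
    "0081;52a1b2c3;Safari;1A2B3C4D-0000-4000-8000-123456789ABC",
    b"00c1;52a1b2c3;Google Chrome;\x00",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_quarantine(sample))
```
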
Saskatoon Police Service did a remarkable job in bringing down a child pornography criminal. BlackLight aided in creating a picture of what happened on the system and how the user interacted with the files.
Analyzing .fseventsd and com.apple.quarantine artifacts showing how a user interacted with files.
Analysis of macOS artifacts to interpret user actions on the system
BlackLight parsed macOS artifacts not parsed and displayed by other forensic tools.
Using the macOS artifacts, evidence was provided during trial that the accused had knowledge of the files, and that they were not placed on the system by a remote user.