ICAC is a national network of 61 coordinated task forces, representing over 5,400 federal, state, and local law enforcement and prosecutorial agencies. The primary objective of the ICAC program is to investigate, prosecute, and develop effective responses to internet crimes against children.
The NW Regional ICAC Conference is an annual event that brings together professionals from law enforcement, prosecution, and child protection agencies to share knowledge and best practices in the fight against internet crimes against children. This year’s conference will feature a wide range of presentations and workshops on topics such as digital forensics, online safety education, and investigation management.
Case Closed Software is dedicated to providing innovative solutions that help law enforcement agencies streamline their investigative processes and improve collaboration. Their software automates the triage of CyberTips from the National Center for Missing & Exploited Children (NCMEC) and includes powerful functionality for multi-jurisdictional investigation case management.
CyberTips are produced through the NCMEC CyberTipline, the nation’s centralized reporting system for the online exploitation of children. When a tip is submitted to the CyberTipline, NCMEC staff review each tip and work to find a potential location for the incident reported. The CyberTip is then made available to the appropriate law enforcement agency for possible investigation. Without the software from Case Closed Software, the process of managing and triaging these CyberTips is typically slow and costly.
By sponsoring the NW Regional ICAC Conference, Case Closed Software reaffirms its commitment to supporting the important work done by ICAC task forces across the country.
“We are thrilled to be sponsoring the 2023 NW Regional ICAC Conference,” said Douglas Wood, CEO of Case Closed Software. “This conference plays a crucial role in fostering collaboration and knowledge sharing among professionals working to protect children from online exploitation.”
Law enforcement agencies attending the conference will have the opportunity to learn more about Case Closed Software’s suite of CyberTips Triage and investigative case management solutions at their booth in the exhibition hall. Representatives from Case Closed Software will be available to provide live demonstrations and answer any questions about their software.
For more information about Case Closed Software and their suite of investigative case management solutions, please visit www.caseclosedsoftware.com.
March 23, 2023 (Austin, TX) We are proud to announce that Case Closed Software™ has achieved TX-RAMP Certification, a prestigious recognition that demonstrates our commitment to providing secure and reliable software solutions for our clients.
The Texas Risk Assessment and Mitigation Program (TX-RAMP) certification is awarded to companies that have met strict security standards and have implemented robust risk assessment and mitigation processes. This certification recognizes our dedication to providing our clients with the highest level of security and reliability in our software solutions.
At Case Closed Software, we understand the importance of protecting sensitive data and confidential information. That’s why we have invested heavily in developing a secure software platform that meets the rigorous security standards required by TX-RAMP certification.
We believe that this certification is a testament to our commitment to providing our clients with the best possible software solutions while maintaining the highest level of security and reliability. We are proud to have achieved this certification and look forward to continuing to provide our clients with the best possible service.
The project arose out of a need for a sophisticated tool to help the multi-jurisdictional ICAC unit effectively triage and investigate criminal activity involving child sexual abuse materials (CSAM). In particular, we needed to come up with an investigation tool that would work around evolving laws and The Wilson Ruling of 2021.
NCMEC then creates and distributes CyberTips to appropriate law enforcement agencies and specially-trained agents.
The Anatomy of a NCMEC CyberTip for ICAC Units
Without getting too granular, a CyberTip is made up of several sections. There’s a front page, and Sections A through D. The front page will contain the date it was received, its assigned report number, and an executive summary. The executive summary will say what type of incident the report refers to, such as “Apparent Child Pornography”, and the number of files that were uploaded.
The first section of a CyberTip, Section A, has information about the reporting agency – Google, Facebook, TikTok and so on. It will also include a brief incident description, the time of the incident, the webpage involved, and the email, username, and IP address of the person reported.
Spoiler Alert… Here’s a key to The Wilson Ruling: For each file, this section says whether the reporting ESP actually viewed the file and whether the file was publicly available. We’re going to come back to this shortly.
Section B is geolocation information for the offending IP address given in the report. This helps NCMEC know which ICAC Task Force should get the tip. The ISP who owns or controls the IP address will also be listed.
Section C is for any additional information and may reference other CyberTips that are associated with the same username or IP address.
Here’s another key point related to The Wilson Ruling. The images or videos associated with the CyberTip are provided to the appropriate agency along with a PDF report, but they are NOT shown in the body of the report.
Why the CyberTip Matters
The point of describing the CyberTip here is to reinforce just how much unstructured data each one contains, and to foreshadow some of the pain points that ICAC teams experience in getting these CyberTips triaged.
That’s a significant component of the partnership that Case Closed Software has developed with San Diego Police Department… how to manage, de-conflict, and triage the overwhelming volume of CyberTips that each ICAC task force or investigator receives.
The other significant component of what we’ve worked on together from a technology perspective is related to how courts have applied Fourth Amendment doctrines to CSAM investigations. The Fourth Amendment, of course, is an important piece of our Bill of Rights and is supposed to protect all of us from unreasonable searches and seizures by the government.
The ICAC Investigation into Luke Noel Wilson
Let’s look at The Wilson Ruling of 2021. This came out of the court’s application of the Fourth Amendment in the case of defendant Luke Noel Wilson who, in June 2015, attached several images containing CSAM to an email on his Gmail account. Google’s screening system – which scans uploaded images and checks for identical matches in a database of confirmed CSAM – immediately flagged Wilson’s attachments as “apparent child pornography”.
Without having an employee review the attachments first, Google’s system then sent an automated report to NCMEC that included the images. As is standard policy for ESPs, the report contained information about the date and time Wilson uploaded the images, along with his email address, login information, and the IP address of the device he used to upload the images.
NCMEC subsequently forwarded the report to local law enforcement – in this case, the fine team at San Diego ICAC – where an agent reviewed the NCMEC CyberTip and inspected each of the images, confirming that they were indeed CSAM.
Relying on Google’s report and his personal observations, the agent then applied for – and obtained – a search warrant for Wilson’s email account. The agent’s affidavit accompanying the search warrant request included descriptions of the images but didn’t specifically contain any mention of matching hash values, nor any description of Google’s screening process for CSAM.
When, with search warrant in hand, the agent searched Wilson’s email account, he discovered several email exchanges in which Wilson received and sent CSAM and additionally offered to pay a woman to molest and exploit children.
Law enforcement then obtained a search warrant for Wilson’s residence and vehicle, where they discovered devices containing thousands of images of CSAM, including the original four attachments. Assisting agents noticed Wilson’s alleged attempt to throw a backpack over his balcony; the backpack was found to contain a thumb drive full of additional child sexual abuse materials.
It was later estimated that Wilson possessed 500 videos and 11,000 images of child sexual abuse, and – a few months later – he was arrested and charged with Distribution and Possession of Child Sexual Abuse Materials.
Wilson was convicted and sentenced to 45 years in prison.
So, this seems at this point like a fairly standard ICAC case. What then happened that fundamentally changed the way ICAC units operated to triage and investigate CyberTips?
The Motion to Suppress
After his trial, Wilson filed a motion to suppress the four original attachments (the ones included in the original CyberTip) AND all evidence subsequently seized from his email account and residence, arguing that San Diego ICAC’s initial review of his attachments was a warrantless search in violation of the Fourth Amendment.
The District Court denied his motion, however, reasoning that the government does not perform a ‘search’ within the context of the Fourth Amendment when it inspects something that is ‘virtually certain’ to contain contraband.
Wilson subsequently appealed that decision to the Ninth Circuit, which reversed the lower court’s decision, concluding that the agent’s viewing of the attachments violated Wilson’s 4th Amendment rights and rejecting the position that there was ‘virtual certainty’.
Basically, the Ninth Circuit said that Google’s initial report specified only the ‘general’ age of the child and the ‘general’ nature of the acts shown, and that the attachments had not been viewed by any Google employee.
By viewing the four attachments without a search warrant, therefore, the higher court concluded that law enforcement unlawfully obtained new, critical information, and then used that new information to obtain warrants to search Wilson’s home and email account.
Of key importance in the ruling was the assessment that, even though Google employees viewed images identical to Wilson’s to create Google’s database of suspected CSAM, they had not viewed the actual image itself.
By contrast, after viewing the images, law enforcement could describe “the number of minors depicted, their identity, the number of adults depicted alongside the minors, the setting, and the actual sexual acts depicted.” So, even though Google’s algorithm had flagged Wilson’s attachments, to a mathematical certainty, as “bit-for-bit” duplicates of images identified by its employees as CSAM within their database, Wilson’s motion to suppress was granted.
The fallout from this ruling has been tremendous for ICAC Task Forces. How are ICAC units and their respective affiliates supposed to expeditiously review, triage, and investigate a massive and growing number of CyberTips while tip-toeing around an individual’s 4th Amendment rights?
Last year, San Diego ICAC approached Case Closed Software™ with this exact set of problems and we began work on a tool designed to systematically process CyberTips – one that automates what is currently a time-consuming chain of events.
The Trouble with Triage
For most ICAC Units, individual CyberTips must be downloaded as zip files via NCMEC or IDS. Those zip files contain PDF files with unstructured text that lists:
• Reporting Agencies
• Email Addresses
• Telephone Numbers
• IP Addresses
• Hash Values
• Physical Addresses
• Sender IDs
• Recipient IDs
• Suspect Names
• Victim Names
• … and much more.
Triage administrators must:
• Download each CyberTip locally
• Unzip the file
• Begin the long process of connecting those data elements into a single view to determine solvability
• And then assign the CyberTip to an investigator – internal or affiliate.
Oh, and then do the same for the next CyberTip… and the next one… and the next one after that.
Problem Solving for ICAC
Working with San Diego ICAC, we created a tool that allows administrators to save CyberTips directly to a CJIS-compliant ‘black box’ server instead of downloading them locally. That black box contains proprietary logic that systematically opens those zip files, pulls all of those data elements from the PDFs, grabs all of the attachments and underlying hash values, and links them into a single interface for the administrator. Importantly, this process happens quickly and virtually eliminates the manual effort required today.
We have essentially created a unique, user-friendly system where investigators cannot view attachments until they purposely elect to.
They can see usernames, IP addresses, filenames, and an array of other information… but not the images. Images cannot be revealed until investigators have proper authority in compliance with the Wilson Ruling. It’s a simple but brilliant addition to the process that protects all parties.
Just to tie a bow around Mr. Wilson, he was eventually convicted of child molestation on the state side and sentenced to 25 years. He was subsequently charged and convicted of possession and distribution of CSAM on the federal side and received an additional ten years. He is where he should be, but his entire case was thrown into jeopardy when one agent viewed four files that one court felt violated his rights.
August 1, 2022 (San Diego, CA) The National Center for Missing and Exploited Children (NCMEC) is on the front lines of the fight against online crimes against children. Their ‘CyberTipline’ is the country’s centralized system for reporting the online exploitation of children.
According to NCMEC’s website, “Concerned individuals and organizations make reports of suspected online enticement of children for sexual acts, child sexual molestation, child sexual abuse material, child sex tourism, child sex trafficking, and unsolicited obscene materials sent to a child.”
In the United States, there are over 60 regional ICAC Task Force agencies representing almost 5,500 individual agencies.
Sergeant Garrick Nugent is commander of the San Diego ICAC Task Force. His task force consists of roughly 33 different agencies that endeavor to work together to investigate cybercrimes against children in San Diego, Imperial, and Riverside Counties. According to Nugent, most investigations begin with NCMEC, which contacts San Diego ICAC when it believes there’s a local case. These tips, referred to as CyberTips, number in the thousands each year for San Diego ICAC alone. And that number has risen consistently over the past five years.
“I truthfully believe there are more cases,” said Nugent in a 2020 interview with a CBS affiliate in San Diego. “I wish I could say we are (keeping up with the volume). We have both children and predators that are at home. They have unprecedented access to the internet. They’ve got lots and lots of time on their hands and therefore I think we’re seeing the increase as a result.”
Dealing With Growing Volume
With each CyberTip comes a host of investigation intelligence including perpetrator usernames, unique IP addresses, suspect information, Internet Service Provider details, and much more. CyberTips also include disturbing multimedia evidence of child sexual abuse materials (CSAM) that must be verified by the task force. Each CyberTip must be downloaded, opened, reviewed, verified, prioritized, and assigned to investigators who already maintain a full plate of cases to investigate. To say the problem is overwhelming is an understatement.
Since 2020, however, Nugent’s ICAC task force has worked in partnership with Texas-based Case Closed Software to develop innovative new systems designed to simplify and speed up the entire process of triaging and managing CyberTips.
The new system was implemented last year and now, according to Nugent, “greatly helps his ICAC task force to efficiently triage the NCMEC CyberTips and to control, direct, organize, review, and track our multi-agency investigations into child abuse and exploitation.”
Working Hand in Hand to Solve Problems
A quote from Nugent on Case Closed Software’s website states “This software is a must-have for ICAC units.”
Douglas Wood is the founder and CEO of Case Closed Software. According to Wood, his company has unique functionality to allow near-instant triage of CyberTips.
“As a result of our unique partnership with San Diego ICAC, users can simply save CyberTips to our CJIS-compliant cloud service, and moments later view all pertinent information for quick and effective triage”, says Wood. “They can then be assigned to any task force case agent who can use the ICAC investigation case management system to work more efficiently through investigations and prosecutions.”
The Crimes Against Children Conference
In a joint announcement, Case Closed Software and San Diego ICAC Task Force stated support for the upcoming 34th annual Crimes Against Children Conference (CACC) in Dallas, TX beginning August 8, 2022.
According to Case Closed Software, conference attendees will be able to see the ICAC task force software in action at the Exhibitor’s Hall. CACC is presented annually by the Dallas Children’s Advocacy Center and provides training to agencies in the fields of law enforcement, social work, child protective services, child advocacy, therapy, and medicine who work directly with child victims of crime.
(March 21, 2021) Because of The Exodus Road, using skilled operatives and anti-human trafficking case management software from Case Closed Software, a young woman is free today in India!
The Exodus Road uses trained, professional ‘search and rescue’ teams across the globe that work alongside national law enforcement partners to bring rescue to victims of human trafficking and arrests of their perpetrators.
In this particular case, The Exodus Road team in India coordinated with local police to bring freedom to Kaija (not her real name). She is out of danger now, safe at home where her ongoing needs will be assessed.
Her three traffickers have all been charged and await legal action.
The Exodus Road team has been working closely with the Case Closed anti-human trafficking investigation software for several months, and credits the software for making search and rescue missions easier to manage across their global jurisdictions.
About The Exodus Road
The Exodus Road is a 501c3 nonprofit, registered with the U.S. government. We believe that one of the unique functions we serve in this field is to gather as many people as possible “around the table” for the sake of bringing justice to the enslaved. Our staff and teams around the world represent a variety of religions and cultures, as do the survivors we serve.