Proving the User Had Knowledge of and Manipulated the Files

In 2013, the Saskatchewan Internet Child Exploitation (ICE) unit flagged an IP address for downloading child pornography. The IP address was traced to Marcel Cole Beuker, a 26-year-old experienced programmer who was very tech-savvy. Police executed a search warrant and seized an iMac and a connected hard drive. Cellebrite Inspector was used to examine the media.

At trial, Beuker testified that he did not know about the child pornography and claimed that someone else must have downloaded it or placed it on his system over a remote connection. It was left to the ICE unit to disprove his statements. In the end, Beuker was convicted of possessing 450 child pornography images and videos and sentenced to 18 months in prison.

Cellebrite Inspector was critical in this investigation; the .fseventsd feature was used to illustrate how the files in question were manipulated on the digital media. Additionally, using tools including Cellebrite Inspector, investigators were able to show that almost all of the communications originated from Beuker’s system, not from remote devices.

Even more damning was ICE’s ability to prove Beuker had knowledge of the files in question. Beuker installed programs to delete files from his hard drive and to provide notifications when downloads were complete. Beuker admitted that both of these programs would only execute with user permission.

While finding the evidence in this case was important, presenting the findings in court was equally important. A Sergeant in the ICE unit stated, “what really did it for me was Cellebrite Inspector allowed me to do in 2 days what it regularly took me 2 months to do back in 2013-15 with [other digital forensic software]. Not only did it help me interpret what I was looking at; it also created the report for me in an interface that a … the judge could understand.”

What became eminently clear from the .fseventsd was the tactic employed by Beuker when renaming child pornography files. As stated in Judge Scherman’s decision, “the Cellebrite Inspector analysis showed that files within Danger Zone (Danger Zone is a DMG) were being manipulated in various ways including changing names.”

An explanation written in Judge Scherman’s decision specifically mentioned metadata that is shown in Cellebrite Inspector. Using com.apple.quarantine, Cellebrite Inspector showed that the specific files in question were downloaded and quarantined, and that the existence of the files was acknowledged by the user before the download completed. This information positively showed Beuker’s knowledge of the files on his system.
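How a com.apple.quarantine value of the kind referenced above can be decoded, as an added example that is not from the original page, the court decision, or Cellebrite. The sample value is constructed, and the field layout (hex flags; hex Unix timestamp; agent name; event UUID) and the flag-bit names follow commonly published descriptions of the attribute and are assumptions here.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Flag bits as commonly published for the quarantine attribute (assumption,
# not taken from the page or from any vendor tool).
QTN_FLAGS = {0x0001: "DOWNLOAD", 0x0002: "SANDBOX", 0x0004: "HARD",
             0x0040: "USER_APPROVED"}

@dataclass
class QuarantineRecord:
    flags: int
    flag_names: List[str]
    timestamp: Optional[datetime]   # UTC; None when the field is empty
    agent: str                      # application that wrote the attribute
    event_uuid: str                 # event identifier (UUID), may be empty

def parse_quarantine(raw: str) -> QuarantineRecord:
    """Decode 'flags;hex_epoch;agent;uuid' (assumed layout)."""
    fields = raw.strip().rstrip("\x00").split(";")
    if len(fields) < 2 or len(fields) > 4:
        raise ValueError(f"unexpected field count: {len(fields)}")
    fields += [""] * (4 - len(fields))      # agent and UUID may be absent
    flags = int(fields[0], 16)              # ValueError on non-hex input
    names = [n for bit, n in sorted(QTN_FLAGS.items()) if flags & bit]
    unknown = flags & ~sum(QTN_FLAGS)
    if unknown:
        # Report undocumented bits instead of silently dropping them.
        names.append(f"UNKNOWN(0x{unknown:04x})")
    ts = None
    if fields[1]:
        ts = datetime.fromtimestamp(int(fields[1], 16), tz=timezone.utc)
    return QuarantineRecord(flags, names, ts, fields[2], fields[3])

# Constructed sample value, not evidence from any case.
SAMPLE = "0043;5f000000;Safari;00000000-0000-0000-0000-000000000000"

if __name__ == "__main__":
    rec = parse_quarantine(SAMPLE)
    print(rec.timestamp.isoformat(), rec.agent, rec.flag_names)
```

On a macOS volume the raw value is read from the file's extended attributes; here it is passed in as a string so the parsing can be checked offline.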

Saskatoon Police Service did a remarkable job of bringing down a child pornography criminal. Cellebrite Inspector aided in creating a picture of what happened on the system and how the user interacted with the files.

“Cellebrite Inspector was used to interpret the data and created a report a judge could understand.” -Sergeant, Saskatchewan Internet Child Exploitation Unit 


Main Takeaways:

  • Child pornography possession cases require more than just the existence of files on the system.

  • Once a system is identified by IP address, analysis of the system should answer the questions of how the files arrived on the system and how the user interacted with the files.

  • Cellebrite Inspector’s ability to parse macOS files and data was used to show Beuker had knowledge of the files and interacted with them; they were manipulated in various ways, including the changing of file names.

  • Judge Scherman from the Queen’s Bench provided a well-written decision listing Cellebrite Inspector as the digital forensics tool to prove guilt.

Quick Facts

Features: 

Analyzing .fseventsd and com.apple.quarantine artifacts showing how a user interacted with files.

Problem Solved:

Analysis of macOS artifacts to interpret user actions on the system

Solution Provided:

Cellebrite Inspector parsed macOS artifacts not parsed and displayed by other forensic tools.

Overall Results:

Using the macOS artifacts, evidence was provided during the trial that the accused had knowledge of the files, and they were not placed on the system by a remote user.
