How an abused child was located and rescued using obscure clues
A few years ago I wrote about the extreme security practices of the YardBird child abuse media trading group. The security rules they developed and, for the most part, followed enabled a significant portion of the group to evade capture even though they were thoroughly penetrated by law enforcement who passively collected data for about a year.
This post is not going to examine the security procedures they used, but rather look at the investigative work that police conducted in order to rescue one child who was being abused. I will state up front that I do not know if the media documenting her abuse was available via other channels or exclusively to the YardBird group. Also, I will admit that I am not entirely sure that this investigation is related to the YardBird group, although it seems to be an exact match. Finally, given the nature of this crime, I will not be providing any suggestions on mitigations to protect against these investigative techniques.
Anyone who would learn from a decade-old investigation did so long ago, and anyone else is unlikely to use this post as a guide.
The affidavit is here: http://media.timesfreepress.com/docs/2009/03/Husky_Complaint.pdf
And an unredacted version is here (warning, significantly more disturbing): http://www.northwestgeorgianews.com/affidavit-in-bart-huskey-child-porn-case/article_89a08ef4-b5d7-5f94-9fb6-48208ee12e9e.html
Probably linked to YardBird
There are a few things which stand out in the description of the group which I think sound remarkably similar to the YardBird group. In particular, the use of Usenet, the procedure to join the group, and the security rules governing members' actions. The original investigation was conducted by the Australian police, which also matches the YardBird investigation.
The police have nothing but the content of the pictures to go on. Somehow, they link the location of the abuse victim to the state of Georgia in the US. Fortunately, the press filled in the details of the process that the investigators followed. Analyzing the complaint, affidavit and article allows us to extract the critical elements which were used to locate the abuser and rescue the child victim.
At each step remember that the police are constructing a sieve that they can pass data through which narrows down the potential suspects. They have only the content of the media produced by the abuser, and he took security precautions to protect himself (wearing a mask, pixelation, staying out of frame, etc.). Essentially, the only data available to the police is the background content of the videos and images. With persistence and the assistance of experts on very mundane items, it is enough.
The Investigation Process: Track One
To start with, the investigators know that the abuser and the victim are somewhere in the US. That narrows the potential pool of suspects, but clearly they need a much more specific sieve to locate and rescue the child.
The Blue Ribbon
The first significant data point is a blue ribbon visible on a wall. The image is enhanced and manipulated to clarify it. The words “It’s a boy!” are visible. Clearly this is an item given to a new mother. Using their resources the police locate the manufacturer of the ribbon, which provides their customer list: hospitals and florists in the 17 south eastern states.
Selector: 17 South Eastern States
One sequence of abuse images was produced in a hotel room. The police use the extremely limited number of unique identifiers visible in the images to attempt to identify which hotel, first determining the hotel chain and, if possible, the room. Given how generic and bland most hotel rooms are anyway, plus the limited views available in the images, this is a daunting task.
During the course of the investigation the police gain access to someone who works at a fabrics company. This person is an expert on fabric and provides crucial information about some of the content visible — the fabric.
The photos show the hotel room’s bed linen and drapes. The fabric expert is able to identify the hotel chain via their bed linen — The Jameson Inn. This gives the investigators another data point from which to build their sieve.
Selector: The Jameson Inn
Additionally the hotel chain only used that bed sheet in South Carolina and two locations in Georgia — Carrollton and LaGrange.
Selector: Carrollton, Georgia
Selector: LaGrange, Georgia
The Artwork: “Inspired Hillsides”
In the background of one series of images from a hotel room a piece of artwork is visible. The painting is “Inspired Hillsides.” Police used a spreadsheet of all sales of the artwork and contacted the hotels in Georgia and South Carolina.
Selector: Inspired Hillsides
The Jameson Inn in Carrollton, Georgia, had purchased a print of “Inspired Hillsides.”
The series of images taken in the hotel was titled: “2007 [Victim is abused] July 21, 2007”
Police contacted the manager of the Carrollton Jameson Inn who confirmed that they had the print and the bed linen. The manager said that on July 21st 2007 a “kinda creepy guy” paid cash for a room. The room was registered to James Bartholomew Huskey of Highway 193, LaFayette, Georgia. He drove a white van.
The background content of the images provided sufficient data to identify a potential suspect:
- blue ribbon sold only in south eastern states
- bed linen and drapes used by a hotel chain
- only a few hotel properties in those states used those fabrics
- artwork was only present at one hotel property
- metadata provided timeframe during which the suspect stayed at the hotel
Additional content from the images and videos produces an additional sequence of selectors that identifies the same suspect. This is sufficient for a warrant.
Investigation Process: Track Two
This used the content produced when the victim was abused at home or in a car.
A series of images produced in a bedroom show a distinctive bed spread. The fabric expert identifies it as the product of a mail order company. The police contact the company, which produces a list of customers who purchased that bedsheet.
Selector: purchased bedsheet from mail order company
The Car: Sunburst Orange Aztek 2003–2005
In the background of some images the interior of a car is visible. Police extract the interior and show it to a car dealer who is able to positively identify the car as being a particular model, year, and paint job. Bear in mind that the police probably asked a lot of car dealers before they found one who could identify it.
With this information about the car they trawled through the sale logs of all vehicles and got a list of owners of this particular model and color.
Selector: Sunburst Orange Aztek 2003, 2004, 2005
The police correlate the bed sheet customers in Georgia with owners of a Sunburst Orange Aztek, which produces: Sherri Huskey of 193 Highway, LaFayette. They find her MySpace page which contains pictures of the inside of her home which match the background of some of the child abuse images.
Sherri’s husband is registered as owning a white van. They have a daughter whose name is the same as the victim.
In certain images the abuser had pixelated his face to obscure his identity. This pixelation obviously would leave certain traits still visible, primarily coloration (e.g. hair color, beard vs shaved, possibly eyeglasses, etc.). The police took the driver's license photo of the suspect and matched the picture against the pixelated images to see if there was any resemblance. There was.
What I find so interesting about this investigation is how law enforcement officers were able to extract clues from the background data of the images and use that to construct a series of lists of potential suspects. Those lists were correlated and the suspect was identified. I picture this style of investigation as essentially constructing a sieve that eliminates people who can’t be suspects, creating a smaller and smaller set of potential suspects until only one remains.
Appendix: It's YardBird
The group employs highly technical and advanced security measures to avoid law enforcement detection. Such techniques include, but are not limited to, password protection to the group’s pre-designated newsgroup where they conduct text postings (i.e. chat) with each other, PGP encryption of text and binary files, and the swapping of file extensions which subsequently must be re-swapped in order to successfully download a particular picture or movie file.
This individual identified a newsgroup titled “alt.anonymous.message” as the location where members of the group conduct/upload text postings to communicate with each other. At this same newsgroup location, members inform each other as to the location of where they have uploaded child pornography for members to go to download for their own personal collection. The child pornography binary files, either still pictures or video files, are never uploaded to the newsgroup reserved for text communications between members. The child pornography is uploaded to other innocuous newsgroup locations where members can go to download.
The group currently consists of approximately 48 members. There is a defined hierarchy or structure to the group and all members must abide by strictly enforced written security measures and standard operating procedures in order to retain their membership status. To become a member of the group, one must be invited in by an existing member, and must pass a timed written test to determine their knowledge of child pornography material (e.g. knowledge of the names of various child pornography series; must be able to describe a particular series in question, etc.). The test also serves as a measure to assess whether the interested party could be a law enforcement officer attempting to infiltrate the group. Members of the group are told to never provide their true identities to another member of the group. They are never to communicate with one another using traditional email, chat, Yahoo!, ICQ, or telephone. For the security of the group as a whole, their relationship with other members of the group is strictly cyber in nature. This way, if one of the members of the group is ever arrested by law enforcement, they cannot provide any identifying information to law enforcement on other members of the group.