Worst hiding spot ever: /NSFW/Nope/Don’t open/You were Warned/

Last Friday, a Michigan man named David Bartels was sentenced to five years in federal prison for “Possession of Child Pornography by a Person Employed by the Armed Forces Outside of the United States.” The unusual nature of the charge stems from the fact that Bartels bought and viewed the illegal material while working as a military contractor for Maytag Fuels at Naval Station Guantanamo Bay, Cuba.

Bartels had made some cursory efforts to cover his tracks, such as using the TOR browser. (This may sound simple enough, but according to the US government, only 12.3 percent of people charged with similar offenses used “the Dark Web” at all.) Bartels knew enough about tech to use Discord, Telegram, VLC, and Megasync to further his searches. And he had at least eight external USB hard drives or SSDs, plus laptops, an Apple iPad Mini, and a Samsung Galaxy Z Fold 3.

But for all his baseline technical knowledge, Bartels simultaneously showed little security awareness. He bought collections of child sex abuse material (CSAM) using PayPal, for instance. He received CSAM from other people who possessed his actual contact information. And he stored his contraband on a Western Digital 5TB hard drive under the astonishingly guilty-sounding folder hierarchy “https://arstechnica.com/NSFW/Nope/Don’t open/You were Warned/Deeper/.”

Not hard to catch

According to Bartels’ lawyer, authorities found Bartels in January 2023, after “a person he had received child porn from was caught by law enforcement. Apparently they were able to see who this individual had sent material to, one of which was Mr. Bartels.”

Captain Samuel White, who was the commanding officer at Guantanamo Bay at the time, approved a “command authorized search and seizure” of Bartels’ gear. As NCIS investigators grabbed his computing equipment, others sat Bartels down for some questioning. He cracked immediately, telling them that he had in fact owned the PayPal account, which had “been locked for at least one year,” and he admitted to buying CSAM while stationed on the base.

Forensic investigation showed that /NSFW/Nope/Don’t open/You were Warned/Deeper/ contained “41,026 images and videos.” When the hash values of these files were run against the main National Center for Missing and Exploited Children database, 285 “known victims” of CSAM were identified in 1,500 images and videos—including children who were under 12 at the time.

These “known victims,” now much older, can file restitution claims against people who view their abuse images. In Bartels’ case, 19 people did so, asking courts for a total of $151,500 from him. The judge gave them $63,000 instead—$3,000 apiece.

The forensic search of Bartels’ drives is also a good reminder of just how many traces people leave when doing anything on modern digital computing systems:

• Jump Lists. Windows creates “Jump Lists” that allow people to quickly access recently opened files. These Jump Lists, which had not been purged, showed that CSAM files from the 5TB hard drive had been opened on Bartels’ laptop.
• Browser data. Microsoft Edge had not been purged. Its “WebCachev01.dat” and “History” files likewise showed the laptop’s user accessing CSAM video files from the Western Digital drive.
• Registry data. This was further confirmed by data from the “USBSTOR” key in the Windows Registry, which identified a 5TB “WD Elements 2620 USB Device” as having been last connected to the laptop on December 31, 2022.
• Bookmarks. CSAM websites had been bookmarked within the TOR browser and stored in its “places.sqlite” file.
• Prefetch. The Windows Prefetch tool—meant to increase application load/run speed—also stores data on the last eight times each piece of software was run. The data was used by investigators to show exactly when Bartels had run tools like Megasync, Telegram, and VLC.

30 Comments