Sensitive Crime Intake & Escalation

Purpose: Emergency procedures for handling child safety concerns, terrorism, human trafficking, and other sensitive crimes requiring immediate escalation to law enforcement or specialized agencies.


Table of Contents

  1. Overview
  2. Escalation Triggers
  3. Golden Rules
  4. Immediate Response Procedures
  5. Crime-Specific Protocols
  6. Escalation Contacts
  7. Evidence Preservation
  8. Investigator Safety
  9. Documentation Requirements
  10. Post-Escalation Procedures

Overview

When to Use This SOP

Immediate escalation required for:

  • Child Sexual Abuse Material (CSAM) or child exploitation
  • Imminent threat to life (suicide, violence, kidnapping)
  • Terrorism or national security threats (attack planning, extremist recruitment)
  • Human trafficking indicators (forced labor, sex trafficking)
  • Active violent crime (ongoing assault, active shooter)
  • Mass casualty planning (bombings, chemical attacks)

This SOP does NOT apply to:

  • Standard criminal activity (fraud, theft, drug sales) - continue normal investigation
  • Historical crimes with no ongoing threat - document and report through normal channels
  • Regulatory violations or civil matters - handle per organizational policy

Mandatory Reporting Laws:

  • United States: Federal law (18 U.S.C. § 2258A) requires reporting CSAM to NCMEC
  • European Union: GDPR Article 6(1)(d) permits processing for vital interests (life-threatening situations)
  • United Kingdom: Section 47 Modern Slavery Act 2015 requires reporting trafficking
  • Australia: Commonwealth Criminal Code Act 1995 (Division 474.22) CSAM reporting

Good Samaritan Provisions:

  • Reporting in good faith generally protected from liability
  • Privilege applies to mandatory reporters (varies by jurisdiction)
  • No duty to investigate beyond reasonable belief

Investigator Responsibilities

You MUST:

  • Stop active collection immediately upon discovering sensitive content
  • Escalate to appropriate authority within required timeframe (often <24 hours)
  • Preserve minimal evidence necessary for law enforcement action
  • Protect your own psychological safety (secondary trauma risk)
  • Document all actions taken during incident

You MUST NOT:

  • Download, view, or store illegal content (especially CSAM)
  • Continue investigation without law enforcement guidance
  • Share sensitive content with unauthorized persons
  • Delete evidence before law enforcement takes custody
  • Attempt to contact suspects or victims directly

Escalation Triggers

Tier 1: Immediate Escalation (Within 1 Hour)

Child Sexual Abuse Material (CSAM):

  • Images or videos depicting minors in sexually explicit situations
  • Grooming conversations with sexual intent toward minors
  • Distribution networks for child exploitation material
  • Live-streamed abuse or real-time exploitation

Imminent Threat to Life:

  • Credible suicide threats with means and timeline
  • Active violence or kidnapping in progress
  • Specific, credible threats against identifiable individuals
  • Medical emergency requiring immediate intervention

Active Terrorism:

  • Specific attack planning with date/time/location
  • Acquisition of weapons or explosives for attack
  • Real-time coordination of terrorist cell activities
  • Imminent threat to critical infrastructure

Emergency Contact:

  • US: 911 (local emergency), FBI tips.fbi.gov (terrorism)
  • US (CSAM): NCMEC CyberTipline 1-800-843-5678 or CyberTipline.org
  • UK: 999 (emergency), 101 (non-emergency), CEOP (child safety)
  • EU: 112 (emergency)

Tier 2: Urgent Escalation (Within 24 Hours)

Human Trafficking Indicators:

  • Evidence of forced labor or sexual exploitation
  • Movement of victims across borders or states
  • Control through debt bondage, threats, or violence
  • Recruitment or advertisement for trafficking purposes

Violent Extremism:

  • Radicalization and recruitment activities
  • Propaganda distribution for terrorist organizations
  • Financing of terrorist activities
  • Travel to conflict zones for extremist purposes

Child Endangerment:

  • Evidence of physical abuse or severe neglect
  • Exposure to dangerous situations or substances
  • Abandonment or missing children
  • Non-CSAM exploitation (labor, begging)

Contact:

  • US: National Human Trafficking Hotline 1-888-373-7888
  • US: FBI field office or tips.fbi.gov
  • UK: Modern Slavery Helpline 0800 0121 700
  • International: INTERPOL, Europol (via national contact points)

Tier 3: Standard Escalation (Within 72 Hours)

Serious Crime (Non-Imminent):

  • Historical CSAM distribution (no active abuse)
  • Completed violent crimes with ongoing investigation
  • Large-scale fraud or organized crime
  • Cyber attacks or data breaches affecting critical infrastructure

National Security Concerns:

  • Foreign intelligence activities
  • Espionage or classified information leaks
  • Cyber warfare or state-sponsored attacks
  • Export control violations (weapons, dual-use technology)

Contact:

  • US: FBI field office, IC3.gov (cybercrime), State Department
  • UK: National Crime Agency (NCA), GCHQ (cyber)
  • Follow organizational escalation chain

Golden Rules

Rule 1: DO NOT Possess Illegal Content

CSAM and Contraband:

  • NEVER download CSAM images or videos to your device
  • NEVER view CSAM content beyond what's necessary to identify it
  • NEVER create copies of illegal material (even for evidence purposes)
  • Legal risk: Possession is a felony (US: 18 U.S.C. § 2252, UK: Protection of Children Act 1978)

What you CAN collect:

  • URL/link to illegal content (do not click)
  • Screenshot of file listing or thumbnail (if no explicit content visible)
  • Metadata (filename, file size, hash, upload date)
  • Account information (username, profile, timestamps)
  • Text of conversations (grooming, planning, coordination)

Example:

✅ ALLOWED:
- URL: https://example.com/file/abc123.jpg (DO NOT OPEN)
- Filename: "IMG_2024_child.jpg"
- SHA-256: a1b2c3d4e5f6... (if already computed by platform)
- Account: @suspicious_user_123

❌ PROHIBITED:
- Downloading file to local disk
- Opening file to view content
- Taking screenshots of explicit imagery
- Sharing file with colleagues

Rule 2: Prioritize Life Safety

Imminent Harm Protocol:

  • If you believe someone is in immediate danger, call emergency services (911, 999, 112) FIRST
  • Provide dispatcher with:
    • Type of emergency (medical, violence, kidnapping)
    • Location (physical address if known, or last known location)
    • Description of victim and suspect (if applicable)
    • Your contact information
  • Then escalate internally per organizational policy

What constitutes "imminent"?

  • Specific threat with timeline (e.g., "tonight at 10 PM")
  • Ongoing violence or medical emergency
  • Credible suicide threat with means (e.g., "I have a gun, I'm going to end it")
  • Real-time tracking of victim in danger

What does NOT require immediate 911 call:

  • Historical events (abuse that occurred in the past)
  • General threats without specific timeline or target
  • Suicidal ideation without plan or means
  • Suspected trafficking without immediate harm

Rule 3: Stop Standard Collection

When escalation triggers are met:

  1. STOP all active collection activities immediately
  2. DO NOT continue investigating the sensitive matter
  3. DO NOT attempt to gather more evidence (law enforcement role)
  4. DO NOT engage with suspects or victims
  5. Record only minimal identifiers (URLs, usernames, timestamps)

Why stop?

  • Legal risk: Exceeding authorized scope, possessing illegal content
  • Evidentiary risk: Chain of custody issues, admissibility concerns
  • Safety risk: Alerting suspects, endangering victims
  • Psychological risk: Secondary trauma from prolonged exposure

What to do instead:

  • Preserve evidence you've already lawfully collected
  • Document your findings in escalation report
  • Transfer responsibility to law enforcement
  • Wait for law enforcement guidance before resuming

Rule 4: Document Everything

Required documentation:

  • Date/time of discovery (UTC + local timezone)
  • What you found (description without illegal content)
  • Where you found it (URL, platform, account)
  • What actions you took (preserved, escalated, stopped)
  • Who you escalated to (name, agency, contact info, reference number)
  • Any law enforcement instructions received

Use Escalation Report Template (see below)

Rule 5: Protect Yourself

Secondary Trauma Risk:

  • Viewing traumatic content (CSAM, violence, terrorism) causes psychological harm
  • Symptoms: intrusive thoughts, nightmares, anxiety, emotional numbness
  • Effects can be delayed (hours, days, weeks after exposure)

Immediate Self-Care:

  • Stop viewing traumatic content immediately
  • Take a break (walk, fresh air, talk to colleague)
  • Notify supervisor of exposure
  • Access Employee Assistance Program (EAP) or mental health resources

Organizational Support:

  • Mandatory debriefing after CSAM or violent content exposure
  • Access to licensed counselor/therapist
  • Rotation out of sensitive investigations (if needed)
  • Peer support groups for OSINT analysts

Immediate Response Procedures

Step 1: Recognize & Stop (0-5 Minutes)

Recognize escalation trigger:

  • Immediately identify content type (CSAM, terrorism, trafficking, etc.)
  • Assess imminence of threat (active danger vs. historical event)
  • Determine appropriate escalation tier (Tier 1/2/3)

Stop collection:

  • Close browser tabs or applications displaying sensitive content
  • Do NOT download, screenshot, or save illegal material
  • Pause automated collection scripts or tools
  • Step away from workstation if needed for psychological safety

Secure workstation:

  • Lock screen to prevent unauthorized viewing
  • Ensure no sensitive content visible to others
  • If working remotely, ensure privacy (no family members nearby)

Step 2: Initial Notification (5-15 Minutes)

Notify supervisor immediately:

Subject: URGENT - Escalation Required - [Case ID]

Supervisor,

I have encountered [CSAM / terrorism threat / human trafficking / imminent danger] during investigation of [brief case description].

Imminent threat assessment: [YES - life in danger / NO - historical or non-imminent]

I have stopped collection and am standing by for escalation guidance.

Case ID: [ID]
Discovery time: [UTC timestamp]
Platform/location: [URL or platform name - DO NOT include illegal links]

Awaiting instructions.

[Your Name]
[Contact: phone/email]

If imminent threat:

  • Call supervisor immediately (do not rely on email)
  • If supervisor unavailable, escalate to next in chain of command
  • If imminent life threat, call 911/999/112 FIRST, then notify supervisor

Step 3: Preserve Minimal Evidence (15-30 Minutes)

What to preserve:

For CSAM:

Platform: [e.g., Telegram, forum, file host]
Account/Username: [suspect account]
URL (DO NOT OPEN): [paste URL without clicking]
Filename(s): [if visible in file listing]
File size: [if visible]
Upload date/time: [if visible]
Context: [how you discovered it, e.g., "found in Telegram channel about CP trading"]
Hash (if available): [SHA-256 from platform, do not compute yourself]

For Terrorism:

Platform: [e.g., Twitter, encrypted chat, forum]
Account(s): [suspect accounts]
Threat description: [specific attack plan, timeline, target]
Imminence: [when is attack planned?]
Location: [target location if known]
Associated accounts: [co-conspirators, group members]
Evidence preserved: [screenshots of text only, URLs]

For Human Trafficking:

Platform: [e.g., classified ads, social media, dark web]
Victim details: [age, gender, location - if known]
Trafficker details: [account, contact info, location]
Evidence of control: [threats, debt bondage, movement restrictions]
Type: [labor trafficking, sex trafficking]
Evidence preserved: [screenshots, archived pages]

Preservation methods:

# Archive web page (HTML only, no images or other media)
# --page-requisites is left out because it would download inline images.
# TLS certificate checking stays enabled so the saved copy is tied to the real host.
wget --adjust-extension --convert-links \
--restrict-file-names=windows \
"https://example.com/page"

# OR use web archiving services (safer for sensitive content)
# Submit URL to: https://archive.is/ or https://web.archive.org/

# Calculate hash of URL (not file itself); printf avoids shells where "echo -n" prints "-n":
printf '%s' "https://example.com/illegal_file.jpg" | sha256sum
# Result: 5f8d... (use this as evidence identifier)

DO NOT:

  • Download files containing illegal content
  • Click on URLs leading to CSAM or extreme violence
  • Take screenshots of explicit imagery
  • Attempt to verify content by viewing it

Step 4: Escalate to Authority (30-60 Minutes)

Select appropriate contact (see Escalation Contacts section below)

Escalation call script:

"Hello, my name is [Your Name] from [Organization]. I am calling to report [CSAM / terrorism threat / human trafficking] discovered during an authorized OSINT investigation.

[If imminent threat]: This is an IMMINENT THREAT requiring immediate response.

Discovery details:
- Date/time: [UTC timestamp]
- Platform: [platform name]
- Type of content: [brief description]
- Imminence: [active/ongoing/historical]
- Evidence preserved: [metadata, URLs, screenshots of text]

I have stopped all collection and am awaiting your guidance. Can you provide a reference number for this report?

Contact: [Your phone/email]"

Information to provide:

  • Your identity and organization
  • Legal authority for investigation (if applicable)
  • What you found (describe, do not show illegal content)
  • Where you found it (platform, URL, account)
  • When you found it (timestamp)
  • What evidence you've preserved (metadata only)
  • Whether threat is imminent
  • Your contact information

Information to request:

  • Reference number or case ID
  • Next steps and timeline
  • Whether you should continue investigation or pause
  • Evidence transfer procedure
  • Follow-up contact and timeline

Step 5: Document & Standby (60-120 Minutes)

Complete Escalation Report (use template below)

Await law enforcement guidance:

  • Do NOT resume investigation without authorization
  • Do NOT delete evidence without authorization
  • Do NOT discuss case with unauthorized persons
  • Remain available for follow-up questions

Secure evidence:

  • Ensure preserved evidence is stored securely (encrypted, access-controlled)
  • Do NOT email evidence (use secure transfer method provided by LE)
  • Maintain chain of custody log

Crime-Specific Protocols

Child Sexual Abuse Material (CSAM)

Legal Definition (US - 18 U.S.C. § 2256):

  • Visual depiction of minor (<18 years) engaged in sexually explicit conduct
  • Includes real children, not computer-generated imagery (CGI) or drawings (varies by jurisdiction)
  • Possession, distribution, and production are federal crimes

Recognition Indicators:

  • Images/videos depicting children in sexual situations
  • File names with terms: "pthc" (pre-teen hardcore), "child," age indicators
  • Trading or discussion of "CP" (child pornography) or coded language
  • Password-protected folders with suspicious names
  • Use of Tor, encrypted messaging, or secure file hosts

Immediate Actions:

  1. STOP viewing immediately - close tab/window
  2. DO NOT download or screenshot content
  3. Record metadata only: URL (do not open), filename, account info
  4. Call NCMEC CyberTipline (US): 1-800-843-5678 or https://report.cybertip.org/
  5. Notify supervisor and complete escalation report

NCMEC CyberTipline Reporting:

Online form: https://report.cybertip.org/

Required information:
- Type of incident: CSAM, child sex trafficking, online enticement
- Where found: URL, platform, username
- When found: Date/time
- File info: Filename, hash (if available - DO NOT COMPUTE)
- Reporter info: Your contact details
- Additional details: Context of discovery

DO NOT upload CSAM content - provide metadata only

UK Reporting (IWF):

Post-Report:

  • NCMEC provides reference number (save in case file)
  • NCMEC forwards to appropriate law enforcement agency
  • You may be contacted for follow-up (provide cooperation)
  • Do NOT continue investigation without LE clearance

Secondary Trauma Protocol:

  • Mandatory debriefing with supervisor within 24 hours
  • Access to EAP/mental health resources
  • Option to rotate off case
  • Peer support group referral

Terrorism & National Security

Escalation Triggers:

  • Specific attack planning (target, date, method)
  • Acquisition of weapons, explosives, or chemical/biological agents
  • Radicalization and recruitment to terrorist organizations
  • Financing or material support for terrorism
  • Foreign intelligence activities or espionage
  • Classified information leaks

US Reporting:

  • FBI Tips: https://tips.fbi.gov/ or 1-800-CALL-FBI (1-800-225-5324)
  • Terrorism-related: FBI Joint Terrorism Task Force (JTTF) via tips.fbi.gov
  • National security: Report via organizational chain to FBI/DoD/IC as appropriate

FBI Tip Submission:

Online: https://tips.fbi.gov/

Required information:
- Threat type: Terrorism, espionage, cyber attack
- Imminence: Immediate, near-term, long-term
- Target: Location, organization, individual
- Suspect info: Name, online accounts, location
- Evidence: URLs, screenshots of planning (text only)
- Reporter: Your contact info

Priority flags:
- Imminent attack (immediate FBI response)
- WMD materials (chemical, biological, radiological)
- Critical infrastructure targets (power grid, water, transportation)

UK Reporting:

International Coordination:

  • INTERPOL: Via national contact point
  • Europol: Via national law enforcement agency
  • Five Eyes intelligence sharing (US/UK/CAN/AUS/NZ)

Evidence Preservation:

  • Screenshots of text discussions (no images of violence)
  • Account information and timelines
  • Network diagrams (associate mapping)
  • Archive web pages (propaganda, recruitment sites)
  • Do NOT download files (potential malware or illegal content)

Human Trafficking

Indicators (US - Homeland Security Blue Campaign):

Labor Trafficking:

  • Debt bondage (workers unable to leave due to "debt")
  • Withholding of wages or identification documents
  • Restricted movement (locked in workplace, transported in groups)
  • Threats of deportation or violence
  • Poor living/working conditions (overcrowding, lack of safety)

Sex Trafficking:

  • Commercial sex involving minors (any age <18)
  • Adults forced into commercial sex through force, fraud, or coercion
  • Advertisement language ("new to town," "young," "fresh")
  • Third-party control (pimp, trafficker managing victim)
  • Signs of branding or tattoos indicating ownership

Online Evidence:

  • Classified ads (Backpage successor sites, encrypted messaging)
  • Social media recruitment ("modeling opportunities," "work abroad")
  • Escort advertisements with trafficking indicators
  • Victim posts indicating control or coercion
  • Financial evidence (wire transfers, cryptocurrency payments)

US Reporting:

  • National Human Trafficking Hotline: 1-888-373-7888 (24/7)
  • FBI Human Trafficking: tips.fbi.gov (select "Human Trafficking")
  • Homeland Security Investigations (HSI): Via FBI or local field office

UK Reporting:

  • Modern Slavery Helpline: 0800 0121 700
  • Crimestoppers: 0800 555 111 (anonymous)
  • National Crime Agency (NCA): Via 101 or online

Evidence Preservation:

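# Archive classified ad (HTML only). -O writes a single file, so --page-requisites
# is omitted: combined with -O it would concatenate every fetched asset into that file.
wget "https://classifiedsite.com/ad/12345" -O trafficking_ad.html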

# Screenshot (capture ad text, posting details, contact info)
# Save to: /Evidence/CASE-ID/trafficking/screenshot_20251005.png

# Document metadata:
# - Ad ID, posting date, location, language
# - Contact info (phone, email, encrypted messaging handle)
# - Photos (save, but do not analyze if potentially underage)
# - Associated ads (same phone number, similar language)

Post-Report:

  • Hotline provides reference number and next steps
  • May refer to FBI, HSI, or local law enforcement
  • Victim identification and rescue (law enforcement role, not yours)
  • Continued monitoring may be requested (only under LE guidance)

Imminent Threat to Life

Examples:

  • Credible suicide threat with specific plan and means
  • Kidnapping or hostage situation in progress
  • Active violence (assault, shooting, stabbing)
  • Medical emergency requiring immediate intervention

Immediate Actions:

  1. Call 911/999/112 FIRST (emergency services)
  2. Provide dispatcher:
    • Nature of emergency
    • Location (physical address or last known location)
    • Victim and suspect description (if applicable)
    • Your contact information
    • Source of information ("discovered online during investigation")
  3. Notify supervisor after emergency call
  4. Document emergency call (time, dispatcher, incident number)

Geolocation Assistance:

# If you have IP address or online account, attempt geolocation
# IP geolocation (approximate only):
curl -s "https://ipinfo.io/8.8.8.8/json" | jq

# Provide to emergency services:
# - IP address
# - ISP/carrier
# - Approximate location (city, state)
# - Timezone (may narrow down region)

# Social media geolocation:
# - Check profile location
# - Check recent posts for geotagged photos
# - Check language, local references, visible landmarks

Information to Provide 911:

"I am calling to report an imminent [suicide / violence / kidnapping].

Location: [physical address OR last known online location]
Person at risk: [name, age, description if known]
Threat: [specific details: weapon type, threat content, timeline]
Source: I discovered this during an authorized online investigation
Suspect: [description, location if different from victim]

My contact: [your phone number for follow-up]"

Post-Emergency:

  • Obtain incident/case number from dispatcher
  • Document call in escalation report
  • Continue cooperation with responding officers
  • Preserve all evidence related to threat

Escalation Contacts

United States

Child Safety:

Terrorism / National Security:

  • FBI Tips: 1-800-CALL-FBI (1-800-225-5324) | https://tips.fbi.gov/
  • Department of Homeland Security: 1-800-BE-ALERT

Human Trafficking:

  • National Human Trafficking Hotline: 1-888-373-7888 | Text: 233733

Cybercrime:

Emergency:

  • 911 (imminent threat to life)

United Kingdom

Child Safety:

Terrorism:

Human Trafficking / Modern Slavery:

  • Modern Slavery Helpline: 0800 0121 700
  • Crimestoppers: 0800 555 111 (anonymous)

General Crime:

  • 999 (emergency)
  • 101 (non-emergency police)

European Union

Child Safety:

Terrorism:

  • Europol Counter-Terrorism: Via national law enforcement
  • 112 (emergency)

Human Trafficking:

  • EU Anti-Trafficking Coordinator: Via national authorities

Australia

Child Safety:

Emergency:

  • 000 (police, ambulance, fire)

Canada

Child Safety:

Terrorism:

Emergency:

  • 911 (most regions)

France

Child Safety:

Terrorism:

Human Trafficking:

Cybercrime:

General Crime:

  • Police: 17
  • Gendarmerie: 17
  • Emergency: 112 (European emergency number)
  • Non-emergency: Local commissariat or gendarmerie

Legal Framework:

  • Article 40 CPP: Obligation to report crimes to authorities (mandatory reporting for serious crimes)
  • Code pénal Article 227-23: CSAM possession, distribution, and production are criminal offenses
  • Loi du 21 février 2022: Digital platform obligations to report CSAM and terrorism content

International

INTERPOL:

Europol:


Evidence Preservation

What to Preserve

Metadata (Always Safe):

- URL or link (do not open if illegal content)
- Platform name (Telegram, Twitter, forum, file host)
- Account username / user ID
- Post or message timestamp (UTC)
- Filename (if visible, do not download file)
- File size (if visible)
- File hash (if provided by platform - SHA-256, MD5)
- IP address or geolocation (if available)
- Associated accounts (followers, contacts, group members)

Text Content (Safe):

  • Conversation transcripts (grooming, planning, threats)
  • Post text or captions
  • Profile bios or descriptions
  • Comment threads
  • Hashtags or keywords used

Screenshots (Use Caution):

  • ✅ Screenshots of text conversations (no illegal imagery)
  • ✅ Screenshots of profile information
  • ✅ Screenshots of file listings (no thumbnails of illegal content)
  • ❌ Screenshots containing CSAM or extreme violence
  • ❌ Screenshots containing victim identifying information (unless necessary)

Web Archives (Recommended):

# Submit URL to Archive.is (creates snapshot without downloading content)
# https://archive.is/
# Paste URL, click "Save"
# Result: https://archive.is/abc123 (permanent link)

# OR submit to Wayback Machine
# https://web.archive.org/save/
# Paste URL, click "Save Page"

# Document archived link in evidence log:
# Original: https://example.com/threat
# Archive: https://archive.is/abc123
# Archived: 2025-10-05 14:30 UTC

What NOT to Preserve

Never download or possess:

  • CSAM images or videos
  • Extreme violence or torture imagery (snuff content)
  • Terrorist propaganda containing graphic violence
  • Any content illegal to possess in your jurisdiction

Do not create:

  • Local copies of illegal files
  • Screenshots of explicit illegal content
  • Forensic images of devices containing CSAM
  • Decrypted versions of encrypted illegal content

Chain of Custody

Evidence Log Template:

# Evidence Log - Escalation Case

**Case ID:** ESC-2025-1005-001
**Escalation Type:** [CSAM / Terrorism / Trafficking / Imminent Threat]
**Date/Time:** 2025-10-05 14:30:00 UTC
**Investigator:** [Your Name]

## Evidence Items

### Item 1: Account Metadata
- **Type:** Account information
- **Source:** Telegram
- **Username:** @suspicious_user_123
- **User ID:** 987654321
- **Profile:** "Selling content, DM for prices"
- **Joined:** 2024-05-10
- **Location:** [Location field]
- **Collected:** 2025-10-05 14:25 UTC
- **Method:** Screenshot of profile (no illegal content visible)
- **File:** ESC-2025-1005-001_telegram_profile.png
- **Hash:** SHA-256: a1b2c3d4e5f6...

### Item 2: Illegal Content URL (NOT OPENED)
- **Type:** URL to suspected CSAM file
- **Source:** Telegram chat message
- **URL:** https://filehost.com/files/abc123 (DO NOT OPEN)
- **Filename:** [redacted - indicates underage content]
- **Context:** Sent by @suspicious_user_123 in response to request
- **Collected:** 2025-10-05 14:26 UTC
- **Method:** Copy URL from message (did not click link)
- **File:** ESC-2025-1005-001_url_log.txt
- **Hash:** N/A (text file containing URL only)

### Item 3: Conversation Transcript
- **Type:** Text conversation
- **Source:** Telegram
- **Participants:** @buyer_account, @suspicious_user_123
- **Content:** Discussion of pricing for "CP" and file sharing
- **Collected:** 2025-10-05 14:27 UTC
- **Method:** Screenshot of text only (no images)
- **File:** ESC-2025-1005-001_conversation.png
- **Hash:** SHA-256: f1e2d3c4b5a6...

## Chain of Custody

| Date/Time | Action | Custodian | Notes |
|-----------|--------|-----------|-------|
| 2025-10-05 14:30 | Evidence collected | [Your Name] | Initial collection during OSINT investigation |
| 2025-10-05 14:45 | Escalated to NCMEC | [Your Name] | Reported via CyberTipline, Ref: 123456789 |
| 2025-10-05 15:00 | Evidence secured | [Your Name] | Files moved to encrypted storage, access restricted |
| 2025-10-06 10:00 | Transferred to FBI | FBI SA John Doe | Evidence transferred via secure portal, Case: 2025-FBI-1234 |

Secure Storage

Before law enforcement takes custody:

# Create encrypted evidence container
# Windows (BitLocker encrypts whole volumes, not folders; E: holds \Evidence\ESC-2025-1005-001):
manage-bde -on E: -RecoveryPassword

# Linux (LUKS) - luksFormat erases everything on /dev/sdb1:
cryptsetup luksFormat /dev/sdb1
cryptsetup luksOpen /dev/sdb1 evidence_esc_001
mkfs.ext4 /dev/mapper/evidence_esc_001
mkdir -p /mnt/evidence
mount /dev/mapper/evidence_esc_001 /mnt/evidence

# Create evidence directory structure:
/Evidence/ESC-2025-1005-001/
├── metadata/ (account info, URLs, text logs)
├── screenshots/ (text conversations, profiles)
├── archives/ (web archives, saved pages)
├── chain_of_custody.md
└── SHA256SUMS (hash verification file)

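# Calculate hashes (run inside the case directory; covers subdirectories, skips the manifest itself):
find . -type f ! -name SHA256SUMS -print0 | sort -z | xargs -0 sha256sum -b > SHA256SUMS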

Access control:

  • Restrict access to case investigator and supervisor only
  • Log all access attempts
  • Ensure backups are encrypted
  • Never transmit via unencrypted email or cloud storage
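
One way to build, verify, and log the SHA256SUMS manifest for the directory structure above, as an added example that is not part of the original SOP. The function names and sample files are constructed; excluding chain_of_custody.md from the manifest and recording the manifest's own hash in each custody row are assumptions of this example. It requires GNU coreutils and findutils.

```shell
#!/bin/sh
# Added example, not part of the original SOP. Function names and sample
# files are constructed; the layout (metadata/, screenshots/, archives/,
# SHA256SUMS, chain_of_custody.md) follows the structure shown above.

# Hash every evidence file under the case directory, subdirectories included.
# The manifest and the custody log are excluded: the manifest cannot contain
# its own hash, and the custody log legitimately grows after collection.
build_manifest() (
  cd "$1" || exit 1
  sums=$(find . -type f ! -name SHA256SUMS ! -name chain_of_custody.md -print0 |
    LC_ALL=C sort -z | xargs -0 -r sha256sum -b)
  [ -n "$sums" ] || exit 1          # refuse to write an empty manifest
  printf '%s\n' "$sums" > SHA256SUMS
)

# Return 0 if the directory matches the manifest, 1 if a listed file was
# modified or is missing, 2 if a file exists that the manifest does not list.
# Assumes file names without newlines or backslashes.
verify_manifest() (
  cd "$1" || exit 1
  sha256sum --check --quiet --strict SHA256SUMS >/dev/null 2>&1 || exit 1
  listed=$(sed -E 's/^[0-9a-f]{64} [ *]//' SHA256SUMS | LC_ALL=C sort)
  actual=$(find . -type f ! -name SHA256SUMS ! -name chain_of_custody.md |
    LC_ALL=C sort)
  [ "$listed" = "$actual" ] || exit 2
)

# Append a row in the custody-table format used above and pin the evidence
# state by recording the SHA-256 of the manifest at the time of the action.
# Arguments: case_dir action custodian notes
add_custody_entry() (
  log="$1/chain_of_custody.md"
  manifest_hash=$(sha256sum "$1/SHA256SUMS" | cut -d' ' -f1)
  [ -n "$manifest_hash" ] || exit 1
  [ -f "$log" ] || printf '| Date/Time | Action | Custodian | Notes |\n|-----------|--------|-----------|-------|\n' > "$log"
  # Strip "|" from free text so a note cannot break the table row.
  notes=$(printf '%s' "$4" | tr -d '|')
  printf '| %s | %s | %s | %s (manifest SHA-256 %s) |\n' \
    "$(date -u '+%Y-%m-%d %H:%M')" "$2" "$3" "$notes" "$manifest_hash" >> "$log"
)

# Constructed sample case containing benign text files only.
make_sample_case() {
  d=$(mktemp -d) || return 1
  mkdir -p "$d/metadata" "$d/screenshots" "$d/archives"
  printf 'Platform: Telegram\nUsername: @suspicious_user_123\n' > "$d/metadata/account.txt"
  printf 'https://example.com/page (NOT OPENED)\n' > "$d/metadata/url_log.txt"
  printf 'placeholder for a text-only screenshot\n' > "$d/screenshots/profile.png"
  printf '%s\n' "$d"
}

# Demo run on the constructed case.
case_dir=$(make_sample_case)
build_manifest "$case_dir"
add_custody_entry "$case_dir" "Evidence secured" "[Your Name]" \
  "Files moved to encrypted storage, access restricted"
verify_manifest "$case_dir" && echo "manifest OK"
cat "$case_dir/chain_of_custody.md"
rm -rf "$case_dir"
```

Run verify_manifest again immediately before transferring evidence; a return code of 1 or 2 means the directory no longer matches what was recorded in the custody log.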

Investigator Safety

Secondary Trauma Recognition

Symptoms of Secondary Trauma:

  • Immediate: Shock, disbelief, emotional numbness, nausea
  • Short-term (hours-days): Intrusive thoughts, difficulty concentrating, irritability, sleep disturbance
  • Long-term (weeks-months): Nightmares, hypervigilance, avoidance behaviors, burnout

High-Risk Content:

  • CSAM (child sexual abuse material)
  • Graphic violence or torture
  • Mass casualty events (terrorism, mass shootings)
  • Prolonged exposure to traumatic content (cumulative effect)

Immediate Self-Care

If you view traumatic content:

  1. Stop viewing immediately

    • Close browser tabs or applications
    • Step away from computer
    • Take 10-minute break minimum
  2. Grounding techniques

    • Deep breathing (4-7-8: inhale 4 seconds, hold 7, exhale 8)
    • 5-4-3-2-1 sensory grounding (name 5 things you see, 4 you hear, 3 you feel, 2 you smell, 1 you taste)
    • Physical movement (walk, stretch)
  3. Social support

    • Talk to colleague or supervisor (do not describe traumatic content in detail)
    • Call friend or family member
    • Avoid isolation
  4. Document exposure

    • Note date/time, content type, duration of exposure
    • Report to supervisor for formal record
    • Request follow-up support

Organizational Support

Mandatory procedures:

  • Debriefing with supervisor within 24 hours of CSAM/extreme violence exposure
  • Access to Employee Assistance Program (EAP) or mental health counselor
  • Option to rotate off case or take administrative leave
  • No retaliation for requesting mental health support

Peer Support:

  • Peer support groups for OSINT/CSAM investigators
  • Regular check-ins with team members
  • Buddy system for high-risk investigations

Long-Term Wellness:

  • Limit exposure time (no more than 2-4 hours/day reviewing traumatic content)
  • Mandatory breaks every 45-60 minutes
  • Regular mental health screenings (quarterly)
  • Rotation out of sensitive cases (every 6-12 months)

Resources

US:

  • National Suicide Prevention Lifeline: 988 (call or text)
  • Crisis Text Line: Text HOME to 741741
  • SAMHSA Helpline: 1-800-662-4357 (mental health, substance abuse)
  • EAP: Contact your organization's HR department

UK:

  • Samaritans: 116 123 (24/7)
  • Mind: 0300 123 3393
  • NHS Mental Health Crisis: Text SHOUT to 85258

International:


Documentation Requirements

Escalation Report Template

# Escalation Report

**Report ID:** ESC-2025-1005-001
**Date/Time:** 2025-10-05 14:30:00 UTC (09:30 EST)
**Investigator:** [Your Full Name]
**Case ID:** [Original investigation case ID]
**Classification:** [SENSITIVE - LAW ENFORCEMENT ONLY]

---

## Executive Summary
[1-2 sentence summary of what was found and why escalation is required]

Example: During OSINT investigation of Telegram channels related to Case XYZ-123, I discovered suspected CSAM distribution and immediately ceased collection. This report documents the escalation to NCMEC CyberTipline.

---

## Discovery Details

**Date/Time of Discovery:** 2025-10-05 14:25:00 UTC
**Platform:** [Telegram / Twitter / Forum / Website]
**Investigation Context:** [Brief description of original investigation scope]

**What was found:**
[Describe findings WITHOUT reproducing illegal content]
- Type of content: [CSAM / Terrorism planning / Human trafficking / Imminent threat]
- Location: [URL, channel name, account - DO NOT include direct links to illegal content]
- Imminence: [Active / Ongoing / Historical]

Example: "I discovered a Telegram channel (@channel_name) where users were trading files with file names indicating child sexual abuse content. I did not download or view any files. I observed text conversations discussing pricing and file sharing."

**Indicators observed:**
- [Specific indicators: file names, conversation content, account behavior]
- [Language or code words used]
- [Number of participants or files (if visible)]

---

## Actions Taken

**Immediate actions:**
- [ ] Stopped collection at [timestamp]
- [ ] Closed browser tabs / applications
- [ ] Preserved metadata (see evidence log)
- [ ] Notified supervisor at [timestamp]

**Escalation:**
- **Escalated to:** [NCMEC / FBI / Local Police / Other agency]
- **Contact method:** [Phone / Online form / Email]
- **Date/Time of report:** 2025-10-05 14:45 UTC
- **Contact person:** [Name, if applicable]
- **Reference number:** [Agency case/reference number]
- **Guidance received:** [Any instructions from agency]

---

## Evidence Preserved

**Evidence items:** [See attached Chain of Custody log]

Summary:
1. Account metadata (username, profile, timestamps)
2. URLs to suspected illegal content (NOT OPENED)
3. Text conversation screenshots (no illegal imagery)
4. Web archives of public-facing pages

**Evidence location:** /Evidence/ESC-2025-1005-001/ (encrypted, access restricted)

**Hashes:**
- evidence_item_1.png: SHA-256: a1b2c3...
- evidence_item_2.txt: SHA-256: f3e4d5...

---

## Imminence Assessment

**Is there an imminent threat to life or safety?**
- [ ] YES - Immediate law enforcement response required (911 called)
- [x] NO - Historical or non-imminent threat

**If yes, explain:**
[Describe specific threat, timeline, target, and actions taken]

---

## Investigator Exposure

**Duration of exposure to sensitive content:**
[X] minutes (approximate)

**Type of content viewed:**
- [ ] CSAM (child sexual abuse material)
- [ ] Graphic violence
- [ ] Terrorism propaganda
- [ ] Other traumatic content

**Self-care actions taken:**
- [x] Took break immediately after discovery
- [x] Notified supervisor
- [ ] Requested EAP/counseling referral
- [ ] Other: ___________

**Debriefing scheduled:** [Date/time with supervisor]

---

## Next Steps

**Awaiting:**
- [ ] Law enforcement guidance on whether to continue or pause investigation
- [ ] Evidence transfer procedure
- [ ] Follow-up contact from reporting agency

**Status:**
- [ ] Investigation paused pending LE guidance
- [ ] Investigation continuing under LE supervision
- [ ] Investigation closed, transferred to LE

**Follow-up contact:** [Name and contact info of LE liaison]

---

## Attachments

1. Chain of Custody log (ESC-2025-1005-001_chain_of_custody.md)
2. Evidence hash verification (SHA256SUMS)
3. [Any supporting documents]

---

**Report prepared by:** [Your Name]
**Title:** [Your job title]
**Contact:** [Email, phone]
**Date:** 2025-10-05

**Reviewed by:** [Supervisor name]
**Date:** 2025-10-05

---

**Distribution:**
- [X] Supervisor
- [X] Legal/Compliance
- [ ] Law Enforcement (upon request)
- [ ] Other: ___________

Post-Escalation Procedures

Awaiting Law Enforcement Guidance

Do:

  • ✅ Remain available for follow-up questions
  • ✅ Preserve all evidence in secure storage
  • ✅ Document any new developments
  • ✅ Comply with law enforcement requests
  • ✅ Maintain confidentiality

Do NOT:

  • ❌ Resume investigation without LE authorization
  • ❌ Delete or modify evidence
  • ❌ Discuss case with unauthorized persons
  • ❌ Attempt to contact suspects or victims
  • ❌ Publicize case details (social media, blog, etc.)

Evidence Transfer to Law Enforcement

Transfer methods:

Option 1: Secure file transfer portal

# Law enforcement provides secure upload link
# Upload evidence files via HTTPS portal
# Verify successful transfer with LE contact
# Maintain local copy until LE confirms receipt

Option 2: Encrypted email (if authorized)

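# Encrypt evidence archive (-mhe=on also encrypts the file names).
# Use -p with no value so 7z prompts for the password; a password typed on
# the command line is saved in shell history and visible in the process list:
7z a -p -mhe=on evidence.7z /Evidence/ESC-2025-1005-001/*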

# Email encrypted archive to LE contact
# Provide password via separate channel (phone call)
# Confirm receipt

Option 3: Physical media handoff

# Copy evidence to encrypted USB drive
# Hand-deliver to LE contact at secure location
# Obtain chain of custody receipt
# Maintain backup copy until case closed

Chain of custody documentation:

I, [Your Name], hereby transfer custody of evidence in Case ESC-2025-1005-001 to [LE Officer Name, Badge Number] of [Agency] on [Date] at [Time].

Evidence transferred:
- [List of items]

Transfer method: [Portal / Email / Physical media]

Investigator signature: _______________ Date: _______

LE Officer signature: _______________ Date: _______
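
Each transfer option above, and the report's SHA256SUMS attachment, depends on showing that the evidence set is unchanged. This added example (not part of the original SOP) builds a manifest before transfer and verifies it afterwards, also flagging files that are not in the manifest. It assumes GNU coreutils (`sha256sum`) and findutils; the function names and sample files are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: evidence manifest creation and verification.
# Assumes GNU sha256sum/find/sort/xargs. All sample data is constructed.

# Write SHA256SUMS covering every regular file under $1 (paths relative to $1).
make_manifest() {
    ( cd "$1" || exit 1
      find . -type f ! -name SHA256SUMS -print0 | sort -z |
          xargs -0 -r sha256sum > SHA256SUMS )
}

# Verify $1 against its SHA256SUMS. Returns 0 only if every listed file
# matches AND no unlisted file is present (sha256sum -c alone misses extras).
verify_manifest() {
    ( cd "$1" || exit 1
      [ -f SHA256SUMS ] || { echo "no manifest"; exit 2; }
      sha256sum --quiet -c SHA256SUMS || exit 1
      # Strip "<64 hex chars> <space or *>" to recover the listed paths.
      listed=$(sed 's/^[0-9a-f]\{64\} [ *]//' SHA256SUMS | sort)
      present=$(find . -type f ! -name SHA256SUMS | sort)
      [ "$listed" = "$present" ] || { echo "unlisted or missing files"; exit 1; } )
}

# Constructed demo: build a sample evidence folder, then simulate a change
# made after the manifest was written.
demo() {
    local d
    d=$(mktemp -d)
    printf 'username: sample_account\n' > "$d/account_metadata.txt"
    printf 'https://example.invalid/page\n' > "$d/urls_not_opened.txt"
    make_manifest "$d"
    verify_manifest "$d" && echo "sender copy: OK"
    printf 'edited\n' >> "$d/account_metadata.txt"
    verify_manifest "$d" || echo "receiver copy: MISMATCH detected"
    rm -rf "$d"
}
demo
```

Run `make_manifest` before transfer and have the receiving party run `verify_manifest` on their copy; record both results in the chain of custody log.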

Continued Investigation (If Authorized)

If law enforcement requests continued monitoring:

  1. Obtain written authorization

    • Scope of continued investigation
    • Legal protections or immunity
    • Reporting frequency and method
    • Duration of monitoring
    • Contact person for questions
  2. Establish clear guidelines

    • What to collect (metadata only? text conversations?)
    • What NOT to collect (illegal content)
    • Escalation triggers (new victims, imminent threats)
    • Communication protocol with LE
  3. Document all activity

    • Daily logs of monitoring activities
    • Regular reports to LE contact
    • Immediate escalation of new sensitive findings

Example authorization:

[Law Enforcement Agency]
Authorization for Continued OSINT Monitoring

Case Number: [LE Case Number]
Date: 2025-10-05

[Your Organization] is hereby authorized to continue OSINT monitoring of [specific accounts/platforms] related to [brief case description] under the supervision of [LE Agent Name].

Scope:
- Monitor public posts and messages for [specific indicators]
- Collect metadata and text content only (no illegal imagery)
- Report new findings to [LE Contact] within [timeframe]

Prohibited actions:
- Do not download illegal content
- Do not engage with suspects
- Do not publicize investigation

Duration: [Start date] to [End date or "until case closure"]

[LE Supervisor Signature]
[Date]

Case Closure

When investigation concludes:

  1. Final report to law enforcement

    • Summary of all findings
    • Total evidence collected
    • Timeline of activities
    • Final chain of custody log
  2. Evidence retention

    • Follow organizational retention policy
    • Typically: retain until LE case closed and any appeals exhausted
    • Secure deletion procedure when authorized
  3. Debriefing

    • Team debrief to capture lessons learned
    • Individual debriefing with supervisor
    • Mental health check-in for exposed investigators
  4. Secure deletion (when authorized)

# Verify law enforcement authorization to delete
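# Overwrite and remove evidence files. Overwriting is only dependable on
# conventional hard disks: on SSDs, journaling or copy-on-write file systems,
# and in synced or backed-up folders, earlier copies of the data can survive.

# Linux (shred; -u removes each file after overwriting, * does not recurse):
shred -vfzu -n 7 /Evidence/ESC-2025-1005-001/*

# Windows (sdelete):
sdelete -p 7 E:\Evidence\ESC-2025-1005-001\*

# Document deletion:
# Date: [deletion date]
# Method: 7-pass overwrite (shred -n 7 / sdelete -p 7)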
# Authorization: [LE case closure letter or email]
# Verified by: [Supervisor name]

Appendix

Common Code Words & Indicators

CSAM (Child Sexual Abuse Material):

  • "CP" (child pornography)
  • "PTHC" (pre-teen hardcore)
  • "Cheese pizza" (code for CP)
  • "Jailbait" (underage but post-pubescent)
  • Age indicators: "5yo," "12yo," etc.
  • "Loli" or "shota" (anime-style child sexual content)

Terrorism:

  • "Martyrdom operation" (suicide attack)
  • "Hijrah" (travel to conflict zone)
  • "Bay'ah" (pledge of allegiance to terror group)
  • Specific acronyms: "AQ" (Al-Qaeda), "IS" (Islamic State)
  • "Ghazwa" (raid or attack)

Human Trafficking:

  • "New to town" / "Fresh" (newly trafficked victim)
  • "Roses" or "donations" (payment for sex)
  • Third-party posting (pimp advertising for victim)
  • Multiple women at same location (brothel or trafficking ring)
  • "Can't host" (victim has no control of location)

Reporting Checklist

Pre-Report:

  • Escalation trigger identified
  • Imminence assessed
  • Collection stopped
  • Supervisor notified
  • Evidence preserved (metadata only)

During Report:

  • Appropriate agency contacted (NCMEC, FBI, etc.)
  • Reference number obtained
  • Next steps clarified
  • Evidence transfer method established

Post-Report:

  • Escalation report completed
  • Chain of custody documented
  • Evidence secured
  • Investigation paused or continued per LE guidance
  • Debriefing scheduled (if traumatic content)
  • Follow-up timeline established

Version: 2.0 | Last Updated: 2025-10-10 | Review Cycle: Yearly


Related SOPs: Legal & Ethics | OPSEC Planning | Collection Log | Reporting & Disclosure