How to track down which user has posted an illegal image on your Mattermost server? Like child porn?

After listening to a very upsetting and disturbing Podcast by Sam Harris today, on the prevalence of Child Pornography/Child Sexual Abuse Material (CSAM) on the internet, it got me wondering: what if some criminal user posted some CSAM on my Mattermost server, and I, the administrator, had an obligation to notify the authorities? Or, what if I was merely suspicious that there might be CSAM on my server somewhere, unbeknownst to me, and I wanted to quickly scour all the attached image files, for all users, to see if any were detected, which the authorities should be notified about?

What would I do? How could I track those criminal users down? I wanted to know a clear procedure I could follow, because once the stress of an ugly situation strikes, it can be much more difficult at that time to keep a cool head. Having a good procedure ahead of time can make things much smoother. It’s also good Public Relations, if you can set the tone ahead of time to all your users (by having a posted procedure), that you are ready to deal with such criminals as these in a quick and efficient manner.

After some digging around, and testing, I would like to share a method (no doubt there is room for improvement in this method, but this is a start) which can backtrack from a detected illegal image, to a specific Mattermost user (and we could at least know their email address).

First of all, let’s clarify that every Mattermost user on a server has a 26-character “User ID”, composed of lowercase letters and numbers. An example would be “txqo4o397qkgmpy7ucd9qby6ra”. When a Mattermost user attaches an image file, it is filed under a folder named after this “User ID”, somewhere under /opt/mattermost/data.

So here’s how I went hunting for illegal images. Note: I have MX Linux on my laptop, and these instructions should work for anyone who uses any version of Linux on both their Mattermost server, and their local machine. Also note that I have “Magic Wormhole” installed on both.

  1. I logged in as the root user on my Mattermost server, on the command line.

  2. cd /opt/mattermost

  3. tar cvfz data.tar.gz data/

  4. wormhole send data.tar.gz

  5. Copy the suggested wormhole command to be used on the laptop…

Then on my Linux laptop, where I have an image viewer called “fim” installed (which can open images in a folder, after recursing down into any and all subdirectories):

  1. In a terminal, paste accordingly:

  2. wormhole receive 1-some-codeword

  3. tar zxvf data.tar.gz

  4. fim -R data

  5. A window appears, showing the first image from Mattermost. Tap “PageUp” and “PageDown” to cycle through the images. I suggest “PageUp” to start viewing the most recently-posted images (progressing backwards in time, from the present). “fim” is wickedly fast in rendering images, so you can go really fast. You really only need a split-second to know if there is a CSAM picture there or not, before moving on to the next picture.

  6. Should you find such a picture, now you know the filename (look in the titlebar). Let’s say the bad picture was called “bad_pic.jpg”.

  7. Back on the command line:
    find . -name "bad_pic.jpg"
    …and now you have the pathname to that picture. The folder which that file was in (under the “users” folder), tells you the 26-character User ID.

  8. Now that you have the User ID, you can search for it as the Administrator user within Mattermost. Go to the Burger Menu (in the upper left) -> System Console -> Users -> Paste the User ID into the textbox where it says “Search users” (greyed out), and the Username of your criminal should appear, as well as their email address.

Now you have something to go to the authorities with!
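
The filename-to-User-ID lookup from step 7, written as a script. This is an added example, not part of the original post: the function names `uploader_ids` and `make_sample_tree` and the sample tree are constructed for illustration, and the `users/<User ID>/` path layout is assumed from the description above.

```shell
#!/bin/sh
# Added example (not from the original post): filename -> uploader User ID.
# Assumption: attachments sit at .../users/<User ID>/.../<filename>, as step 7 describes.

# uploader_ids DATA_DIR FILENAME
# Prints "<user_id><TAB><path>" for every file with that exact name.
# Returns 1 when no match sits under a well-formed users/<id>/ directory.
uploader_ids() {
    # The name is compared literally in awk instead of via `find -name`,
    # so glob characters such as [ ] * ? in a filename cannot mis-match.
    find "$1" -type f -print | WANTED="$2" awk -F/ '
        ($NF "") == (ENVIRON["WANTED"] "") {
            for (i = 1; i + 1 < NF; i++) {
                id = $(i + 1)
                # User IDs are 26 characters of lowercase letters and digits.
                if ($i == "users" && length(id) == 26 && id ~ /^[a-z0-9]+$/) {
                    printf "%s\t%s\n", id, $0
                    hits++
                    break
                }
            }
        }
        END { exit (hits ? 0 : 1) }'
}

# make_sample_tree: builds a CONSTRUCTED tree of empty files for a dry run
# and prints the path of its data directory.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    good="$root/data/20240101/channels/c1/users/txqo4o397qkgmpy7ucd9qby6ra/f1"
    odd="$root/data/20240101/channels/c1/users/not-a-user-id/f2"
    mkdir -p "$good" "$odd"
    : > "$good/bad_pic.jpg"      # sits under a valid User ID
    : > "$odd/bad_pic.jpg"       # same name, malformed ID: skipped
    : > "$good/other[1].png"     # glob characters in the name
    printf '%s\n' "$root/data"
}
```

On the server this would be called as `uploader_ids /opt/mattermost/data bad_pic.jpg`, which works on paths only and never opens the files.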