By New York State Police Department
Editor’s note: Digital evidence[1] has helped police solve crimes as varied as child pornography, identity theft, and murder. Yet few police departments have the resources to collect and analyze digital evidence on their own. According to the results of a recent survey of law enforcement agencies, 72 percent of the state, local, and tribal police departments in the United States have no dedicated digital evidence unit. Almost 60 percent have no digital evidence policy. Half of the departments have had no training in digital evidence. And most of the departments that responded to the survey report recovering digital evidence in less than 5 percent of their cases.[2] Fortunately, agencies that have developed digital evidence labs are sharing their resources with others. One such agency, the New York State Police, is helping municipal and county law enforcement agencies and even some federal police field offices collect and analyze digital evidence. Their program could serve as a model for other police departments in other states.
Investigators have found digital evidence useful in felony investigations that seemingly had nothing to do with computers. Consider these three murder investigations conducted by local police departments in New York:
• Local police investigating a homicide in Upstate New York during 2005 found a weird combination of evidence in the home of the chief suspect: an old, war-relic hatchet, a note written in Italian, and a personal computer. Investigators from the New York State Police (NYSP) Computer Crimes Unit (CCU) were called in to see if they could shed any light on the puzzle. Their analysis of the PC showed the online search engines Google and Ask had been used to research methods of committing a homicide. A review of the Web sites the suspect had visited disclosed several that featured Italian-Mafia axe murders with letters left behind. Combining this information and a timeline of the searches, CCU members were able to provide evidence supporting premeditation, invalidating several spurious defense theories, and leading to a conviction for second-degree murder.
• An axe-wielding assailant savagely attacked a state supreme court clerk and his wife as they slept, killing the man and grievously wounding the wife. During the ensuing investigation, police secured computer evidence from the victims’ residence and from their son’s college residence in Rochester. Police ultimately submitted a total of 12 computers and assorted digital devices to the NYSP Computer Forensic Laboratory for analysis. Forensic analysis disclosed extensive e-mail communications between the victims and their son, depicting a relationship dominated by financial and educational disagreements. A CCU member’s testimony at trial regarding the recovery and analysis of these messages was accepted into evidence, displaying important prosecutorial information to the jury. The jury wasted little time in deliberation, convicting the son of second-degree murder and attempted murder.
• Detectives probing the murder of a police informant and potential witness in a local drug trial suspected that the victim, a construction worker, had been done in by three conspirators who conned him with a promise of renovation work but instead lured him to a vacant lot and killed him. CCU members helped the local police department prepare and execute a search warrant at the prime suspect’s residence, where they seized computers and other electronic storage media. Forensic analysis of these items showed that the defendant had methodically researched the location of the ambush online, with multiple temporary Internet files disclosing real estate listings scanned in search of an appropriately vacant site. One of these featured the exact address of the property where the homicide occurred. The three suspects were indicted for first- and second-degree murder and second-degree conspiracy. CCU members testified in their trials, and all were convicted of murder and sentenced to 50 years to life.
More and more, information vital to solving such cases and obtaining criminal convictions is turning up in computer systems, on the Internet, and in portable digital computing devices. Only a few years ago, police and prosecutors typically regarded crimes involving high technology as the exclusive domain of a few specialized investigative units. Today, however, every police officer conducting an investigation needs access to resources that can help identify and access digital information. Even large law enforcement agencies can find it difficult to maintain the resources these complex and technically challenging investigations demand.
The NYSP started down this path in 1992 when it established its Computer Crime Unit, consisting of two sworn members from its Bureau of Criminal Investigation (BCI) and a room full of jumbled PCs and electronic components seized in conjunction with various investigations.
Its commitment has grown almost exponentially since then, and now the NYSP CCU constitutes a fully equipped investigative unit:
• A computer forensic laboratory at division headquarters in Albany with 20 terabytes of storage
• A network of investigators regionally deployed throughout the state specially trained in cybercrime and cyberterrorism investigations as well as digital evidence field examinations
• A new computer incident response vehicle that can bring the lab’s specialized skills and services on site to support the collection and forensic examination of digital evidence at major crime scenes, businesses, critical incidents, and government offices anywhere in the state
The unit gives the state police a coordinated, comprehensive response to cybercrime. Additional expansion soon will bring the unit’s full complement to 52 sworn investigators and nonsworn forensic computer analysts, all supported by continual training and advanced equipment. Augmented staff in the computer forensic laboratory also is enabling the agency to address the growing volume of cases associated with investigations into methamphetamine trafficking, illegal firearms, identity theft, and Internet fraud.
In addition to these forensic resources, CCU investigative personnel have been dedicated to the New York Internet Crimes Against Children Task Force (ICAC), which coordinates statewide investigations involving child pornography and the online exploitation of children. One of the three most successful units of its kind in the country, with more than 1,000 yearly referrals from the National Center for Missing and Exploited Children, ICAC encourages communities to adopt a multidisciplinary, multijurisdictional response to the threat of online child sexual exploitation. It ensures that participating law enforcement agencies can acquire the necessary knowledge, equipment and personnel to prevent, interdict, and investigate ICAC offenses, while providing assistance to parents, teachers, law enforcement officers, and other professionals working to stop child victimization.
Building on the state’s successful school resource officer initiative, the Computer Crime Unit works to deliver more education and training activities to students, teachers, and parents. These activities build a rapport with schools that can lead to earlier detection of child predators and provide faster response to threats of school violence.
• During 2005, the Albany-based ICAC headquarters received 126 complaints of a subject uploading child pornography to Internet host sites. Investigative efforts enabled the task force to identify the suspect as a 35-year-old Bronx resident. Case facts were forwarded to the NYPD’s Computer Crime Squad, resulting in the execution of a search warrant at the suspect’s residence and his arrest for promotion and possession of a sexual performance by a child.
• The NYSP Cyberterrorism Unit received a complaint from a wheelchair-bound man’s roommates regarding child pornography on the man’s computer. The complainants said they had recently shared an apartment with a 22-year-old man. They could not provide any screen names or e-mail addresses controlled by the suspect, however, and the county district attorney declined to authorize a search warrant request, based on the imprecision of the information. But ICAC staff members were able to subpoena the local Internet service provider based on the subject’s name and address, and this enabled an investigator to make undercover contact with him in the guise of a 15-year-old girl. The suspect was arrested when he arranged to meet the “girl” for sex. He also was charged with possession of child pornography.
Computer Incident Response Vehicle (CIRV)
The CCU’s new computer incident response vehicle (CIRV) enables the NYSP to provide specialized on-site response to incidents anywhere in the Empire State. The CIRV is configured with state-of-the-art computer laboratory equipment that trained and certified CCU personnel use to provide technical support at major crime scenes and in highly sensitive investigations involving businesses and government locations, where networks or other sophisticated computing devices require on-scene forensic examinations.
The unit’s increased forensic capability supports the activities of other state, county, and local agencies, which now account for approximately 30 percent of all cases submitted to the unit. When requests for assistance are received from outside agencies, unit personnel do everything possible to assist them. Agencies requesting CCU services can do so directly to the unit commander, or through regional state police commanders.
State police supervisors and investigators ensure that all appropriate NYSP resources (including the services of the Forensic Investigation Center, the Community Narcotics Enforcement Teams, the Violent Crime Investigation Teams, and the Troop Forensic Investigation Units) are offered and made available to any agency requesting CCU assistance.
Cybercrime and Infrastructure Response
Identity theft and fraud affect the financial security and privacy of all citizens and businesses in New York State. Likewise, investigating and responding to incidents where foreign nationals, organized criminals, or terrorists seek to disrupt our networks, steal intellectual property, or compromise government data or personal information is necessary to protect our society. To combat these threats, CCU investigators partner with federal agencies and initiatives like the Internet Crime Complaint Center to carry out proactive investigations on the Internet that target and arrest the highly organized high-tech criminals involved in these activities.
In cases involving threats to state security, CCU investigators work closely with the NYSP Office of Counterterrorism’s Counterterrorism Intelligence Unit (CTIU) and Upstate New York Regional Intelligence Center (UNYRIC), and the New York Office of Cybersecurity and Critical Infrastructure Coordination to provide an effective statewide response.
CCU investigators also are in demand for training and outreach activities, lectures, and interviews with other law enforcement agencies and with the media.
Because computers and technology change so rapidly, the CCU is responsible for developing and delivering training to meet several objectives. The unit supports NYSP Academy training on the investigation of crimes involving computers, mobile computing devices, digital evidence, and the Internet for recruits, investigators, supervisors, and outside agencies.
A Computer Crime Unit Training Program ensures that CCU personnel have the latest investigative, technical, and forensic training to respond to any incident involving technology. Internal training for CCU personnel is being developed to keep all unit personnel up-to-date and fully competent in all aspects of criminal investigation involving the Internet, computer networks, mobile devices, and digital evidence. Instructor development in the CCU also ensures that technical competency and proficiency testing is professionally and efficiently delivered to state police members and other agency personnel assigned to the unit.
The unit also continues to provide external training for outside law enforcement agencies, the public, and the private sector. These are critical elements in the agency’s commitment to fostering local and interdepartmental cooperation.
1 Digital evidence, according to the Forensic Resource Network, a project of the National Institute of Justice, is “any information of probative value that is either stored or transmitted in a binary form. This field includes not only computers in the traditional sense but also digital audio and video. It includes all facets of crime where evidence may be found in a digital, or binary, form.” Information stored in binary form is information stored as a series of ones and zeros.
2 Ed Appel, Christ Kacoyannakis, Michael Levin, and James Emerson, “Computer Crime, Internet Investigations, and Digital Evidence Solutions,” presentation, IACP Law Enforcement Information Management Conference, Greensboro, North Carolina, May 25, 2005, www.iacptechnology.org/LEIM/, December 14, 2006.