By Charles L. Cohen, First Sergeant, Indiana State Police, Indianapolis, Indiana
In the last decade, computer forensics has quietly resolved cases that would otherwise have gone unsolved. Considering that computers and digital devices capable of retaining data are ubiquitous in modern society, and that criminals are using these devices with greater frequency and facility, it should not be a surprise that computer forensics is being used in more investigations. Computer forensics can provide evidence of motivation, a chronology of events, insight into an offender’s interests and activities, and links among multiple offenders. Nearly every type of investigation has the potential to benefit from computer forensics.
Challenges and Opportunities
GPS devices, vehicle data collectors, and so-called smart phones are just a few of the digital devices that can yield relevant information during investigations. Many U.S. homes contain computers, digital video recorders, digital cameras, gaming systems capable of storing data, digital music players, and other electronic storage media. Each device is a potential goldmine of useful evidence. As the variety of digital devices is exploding, the storage capacity of each is also growing exponentially and the prices are plummeting. In August 1996, for example, a two-gigabyte hard drive cost roughly $440.[1] Ten years later, $440 bought a one-terabyte external hard drive[2] with more than 500 times as much storage space, which means 500 times as much space for relevant evidence, or 500 times as much innocuous material through which an examiner must sift to find what is relevant to the investigation.
Communication by traditional hardwire telephone or through the post is now almost quaint. The modern criminal, using the same devices as today’s teenagers, communicates with Voice over Internet Protocol, video instant messaging, cellular camera phone, and text messaging in a computer slang that is foreign to most police officers and parents. The trail to uncover this valuable investigative resource often starts with a forensic examination, but this trail quickly grows cold as Internet Service Providers overwrite logs and data retention periods expire.
All police agencies are facing the same challenge when dealing with computer forensics. Police managers must find a way to examine an increasing number of digital devices, each containing an immense volume of data, in a timely manner and with limited resources. At the same time, offenders are becoming more skilled at concealing both the devices themselves and the information contained within. A MicroSD card is roughly the size of a fingernail and can hold two gigabytes of information.[3] One can easily purchase software capable of wiping hard drives to Department of Defense specifications[4] at the local convenience store or download it free online.[5] Anyone with an Internet connection can find information on, and resources for, computer forensic countermeasures including encryption, steganography (hiding illicit files inside innocuous-looking ones), and rigging computer cases with incendiary devices.
The Indiana State Police started a cybercrime unit 10 years ago, and the unit has experienced both successes and setbacks. The competition for departmental funding and resources tends to focus institutional attention and support away from computer forensics. Computer forensic examiners, detectives, and prosecutors all have similar lamentations:
- There is an unacceptable backlog of computers and devices waiting for examination.
- By the time computers are examined, it is often too late to follow many of the leads that are produced.
- Most detectives do not understand computer forensics and what it can accomplish to further their investigations.
- Many computer forensic examiners do not understand the investigation, causing them to overlook relevant information and expend resources needlessly.
Two years ago, the Indiana State Police saw the opportunity to develop a new paradigm for computer forensics and its role in investigations. The goal was to address current challenges and design a foundation on which to build in the future. The last two years have been a time of experimentation, interaction, and growth that is rare in a large police agency.
In order to build a substantive and sustainable program, the Indiana State Police saw the need to form strategic alliances. The agency formed a partnership with the Purdue University Department of Computer and Information Technology and the National White Collar Crime Center (NW3C). The objective was to develop a beneficial dynamic among the three, with each reciprocally sharing its unique skills and attributes.
The NW3C, a congressionally funded nonprofit company, provides police training and networking in matters related to financial crime. It produces tailored training opportunities relevant to computer forensics and cybercrime investigations. In return, the Indiana State Police provides subject matter experts with real-world experience and an ideal environment to beta test the newly developed courses. Purdue University is rich in highly skilled computer science researchers who bring an academic perspective and credibility to the curriculum. In return, their students have access to practitioners working in this specialized field.
Among the faculty and students at Purdue are some of the brightest minds working in fields related to digital forensics, and they value opportunities to share their expertise with law enforcement. Investigators know that finite resources force proactive investigations to fall by the wayside as detectives and examiners react to a never-ending stream of cases. Through graduate student internships, the Indiana State Police is able to undertake projects that have a real benefit to ongoing and future investigations while alleviating this isolation.
Criminals involved in online fraud tend to associate with others involved in related crimes. This association is no different from what takes place in other criminal subcultures except that it occurs in a virtual environment among cybercriminals. Electronic data inadvertently kept by a known offender hold links to other offenders. Due to the volume of data, time, and resource constraints, such links traditionally are not explored unless directly related to the incident offense under investigation. Student interns can extract this information from known offenders’ computers. At the same time, these students refine their skills and test various software tools.
The nature of cybercrime is such that associations among multiple offenders, and among offenders and victims, span wide geographic areas. Information sharing, facilitated by the NW3C, overcomes this. Through NW3C’s participation, leads can be sent to departments with jurisdiction over the newly linked offenders. Through collaborations with organizations such as the National Center for Missing and Exploited Children, investigators use this method to track down traffickers in child pornography.
Examiners sometimes uncover something outside their experience, such as a newly introduced small-scale digital device, an unusual storage medium, or proprietary software. The growth in online social networking has created several such situations. When trying to reconstruct the timeline of an individual suspect’s or victim’s online activity, investigators must understand how various activities on a particular networking site leave traces on a hard drive or other media. With more than 300 known online social networking sites,[6] no examiner can be familiar with the nuances of each, nor would it be justifiable to devote police resources to learning the nuances. Here is an opportunity for directed research by faculty and students that serves the dual purpose of academic advancement and positive investigative outcome. Through its networking and training capabilities, the NW3C can then share this information with others and advance the field of computer forensics.
The Indiana State Police formed a related alliance with the U.S. Attorney’s Office for the Southern District of Indiana. The citizens are a police department’s clients, but the prosecutor is the consumer of the results of an investigation. This partnership establishes benchmarks for both forensic outputs and outcomes. One of the primary goals set in conjunction with the federal prosecutors is the ability to conduct on-scene computer forensic examinations under certain circumstances and thus more quickly produce relevant results from all examinations.
Cybercrime investigation and computer forensics are expensive undertakings. Today’s cutting-edge hardware is in next year’s discount bin. Programs such as the Internet Crimes Against Children Training and Technical Assistance Program and other federal mechanisms help mitigate this concern. The Indiana State Police and federal prosecutors are also working in partnership to both standardize and raise the standard of affidavits in support of computer-related search warrants and of the search warrant language itself. The ability to properly articulate and document doing the right thing is almost as important as the act of doing the right thing itself.
The traditional model for computer forensics calls for an investigator, who is usually not a trained computer examiner, to seize computers, digital media, and electronic devices when encountered during a search. Customarily, examinations are conducted later, in a remote location, after the material is packaged and transported, regardless of whether an examiner is present at the scene. There are many anecdotes of investigators being forced to wait more than two years to see examination results. That examination then sometimes produces more questions than answers for those conducting the investigation.
The Indiana State Police learned to view computer forensics as different from other types of forensics. Among other things, computer forensics requires more interaction between the examiner and the investigator. It is sufficient and proper for a detective to ask an examiner to “quantify the white powder and examine for the presence of controlled substances” or “compare document 1 to document 2 to determine whether they were created by the same individual or instrument.” It is not, however, sufficient or efficient to ask an examiner to “examine the hard drive for the presence of child pornography.” One examiner describes such a request as “being told to find the stolen property in a 20-story apartment building but without being told in which apartment to look.” There needs to be greater interaction so that both the investigator and examiner have a clear understanding of relevant issues.
Just a few of the pertinent issues are how many images are enough to prove the allegation, whether it is relevant that images were sorted or viewed, if it is important when the images were acquired and in what manner, and if it matters whether images were distributed to others and to whom. It is counterproductive for an examiner to spend days examining terabytes of data to locate every unlawful image when a smaller number of images might prove the case. It is even more important for the examiner to know the appearance of a likely molestation victim so that an attempt can be made to identify similar images.
In 2005 the Indiana State Police began a pilot program in which examiners conducted on-scene computer forensic examinations. The agency found that the model of exclusively conducting examinations in a laboratory setting was inferior in comparison to the ability to conduct examinations at the scene. There are also specific circumstances when an on-scene computer forensic examination is the only viable alternative.
Under a variety of other scenarios, on-scene computer forensic examinations are useful in conjunction with subsequent examinations in a centralized location, and the combined examinations frequently achieve results unmatched by delayed examination alone.

Along with an increase in drive storage capacity, the amount of volatile memory on many computers has drastically increased. Volatile memory can loosely be described as the immediately accessible memory that is lost if power is disconnected. Mass-produced computers routinely come with as much as three gigabytes of volatile memory. It is standard operating procedure in most agencies to unplug computers found during a search, so that data are not altered before a forensically sound examination can be conducted. If this procedure is followed on a running computer, all of the data in the volatile memory will be lost. What is lost may include that which was most recently done on the computer, the most recently viewed Web sites, unsaved work in various programs, the content of instant messaging sessions, and webcam uploads and downloads, to name just a few things. Along with the potential irretrievable loss of incriminating evidence, there is the theoretical possibility of lost exculpatory evidence. Everyone who has interacted with criminal defense attorneys knows that they tend to exploit effective tactics. Such a tactic could include an exchange like the following:
Defense Attorney: “Did you recover and preserve the volatile memory from my client’s computer?”
Defense Attorney: “Is there a way to recover and preserve the volatile memory in a forensically sound manner?”
Defense Attorney: “Why did you not recover and preserve the volatile memory?”
Examiner: “It was lost when the computer was unplugged.”
Defense Attorney: “Who unplugged the computer?”
Examiner: “The detective.”
Defense Attorney: “Is it true that about one thousand books’ worth of information can be stored in one gigabyte and that there were three gigabytes of information lost when this computer was unplugged?”
Defense Attorney: “Is it possible that the evidence of my client’s innocence was among those three thousand books’ worth of information?”
Defense Attorney: “So the detective destroyed the evidence of my client’s innocence.”
Prosecutor: “I object.”
Delayed examinations produce other, harsher consequences. Imagine a scenario in which the computer examiner discovers a folder in the file structure of a suspect’s hard drive containing homemade pornographic images of the suspect molesting a preteen girl. Further, imagine that this examination takes place one year after the computer’s seizure during the execution of a search warrant at a suspect’s residence. Finally, imagine that the images are of a neighbor and that there was insufficient evidence to establish probable cause for the suspect’s arrest before examining the hard drive. In this scenario, on-scene computer forensic examinations could have prevented the victim from being at risk for an additional year.
There are times when the failure to conduct on-scene computer forensic examinations can derail an investigation. A real investigation in Indiana in mid-2006 illustrates this point. (Some details of the case are omitted because it involves an ongoing prosecution.)
The suspect in this case has a prior conviction related to child pornography. He spent his period of incarceration diligently studying how to avoid another conviction. Fortunately, investigators knew that he was employing forensic countermeasures. Investigators executed simultaneous search and arrest warrants at his residence while the suspect was engaged in a conversation with an undercover police officer from another state. Detectives lured him away from his computer and to the front door by means of a ruse. The first words that the suspect said while being taken into custody were, “I want a lawyer.”
Investigators found that the suspect was using an effective but relatively simple encryption system. The suspect kept all of his unlawful material and evidence of criminality on fully encrypted external hard drives that did not contain the encryption software. In this way, he could transport the material with no fear of being interdicted by law enforcement. He had one desktop computer where no contraband was stored, but the encryption software resided there. To view his large collection of unlawful material, the suspect connected an external drive to the desktop computer. He decrypted images and material by dragging them to the desktop or any folder that did not have encryption enabled. To enable the encryption software, and decrypt an image, the suspect kept his encryption key on a USB thumb drive and had a log-on password that he memorized. The encryption is reactivated once the thumb drive is removed. In addition to the memorized password, which he cannot be compelled to reveal, the suspect had a mechanism to quickly destroy the thumb drive. If the thumb drive containing the encryption key is broken, all encrypted material is permanently irretrievable. The traditional procedure for preserving digital evidence includes unplugging the desktop computer before transport. If this had occurred, not a single contraband image or piece of digital evidence could ever be recovered. Fortunately, an on-scene computer forensic examination was already planned. In this case, investigators remained at the search scene for more than 36 hours because they knew that once power was interrupted to the desktop computer the data would be irretrievably lost.
It takes a significant amount of time and funding to train a computer forensic examiner. A department can expect to spend tens of thousands of dollars more in equipment, ongoing training, and capital expenses. For this reason, it is not practical to have an on-scene examination for every investigation or to have every piece of storage media from every search examined. It is also not practical to continue sending all computers from search scenes to examiners at remote locations, adding to an ever-increasing backlog. For this reason, the Indiana State Police, in conjunction with its partners, implemented a tiered approach to forensic computer examinations.
An approach that Assistant U.S. Attorney Steve DeBrota called “computer forensic field triage” has been extremely successful. In this approach, a number of experienced detectives receive specialized training that allows them to review the contents of digital storage media and computer hard drives in a forensically sound manner. The specialized training is coordinated through, and certified by, the NW3C and Purdue University.[6] The detectives use hardware write-blockers to safeguard the integrity of the suspect hard drives’ contents. They also use external devices in conjunction with write-blocked ports on a laptop computer to review storage media.
The detectives can share their findings with other detectives on the scene. The information is often helpful in eliciting admissions from the suspect at a time when he is still predisposed to communicate with investigators. There have been instances where the mere sight of the hard drive being removed from a suspect’s computer’s case has induced a full confession and cooperation from a suspect.
Information obtained by the trained detectives can help establish the requisite probable cause to arrest a suspect. What an on-scene detective does is analogous to a field test on suspected controlled substances. In both instances, something less than a full examination is conducted in a forensically sound and nondestructive manner. Also, in both instances, more elaborate testing can be conducted when necessary. DeBrota, the chairman of the Indiana Project Safe Childhood, said, “On-scene triage is vital to my ability to assess the danger of a subject when deciding whether to have him taken into custody. Waiting to conduct computer exams in a remote laboratory unnecessarily delays the proper identification of an offender’s true interest and activities.”
Along with identifying contraband and evidence, forensic triage helps to eliminate the need to collect certain items. Many households now have several operational and nonfunctioning computers. Without some screening mechanism, each and every device must be seized and sent for examination. On-scene forensic triage helps to cull the virtual wheat from the chaff.
There are certain circumstances, such as those previously described, in which a full examination on the scene is warranted. For those, the Indiana State Police uses a mobile computer forensics laboratory, which is a converted recreational vehicle. This vehicle has room for at least three examiners to work and is equipped with a server, a generator, the equipment to review a variety of video media, and a secure temporary evidence storage area. A separate area of the vehicle can be used to conduct interviews. This allows examiners to feed timely information to those involved in an interview with the suspect, witness, or victim. Even with the help of federal funding, there is only one such vehicle in Indiana. It has been an invaluable tool at the scene of investigations of many kinds, including homicides and Hurricane Katrina fraud cases.
The tiered approach goes beyond creating first responders. The approach must be applied holistically and include increased training for all involved in the investigative process, as digital evidence is relevant to every class of crime and plays a role in virtually every investigation. Figure 1 shows the categories of officers who come in contact with digital evidence. Each officer has a role to play in the safeguarding and examination of that material. It is the role of police managers to ensure that each officer has the requisite knowledge, training, and ability, as outlined in figure 2, to be effective.
Statutory and case law has failed to keep pace with changes in technology. There are many open questions regarding the reasonableness of digital forensic examinations as related to issues such as the scope of the search, the interception of communication, the doctrines of plain view and inadvertent discovery, and staleness. There is an emerging trend among the judiciary to set deadlines for the examination of seized material. The prolonged seizure of computers containing business or personal financial information can cause a real loss that is unrelated to, but caused by, the investigation. This means that there is potential not just for the suppression of evidence but also for civil exposure for agencies and officers.
Some who set computer forensics policy fear that if the judiciary fully appreciates the potential of on-scene and tiered examinations, it will be mandated for all cases. This is why it remains important to articulate both the advantages and limitations of these approaches.
The answer is not, however, to refrain from using these capabilities. Investigators have become adept at articulating to the courts the complexity of digital devices and the necessity to conduct thorough examinations over long periods of time. The challenge now is to explain that while this remains true it is also proper and necessary to engage in some computer forensic examinations on the scene and contemporaneous with the collection of other evidence. It is not an issue of on-scene or remote examinations in lieu of each other, but a need for on-scene and remote examinations to complement each other.
Police agencies traditionally change slowly, but technology is decentralized, experimental, and always changing. Computer forensics is at the mercy of the next script kiddie[7] or black hat hacker[8] who takes an interest in developing countermeasures. If departments want to catch more than the inept and the unlucky, they must continuously devote significant resources. What everyone must ask himself or herself is this: “If my son or daughter were missing, would I want the detective to be able to examine computers on the scene? Would I want them to be able to break the encryption on the computer and track the people with whom my child was communicating through cyberspace? Would I want people working the case to have the knowledge, the skills, and the abilities to catch and convict the person responsible?” This is not a matter for a one-time capital expenditure or planning session, but a commitment to continued improvement.
The March 1949 issue of Popular Mechanics predicted, “Computers in the future may have only 1,000 vacuum tubes and perhaps weigh 1-1/2 tons.” In 2006 a smart phone that is less than 12 millimeters thick and weighs 4.2 ounces can take and transmit still and video images; surf the Internet; store, record, and play audio files; handle e-mail; and even function as a telephone.[9] It is somewhat of a misnomer and an understatement to refer to what examiners encounter as computer forensics. Graduates of the 2007 police academy will be eligible to retire in 2032. There is no way to predict what challenges they will face related to digital forensics. The only certainty is that it will continue to be an essential facet of successful criminal investigations.
[1] “Historical Notes about the Cost of Hard Drive Storage Space,” April 17, 2004, www.alts.net/ns1625/winchest.html, November 12, 2006.
[2] Online catalog of computer components from Newegg, www.newegg.com, November 12, 2006.
[3] SanDisk Web site, www.sandisk.com/Products/Default.aspx?CatID=1099, November 18, 2006.
[4] U.S. Department of Defense, NISP Operating Manual (DoD 5220.22-M), February 28, 2006, www.dss.mil/files/pdf/nispom2006-5220.pdf, February 6, 2007.
[5] Ian H. Witten, Alistair Moffat, and Timothy C. Bell, Managing Gigabytes: Compressing and Indexing Documents and Images, 2nd ed. (San Francisco: Morgan Kaufmann, 1999), 34.
[6] Marcus K. Rogers, James Goldman, Rick Mislan, Timothy Wedge, and Steve DeBrota, “Computer Forensics Triage Process Model,” Journal of Digital Forensics, Security and Law 1, no. 2 (2006): 19–37.
[7] Usually a young and amateurish hacker who uses code, often developed by others, to do mischief for no tangible purpose.
[8] Hackers who try to benefit society are known to their peers as white hats; hackers who might break the law but intend to do no harm are known as grey hats; and hackers who intentionally commit crimes and engage in malevolent activities are known as black hats.
[9] Moto Q product description, Motorola Web site, www.motorola.com/motoinfo/product/details.jsp?globalObjectId=113, November 30, 2006.