Rich, tell us about how you first got into digital forensics, and the evolution you've seen in the field over the past 17 years. What has interested you most and kept you in the field?
I spent 22 years in law enforcement working for the Milford Police Department in Connecticut. It is here I was given the opportunity to take my passion for computers and focus it on digital investigations and forensic examinations.
In the late 90s Milford started one of the first computer crime units in the state and I was selected to be the forensic examiner. I already had a little computer experience and at that time a little was a lot. From that point forward it was from within the LE community that I learned about digital forensics, with entities such as IACIS, SEARCH, and NW3C. We were a small but very busy unit, assisting nearby agencies that did not have digital capabilities or training. We were a two-man unit, both conducting investigations. My partner focused his time pursuing online undercover investigations, and I took care of forensics. This setup allowed me to be involved in cases from inception to closure, so I learned where we could improve our capabilities as time marched on.
We always had numerous devices coming into the lab: assisting other agencies, supporting the online undercover investigations, Cybertips, and day-to-day investigations from our own department. The amount of digital data and the pace of technology change are the biggest factors for today’s forensic professionals, be it cloud storage/interaction, smartphone apps, drones, etc. The trick is keeping up with the changes; this truly is a field where listservs, blogs, and research are the vehicles for staying up to date.
I love the thrill of the chase, the drive for the facts, and the satisfaction of the results. The camaraderie of the people involved in the forensic and law enforcement communities, and the teamwork involved to get the job done, were a natural progression from the reasons I joined law enforcement in the first place. Leaving law enforcement was not easy, but the family at ADF is just as awesome and allows me to stay involved in the community, listen to the community as to what they need and want, and share the knowledge and experiences I have collected over the years. It is all about improving and coming together for one common goal.
Tell us more about Connecticut's Fast Track Computer Forensics courses. How did that experience inform your approach to ADF training?
Connecticut, like other states, had a surplus of computer crime and a lack of examiners. The fast track program was put together to increase the number of examiners throughout the state to help chip away at the backlog the State Lab was experiencing.
The fast track program brought together the State of CT and the National White Collar Crime Center (NW3C) to provide training for 20+ examiners with a new class every 60-90 days. The training was tool agnostic and gave the examiners a strong foundation to build upon. Now at ADF, along with our standard training on our tool, we incorporate lectures, webinars, and training sessions that are tool specific as well as tool agnostic, giving investigators a solid basis to begin from.
Our latest lecture was Rapid Triage and Digital Investigations, given at Techno Security. With a solid understanding of Triage/On-Scene Investigations and Early Case Assessment, a user can understand where the ADF family of tools can bridge the gap between the field and the lab by lessening the workload in the lab and giving the investigator the ability to continue on with a case instead of waiting for results due to a backlog. Preservation orders, search warrants, and referrals are all timely and important post-search action items.
Your abstract talks about how 90% of cases can be made with 10% of data. Tell us about Mobile Device Investigator (MDI) and how it helps make those quick decisions on scene.
In many cases the investigator knows exactly what they are looking for and where to find it. Good old-fashioned police work leads an investigator to the devices. When you have unique keywords, specific images, and known messages in a case, using a tool such as Mobile Device Investigator (MDI) allows you to circumvent the “noise” on a device and collect or parse exactly what you are looking for. Uniqueness and specificity allow the investigator or examiner to make upfront decisions, make an arrest, and in many cases will result in a plea deal. Should the case require further examination, the device is still available for a full physical examination to be conducted.
Speed is a factor that is needed on the front line. Investigators need the ability to quickly get to the information that is required to make an informed decision. Not all cases are based on a digital device, but many have an element from digital devices that may supplement a case. In those cases, the evidence requires collection of things such as call logs, messages, WiFi connections, etc. Information like this can be collected quickly and efficiently on scene, from the mobile data terminal installed in the cruisers, or from a computer on a School Resource Officer’s (SRO) desk.
Let’s say you have an investigation revolving around a specific application that does not necessarily get parsed out automatically – Drone Data and Cryptocurrency can fit into this category – MDI can be configured to quickly collect that data for a later review by the forensics team. Cases involving specific items of interest, such as chat messages or call logs, can easily be collected first, and then a comprehensive scan can be conducted after the items of importance are collected.
Collection of specific data can be obtained from cooperating witnesses or victims, or on consent collections, and the phone returned on scene with little inconvenience.
Device encryption and cloud storage could be challenging on scene. How do you advise your students and customers to consider and address these issues?
ADF software’s tools are all about getting you information to continue your case. In mobile cases we deal with logical Android and iOS, where access and credentials are required. With computers we give you the ability to Live Scan or Boot Scan devices. Encryption detection and access with credentials are features that we offer specifically with BitLocker and FileVault.
Having access and credentials along with ADF tools running from a signed OS allows for the ability to gather information upfront. APFS, T2, BitLocker and FileVault are technologies we have targeted with our tools. ADF tools collect and link artifacts in such a way that the investigator can immediately see whether Cryptocurrency, Anti-Forensics, Remote Access, Cloud Storage or Encryption are issues that will need to be dealt with. This is another way of bridging the gap and allowing the appropriate collection methods to be deployed.
For those 10% of cases where a deeper dive is needed, how does MDI set up the evidence for deeper analysis and investigation, and improve the quality of communication between the field investigators and forensic examiners?
A good on-scene investigation or early case assessment can determine in what fashion a device will be seized, such as “I found the evidence, made a decision/arrest, seized the device, collected enough information to continue my investigation and sent the device to the lab.” Or “I found some evidence, I cannot make a decision, this will need a deep dive investigation”. And the last “There is no evidence, leave the device.”
In each of these scenarios the investigator has learned what types of issues there may be (Crypto, Cloud, Remote), made a decision on the correct collection method, and has the ability to complete a profile or report for each device, thereby allowing the examiner to better plan for the correct order of devices, and to decide which tools they are going to need to complete the examination. This approach offers clear benefits. It reduces the number of devices coming back into the lab, gives examiners the ability to plan next steps in the examination without going into it blindly, and most importantly, they can focus on examining the most important items first.
Teamwork starting on-scene distributes the work and lets everyone make better decisions, faster.
Recently a taskforce was executing a warrant at a business with 75 computers. With one license of ADF software, they scanned all 75 computers simultaneously, analyzed the data on scene, and determined which computers to image. Less time on scene, fewer computer images, less work at the lab, less downtime for the business. Win-win.
MDI can filter out non-suspects, which isn't something we often see from forensic tools – most of the emphasis is on catching bad guys. What in your experience drives the importance of focusing on a suspect's family?
This is a policy I instituted going way back in my career, when we started on-scene investigations. The main goal is still catching the bad guy, and should be. However, when possible, taking the family into consideration is also paramount. Most search warrants are not “soft entries” and come with a level of shock and confusion. Most families, spouses, parents, children, etc. are innocent bystanders and have no idea of what has been going on. Losing a digital device nowadays, more than ever, causes a lot of disruption in one’s life, be it work, school, or personal. It can be very difficult and time-consuming to get digital devices cleared and released back to the owner.
Everyone’s life, in one way or another, is tied to a digital device, and if it is caught up in a seizure, the results for a family can be devastating. How many of us remember more than a handful of phone numbers today? The only way we call people now is often just pressing their name in our smartphones. Innocent bystanders can lose immediate access to the people they need support from most. Without their devices, they may be unable to communicate with their family or friends, or even get access to a search engine to ask a support group or find out what to do next.
Officers go to great lengths to comfort and take care of children and family in all other frontline calls – domestic disputes, accidents, burglaries, etc. – so why not make the effort to do it during evidence collection? Using ADF software allows officers to quickly scan multiple devices simultaneously, without adding any additional on-scene time. Officers can then seize only the devices with evidence, thereby reducing workload for the lab and friction points for the family as well as the officers on scene.
How can investigators ensure they got the right person, when multiple people in a home might share devices, teens share their mobile passwords with one another, etc.?
Conducting a search warrant always starts with good old-fashioned police work, getting into the weeds of the case and picking out the unique and specific components of the case. Digital investigators can use what they know about the case on-scene to craft a keyword search, gather typical artifacts (many are standard in every case), and specific hashes, to get an accurate profile of the computer and its user(s).
A digital device is a window into one’s world; it tells you a lot about the person using it. Looking at a computer with just a generic scan will allow you to determine a “day in the life,” or what this person does on their computer every day: where they work, what they search for, and how they communicate. By looking at specific artifacts such as user logins, user accounts, and linked artifacts together in our timeline, investigators can make informed decisions on user activity.
Further to this, investigators can see conversations, media sharing, documents, email, and recently deleted data. Pair that with specific case-related keywords, child exploitation related keywords, web history, hashing and media collection, and it allows the investigator to determine if the computer should be seized or left behind.
Mobile Device Investigator, Digital Evidence Investigator, and all the ADF tools allow for quick visualization of the unique keywords and linked artifacts, speeding up the analysis process on scene. When a family is advised that you not only found the evidence you were there for, but you also took the time to eliminate their phones or personal computers, it lessens the blow to the family. It is also gratifying to be able to testify in court that you did not overreach and handled the search efficiently and professionally.
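The answer above describes the core of an on-scene keep-or-seize decision: hash every file against a known set, search text for case-specific keywords, and score the device. The following is an added example written for this page, not ADF code and not a description of how MDI or DEI work internally. It assumes a hypothetical investigator-supplied SHA-256 set and keyword list, builds a small constructed file tree in a temp directory, and returns a decision of "seize" (hash match), "seize-for-examination" (keyword hits only) or "leave" (nothing found).

```python
"""Minimal on-scene triage: known-hash matching plus keyword search over a file tree.

Added example, not ADF's own code. The hash set and keyword list are
assumptions standing in for case-specific inputs an investigator would supply;
the sample files are constructed here so the script runs offline.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# File types we are willing to open as text for keyword search.
TEXT_SUFFIXES = {".txt", ".log", ".csv", ".json", ".html", ".eml"}


@dataclass
class TriageHit:
    path: str
    reason: str  # "hash" or "keyword:<term>"


@dataclass
class TriageResult:
    hits: list = field(default_factory=list)
    files_scanned: int = 0

    @property
    def decision(self) -> str:
        # A known-hash match is definitive evidence; keyword-only hits mean
        # the device needs a deeper look; nothing found means leave it behind.
        if any(h.reason == "hash" for h in self.hits):
            return "seize"
        if self.hits:
            return "seize-for-examination"
        return "leave"


def sha256_file(path, chunk=1 << 20):
    """Stream the file in 1 MiB chunks so large media does not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage(root, known_hashes, keywords):
    """Walk `root`; record hash matches first, then keyword hits in text files."""
    result = TriageResult()
    kw_lower = [k.lower() for k in keywords]
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            result.files_scanned += 1
            try:
                digest = sha256_file(p)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if digest in known_hashes:
                result.hits.append(TriageHit(str(p), "hash"))
                continue  # no need to keyword-search a file we already matched
            if p.suffix.lower() in TEXT_SUFFIXES:
                try:
                    text = p.read_text(errors="ignore").lower()
                except OSError:
                    continue
                for k in kw_lower:
                    if k in text:
                        result.hits.append(TriageHit(str(p), f"keyword:{k}"))
    return result


def build_sample_tree():
    """Constructed sample: one known-bad file, one keyword hit, one clean file."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    (root / "photos").mkdir()
    bad = root / "photos" / "img_0042.jpg"
    bad.write_bytes(b"\xff\xd8\xff\xe0 constructed-known-bad-content")
    (root / "notes.txt").write_text("meet at the boat ramp, bring the ledger\n")
    (root / "recipes.txt").write_text("two cups flour, one egg\n")
    known = {sha256_file(bad)}  # assumed investigator-supplied hash set
    return root, known


def demo():
    root, known = build_sample_tree()
    return triage(root, known, ["boat ramp", "ledger"])


if __name__ == "__main__":
    r = demo()
    for h in r.hits:
        print(h.reason, h.path)
    print("decision:", r.decision)
```

Hash matches short-circuit the keyword search because a known-file hit already settles the seize decision; keyword-only hits are deliberately ranked lower, since a shared household computer can pick up a term from someone other than the suspect.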
You now volunteer to coach IACIS students. What's the most important piece of advice you like to impart to them?
Listen and learn! That’s the one I always fall back on. No matter how long you have been investigating or examining, there is always something new to learn, or a new way to look at something. Don’t get caught up or stuck in a rut of doing things a certain way “because that’s how I was taught”. There is no room to grow if you don’t challenge yourself to see things from different perspectives.
We are all in this for a common goal. Find the issue, right the wrong, catch the bad guy, protect the innocent. If you can find a better way, or if you have knowledge, share it, talk about it, teach it. Whether it’s law enforcement, digital forensics, or now the corporate world, it’s a brotherhood with common values and goals.
Find out more about ADF's digital forensics solutions on their website.