Detective Lee Bieber on Digital Forensics Tools for Complex Cases

Christa Miller: Technology-facilitated child exploitation, including trafficking, has been the driver for much of the innovation behind most digital forensics tools. Here at the Forensic Focus Podcast to provide a customer perspective on that is Detective Lee Bieber of the Plantation Florida Police Department and the FBI’s Crimes Against Children and Human Trafficking Task Force in Miami. I’m your podcast host Christa Miller. Welcome, Detective Bieber.

Lee: Thank you for having me.

Christa: Absolutely. So I’d like to start with a little bit about you. How did you come to digital forensics and in particular crimes against children and human trafficking?

Lee: So, I’ve been a detective for about 20 years now, or I’d say a law enforcement officer for 20 years and been a detective for about 10 years. As a detective, I started in property crimes and then kind of moved into or transitioned into sex crimes.

Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.

I was recruited for ICAC / human trafficking by my captain cause he knew that I had a background in computers. I did some computer, I guess, projects at the police department and he was happy with that and thought it would be a good transition for me.

So that’s how I got into ICAC. I’ve now been doing ICAC, I’d say probably about ICAC/HT for about eight years.

Christa: Okay. I was going to say property crimes into sex crimes is quite a transition. So I was curious how that happened?

Lee: Yeah. When you get into the criminal investigation division, you kind of go where they put you and I kind of transitioned to that and just, you know, kind of moved me into ICAC/HT from there.

Christa: Yeah, that makes sense. I noticed in your bio, you’ve also worked with the Vice, Intelligence and Narcotics unit at your agency. I can imagine there’s a lot of overlap with human trafficking in particular. And I wanted to get into like what digital evidence, artifacts or trends do you see now that you didn’t see when you started and where do you think those trends appear to be headed from here?

Lee: So, when I first started, I’ve been in Vice, Intelligence and Narcotics for approximately eight years now. And when I started, obviously the phones were coming about, you know, not everybody had phones as much or used them as the smart devices they are now.

But there was a nice transition between the two from that point. And what I noticed is that the phones have now become such an integral part of everybody’s life. Not only for people who are just, you know, following the law, but for everybody.

And what I find is that people that are doing criminal activity rely on their phones as well, and there’s a lot of information that we can utilize to help us solve these cases.

So one of the things that I notice with ICAC and HT investigations is the use of direct messaging applications. They seem to be as these direct messaging applications come out, they’re utilizing them — obviously they’re trying to use them with ones that have encryption on them — to try to give them anonymity and hide what they’re doing or concealing what they’re doing, the use of VPN applications too. Again, trying to have anonymity.

Another thing is with a lot of these cases, using digital currency seems to be a big trend now. Using these applications to, you know, send money back and forth, whether it be from the client or from the victim to, I should say to the conspirator or the suspect, but the money is flowing and there are ways to track that.

The way they travel now with applications, that’s another thing. Sometimes now, it’s not like taxis, they use Ubers and other things. Well, those are all app-based. So there’s a lot of good stuff out there, data that we can track other than the communications in the phone.

Because one thing the phone has that’s really good, even with the trends is not only the way they communicate with other people through these devices, but how they communicate with the device itself. And that shows us a lot as well when we’re looking at these cases.

So the trend is, you know, you look at the digital applications, you can look at the storage, how they’re storing information, because a lot of information is not stored on the phone anymore. A lot of information’s now stored in the cloud.

If you notice that when you look at a direct messaging application, not all your chats are in that application. You literally have to pull down and it recovers some of that information because it’s being stored somewhere else.

So, you know, that gives us more of an idea of, hey, maybe this is not all the information. Maybe there’s more data somewhere else that we can go after and see if that may have evidentiary value.

Christa: And then putting that all together, like, how do you put that all together? Because that seems like a lot of disparate information.

Lee: Well, so, I mean, obviously we want to see how people are communicating: the victims with the suspects, the suspects with possibly other co-conspirators. We want to see how they’re — especially when it comes to human trafficking, you know — the way I always look at things is, you know, what’s the crime that’s being committed, I look at the elements of the crime, and then I look for evidence that supports those elements of the crime. 

So when we look at human trafficking, you’re looking at harboring, enticing, advertising, and all those things come into play when I’m looking for data. I’m like, what will provide me evidence to support that statute?

So by looking at that, I’ll start looking at these direct messaging applications, I’ll look at their web history, I’ll look at their email and see if there’s anything of evidentiary value. And then I’ll see if there’s anything with their digital currency on there, you know, how are they getting money to go on for transportation, things like that.

So there’s a lot of good information that we can get from these applications. And we can also find out if other platforms are being utilized, whether it be cloud services or anything else.

Christa: Yeah, I think patterns of life is a phrase that’s been coming up more and more frequently in recent years. With regard to not just the amount of data, but the way that it can all be put together, right?

Lee: Correct.

Christa: Yeah. So I think we all know that digital forensics is a toolbox approach. Especially in these very complex cases that you work yourself. What are some of the forensic applications you utilize for your investigations?

Lee: Well, to go back a little bit and I’ll kind of explain how I got involved with digital forensics. Back in 2013, my department was outsourcing all the digital forensic work. But there was a long turnaround time, and we would get stuff back, but we wouldn’t know how to analyze the data.

Sometimes, you know, the other agencies had a large backlog. So it would be very difficult during our cases to number one; make that 21-day filing period that we would have with a lot of our cases, and then, you know, when the cases go to trial, you know, did we have the digital evidence at that point to go ahead and use those as exhibits?

So we transitioned to not only outsourcing, but allowing us to bring all that stuff in house by training some of our detectives. We actually created a digital forensic program, which has been very successful. And now we have approximately, I think, four digital forensic examiners at my department.  So we’ve been doing very well since 2013.

With that being said, we use several applications to do forensics. We use stuff like, you know, industry standards like Magnet Forensics AXIOM, fantastic tool; Cellebrite products, fantastic tool; Oxygen Forensics.

And I’ve always realized that even with the different tools that we use, there’s no one answer to anything. You know, each program decodes differently, each program parses out data differently, and we’re constantly playing catch up with these applications that are being put out.

The operating systems are updating so fast now, there are usually updates every couple weeks, if not months. The applications themselves are changing constantly. So if one’s not supporting it, maybe the other one will.

So it’s not uncommon for us to load these after we do an extraction, pull that data into multiple applications and kind of see what we have. It’s almost like trying to go to a doctor for a second opinion. You know, you want to look at the data and then, wait a minute, let me see how this other program does it, maybe it’s going to parse out differently.

Christa: So having said all that, is there one particular tool that stands out to you in terms of the features that it has? And if so, where have those features helped the most?

Lee: So, I’m a good proponent for all three, but however, the one I tend to utilize the most is Oxygen Forensics. And the reason being is that the analytical tools are very easy for me to understand. I can do things more efficiently, in a timely manner, and then be able to present that in a way that other people can understand, as well.

One of the greatest tools I think with Oxygen Forensics is that I don’t want to have to keep loading and unloading applications or, not applications, but extractions or images, image files. If, you know, with some of the other applications, you load once, but then you’ve got to either cancel out your extraction or import another one and it’s a tedious process.

Well, what Oxygen allows me to do is import a numerous amount of extractions and then put them under, or categorize them onto a case number. And I can look at them in, I guess almost as a whole.

So let’s say I get one case that has five or six phones or even other digital evidence. Well, I can kind of look at them all together and not have to go back and forth. And it makes my life a lot easier.

Christa: Yeah, it sounds like that definitely would. I mean I know one of the issues that also keeps coming up a lot is backlog, right, and efficiency, and it sounds like that really helps to streamline in that regard.

I know you mentioned a little bit ago about being able to communicate with other stakeholders. What are some of your biggest challenges with those stakeholder communications and how does Oxygen support communicating with them? I guess, particularly with prosecutors, but also across agencies.

Lee: Okay. So obviously in the forensic process there are different stages of it. Obviously we do our, you know, identification of devices, we do our extractions or imaging of the devices, analytics, and then we do our reports.

And while we’re working on it, it’s pretty easy to talk about, but it’s, you know, when these cases either go to trial or we’re going through trial preparation, or we’re preparing for discovery, sometimes the recall is a little harder.

So with the reports that we’re able to create through Oxygen, it makes it a little bit easier to recall that information and understand it better.

You know, with a lot of the reports that we make, obviously you’ll have your original evidence, which we call like, questioned evidence, and then you have your master copy of the evidence, and then you have your working copy. And a lot of people, we start with our working copy, and then based on that, we start doing our queries and then we start making our analytical reports.

Well, the reports that we find in Oxygen are very easy to understand, whether it be PDF or CSV or Excel format, whatever, or HTML; those formats, when you see how the data is presented, it’s easy for me to explain that to other officers or agents or attorneys when they come, not only for prosecution, but defense attorneys, when we go through like evidence review.

Christa: I mean, in the complex cases that you work, I want to come back to that in terms of can you give any examples of how that would work in an especially complex case?

Lee: Well, so in a lot of our cases, especially with the trafficking you’re going to have you could have multiple suspects, you could have multiple victims, it could be crossing over state lines, county lines, it could be, you know, in other countries, and then you’ll have a lot of digital evidence.

The evidence can be cellular phones, it could be tablets, it could be call detail records, it can be social media platforms where all the data’s not on the phone where it’s being stored in the cloud somewhere.

So with all this information, you have to be able to bring it to one spot and then review all the data almost like, separately, but together, and look for patterns. And by using this application it allows me to do that because I can look for things and do search queries over a group of information and not just in one singular thing.

So maybe not just one cell phone, but I’m looking for maybe a communication between two people over a variety of not only phones, but platforms that they’re using. So it makes it a lot easier for me. And I can explain it easier to other people when I find that data.

Christa: Yeah. So kind of on that note, child exploitation and human trafficking obviously have continued to escalate, especially throughout the pandemic. What do you think is the most important capability Oxygen has to support you in dealing with these case volumes and data volumes?

Lee: So going back to a point I made before, importing these into, or categorizing the extractions into, I guess, under a case file. And a lot of other applications that I have, it’s great. The tools are fantastic, and I can’t say enough for Cellebrite and AXIOM.

But when I have multiple phones and I can categorize them under one case number, that information kind of gets stored on a separate drive. And I don’t have to constantly recall that information. As soon as I launch the application, those files are already there.

So I can literally have 65, 75 phones open and categorized under the same case number and go and refer back to that at any time. And it’s easy when you’re jumping around to different cases.

We don’t just work on one case. We’re constantly working on multiple cases, and sometimes you’re assisting other officers or agents. They want to review their data, so you don’t have to spend time waiting for it to reload over and over again.

Christa: Yeah. Well, Lee, thank you again for joining us on the Forensic Focus Podcast.

Lee: Oh, thank you for having me.

Christa: Absolutely. Thanks also to our listeners. You’ll be able to find this recording and transcript along with more articles, information and forums at Stay safe and well.

Leave a Comment

Latest Articles