Captain John C. Alfred discusses some pertinent points for forensic investigators working in law enforcement at DFRWS USA.
John: Well, good morning. And thank you so much for having me. I’m excited and, I got to tell you, a little bit intimidated as well. When I saw the list of some of the people that were showing up, it was the rock stars of forensics. I was pretty impressed and a little intimidated. I know [00:28] gave a great keynote yesterday. Is he in the audience?
Okay, so I’m a Boilermaker myself – I say I’m a boilermaker, because my daughter’s a boilermaker, and she just graduated, she was an undergrad from Purdue, so I know Purdue.
I could start off with a quick moment of silence. We just lost a police officer and a civilian in – next door, in Massachusetts. The police officer was shot and killed in the line of duty this past Sunday. So, if I use one second – a moment of silence for him and the civilian that was killed.[silence]
John: Okay. Thank you. I want to say his name, because we need to know them. [Michael Chazett] was the police officer who was shot. Okay, so I want to bring to you a little bit of the practical side of what we’re seeing at the moment, what we’re doing at the moment. I’m with the Computer Crimes Unit for – I guess it’s been about 12 years now. I started off as a young detective in the Major Crimes Unit some 20 years ago, coming from [a role as a trooper]. And while I was in Major Crimes, I started to see the development of forensics and computers playing a part in some way into crimes.
I don’t think I completely understood how much that was going to come to be, and how much it’s come to be now, in our world. I can tell you that almost every case we have nowadays has at least some aspect of the Computer Crimes Unit, whether it be a harassment case or a murder. There’s a phone somewhere [involved] or there’s a computer somewhere [involved]. There has not been one case that [we are not] involved with … on top of the idea of trying to deal with the child exploitation stuff we’re dealing with.
My unit is basically broken down into three different areas. We have the Forensic Unit – two civilians that work and some of us that do forensics as well as [02:44]. We have a Child Exploitation or an ICAC Unit, for those of you that don’t know, the Internet Crimes Against Children, which probably takes [02:51] our duties. And then we have the [02:55] Task Force, which is the [cyber side of] intrusions, fraud cases as well. Initially, so 12 years ago, 13 years ago, when we started off, we had one detective in Computer Crimes.
And he was a sergeant and he was expected to pretty much maintain the lab, do investigations, and … what everyone wants to do is to find that smoking gun, right? Because everybody wants the smoking gun [to do] forensics – even though sometimes it’s not even there.
From there, [they grew] and we had three of us. There was three of us involved, and we had one Dell computer, with pretty much no memory, that crashed in the middle of almost every forensic exam that we were doing. We had enough money maybe to buy a license for Encase at the time. We still [continue] to use Encase. And even that [ran out] a couple of times because [the powers that be] didn’t see the need for us to have a forensic license.
So, things have changed in a very short period of time. Within 13 years, we’ve seen a complete change from what we once expected the detective to do, to what we expect him to do now. That being said, what I want to do is I want to present to you kind of like a case study, and talk about some of the things that we do, and … [how many …] I know I’ve got one police officer in the who’s here. Any other police officers in the crowd? Or retired police officers? [There’s one] [04:24] [from Milwaukee].
Okay, some of the things that we’re dealing with, some of the problems that we’re dealing with and we’re seeing [regularly], and one of them is that we have a lot of [timeless words] that seem to always have a problem with [– anonymity]. And trying to prosecute cases through [anonymity] and trying to actually charge someone when they’re [anonymous] – very difficult task. So, [when I decided on a new] case study, and the case study is … because everybody likes cop shows, right? [You’ll find that there’s] many cop shows on TV. So, [we’ll do a] cop show. So, [I’ll run you through an actual] case that we had back in 2016, which required some forensics – maybe, if we can do it. But it also required some police work to go along with it. So, we’ll walk through that. I am going to tell you that I do have a disclaimer. Because some of the language that some of the suspects we’re using might be a little [05:22] I guess, so I hope you can manage that. If not, then go ahead and you can run out the door right now, because the language is not great.
Alright, so January 2016 to February 2016, we were getting crushed with bomb threats across the state. We had 18 [05:42] bomb threats and email threats sent through anonymous encrypted emails. So, we didn’t have any idea who was [doing it], we just knew that it was causing quite a ruckus. They were sent to local schools, news agencies, [nine public schools in all], two school districts, two police departments, and a local news agency. And this is all in a very short period of time, in a few weeks. And we were also dealing, at the same time, [06:08] nationwide. So, if you can remember back to 2016, [the year that a lot of us] [06:15] [news], it was causing a disruption amongst all the communities.
And then, we knew the suspect was using simple [06:24] applications and websites to anonymize [06:27]. They were delivered through telephone-spoofing websites [06:32], text-to-speech applications, so they weren’t really always giving us their voice, we were looking for voice. And they were using [lots of] encrypted email apps.
So, how do you use forensics with that? How do you even find out [what the forensics are]? If it’s so anonymous. Now, I’ll play you [06:54] call, this is one of the calls that came in to the [06:57] the state police.
John: Okay. Can you hear [08:05]. Alright. So, we get that call, and those calls would be pretty regular [08:14] were coming in. We were also receiving email threats, [08:21]. Encrypted email, anonymous email. This happens to be one that was sent in a little town, chief of police and the [school department]. I’ll let you just take a look at it quick.
So, with this happening, it causes a problem. Because what happens is we know it’s going on nationwide, we know it’s happening [Rhode Island], but who’s doing it? And is there a connection? That was the question we had.
We found that in 2015 and 2016, the bomb threats increased, immensely. Immensely. If you look, you can see [09:10] had 135 [09:12] had 10. So, were they connected? You’re going to see [now, we know that] yeah, they were connected. And some of these other states that you see there as well, they were also connected. If you look at that graph to my right … your left … your right, I’m sorry. The numbers went way up in 2016. As a matter of fact, 2011 and 2016, we had [1,461] percent increase. Almost 1500 percent of bomb threat [09:42].
Okay, so it’s a bomb threat. Big deal, right? Nobody’s going to get hurt. Kids have been doing this for years. But before, when they used to do it, you couldn’t do it [anonymously], could you? [You had to call from your AT&T or] [10:00] and you had to actually make your call from a phone that we could track back. Well, we don’t have that, because it’s anonymous. And it’s expensive. The estimated costs were around $250,000, [10:17], and that only includes [10:20] and the SWAT teams and whatever else they had to pull out to respond to all these different attacks that we had, 16 attacks that we had. [And what else did it mean?] It means that parents have to look at their kids. It means that the kids have to be home and that the parents have to take care of them at home, and also, they can’t go to work. That’s not even [figuring that stuff in], and believe me, when that happens, people get up in arms. [laughs] A disruption of life. Imagine that – you bring your kids to school, you go to work, and you get home from work on time to pick up your kids and bring them back home. Well, you can’t do that when you have to go pick them up two or three times a week because of a bomb threat.
And if that wasn’t enough, we also had the swatting calls. Does everybody know what swatting is? Okay. So, you see the definition there. And it’s basically a game these guys play, most of the gamers, where they cause a SWAT team or a police response team to be deployed on an unsuspecting victim on a false threat. I’m going to play you a recording of one of the swatting calls that we had. And again, they come from anonymous sources.
Alright, February 9th, this was kind of [our break]. We got a swatting call, we’d had other swatting calls to this particular house in the past, didn’t know that this swatting and the bomb threats were connected, but later on we find out that they are.
So, here’s the actual last threat that came in. This is [12:03].
John: Okay. So, obviously, [as we all know], that’s going to raise concerns by the police and probably change our response a little bit, I would think. We’re not going to walk up to that front and knock on the front door if you get a call like that. So, naturally, we’re going to call in either the high response team or a SWAT team, whatever might be available to try and see what was in the house.
During the [14:18], that particular one, the dispatcher [14:21] gets a phone number through Cox Communications to find out if we can call the house back after they hung up. And this is the answer that they got. [14:39]
John: Okay. [16:32] for that. [16:34] back and forth. Here’s my question to you. How has he answered that phone? How has that swatter answered that phone? Think about that for a moment. Again, now this has happened, it puts it a little higher, right? Because they’re calling what they think is the phone number back to the house, and this [nitwit’s] answered. And a couple of things – I want you to be detectives here now. So, [let’s consider] a couple of things in there that’s kind of helpful for our investigation. As you noticed, he said, “I’m also responsible for the bomb threats.” Thank you very much for telling us that. So, we knew there was some [kind of a nexus]. I want you to think about … [we’re going to ask you a little later on] to see who can tell me how he ended up doing that. [How did end up having that app?]
A couple of things that we [17:23], he mentioned something about the island, what they call the [state police paras]. If you live in [Rhode Island] and you call [Quidnick] Island, which is the new port area, “the island”, you’re a local kid, or you’re a local person that lives on the island, because that’s what’s the island people call it – “the island”. So, that helped us a little bit.
He talked about a maintenance room in the middle of a building. We knew that [Rogers] High School had their maintenance room right in the middle of the building, so we [start to turn to –] so not only is the person from the island, but [17:57] [Rogers] High School. He identified the boiler room, again that was in the middle of the building as well.
So, we have a few clues, but really, it’s still anonymous at this point. We don’t know where it’s coming from, but [we look] and we actually try to find out, it was coming back [out of Russia … well, coming back out of Russia certainly].
So, Newport police asked us to come in and help them out. They don’t really have a computer crimes unit, really didn’t know how to approach this. So, they asked us if we could come in and help them out, and we certainly wanted to. Because like I said, we’d already had 16 bomb threats in the course of less than a full month. We had … they had six swatting calls, we had [other swatting calls in Rome], Bristol, and also Cranston. So, we got the bomb threats going on and we got the swatting calls going on at the same time. And it’s disrupting normal behavior. So, how do we proceed? How would you proceed?
Hopefully, we’re going to get some forensics. Pretty cool, huh? So, we’re going to try some forensics. So, that’s [19:15], right?
So, we go to the house and, for analysis of the [whole] Cox Communications router, we’re [able to] authorize access. Okay, so we can do forensics on that, we can do [the forensics up around that]. It was actually logging IPs, which nine times out of ten, we [19:35] that, by default. But this would have to be logging IPs, and we found nothing out of the ordinary on all the different machines that were attached to the router, or all the ones [19:44]. So, nothing out of the ordinary.
So, that’s one [type of] forensics. Then we [get a little warmer. A woman can’t – she can’t] access [19:55] [password being changed]. [She can’t] get into her Cox account. Who do you think changed that password?
That’s the bad guy that was threatening them, right? That’s what he did. He [20:09] Cox Communications, got into the account, and changed the password. So, now he had complete control of that account. And the owner couldn’t even get into the account. So, that’s all part of the scam as well. We get consent to search [the rest of] the residence, [at which time] we [20:30] [resident’s] computers. [An elderly woman, an elderly man, not a lot going on.] [20:36] [target] stuff like that, [20:38] there. As far as anything else, nothing.
So, we start to do some police work and discuss with [the woman], well, who could be doing this? Who would change your password? Any idea? She had no idea. So, now, as we’re speaking, she says, “Well, we have a young couple, a young kid and [their sisters] living upstairs in the house, but I don’t think they would do it.” [You go,] “What? There’s somebody who lives upstairs?”
“Oh, yeah, well, they don’t rent from us, but we let them stay here, because [he had a fight with the] parents, and the sister’s taking care of [this little] brother, and they live on the second floor. Bingo! Right? The lights go on.
Okay, and who are these people? Well, she’s about 40 and her son goes to the [Rogers] High School. Oh! Really? Who knew, right? [Rogers] High School. So, at that point, [where do you think we head?] Up the stairs.
So, we don’t have any search warrants at this point. But remember, the people in the area were pretty [perturbed] at this whole thing going on. Because not only was the sister not happy about it because she had to go pick up her brother all the time, [21:51] work. So, she wasn’t happy about it. So, that kind of helped us along.
So, we go upstairs, we talk to her, she says, “You can look at any [materials] you want in this house.” Oh, okay, can you sign this? [22:04] right here, in bold letters, and the date today. She took it and she signed it.
She says, “Do you want me to get my brother home?”
Do you mind?
“Yeah, [he can] come back.”
Yeah, that’ll be nice [if he can] come back.
So, before we do that, we call the officer in the school, the SRO, and say, “Find that kid and grab his phone.” Grab his phone. Don’t let him play with it, don’t let him [22:28], just grab him and say, “Hey, we’d like to take you home, your sister’s coming to get you. In fact, I’ll give you a ride.” [In fact, we did – we had the SRO give him a ride] over to the house. Grabbed his phone and showed up, did a nice job.
So, [when they get] home, we say, “Hey, you know, we’d like your consent to search through all the property. Can we search through all this …” The kid’s kind of like, “Yeah. Uh, yeah, [you can look, I got nothing to hide.”
Alright – forensics again. When we get into his computer, in the second floor, lo and behold, the night before, a new operating system was installed. Again, as you people know, as forensic people, it doesn’t really make a difference to us, because there’s plenty of stuff [23:10] you can find, but [on the site] right now, we got a machine that’s as fresh as can be, and we have to [stop, pull the drive, and start looking at it forensically] to see if we can find some stuff [behind] that. So, [there’s forensics there, we can do forensics on that], so there’s one place we can do it.
Then we look at his [cellular phone]. And that was the [big one]. [That’s when we found out most of the stuff was going on] anyway. See, he wasn’t smart enough … and this is human nature, this is the only way that the police were [23:44] [get over this], is we make mistakes. And he made a mistake. And his mistake was that he deleted all his history, but he left his browser open. So, when he left his browser open, we were able to go back and find out what he’d been up to and what he’d been looking at. Okay?
So, with that happening, we saw the email account that happened to be sending emails to some of our cities and towns. [He’s checking] his IP address, he’s checking Middletown High School and principals’ names. So, he had a list of the principals and he was sending the emails to [her or him, whoever], to threaten them, at their houses. He somehow got a cellphone number for one of the principals, called her at midnight and threatened her. And [MPSRI, that’s a] Middletown School department, [we know he] used Google [and all that stuff]. We’d just had a bomb threat at Middletown School department.[Furthermore], we looked into some of his recent tabs, and everything kind of started to fall into place. Bomb threat … [he was pretty impressed] with the fact that [he was making the paper] without his name being in it. Bomb threats … he was reading about the bomb threats on his phone, he thinks this is a great thing.
If you notice, he [25:04] to remove Android history permanently, he was concerned about that, [along the line], I guess he didn’t follow the directions very well, so thank god.
Alright, so [this kid] … because with any computer and any forensics, as you do [25:19], right? And I’ve [already] said that when I do forensics, I can tell you a lot about a person, just based on their computer. If I get a person’s computer to look at and spend a good couple of hours on it, I can tell you [a lot of things that they wouldn’t want you to know]. And I’m sure [you’re the same way]. I’m sure when you look at a computer, you kind of get a feel for that person, in some ways. After [we had shown him] screenshots, he was [25:44] [25:48] and [then we showed him the] screenshots, and then he JUST kind of [… fell apart].
He claimed responsibility for the bomb threats [on Rhode Island] as well some in Massachusetts, New Jersey, and [United Kingdom]. So, [25:59]. He told us [he was using a Tor browser], [26:03] call2friends.com, [which is the tool that spoofed] the phone numbers, for voice over IP, and [26:10] for pre-typed messages. He was the one that would play [26:15]. He didn’t play his voice, it was all recorded voices that he would use. And pretty much his whole gang of people that we will talk about in a minute, that’s how they started off, and then they got a little more [brazen].
And again, it’s human nature, and that’s what helps the police [make a…]He advised he was part of a group called the Team of Evil. Pretty cool name, right? Which was responsible for the majority of bomb threats throughout the country as well as the swatting calls. So, do we have forensics on that? Well, we do have his machine. [We can start looking into it was we’re talking to him, and that’s what we did do.][He advised] he was playing a video game, Toontown. So, something as … nice as Toontown, which at one time was owned by Disney, and then they sold off the domain, and got rid of it, they didn’t support it anymore, and these kids have … they took it over, they were creating fights online, with their different characters, and not being very nice to one another. It becomes a game of “I’ll take care of you, you take care of me, I’ll take care of … He’s my friend, I won’t talk to you, he’s a jerk, he’s …” It’s what kids do, right? Because we know that kids’ brains don’t really develop until after 21 years old, and sometimes [27:33] kids are still [waiting] for their brains to develop, [27:36] some of the things they [27:35]. Alright. [27:40] make bomb threats through group calls on Skype. So, what they would do is they would listen in, [all of them would be] on Skype, and they’d listen to the bomb threats and kind of chime in. He identifies one kid, Massachusetts … you remember how many [numbers] of bomb threats we had in Massachusetts? It’s like 150, it was the highest in the country. [28:00]
So, and he said also, one of the key things he said is that … I think his name was [Alec]. [We don’t know] each other’s names, in fact, when we asked … when the dispatcher [28:12] was asking, “What’s your name?” he said, “I’m Christopher.” First of all, his name wasn’t Christopher, again. But we thought it was.
They really don’t know everything about each other, but they try to figure it out. Because [the anonymity] of the whole thing, they don’t know, they can’t [28:27] through IP, because … anonymous. [But they] knew that this kid’s name was [Alec], he’d been arrested previously for a similar crime.
He ended up being charged with 15 counts of bomb threats, two counts of extortion or blackmail, a count of access to computers for [28:44]. So, he’s got his hands full. Every single one of them is a felony. And one, 15 times over. So, he goes to the [28:51]. So, we think it’s over at that point, and maybe we can [refer some of that stuff to Mass State] Police and get some help from some of those other agencies. Well, it wasn’t over.
Oh, by the way, he has [29:04] 21 years old, [29:06] internet access for school purposes, and he had a fourth amendment waiver, which allows us to look at his computer and make sure that he’s not up to no good. [Not up to anything]. Right? [29:17]
Alright, but – you’re thinking this was just a prank. I want you to read this, and see if [29:22] what we’ve seen in the news recently, across the country, with some of the shootings that we’ve had. In particular, look at the highlight that I [29:33]. “I’ve gotten little reward and little recognition from my teachers. I deserve to be labeled the best and I deserve to be treated as though I am royalty. I deserve to be treated like the god that I am.”
Keep that in mind. [We’re going to] look at some of the other people we’re talking about here, and they all seem to think that way.
“I was abused by my mom daily. But now she gets what she deserved.” Now, to say this about your mother, a little disturbing to me. I don’t know about you guys, but to me, a little disturbing.
“I burned that bitch alive with a flamethrower and watched as her gruesome flesh tore off her body.” And then, at the bottom – now, this is [30:12] across the country right now. “I will take my local bus to school, and take a giant backpack with me. In that backpack, I will have 1,000 rounds of ammo, a sniper, an AR15, and eight handguns. I will also be equipped with eight petrol bombs, a flamethrower, rocket launcher, four car bombs for a little extra fun, and finally a suicide belt set to detonate on command.”
Alright, so maybe he went over the top a little bit with the flamethrower [30:37], but it’s kind of what we’re seeing – we’re seeing these kids, they take these guns, and they go to school, [and take out a bunch of kids, children]. So, a little concerning. So yeah, we may [say that these are just] bomb threats, and they’re anonymous bomb threats, and they’re just kids, and kids have been doing this for years. But there’s more to it than that. There’s a human side to it as well.
This young man right here, as you may have seen in the news recently, 2018, we were waiting for this, [that sooner or later] it was going to happen. And [they did] a swatting call to a house in Kansas. So, while he’s in jail, he somehow gets on the internet – I don’t know how he had a phone – and he starts tweeting. He says, “How am I on the internet if I’m in jail? Oh, because I’m an e-god, that’s how.” Okay? Sound familiar, to the other guy we just talked about? He also thought he was a guy [31:34]
This guy, as a result of his swatting call, ended up killing a man in Kansas. The police shot the man because [they thought it was an illegitimate gun call]. Awful. The house, the people in the house had nothing to do with anything that was going on with the person [31:53]. [Just an old residence.]Alright, so we think it’s done, and then, as [our suspect] goes to jail, he’s [sent to] training school, and he decide … our friend, or a friend that was involved with the “Team of Evil” decides he’s going to start calling the training school.
John: These are all recorded voices. This is not our actual suspect talking. [That was Russian.] I think. Anybody here [32:54].
John: Alright, so he continues to do that, continues to call up the training school with bomb threats. So, what happens then? You got to take all the kids out of the training school, search the building with dogs, [put them out in the yard]. And keep in mind, this is January, February. It is cold here in January, February. [For those that don’t know], it’s sometimes below zero. It gets cold. So, you put those kids out there, it becomes an issue. The same thing at the schools, especially when you start talking about little kids, like third, fourth grade.
Alright. So, he has also decided he’s going to start calling Cox Communications. Because Cox was the carrier for the woman that was [34:27]. At that time, she [34:29], so he decides he’s going to try doing that again, because [he’s now locked out of] her account. Because we were able to get Cox security involved, explain to them what happened, and they were able to get the woman back into her account, and cut the bad guy out. So, he continues to do the [34:46], not having much luck, because [34:50] be on the lookout for this guy, he’s going to try and call. So, in the end, he does the bomb threats on them. So, they have to evacuate their buildings, at Cox Communications. And that’s not here, that’s across the country.
Do we have forensics [then]? Not really, right? Again, it’s coming across an anonymous line. So, we have a total of 18 new incidents after the first [35:20] after we had him locked up. So, we had to continue on. So, we find out who the head of the “Team of Evil” was. And just a simple Google search shows you that he was arrested for threats in Michigan. We reach out to the police officer that managed that, [at Kent County,] Michigan sheriff’s office, and he was able to identify the leader online [35:50] the actual person in Massachusetts, and tell us where he lived and who he was. And he was very excited that we were going to do something, because when he was charged, he didn’t even do probation. [As a juvenile, he got nothing.]
So, he was excited that we were going to continue and go after this guy, because he considered him a threat. And so do I. The detective also [36:14] that he goes by the name of [Maverick], so we knew [who the guy was], and whomever it was that we were talking to, who was probably someone who had something to do with the bomb threats at the training school. And to Cox. And this kind of helped us [36:28].
We had the Fusion Center – [36:32] Fusion Center is. The Fusion Center is a clearing house of information that we share information across the country, with [one another, law enforcement] in particular. After 2001, after the 9/11 bombings, we found that we don’t do a very good job of sharing information [36:50]. So, we created the Fusion Centers to be able to [trade within the same …] and give each other information about different threats that might be available. And more recently, we’ve been dealing a lot more with [cybercrime, because cyber’s] become a huge threat for the United States.
So, we’ve found out that all these police departments were doing investigation but didn’t know who the person was that was making the phone calls, because [37:14]. So, I’m going to play this [rec] for you. This was the call to the [37:23] Sheriff’s Department.
John: Okay. We’ll come back to that. So, you can hear the dispatcher’s voice, she’s getting more and more concerned, more and more upset. She knows, thinks that something’s going on. The [voice user] comes on after that, speaking in a broken … I would say like an accent that would portray him to be someone who’s [Middle Eastern], [41:43] Boko Haram, [41:45]. But the mistake they made on that is they forgot to hang up.[laughter]
John: So, the kids stayed on there, and the dispatcher left it on, and when did that, you can hear them talking …
John: So, we had them talking, which was great for us, because now we could use that voice to find out who these kids are. So, they’re talking back and forth about, “Dude, you shouldn’t do this,” and “That doesn’t really sound like a [42:40],” they go back and forth.
We contact the juvenile probation officer and we’re able to play the voice for our suspect. He goes, “Yeah, I know who that is. That’s [Alec]. There’s no doubt in my mind.” That was April 22nd, when [Mass State Police and FBI] executed a search warrant at [Maverick’s] residence. This is what we find.
Have you ever heard of [Anonabox]? Okay. It’s [set on] telephones … now, this is a kid that’s not supposed to have any digital media at all. But of course he does. He’s got his mother’s laptop, which had been erased the day before. Completely erased. Bit for bit erased. He was a little smarter than the other guy. And an Xbox he was using, that as well. So, we got in to talk to this kid, interviewed him, [43:30] he was the [online hacking terror group] that we were looking for. And [43:35] several layers of encryption to protect themselves.
Here’s what he had to say.
John: [So, his mother’s trying to reason with him.]
John: He didn’t like us too much. Very upset about that. So, he was arrested, [44:29] to a training school until he was 21. He now still has active warrants in Rhode Island, New York, and Florida. As a result of this, we had the FBI reach out to us and we ended up with another arrest in the United Kingdom. It was a [bomb threats] group as well, and part of that [44:45] conversation that we could the voices go back and forth, that’s … that helped them out.
And we haven’t had any bomb threat – knock on wood – since then, since we made that arrest.
Now, [Franky] asked me if I could just share with you, real quickly, some things or some requests that we might have, State Police … as investigators, as forensic investigators. We need a [reliable program] to analyze Chromebooks, Surface Tablets, and gaming consoles. We really don’t have a lot of good tools to help us out with that. This is coming from my forensic examiners. [45:22] for decoding app contents on phones. As you know, the apps change constantly, so we’re communicating with different apps on the phones, and the machines of the … some of the old forensics machines that we’re using now don’t do a very good job of decoding some of these new apps.[The other one is] iTunes backup, passwords, and something new that we’ve been dealing with recently, where the iTunes backup … if they back up the phone to iTunes, and we try to dump the phone, and we can’t do it, because it’s looking for the iTunes password, before it [blocks it out].
And also, something that we’ve really been [hit,] on the other side of … the cyber security side of things, is that [these email compromises …] if you guys can come up with a way … [some type of user behavioral analysis technology or otherwise to monitor] for unusual account access patterns that may indicate unauthorized access or use. Because these people have no idea, businesses have no idea that someone is actually in their email account and watching the traffic that’s going back and forth between the two.
And I will finish by … or end by saying this: We’re at a juncture right now, I think across this country, where we’re trying to figure out, we’re in the initial stages of it, what’s important to us. Privacy, security? Both, right? Well, we have to come into some place in the middle and figure out how we can still stay secure, [to secure our position], not only our businesses, but also security from people like that, but also continue to have the privacy that we always love. [That’s what we’re] built on, this privacy, I understand. But we need, right now … we’re at a juncture where we have to figure out, can we do it without [anyone] being anonymous.
With that, thank you for listening, and I hope you enjoyed it.[applause]
Host: Thank you very much, and I’d like to give you a …
Host: Yeah. Well, our DFRWS …
Host: Whatever you want. And our …
John: Ah, look at that.
Host: … DFRWS sweatshirt. [We can take a couple of] questions, too, if people have …
Audience member: I have a question.
Host: Okay. Go ahead.
Audience member: So, it’s related to what you had just said. You were speaking about we need to be able to have … you would like it if we could be able to have privacy, but without being anonymous. What would you say to those people who basically say privacy and anonymity – I have trouble with that –
John: Yeah, me too.
Audience member: – are the same thing, or they go hand in hand. What would you say to people who say, “Well, if you can’t be anonymous, then you can’t truly have privacy.”
John: Well, I’d say . And I may get some pushback a little, but we, as the government, are not looking to meddle in your phones and your computers and see what’s going on. We are here to protect people, to protect our society from those people that [are doing] no good. I think the whole [Snowden thing] kind of threw a curveball at us, and changed a lot as far as the NSA and what they were up to, and …
I’m here to tell you that all countries are kind of paying attention to what [each other are] doing, I don’t think this is anything new, it’s been going on forever and a day, since the beginning of civilization. [49:07] to listen to each other’s conversation. So, I can tell you that it is not the same … … I use a VPN on the internet, Google [49:21], but in the same token, I’m not doing anything wrong, and if you’re doing something wrong, we need the ability to actually get in there and secure our country.
Audience member: Talking about the Fusion Centers, it’d seem like that was a very useful resource to have. Is that something that usually only becomes [available] as a last resort or is that something that happens in every … do you have access to that [49:50] at early stage?
John: [It doesn’t,] and as you saw the map, we knew that was going on across the country, and we had … I have [overseen a] Fusion Center too, so that helps out too. But we use it pretty regularly for information. It took a little time to get all the different departments to recognize that there was probably some type of [50:10], so I guess the short answer is no, we’ll use them from the get-go, but at the end, when we have all the different police departments, I think it’s more a resource to reach out to.
Host: I think we need to move on, but people can ask questions …
John: Yeah, I’ll stick around. [People can also throw tomatoes at me or whatever.] [applause]
End of transcript