The byte stuff

April 1, 2009
Local officers should be prepared to follow the trail of bytes criminals leave behind

     Between 1974 and 1991, the BTK killer taunted police with letters boasting of his atrocities but yielding few clues to his identity. The serial killer resurfaced in 2004 and police corresponded with him in an effort to gain his confidence. In one of these communications, BTK sent detectives a purple floppy disk containing an ominous warning.

     The BTK task force enlisted the expertise of Det. Randy Stone in the Wichita (Kansas) Police Department's Computer Crimes Unit, who checked disk properties and learned the previous user's name was Dennis. Further examination revealed the disk was last used at Wichita's Christ Lutheran Church. After a quick search of the church's Web site, Stone learned there was one Dennis among the church officers - Dennis Rader.

     The knowledge tipped the investigation in law enforcement's favor, where DNA evidence linked Rader to 10 murders. In August 2005, the courts sentenced him to 10 consecutive life sentences. Stone's digital detective work had cracked the decades-old case in a 15-minute forensic examination.

     Stone rates his computer forensics work in this case as a three on a scale of one to 10, and stated in a 2007 "Popular Mechanics" article that, "As simple as that was, the sad thing is 95 percent of law enforcement in the U.S. could not have done something like that."

     Though digital evidence has lead many cases to similar resolutions, Stone says the state of affairs he described two years ago remains largely true today. "A lot of agencies recognize the need for computer forensics capabilities but often cannot afford to add them," he says. "There are many departments where the forensics guy wears multiple hats. He is the D.A.R.E. officer, the third-shift patrol officer, the forensics guy, the cell phone guy, and works for the volunteer fire department too."

     While regional task forces help local agencies deal with the proliferation of digital evidence, it is not enough, says Rich Harris Jr., director of High-Tech Crime Training Services at SEARCH, an organization focused on identifying and solving information management challenges facing public safety agencies.

     "The feedback we are getting from across the country is the model of having regional task forces is good but most of them are overwhelmed," he says. "There just isn't enough base knowledge in local departments, so every single device or computer that pops up in every investigation needs to be sent to a task force."

     Los Angeles Sheriff's Department Lt. Rocky Costa, who heads the Southern California High-Tech Crimes Task Force, warns while these specialized teams shoulder most of the high-tech investigations load, every law enforcement agency must prepare to handle these cases. He emphasizes technology touches nearly every crime today. Digital media seized in relation to an offense may include everything from computers, flash drives, cell phones, digital cameras and game units, all of which needs forensic examination.

     "Criminals don't even think of these things as digital storage devices - it's so much a part of their culture," he says. "That's how much technology touches our lives."

     High technology has made the criminal a better criminal, and as Stone points out law enforcement struggles to keep pace. But it's clear the gumshoe of the future will need to be trained to study bytes the way old-school investigators examined fingerprints.

Funding woes

     Costa says a task force approach offers a good safety net for agencies lacking high-tech capabilities. "It allows officers to focus on the robberies, the assaults, the murders - the crimes against people," he says. "They can rely on the task force to assist them with technology crimes."

     Federal and state funding makes these teams possible because the money enables task force members to keep their skills sharp as technology evolves. However, the funding to keep specialized forces afloat is increasingly threatened. In early February, California's five task forces learned they lost 40 percent of their funding due to a freeze in government grants ordered by Gov. Arnold Schwarzenegger. Though state officials passed an 11th hour resolution designating vehicle licensing fund dollars to pay task force costs for five years, the operations of one of the state's teams - the Northern California Computer Crimes Task Force - remain suspended until further notice.

     "We ceased operations as of February 1," says Ed Berberian, Marin County District Attorney and project director of the Northern California Computer Crimes Task Force. The task force relies on state and federal funding for 100 percent of its operations. Local governments could not pick up the tab for expected state and federal declines, so the group had to disband.

     This scenario is common for the 100 California agencies in 13 counties that rely on these specialists to process digital evidence. "These are [mostly] small agencies," Berberian says. "They don't have the extra investigative resources to continue these operations."

     All agencies relying on task forces face similar fates should teams lose funding. When the Southern California High-Tech Crimes Task Force faced losing its grants, Costa says he was asked what would happen if the money disappeared. "I said over the long haul it means we'll be frozen in 2008 techniques, software and equipment, while the crooks are on the cutting edge. As technology moves ahead, we cannot afford for technology investigators to remain behind."

Bring it local

     While task forces offer much assistance to small agencies ill-equipped to perform this work, with technological crimes and digital evidence increasing at tremendous rates, it remains critical for all agencies to prepare in some way, stresses Tom Quilty, president of BD Consulting and Investigations Inc. and treasurer of the International High Technology Crime Investigation Association (HTCIA).

     "Someday there will be no crime labeled as high tech, it will be just crime," he says. "Technology is becoming an increasingly important part of criminal activity, and agencies need resources and training to deal with it."

     Patrol officers most commonly run across cell phones containing a wealth of information, says Harris. He describes a recent California gang shooting where rival gangs rolled into a parking lot and opened fire on each other with automatic weapons. While hundreds of rounds were fired, when police interviewed those involved they claimed they didn't see anything. But when officers confiscated and searched their cell phones, they found photographs, text messages and other information about the shootings. This, he says, is typical of the digital information first responders come across.

     Strict budgetary confines prevent many local agencies from training officers to perform this work. It would cost an agency approximately $20,000 to train and properly equip a detective to investigate high-tech crimes and inspect digital evidence. But in small departments, Stone says departments often invest around $3,000 in training and equipment and expect $20,000 worth of performance.

     "You can give me a week's worth of auto-theft training and I can investigate auto theft," he says. "But if you assign someone to computer crimes, it's going to take a year to put them through the training."

     The need for these skills varies from department to department, creating another concern, as these are perishable skills, adds Costa. "If you're not getting cases that often, you may need to weigh the cost of training versus the number of cases the officer may have," he says.

     Finally, the rotating assignment process many agencies follow produces challenges as well. Some agencies rotate officer assignments every few years. It doesn't pay to invest in training someone who leaves for another assignment in a year or two. An agency must commit to keeping high-tech officers assigned to digital crimes once fully trained, says Stone, who originated Wichita PD's computer crimes investigation section with Mike McNown 11 years ago. This department rotates assignments on a regular basis, but not in its computer forensics division.

Local preparations

     Police administrators play an active role in setting up local high-tech crimes capabilities. These individuals must decide where this capability falls within the department and the types of high-tech crimes that will be given priority. If the department has one examiner, Stone explains this officer may receive 100 cases annually and will need to whittle that number down. A solid policy designating priority to each type of crime aids in the decision-making process. Stone also warns to look beyond child porn cases when making these considerations. "You get financial crimes and identity theft cases that have losses in excess of $1 million. Where will these cases fall?" he asks.

     Managers then must define resources. "Is one person part-time good enough? How much training does that person need?" Stone asks. "Managers must realize they can't send an officer to three days of training, buy him a thumb drive, not use him for six months and expect him to be competent. There is a commitment involved, if they want to be able to investigate technological crimes."

     Equipment needs cannot be overlooked either, he warns. These officers need robust computers, software tools, write protecting devices and more. "They require more than one tool in their toolbox," Stone says. "If you have a guy whose only tool is a hammer, he'll try to fix everything with a hammer, but not everything can be fixed with one. Administrators may complain that's an extra expense, but investigators need more."

     Harris recommends local agencies embrace a multi-organization approach to bear these costs. When several agencies join forces, it becomes easier to finance needed manpower, training and equipment. "It's a good alternative to having nothing at all," he says, adding that in his area one part-time detective took it upon himself to learn cell phone examinations and is now training other officers in the region to do the same.

     Sharing the workload also helps shrinking and overloaded task forces. In the Sacramento area, Harris says a patrol officer might send a confiscated cell phone to the task force where it may sit for three to six months. "That's problematic. If you have an ongoing investigation you need that information right away," he says. "The prosecution time clock is ticking."

     Multiple agencies that align with each other and a task force cover all bases, because criminals are not bound by jurisdictional boundaries - especially in high-tech crimes, adds Costa. "The Internet and high technology allows criminals to be virtually any place and victimize a person anywhere." Partnerships with federal law enforcement help investigate crimes across multiple jurisdictions or even international venues.

     "Today's agencies need to think regionally and consider collaborations and partnerships that haven't existed before, and look at pooling experience and resources to address high-tech issues," Harris stresses. If things remain status quo, he says the only thing certain in his mind is "criminals will get a much bigger upper hand than they ever had before" as they move into the high-tech world and few officers are trained to examine the trail of bytes they leave behind.

     Editor's note: At press time, a California news agency reported the Northern California Computer Crimes Task force had its funding restored and will reportedly resume operations on April 1.

     Ronnie Garrett served as the editorial director of the Cygnus Law Enforcement Group for 12 years. She can be reached at [email protected].

Technological investigations training

     Several organizations provide high-tech crimes training to law enforcement, says Det. Randy Stone of the Wichita (Kansas) Police Department Computer Crimes Unit. These include:

  • National White Collar Crime Center (NS3C) offers a variety of cyber crime courses on topics that include identifying and seizing electronic evidence, cell phone examinations, online investigations and more. These inexpensive or free courses can be brought to the agency itself or taken at NW3C's headquarters in Fairmont, Virginia. To learn more visit www.nw3c.org/ocr/courses_desc.cfm.

  • International Association of Computer Investigation Specialists (IACIS) is a private, nonprofit organization that offers computer forensics courses in a two-week training conference followed by a year-long certification process once officers leave. More information on IACIS training can be found at www.iacis.com/training/course_listings.

  • SEARCH offers training at its National Criminal Justice Computer Laboratory and Training Center in Sacramento, California. Among its course offerings are a 32-hour basic computer crime course, an advanced search and seizure course for first responders, a cellular device investigation course, and a course on social networking sites. To learn more visit www.search.org.

Sponsored Recommendations

Build Your Real-Time Crime Center

March 19, 2024
A checklist for success

Whitepaper: A New Paradigm in Digital Investigations

July 28, 2023
Modernize your agency’s approach to get ahead of the digital evidence challenge

A New Paradigm in Digital Investigations

June 6, 2023
Modernize your agency’s approach to get ahead of the digital evidence challenge.

Listen to Real-Time Emergency 911 Calls in the Field

Feb. 8, 2023
Discover advanced technology that allows officers in the field to listen to emergency calls from their vehicles in real time and immediately identify the precise location of the...

Voice your opinion!

To join the conversation, and become an exclusive member of Officer, create an account today!