Decoding Digital Evidence
Criminal acts portrayed in movies or television are often accompanied by scenes of the bad guys destroying physical evidence, whether it is a cell phone being smashed or a computer disk being beaten with a baseball bat. These scenes may seem overdramatized, but reconstructing what happened in the course of a crime involving digital evidence is a real-life challenge for law enforcement, and it is the task of a special type of laboratory founded by the FBI, the regional computer forensics lab (RCFL).
There are 15 RCFLs across the United States. The FBI started the program in 2002 when it launched an RCFL National Program Office to oversee the development of the labs.
Security Management got a behind-the-scenes look at the Orange County Regional Computer Forensics Laboratory (OCRCFL) in Anaheim, California. Christopher Pluhar, director of the OCRCFL, says that the center services a range of cases given the ubiquity of digital evidence. “We support all of it: cybercrime, domestic violence, child exploitation, large fraud cases,” he notes.
Founded in 2011, the OCRCFL serves the Central District of California, which comprises approximately 250 law enforcement agencies. Fifteen agencies support the lab, including local and federal agencies from Orange, Los Angeles, San Bernardino, and Riverside Counties. Officers are assigned to serve the lab for two years. The lab supports criminal investigations at local, state, and federal levels.
Pluhar says that oftentimes the evidence alleviates the need for a criminal trial because the suspect will confess. “At the end of the day it’s pretty convincing if it’s on your computer or cell phone,” Pluhar notes. “But if it ends up going to court, we would testify to the process by which it was gathered.”
The lab is set up for information sharing and interoperability with partner agencies. A large server room at the lab houses more than 35 miles of cabling and more than 300 terabytes of storage. Pluhar says the agencies can use virtual private network connections to connect with each other's networks, but the server does not have a public-facing Internet connection.
The lab is accredited by the American Society of Crime Laboratory Directors/Laboratory Accreditation Board, the largest forensic science accrediting body in the world. Thirty-eight labs around the globe hold the accreditation for the digital media forensics discipline, including 13 RCFLs. OCRCFL also conducts its own internal auditing process on policies and procedures.
There is a detailed chain of custody for any evidence brought into the lab. Officers from the local, state, and federal levels who need assistance can submit a request for service online when they have evidence to search. They then bring the device to the lab where it is processed.
Pluhar says that it is critical to preserve the integrity of the device being examined, so examiners image computer hard drives, or extract data from media such as SD cards, and then leave the original device in the evidence room in a heat-sealed bag. All examination work is done on the copy, so the original remains in the state in which it was seized.
The lab also has a classroom that seats up to 30 people where it conducts training on seizing, handling, and processing digital evidence for a range of law enforcement agencies. “We educate a lot of state and local partners about digital evidence procedures,” Pluhar says.
In 2013, OCRCFL rolled out its Mobile Forensics Lab (M-LAB), a mobile unit that provides full digital examination and processing capabilities in the field. The M-LAB at OCRCFL is one of six at FBI regional computer forensics labs across the country. "The OCRCFL Mobile Laboratory enables OCRCFL personnel to conduct preservation, seizure, and limited examination work on-site when appropriate," says Pluhar. He adds that during on-site searches and time-sensitive operations, the capabilities of the M-LAB allow a rapid response to the digital evidence demands of an investigation.
There are challenges that come with the digital evidence submitted to the lab, and Pluhar says there is no single way to extract the needed data. For example, powering on a cell phone to examine it could compromise the data it contains, because the device will automatically try to connect to the cellular network, and once connected it can receive incoming messages that alter its state or a remote wipe command that destroys it. To prevent this, the lab uses a Faraday box, a shielded enclosure that blocks all outside cellular and Wi-Fi signals. Using gloves built into the side of the box, the examining officer can safely power on the phone inside it and extract the needed data.
Pluhar notes that during its four years of operation the lab has been involved in many successful investigations, including the extraction of critical data from a cell phone that was burned when a suspect set fire to his victim's car after committing a homicide. The lab was also able to extract and reconstruct video from an inoperable CCTV system, providing valuable video evidence for a sexual assault investigation.
“As the use of computers and mobile devices increases, the technical support and expertise provided by the OCRCFL will continue to be an invaluable part of successful law enforcement investigations throughout southern California,” Pluhar says.