Today nearly every crime has some sort of digital footprint attached to it. So it’s easy to see why strong computer skills must round out any investigator’s toolkit. This course gives you an understanding of computer technology, its application to criminal activities, and the issues associated with investigating these cases. Through discussion and hands-on training, you’ll learn about computer hardware components, how to use the Internet to your advantage, search and seizure techniques, digital officer safety, and much more.
Audience: Law enforcement investigators and support staff
Prerequisites: Helpful to understand multiple platforms.
Length: 3 days
We begin our exploration into ways in which computers can be customized in order to camouflage illegal activities. We give you an overview of operating system folder properties and show you how they can be personalized to hide them. You’ll learn how to format your investigatory devices and set up your investigatory folders so that you can keep track of each step of your investigation. We talk about encryption and explain the issues you need to consider when conducting on-scene triage.
This block is all things Internet: connections, speed and bandwidth, types of service, and Internet Service Providers (ISP). You’ll learn about Internet Protocol (IP) addresses and networks, and see the role they play. We walk you through the steps of resolving an IP address and then show you how to serve legal process on the ISP in order to get the subscriber information and connection history you are looking for. You’ll see how to geolocate an IP address to place your suspect in a general geographic area. We show you how to investigate a website and give you resources for identifying a domain owner. We spend some time talking about social networking sites—Facebook and Myspace in particular—and give you tips on what types of information you can expect to find within these sites.
Tools for the Toolbox
With so much information just a click away, it’s often hard for an investigator to know where to start. We show you how to download some of our favorite Firefox Add-ons that will help in your investigations. You’ll see a demonstration of some add-ons that will speed up your investigations by increasing functionality. Many of these add-ons fall under the category of “You better hurry up and grab it now, because it might be gone later.” We introduce you to the SEARCH Investigative Toolbar, which is a collection of shortcuts that point to frequently used web resources. We also introduce you to the SEARCH ISP List, which is a collection of legal contact information and instructions you need in order to serve subpoenas, court orders, and search warrants to Internet service and other online content providers. You’ll see the types of information that can be gleaned from digital photos and learn the ins and outs of retrieving, viewing and mapping this exif data. We also show you tools for a) viewing graphics, b) playing/editing/recording audio and video files, and c) capturing a page.
Knowing how to use Google more effectively can save you time and make your investigations more successful. In this block we urge you to take the time to learn how Google works and then see how Boolean operators can help to narrow and refine your searches. We show you the ins and outs of advanced searching in Google and teach you how this can come in handy in social networking website investigations. You’ll also see how to set up your Google preferences so that you get the most information out of your searches. We talk about cookies. Lastly, we show you some Google apps that will help focus your search within a topical area.
In this block we take a look at a few different kinds of metadata that can help in investigations. We first explore document metadata, and see how it can shed light by telling us something about a document’s creator, or the time and date the file was created, or the name of the computer used to create the document. We can also find out if the document contains any hidden text or cells. You’ll learn about the metadata that is embedded in digital pictures. Called exif data—short for exchangeable image file format—this data may include the make, model and serial number of the device taking the picture, plus the date, time and possibly, the GPS coordinates for when and where the picture was taken.
Our exploration of email tracing begins with a look at email headers, which is the information needed to route an email from the sender to the recipient; it is created by the email server processing the message. The header is a record of the account and network that the message originated from and the servers that processed the message. Detailed header information is required to fully trace an email; we show you the steps you need to take to locate this information, which varies depending upon email client. We talk about the different types of protocol that help transmit messages on the Internet and show you how to identify the Message ID. Lastly, we discuss the limitations associated with email tracing.
Internet Relay Chat (IRC)
Email. Text messaging. Instant Messaging. These are all forms of communication services that you are likely familiar with. But what about chatting? While it has admittedly been pushed aside by some of the other more popular choices mentioned here, IRC still has its online niche that investigators need to be aware of. Chat rooms offer features that allow users to chat through private, one-on-one messages. Predators may use this to entice children into conversations about sex and offline meetings. We show you the mechanics of chatting and walk you through the steps to download, install, configure, and run mIRC, a Windows-based IRC client that will open doors to chat rooms for you.
This online marketplace offers free advertising for everything from used cars to new friends. Unfortunately many of the classified advertisements turn out to be fake, and are instead used by criminals to lure unsuspecting victims into their web. We explain Craigslist, and give you tips and tools on how to investigate criminal matters that arise from Craigslist encounters. We focus on where the main problem areas are within the site—those that facilitate activity that has the greatest potential for danger and abuse. You’ll see some tools that you should use to investigate crimes involving Craigslist, and we’ll cover the legal considerations and law enforcement resources for working with the site ISP.
Digital Officer Safety
When conducting online investigations, investigators must always ensure that they are not leaving themselves or their agencies open to discovery by others. Since IP tracking is prevalent on many websites, investigators need to be sure they are coming from an innocuous IP address in case they are traced. We walk you through the steps of digital officer safety as we talk about website tracking, phishing, safe login techniques, social network and cell phone profiles, and wireless network security.
There are two distinct categories here: one is a basic computer that you can use in undercover investigations. With this computer, you will trace IP addresses and domain names. You’ll also use it to capture images or videos online, or to scan a suspect network. With this computer you’ll set up your investigatory folders that will house case evidence and allow you to keep track of the steps taken in the investigation. The other computer you’ll need is one for running forensics so that you can image and recover suspect material. We give you pointers on the particulars of each computer and walk you through some of the pitfalls to avoid when working with a suspect’s device.
Mr. Andrew T. Owen is Director of Information Sharing Programs for SEARCH, The National Consortium for Justice Information and Statistics, where he oversees SEARCH initiatives to support justice and public safety information sharing nationwide. These initiatives focus on providing direct assistance to federal, state, local, and tribal organizations to improve their use of technology, information sharing, and communications interoperability in mission-critical projects. Initiatives include consultation and facilitation, strategic planning for information sharing and technology deployment, architecture development, business process modeling and analysis, service specification development, performance management, voice and data integration planning, application of technology standards, and developing effective governance and funding models.
Since joining SEARCH in 2006, Mr. Owen has worked on multiple projects focused on integrated justice information systems planning and implementation, including the National Information Exchange Model (NIEM), the Global Reference Architecture (GRA), and the Justice Information Exchange Model (JIEM®). He has provided programming and configuration assistance, consultation on implementation architecture, training, technical assistance, and research to jurisdictions nationwide in planning and implementing information sharing solutions, as well as developing information sharing standards and technical architecture. He has also played a key role in supporting members of the Open Justice Broker Consortium (OJBC).
Mr. Owen formerly was Lead Systems Analyst for the National Law Enforcement and Corrections Technology Center–Northeast (NLECTC-NE). In this role, he provided information sharing technical assistance and consulting services to many state and local law enforcement, courts, and corrections agencies.
Mr. Owen is experienced with JIEM, NIEM, and the IEPD development process. He has supported a number of Global and NIEM efforts, including developing corrections-related reference IEPDs, the New York State in-state Rap Sheet IEPD, California Courts IEPDs, , and several incident reporting projects that leverage the FBI’s Law Enforcement National Data Exchange (N-DEx) IEPD. Mr. Owen regularly serves as a presenter at conferences to discuss information sharing approaches and methodologies and has authored technical briefs on JIEM, NIEM, Web Services, XML, and related topics. He has led the policy and technology aspects of establishing identity management federations, using the GFIPM (Global Federated Identify and Privilege Management) guidelines and open source software, at the state level, allowing integrated justice initiatives to improve security while providing practitioners with seamless access to information.
Mr. Owen also has provided support to the U.S. Department of Justice’s Global Justice Information Sharing Initiative (Global). He participated on the Global Tech team and its XML Structure Task Force (XSTF), is actively involved in NIEM curriculum development, and is a NIEM training instructor. He has developed training materials, provided training to local and state justice agencies, and instructed at NIEM “train-the-trainer” events. In 2011, he was appointed co-chair of the NIEM Technical Architecture Committee (NTAC), representing state, local, and tribal organizations. Since becoming co-chair, he has played a lead role in establishing a Unified Modeling Language profile for NIEM and in developing the NIEM 3.0 technical architecture.
Mr. Owen has a bachelor’s degree in Applied Networking and Systems Administration from the Rochester Institute of Technology, New York. He has achieved SEARCH JIEM certification and is a Certified ScrumMaster® (CSM).
Mr. Timothy Lott is Director of the High-Tech Crime Training Services Program of SEARCH, The National Consortium for Justice Information and Statistics. He oversees a national program that provides expert technical assistance and training to local, state, and federal justice and public safety agencies on successfully conducting electronic crimes investigations.
These courses focus on teaching how to investigate Internet and computer crimes, online child exploitation, cellular devices, and social networking sites, and the proper search and seizure of home and small office networks. The High-Tech Crime Training Services team led by Mr. Lott also provides hands-on assistance in systems security and computer forensics.
Mr. Lott joined SEARCH in 2010 as a High-Tech Crime Training Specialist. He coordinated and provided training on high-tech crime investigations and forensics; provided technical assistance to law enforcement agencies in active cases; prepared training curricula; and presented at conferences throughout the United States. He was promoted to his current position in 2011.
Mr. Lott previously worked for 6 years as a Deputy Probation Officer for the Sacramento County (California) Department of Probation, and another 2 years as a Probation Assistant. He was assigned to the Sacramento Valley Hi-Tech Crimes Task Force, and helped conduct multijurisdictional investigations involving white-collar crime, organized crime, crimes against persons, and fraud when high-technology or identity theft is a factor. He also supervised a caseload of adult and juvenile probationers.
His assignment on the Task Force required him to conduct probation compliance checks on offenders who had been convicted and placed on probation for offenses involving the possession of child pornography, stalking via social networking sites or cell phones, and identity theft. In August 2009, Mr. Lott was cross-designated as a Special Deputy United States Marshal.
Mr. Lott is a member of the American Probation and Parole Association, American Criminal Justice Association, and High Technology Crime Investigation Association. He earned a bachelor’s degree in Criminal Justice from California State University-Sacramento. He is a certified Instructor through the California Commission on Peace Officer Standards and Training (POST), Robert Presley Institute of Criminal Investigation / Instructor Development Institute (ICI/IDI).
Mr. Justin Fitzsimmons is a Program Manager in the High-Tech Crime Training Services (HTCTS) department of SEARCH, The National Consortium for Justice Information and Statistics. He helps coordinate training with law enforcement agencies, prepares budgets, oversees the HTCTS project staff, and develops high-tech crime training projects for justice, public safety, and homeland security agencies nationwide. He also conducts legal, policy, and regulatory research, prepares white papers, and provides assistance and instructional services to justice, public safety, and homeland security agencies, particularly in digital evidence recovery, investigation, and prosecution.
Mr. Fitzsimmons is conducting a national research effort to determine the current capabilities of law enforcement to investigate crimes with digital evidence and make recommendations to decision-makers about resources to assist law enforcement. He also presents at conferences and trainings, participates on advisory committees and task forces, and supports agencies and jurisdictions as they create and implement effective procedures, practices, and technology applications that seek to combat high-tech crime and recover digital evidence.
Before joining SEARCH in 2012, Mr. Fitzsimmons worked for the National District Attorneys Association, where he was Senior Attorney for its National Center for Prosecution of Child Abuse beginning in 2009. He responded to requests for assistance in child sexual exploitation cases from prosecutors and law enforcement around the United States, designed and presented training seminars, and published articles on emerging technological issues in child sexual exploitation. From 1998–2009, he was an assistant state’s attorney (ASA) in the State’s Attorney’s Offices for Kane and DuPage Counties, Illinois, where he prosecuted cases involving sexual exploitation and digital evidence. As an ASA for Kane County, he supervised the Special Prosecution Unit, responsible for investigating and prosecuting felony cases, including Internet crimes against children. He was also assigned to a Child Advocacy Center team that investigated and prosecuted cases of severe physical and sexual abuse against children, crimes of Internet solicitation of children, and child pornography. As an ASA for DuPage County, he worked in the Criminal Prosecutions Bureau and the Felony Domestic Violence Unit.
Mr. Fitzsimmons frequently presents and teaches at international, national, and regional conferences, workshops, webinars, and training courses on digital evidence collection, computer forensics, crimes against children, cybercrime, and human trafficking. He has published articles on digital evidence authentication, computer forensics for prosecutors, child sexual exploitation, and more. In addition, he has drafted legislation that was signed into law in Illinois on several technology-facilitated child sexual exploitation issues from 2006–08.
Mr. Fitzsimmons was a member of the U.S. Department of Justice (DOJ) National Strategy Working Group on Child Exploitation and co-chaired its Training Subcommittee. He also participated in the DOJ Office for Victims of Crime Working Group on Restitution for Victims of Child Pornography, the FBI Innocence Lost Working Group, and the Internet Child Exploitation Task Force. He has served as faculty of the National Children’s Advocacy Center, Huntsville, Alabama, and for the North-East Metropolitan Regional Training Center, Police Training, Aurora, Illinois.
Mr. Fitzsimmons is a graduate of the Illinois Institute of Technology’s Chicago-Kent College of Law, and earned a bachelor’s degree from Wittenberg University in Ohio.
Mr. Armstrong is a High-Tech Crime Training Specialist in the High-Tech Crime Training Services department of SEARCH, The National Consortium for Justice Information and Statistics, where he coordinates and provides training on high-tech crime investigations and forensics to local, state and federal justice agencies. He provides technical assistance to law enforcement agencies in active cases, prepares training curricula, teaches SEARCH investigative courses and speaks at conferences throughout the United States.
Before joining SEARCH in 2008, Mr. Armstrong was a System Specialist at Fox Valley Technical College, where he assisted with the management of the Internet Crimes Against Children (ICAC) International Database Network.
Mr. Armstrong retired from the San Diego (California) Police Department in 2006 after more than 27 years of service. When he retired, he was Lead Investigator for the ICAC grant in San Diego County. In this role, he was involved in both proactive and reactive investigations, forensic investigations, computer maintenance, office network and networking hardware, and grant financial planning. Immediately prior to his ICAC assignment, he spent 6-plus years as a Child Abuse Investigator, investigating every type of child abuse, up to and including child homicides. In 2007, Mr. Armstrong was the recipient of the United States Attorney General’s Special Commendation Award for a San Diego Police investigation.
Mr. Armstrong has taught numerous high-tech crime and law enforcement courses, to include Child Abuse Investigation, Sex Crimes Investigation, and Trends in High-tech Crime for universities, colleges in San Diego County, as well as the San Diego Police Department and the San Diego Regional Law Enforcement Academy.
Mr. Armstrong has earned certifications in White Collar Crime, Child Abuse Investigation, and Auto Theft Investigation from the California Commission on Peace Officer Standards and Training (POST), Robert Presley Institute of Criminal Investigation (ICI), and is a certified Instructor from the ICI’s Instructor Development Institute. He attended National University, where he studied Administration of Justice; the Basic Law Enforcement Academy at Miramar Community College; City College of Chicago, where he became a Nationally Registered Emergency Medical Technician; and Grossmont Community College, where he received his Associate’s degree. He served as a Military Police Officer in the U.S. Army, and after completion of Officer Candidate School, as an Officer in the California Army National Guard, Armor Branch.
Mr. Lewis is a High-Tech Crime Training Specialist in the High-Tech Crime Training Services department of SEARCH, The National Consortium for Justice Information and Statistics, where he coordinates and provides training on high-tech crime investigations and digital forensics to local, state, and federal justice agencies. He provides technical assistance to law enforcement agencies in active cases, prepares training curricula, and speaks at conferences nationwide.
Before joining SEARCH in 2012, Mr. Lewis served for 23 years with the Lakewood (Colorado) Police Department, most recently as its Forensic Computer Analyst. He ran its forensic computer lab and was responsible for all aspects of digital evidence, from collection through analysis. He also was a Police Imaging and Technology Specialist, which involved analyzing images and creating imaging policies. He was a Police Photo Technician/Criminalist, operating and managing the department’s photo lab and conducting forensic imaging for its crime lab. He was also System Administrator of the department’s Mugshot System.
Mr. Lewis earned an associate’s degree in photography from Colorado Mountain College and a Computer Forensics Certificate from Marshall University (West Virginia). He is also a certified Instructor through the Colorado Peace Officer Standards and Training Board (POST). He has undertaken multiple computer forensics trainings, including forensic photography and technology, crime scene investigation, digital imaging, electronic/digital examination, data recovery and analysis, and computer crime investigations.
Mr. Lewis has taught numerous Lakewood Police Academy classes and at the Colorado Law Enforcement Training Academy in the Crime Scene Investigators course series. He also has taught law enforcement video analysis courses at Central Piedmont Community College (North Carolina), teaches cellphone forensics at the University of Colorado in the Master’s Program for the National Center for Media Forensics, and is an adjunct instructor for the Computer Science Program at the Community College of Aurora (Colorado), teaching computer forensics.
Mr. Lewis has provided consulting and training to agencies nationwide on techniques and procedures for conventional and digital imaging and analysis. He is a frequently published author on computer and digital forensics topics, and has presented at conferences, cybercrime summits, and trainings held by forensic sciences, computer evidence, and identification organizations. He writes a Forensic Bytes column for Digital Forensic Investigator News. In addition, he has been a court-qualified expert in forensic photography, video analysis, and computer and cell phone analysis for district courts in Jefferson County, Colorado, since 2002.
Mr. Lewis is a member of the International Association for Identification (IAI); the National Technical Investigators Association (NATIA); and the Digital Evidence Committee of ASTM International, a global standards organization. He is Past President of the Colorado Association of Computer Crimes Investigators (CACCI). He is also an appointed member of the FBI’s Scientific Working Group for Digital Evidence (SWGDE), which fosters cooperation among law enforcement agencies and recommends national standards and procedures within the forensic community. He has served as its Vice-Chairman and has chaired its Forensic Committee.
Ms. Elizabeth Tow is a High-Tech Crime Training Specialist in the High-Tech Crime Training Services department of SEARCH, The National Consortium for Justice Information and Statistics, where she coordinates and provides training on high-tech crime investigations and forensics to local, state and federal justice and public safety agencies. She provides technical assistance to law enforcement agencies in active cases, prepares training curricula, teaches SEARCH investigative courses and speaks at conferences throughout the United States.
Before joining SEARCH in 2010, Ms. Tow spent five years in local law enforcement in two states, as a Public Safety Dispatcher for the Grass Valley (California) and Helena (Montana) Police Departments. She gained experience in curriculum development and training and Internet Crimes Against Children peer-to-peer investigations. She is a Certified Trainer in the California Law Enforcement Telecommunication System (CLETS) and Department of Homeland Security (DHS) National Incident Management System/Standardized Emergency Management System (NIMS/SEMS). She is a Peace Officer Standards and Training-certified Public Safety Dispatcher in both California and Montana, and has received POST training in such areas as law enforcement response to terrorism, child abduction intervention and resource training, and domestic violence and sexual assault for dispatchers.
While working for the Grass Valley Police Department, Ms. Tow served as the CLETS Operational Trainer, the Communications Center CLETS Coordinator, and the Communications Training Officer. She also served on the department’s Recruitment and Retention Committee and Organizational Excellence Committee, and was a member and agency representative to the California CLETS Users Group.
Ms. Tow has additional experience as a Finance Assistant and Parks and Recreation Supervisor with the City of Grass Valley, in addition to a great deal of conference and training-related experience in the private sector beef industry from 1988–2005. She earned a bachelor’s degree in Criminal Justice Management from Union Institute and University and also studied Animal Science at Montana State University. In 2013, she earned a Masters of Forensic Psychology from Argosy University.
Ms. Tow is a certified Instructor through the California Commission on Peace Officer Standards and Training (POST), Robert Presley Institute of Criminal Investigation / Instructor Development Institute (ICI/IDI).
Ms. Lauren Wagner is a High-Tech Crime Training Specialist in the High-Tech Crime Training Services department of SEARCH, The National Consortium for Justice Information and Statistics, where she coordinates and provides training on high-tech crime investigations and forensics to local, state and federal justice and public safety agencies. She provides technical assistance to law enforcement agencies in active cases, prepares training curricula, teaches SEARCH investigative courses and speaks at conferences throughout the United States. She has also authored and coauthored various high-tech crime investigative guides, which have been published by SEARCH.
Ms. Wagner previously worked as a Research Analyst for SEARCH, focusing on research and development projects on integrated justice information systems planning and implementation using the Justice Information Exchange Model (JIEM™) tool. She also worked on managing the online state and local integration profiles as part of SEARCH’s justice and public safety Information Sharing Initiatives program.
Ms. Wagner first joined SEARCH in 2005 as a student intern. She holds a bachelor’s degree in Physics from Allegheny College, a master’s degree in Forensic Science from the University of New Haven (UNH), and a master’s certificate in Forensic Computer Investigation from UNH.
She also has her Network Plus Certification, and is a certified Instructor through the California Commission on Peace Officer Standards and Training (POST), Robert Presley Institute of Criminal Investigation / Instructor Development Institute (ICI/IDI). In 2009, Ms. Wagner was awarded the California POST ICI Award for Excellence in Instruction. In 2011, she completed and was certified in the Intermediate Level (Level II) of the California POST IDI Master Instructor program. She then completed and was certified in the Advanced Instructor Development Level (Level III) of this Master Instructor program in 2012.
Dean C. Chatfield
Mr. Dean Chatfield is a High-Tech Crime Training Specialist in the High-Tech Crime Training Services department of SEARCH, The National Consortium for Justice Information and Statistics. He coordinates and provides training on digital evidence investigations and forensics to local, state, and federal justice agencies. He also provides technical assistance to justice agencies in active cases, prepares training curricula and other resource materials, teaches SEARCH investigative courses, and speaks at conferences throughout the United States.
Before joining SEARCH in 2013, Mr. Chatfield worked for the National White Collar Crime Center (NW3C) for 14 years, first as a computer crime specialist, then as a Supervisory Computer Crime Specialist. He presented basic and advanced cyber investigative and computer forensic courses to local, state, federal, military and international law enforcement agencies; researched computer forensics issues; and provided advice to law enforcement agencies in computer seizure and analysis. As Supervisor of the NW3C Computer Crime Section, he managed 26 computer crime specialists and 7 support staff and developed curriculum for 16 cyber and forensic courses. He researched existing and new technology to enhance the courses and managed software development of NW3C products, including PerpHound™. He was NCW3C’s liaison with Microsoft’s Digital Crimes Unit on various projects, including programming of MS COFEE versions 1.1.2 and 2.1 (Computer Online Forensic Evidence Extractor).
Mr. Chatfield has 25 years of experience in law enforcement. He was a Criminal Investigator for the Maricopa County (Arizona) Attorney’s Office for 13 years, where he conducted major felony investigations, including criminal enterprises, financial crimes, political corruption, and analysis of computers and computer-generated data. He also was Chief of the Mancos (Colorado) Police Department for 6 years, and began his law enforcement career as a Police Officer and Field Training Officer for the Phoenix (Arizona) Police Department.
Mr. Chatfield is a lifetime member of the International Association of Computer Investigative Specialists (IACIS), a nonprofit organization of volunteer computer forensic professionals dedicated to training and certifying practitioners. He has served on its Board of Directors, as well as its elected President and Vice President. As an IACIS instructor for 5 years, he developed training courses on computer crime investigations and the methodology for seizing and analyzing computer-based evidence. He is a Board member of the American Society of Digital Forensics and eDiscovery (ASDFED) and has been an associate member of the Scientific Working Group for Digital Evidence (SWGDE) since 2005.
Mr. Chatfield was the first person certified as a Computer Forensics Expert by IACIS in 1992. He was selected to train the Commercial Crime Bureau of the Royal Hong Kong Police Force and NATO Intelligence organizations on computer forensics. He also represented state and local law enforcement on the NIST Computer Forensic Tool Testing committee.