Archive for the ‘Digital Evidence and High-Tech Crimes’ Category
Digital pictures and video have transformed our lives. I have so many pictures and videos of my kids that by the time they are in college, I’ll have terabytes of data. It is so easy these days to capture anything with a digital image. There is no need to worry about having film developed, or about being careful to take only good pictures because you have a limited number of pictures left on the roll in your camera. Now, we’re only limited by the amount of storage space our digital devices have. As an example, the MicroSD card in most of our smartphones can contain over 18,000 pictures.
MicroSD cards now have a capacity of up to 64 GB
Often, digital images are involved in criminal investigations. Imagine the treasure-trove of information that can be obtained from a cell phone, tablet, or digital camera when it is seized from a suspect. In my experience, those involved in criminal activity just can’t help themselves when it comes to documenting their criminal activity in pictures or video. In literally hundreds of cases, I found suspects taking pictures of themselves using drugs, vandalizing property, committing arson, abusing children, and in some cases, even murder.
While having picture or video evidence of a suspect actually committing a crime is the type of evidence that makes a prosecutor excited about a case, the digital image is just the beginning of the story. Imagine if we could tell what camera was used to take a certain picture that was found on the Internet, or could link an image found on a suspect’s computer with their personal phone or digital camera found at their home? This is all possible thanks to something called metadata.
Metadata is simply extra information about a file; some people refer to it as “data about data”. You are probably familiar with metadata but maybe not with the term itself. Have you ever right-clicked on a computer file and seen the properties? Dates, times, who the author was, when the file was last printed, etc., are all examples of metadata. For digital pictures and videos there is a specific kind of metadata known as EXIF (Exchangeable Image File Format) data. EXIF data is information embedded in the image or video that can contain all or some of the information below (what is actually in the image depends on the camera manufacturer):
· Make of the camera that took the picture/video
· Model of the camera
· Serial number of the camera
· Date / time the image was taken (according to the camera’s clock)
· Flash settings
· Aperture settings
· Image resolution
· And more…
A forensic computer examiner can examine a picture or video for evidence of EXIF data and use special programs to interpret the information. There are many free programs available on the Internet to do this and many photographers use EXIF data to improve their photographs. In fact, EXIF data was originally created for photographers so they could look at their camera settings stored within the EXIF data to find out what settings worked or didn’t work when taking pictures under different conditions.
Screenshot from an EXIF data parsing tool
To illustrate how EXIF data can be used to solve a crime, imagine this scenario. I was investigating a case where an adult male was suspected of having a sexually explicit conversation with a 14-year-old female via the Internet. This adult male was sending explicit text messages and it gradually escalated to him sending images of…well, you can imagine, to the victim. When the victim reported this to a teacher at school, our unit became involved and we forensically analyzed the victim’s cell phone.
When reviewing the pictures on the victim’s phone, we found the pictures of the suspect. None of the images showed his face and all of them were obviously taken from inside of a residence. Since he sent the messages from his cell phone, we were able to trace the phone number they came from and identify the sender. When we reviewed the pictures sent from the suspect, each image contained EXIF data. The EXIF data showed that the pictures were all taken from a Samsung cellular phone and since he had his geotagging feature enabled on this phone, each image contained the latitude and longitude of exactly where the phone was when the image was taken. This allowed me to create a Google Earth map, which happened to place a big red dot right over the suspect’s apartment.
Just from the EXIF information we could prove that the particular sexually explicit image was taken by the suspect’s phone, from the suspect’s home, at a certain date/time (since phones’ clocks are generally set by the cell phone network, they are reliable). Another critical element to prove in a crime is that of venue (proving the crime happened within a certain jurisdiction). With EXIF data, it is not difficult to prove this at all, since we know the exact GPS coordinates of the crime scene.
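As an added illustration (not code from the original post or from any tool it mentions), here is a small Python reader for the fields listed above: it walks a JPEG's segments to the Exif APP1 block, decodes Make, Model and DateTime from the first image directory, and converts the GPS directory's degree/minute/second values to decimal latitude and longitude. The function names are assumptions of this example, and `build_sample()` returns a constructed, metadata-only test input.

```python
import struct

TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime"}  # IFD0 tags of interest

def read_ifd(tiff, off, bo):
    """Decode one TIFF IFD into {tag: value}; handles ASCII, LONG and RATIONAL only."""
    out = {}
    for i in range(struct.unpack_from(bo + "H", tiff, off)[0]):
        entry = off + 2 + 12 * i
        tag, typ, cnt = struct.unpack_from(bo + "HHI", tiff, entry)
        size = {2: 1, 4: 4, 5: 8}.get(typ, 0) * cnt
        pos = struct.unpack_from(bo + "I", tiff, entry + 8)[0] if size > 4 else entry + 8
        if size == 0 or pos + size > len(tiff):
            continue  # unsupported type or truncated data
        if typ == 2:
            out[tag] = tiff[pos:pos + cnt].split(b"\0")[0].decode("ascii", "replace")
        else:
            v = struct.unpack_from(bo + "%dI" % (size // 4), tiff, pos)
            out[tag] = v[0] if typ == 4 else [n / d if d else 0.0 for n, d in zip(v[::2], v[1::2])]
    return out

def read_exif(jpeg):
    """Return camera fields and decimal GPS position from a JPEG's Exif APP1 segment."""
    i = 2  # skip the SOI marker
    while i + 4 <= len(jpeg) and jpeg[i] == 0xFF:
        length = struct.unpack_from(">H", jpeg, i + 2)[0]
        seg = jpeg[i + 4:i + 2 + length]
        if jpeg[i + 1] == 0xE1 and seg[:6] == b"Exif\0\0":
            tiff = seg[6:]
            bo = "<" if tiff[:2] == b"II" else ">"  # TIFF byte-order mark
            ifd0 = read_ifd(tiff, struct.unpack_from(bo + "I", tiff, 4)[0], bo)
            info = {name: ifd0[t] for t, name in TAGS.items() if t in ifd0}
            gps = read_ifd(tiff, ifd0[0x8825], bo) if 0x8825 in ifd0 else {}
            for ref, val, key in ((1, 2, "lat"), (3, 4, "lon")):
                if ref in gps and len(gps.get(val, [])) == 3:
                    d, m, s = gps[val]
                    info[key] = (-1 if gps[ref] in ("S", "W") else 1) * (d + m / 60 + s / 3600)
            return info
        i += 2 + length
    return {}

def build_sample():  # constructed input: SOI + Exif APP1 + EOI, not a viewable photo
    u32 = lambda v: struct.pack("<I", v)
    e = lambda tag, typ, n, val: struct.pack("<HHI", tag, typ, n) + val.ljust(4, b"\0")
    ifd0 = b"\x03\0" + e(0x010F, 2, 8, u32(50)) + e(0x0110, 2, 3, b"X1") + e(0x8825, 4, 1, u32(58)) + u32(0)
    gps = b"\x04\0" + e(1, 2, 2, b"N") + e(2, 5, 3, u32(112)) + e(3, 2, 2, b"W") + e(4, 5, 3, u32(136)) + u32(0)
    rat = struct.pack("<12I", 10, 1, 30, 1, 0, 1, 20, 1, 15, 1, 0, 1)  # 10°30'0", 20°15'0"
    app1 = b"Exif\0\0II*\0" + u32(8) + ifd0 + b"TestCam\0" + gps + rat
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Calling `read_exif(build_sample())` returns the make, model and decimal coordinates; an image whose result contains `lat` and `lon` carries an embedded location, which is the same check to run on your own photos before posting them.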
EXIF data has also been used to locate victims or suspects of crimes from images and videos posted on the Internet. Imagine watching a video that was uploaded to the Internet which depicted the racially motivated assault of a person. If the camera used to create the video is capable of embedding EXIF data and the website the video was uploaded to doesn’t remove EXIF data, investigators can download the video and examine the EXIF data to potentially find out more information to lead to a suspect.
While EXIF data has proven itself to be an amazing tool for law enforcement, it has also been exploited by criminals. If you have used any of the geotagging features of your favorite social media sites (Twitter, Google+, YouTube, Facebook, Foursquare, etc.) then you are aware that you can share your location with your posts and pictures. This technology is similar to EXIF data in that it uses the device’s internal GPS functionality to embed your longitude and latitude into your post.
Criminals have begun using this technology as another tool for cyberstalking. By downloading images and videos that people post to their personal websites or social media sites, tech-savvy criminals can use the same technique law enforcement employs to determine where someone was when they created the image. If you are a victim of stalking or have been threatened by someone in the past and have gone to great lengths to hide from them, all it would take is them getting ahold of one image placed on a social network site taken by your cell phone or high-end digital camera with built-in GPS. If that picture was taken at your home, work, child’s school, etc., that’s all they would need to find you. It’s a scary thought and one that people must consider when using this kind of technology, which is generally turned on by default.
Josh has a long history of public service, beginning in 1993 as a Firefighter and EMT. After eight years of various assignments, Josh left the fire service with the rank of Lieutenant when he was hired as a police officer.
Josh spent the next eleven years in law enforcement working various assignments. Josh worked as a patrol officer, field training officer, arson investigator, detective, forensic computer examiner, sergeant, lieutenant, and task force commander.
The last seven years of Josh’s law enforcement career were spent as the commander of a regional, multi-jurisdictional, federal cyber crime task force. Josh oversaw cyber crime investigations and digital forensic examinations for over 50 local, state, and federal law enforcement agencies. Under Josh’s leadership, the forensics lab was accredited by the American Society of Crime Lab Directors / Laboratory Accreditation Board (ASCLD/LAB) in 2009.
Josh has been recognized as a national expert in the field of digital evidence and cyber crime and frequently speaks across the nation on various topics. He has testified as an expert witness in digital forensics and cyber crime in both state and federal court on several occasions. He also holds a variety of digital forensic and law enforcement certifications, has an associate’s degree and graduated summa cum laude with his bachelor’s degree.
In 2012 Josh left law enforcement to pursue a full-time career in cyber security, incident response, and forensics supporting a federal agency. Josh now leads the Monitor and Control Team of a Cyber Security Office and his team is responsible for daily cyber security operations such as incident response, digital forensics, network monitoring, log review, network perimeter protection, and firewall management.
Lieutenant Josh Moulin supervises the Central Point Police Department’s Technical Services Bureau and is the Commander of the Southern Oregon High-Tech Crimes Task Force. He is one of approximately 470 Certified Forensic Computer Examiners worldwide and has been trained by a variety of organizations in digital evidence forensics. Lt. Moulin has also been qualified as an expert witness in the area of computer forensics and frequently teaches law enforcement, prosecutors, and university students about digital evidence.
Beginning his public safety career in 1993, Josh started in the Fire/EMS field working an assortment of assignments including fire suppression, fire prevention, transport ambulance, and supervision. After eight years Josh left the fire service with the rank of Lieutenant and began his law enforcement career. As a Police Officer Josh has had the opportunity to work as a patrol officer, field training officer, officer in charge, arson investigator, detective, and sergeant.
For further information about the Central Point Police Department please visit www.cp-pd.com, and for the Southern Oregon High-Tech Crimes Task Force visit www.hightechcops.com. To reach Sgt. Moulin you can e-mail him at email@example.com.
Southern Oregon High-Tech Crimes Task Force Attains Accreditation
It has been a while since I have blogged for Lee, and part of the reason behind that is because I have spent the last year working on getting our forensics laboratory accredited. I thought I would provide some information about lab accreditation in this blog.
Between blogs I have received several emails from different authors asking questions and I am always happy to reply. If you have any questions for me surrounding high-tech crimes or digital evidence (or other police related questions), feel free to send me an email.
On July 17th 2009 the Southern Oregon High-Tech Crimes Task Force attained the prestigious American Society of Crime Laboratory Directors Laboratory Accreditation Board (ASCLD/LAB) Accreditation and joined the ranks of some of the premier digital evidence forensics laboratories in the world.
ASCLD/LAB (www.ascld-lab.org) offers voluntary accreditation to any crime lab that can comply with their large number of standards. Criteria include all aspects of operations such as management, personnel training and qualifications, health and safety, evidence handling, proficiency testing, lab security, and forensic practices. Part of the accreditation process is an onsite inspection by ASCLD/LAB trained professionals who inspect the laboratory, interview personnel, and review case files and practices. As of September 13th 2009, there are 366 crime labs accredited by ASCLD/LAB worldwide.
After over a year of dedicated hard work and preparation, the Southern Oregon High-Tech Crimes Task Force (SOHTCTF) achieved their accreditation for the Digital and Multimedia Discipline in both the computer and video forensic sub disciplines. There are 97 different quality standards applicable for digital forensics laboratories that are rated as Essential, Important or Desirable. The task force complied with 100% of the Essential, 92% of Important (only 75% required), and 94% of Desirable (only 50% required).
The SOHTCTF is the only standalone local law enforcement digital evidence forensics laboratory to be accredited by the ASCLD/LAB legacy program in the world. The SOHTCTF joins only 54 other laboratories in the world that are accredited to perform some aspect of forensic analysis on digital evidence.
(Left to right: Det. Bloomfield, Lt. Moulin, Support Specialist Miller)
According to a letter announcing the SOHTCTF’s accreditation, ASCLD/LAB Chair Jami St.Clair wrote, “Accreditation is granted only after a thorough evaluation of a laboratory’s management practices, personnel qualifications, technical procedures, quality assurance program and facilities. Accreditation is the result of extensive commitment of resources and much preparation by the management and personnel in your laboratory.”
Accreditation provides reassurance that the task force’s work is of the highest quality and the laboratory and personnel have gone through an external review by an independent organization.
Background on the Southern Oregon High-Tech Crimes Task Force
The SOHTCTF was first created by the City of Central Point Police Department in 2005 and in 2007 was joined by personnel from the City of Medford Police Department. The SOHTCTF is a regional, multijurisdictional task force performing cyber crime investigations and digital evidence forensics for approximately 30 federal, state and local law enforcement agencies throughout Oregon. Some of the agencies include the FBI, DEA, ICE, BLM, DOJ, Oregon State Police and multiple agencies in Jackson, Josephine, Douglas, Curry and Klamath Counties. While the task force typically provides services throughout Oregon, it has assisted in investigations in the States of Washington, California, Idaho, Montana and Texas.
The SOHTCTF performs forensic examinations on digital evidence such as computers, cellular phones, servers, removable media, digital cameras and other peripheral devices to support criminal investigations such as homicides, terrorism, child sexual exploitation, white collar crimes, and other felony crimes. In addition, the task force conducts proactive undercover Internet investigations and a large amount of public education courses. To date the task force has provided 218 hours of training to over 1800 people nationwide.
The examiners within the task force are highly trained and certified and have all been qualified as expert witnesses in digital forensics in both state and federal court on numerous occasions. The SOHTCTF examiners are recognized nationwide and frequently called upon to teach across the nation for organizations such as the National District Attorney’s Association, National Center for the Prosecution of Child Abuse and the National Association of Attorneys General, teaching how to investigate and prosecute technology based crimes against children.
The SOHTCTF has seen a 28% increase in cases submitted and an 8% increase in the amount of evidence submitted for forensic analysis from just last year. As electronic evidence continues to play a very important role in nearly every criminal investigation, becoming accredited is more critical than ever.
I hope everyone has a Merry Christmas and Happy New Year.