Sergeant Josh Moulin: Digital Evidence Forensics

Sgt Josh Moulin

Sergeant Josh Moulin supervises the Central Point Police Department’s Technical Services Bureau and is the Commander of the Southern Oregon High-Tech Crimes Task Force. He is one of approximately 470 Certified Forensic Computer Examiners worldwide and has been trained by a variety of organizations in digital evidence forensics. Sgt. Moulin has also been qualified as an expert witness in the area of computer forensics and frequently teaches law enforcement, prosecutors, and university students about digital evidence.

Beginning his public safety career in 1993, Josh started in the Fire/EMS field working an assortment of assignments including fire suppression, fire prevention, transport ambulance, and supervision. After eight years Josh left the fire service with the rank of Lieutenant and began his law enforcement career. As a Police Officer Josh has had the opportunity to work as a patrol officer, field training officer, officer in charge, arson investigator, detective, and sergeant.

For further information about the Central Point Police Department please visit www.cp-pd.com, and for the Southern Oregon High-Tech Crimes Task Force visit www.hightechcops.com. To reach Sgt. Moulin you can e-mail him at joshm@hightechcops.com.

Digital Evidence Forensics

Computers and other digital evidence can contain a tremendous amount of information and evidence in a criminal investigation. Digital evidence is quite unique because it can be the fruit of a crime, the instrumentality used to commit a crime, or contain evidence of a crime that it had nothing to do with. With this in mind, there is nearly always some nexus to justify analyzing digital media in almost any crime. I’ll explain each of these three examples further.

Fruit of the crime – It is all too common to have computers, cell phones, digital cameras, camcorders, iPods, etc. stolen during a burglary, robbery or theft. When these devices are taken the criminals generally just start using them as their very own or sell them on eBay.

They might delete some of the original owners’ files, or format a hard drive, but it has been my experience that usually they do not. The great thing about computer forensics is that even if they do delete files and format drives, we can generally recover those items.

Often our forensics lab receives stolen property and is asked to identify the original owners based on old information left on the devices. The device itself is fruit of the original crime and can help point investigators to the correct victim. It is also common to recover a large amount of stolen equipment from one suspect, but they are from multiple crimes. Using forensics to analyze all the evidence can help close several unsolved cases.

Instrumentality used to commit a crime

This is by far the most common reason for a digital device to be sent to the forensics lab: a suspect uses a computer or other device to perpetrate the crime. Some examples would be child exploitation/child pornography, ID theft, fraud, forgery, cyberbullying, hacking, terrorism, etc. When we receive devices under this umbrella we are typically asked to locate all evidence of the suspected crime as well as any other criminal activity located on the media.

Containing evidence of a non-high-tech crime

This is where a digital device contains evidence that can be of interest in a case, but doesn’t have anything directly to do with the original crime. Some examples of this could be pictures/video of the crime stored on a digital device, a diary, a blog entry, an e-mail, or the tower coordinates of a cellular phone at the time of a crime. One great example of this is an arson case I assisted with.

The suspect of this arson had allegedly burned down an ex-boyfriend’s house using a complex incendiary device. After some investigating it was determined that the suspect had no previous training in firefighting or anything else that would teach her how to build such a device. We were able to articulate in a search warrant that the most common place for a person to gain this knowledge is from the Internet. After checking whether or not the suspect had Internet access and a computer the search warrant was served and several computers were seized. During the forensic analysis an e-mail was found that contained information about the fire that only the arsonist would have known. This “smoking gun” (forgive the pun) along with other physical evidence was enough to get a conviction.

The e-mail was the only direct evidence linking the suspect to this particular fire.

Digital evidence forensics has played a major role in several high-profile cases ranging from the BTK Killer to Scott Peterson.

It is difficult to think of any crime that doesn’t have some connection to technology.


10 replies
  1. Sgt. Moulin
    Sgt. Moulin says:

    Although some items will change over time (specifically some of the procedures), there are still a lot of things that have been good and will continue to be relevant for years. For instance, tracking a suspect from cell phone technology, finding deleted files on a computer that are just what the investigator was looking for, cracking a suspect’s password to get to that all-important file, etc.

    As far as good books about computer forensics, most of them that I use are more technical reference books. Some of them are great, if you’re into digital forensics specifically. I would recommend anything written by Harlan Carvey, especially if you want to know about some of the cutting edge stuff like live response.

    Josh

  2. pabrown
    pabrown says:

    Thanks, Josh. I hope you do write another blog. Computer forensics fascinates me. I’ve worked in IT for the past 15 years but always in the support and network end, so while I had to involve myself a bit in the security side, I never had anything to do with forensics. I’d love to know more about the field, especially as it offers plot possibilities. Can you recommend any good books on the subject? (Though as Lee has found, even a couple of years can render any book obsolete.)

    Pat

  3. Lee Lofland
    Lee Lofland says:

    Kendra – My book about police procedure came out last year and there’s already something that could stand updating (me). Remember, I wrote the book two years ago, and some of the research was conducted three years ago.

    By the way, Sgt. Moulin is mentioned in my book (page 77).

  4. Kendra
    Kendra says:

    Hi Sgt. Moulin. Good to hear from a fellow Oregonian. I’m embarrassed to admit I had to check a map for Central Point. I knew it was “down south” somewhere but not the exact location. Fascinating blog. I wouldn’t have guessed that simply unplugging a computer would lose so much information.

    Terry, I understand your comment about technology being out of date by the time a book is published. I recently read a book pubbed in 2006 that was severely dated by the author’s use of cell phone technology. I’m sure it seemed cutting edge at the time he wrote it. A big issue for current day crime and suspense writers.

  5. Sgt. Moulin
    Sgt. Moulin says:

    pabrown – the answer to your question is, “it depends”. This is probably a great subject to do a completely separate blog for, but I’ll give you a few answers here. In the past the only way to seize a computer was to just pull the plug from the outlet and transport the computer to the forensics lab. Now, several new variables come into play. The days of just having patrol officers or detectives seize computers are coming to an end, and soon computer forensic examiners will have to respond to the scene to properly seize a computer. The biggest issue is the large amount of volatile data (located in RAM) computers have these days, and the processes that are currently running on the computer. Once the plug is pulled, much of this information is gone forever. “Live response” is now the procedure of choice, and that is where a forensic examiner first obtains the volatile data from a computer before turning it off.

    Once the computer is seized it should never be turned back on by anyone other than the forensic examiners. Generally on most cases the hard drives are removed from the computer and forensically imaged using special hardware and software. A hash value is created which shows that the copy of the hard drive is the exact same as the original, and then the original is placed back into the evidence room. All analysis then takes place on the forensic copy.

    Hopefully that will give you some additional information, but you just gave me some great ideas for another blog! Thanks, Josh
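The imaging and hashing step Sgt. Moulin describes above can be illustrated with a small script. This is an added example, not code from the author or from any forensic tool: it copies a "drive" block by block with the source opened read-only (the software stand-in for the hardware write-blocker a lab would use), records the hash of both the original and the image, and then shows how a single changed byte in the working copy makes the recorded hash no longer match. The file names, the 512-byte "sectors" and the sample contents are all constructed for this example.

```python
import hashlib
import os
import tempfile

# Constructed sample drive contents: 64 "sectors" of 512 bytes, each filled with
# its own sector number. This stands in for a seized disk (assumption for this example).
SAMPLE_SECTORS = b"".join(bytes([i % 256]) * 512 for i in range(64))  # 32 KiB

def hash_file(path, algorithm="sha256", block_size=4096):
    """Hash a file in fixed-size blocks, as imaging tools do, without loading it whole."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()

def image_device(source_path, image_path, block_size=4096):
    """Copy the source to an image file block by block, hashing the source as it is read.

    The source is opened read-only; a hardware write-blocker plays the same role for a
    real drive. Returns (source_hash, image_hash, bytes_copied)."""
    src_hash = hashlib.sha256()
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(block_size), b""):
            src_hash.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
    # Re-read the finished image from disk and hash it independently of the copy loop.
    return src_hash.hexdigest(), hash_file(image_path), copied

def verify_image(source_path, image_path, recorded_hash):
    """Chain-of-custody check: original and image must both still match the recorded hash."""
    return (hash_file(source_path) == recorded_hash
            and hash_file(image_path) == recorded_hash)

def demo():
    """Run the imaging workflow on the constructed drive and return the check results."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "seized_drive.bin")     # constructed "original"
    image = os.path.join(workdir, "seized_drive.img")       # constructed forensic copy
    with open(source, "wb") as f:
        f.write(SAMPLE_SECTORS)

    source_hash, image_hash, copied = image_device(source, image)
    match_before = source_hash == image_hash and verify_image(source, image, source_hash)

    # Simulate one byte being altered in the working copy (e.g. a tool writing to it).
    # Offset 1000 lies in sector 1, whose bytes are all 0x01; flipping the low bit changes it.
    with open(image, "r+b") as f:
        f.seek(1000)
        original_byte = f.read(1)[0]
        f.seek(1000)
        f.write(bytes([original_byte ^ 0x01]))
    match_after = verify_image(source, image, source_hash)

    return {
        "bytes_copied": copied,
        "source_hash": source_hash,
        "match_before": match_before,  # expected True: copy is bit-for-bit identical
        "match_after": match_after,    # expected False: one byte changed, hash differs
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hash recorded at acquisition time is what ties the working copy back to the original in the evidence room: any later check that does not reproduce it means the copy (or the original) is no longer what was seized, which is exactly the point of analysing only the verified copy.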

  6. Elena
    Elena says:

    Terry, I’m with you all the way. Though with computers 1990 would qualify as a historical 🙂

    I got my first paying job in the computer field in the mid-60’s, and today the skills that had headhunters calling me are either found in Computer Science Intro books – in the chapter called “History”, or in books stored in the library’s sub-basement.

    I had never heard of MySpace before, but having looked it over now I can say I think it’s great that Josh and team maintain an accessible presence there.

  7. pabrown
    pabrown says:

    What are the exact procedures for securing a computer believed to contain evidence? I’ve heard there’s a process that has to be followed – the way the PC is disconnected from a network or the Internet, the way it’s shut down. Once the PC is secured, how is evidence secured so it can be used in court? Are the hard drives cloned? I know any hint of data being changed could jeopardize a case, and computer data can be changed so easily. What are the rules governing this processing of data?

  8. Terry
    Terry says:

    Interesting post. And maybe I’ll try my hand at writing historicals, since there’s no way I can keep abreast of the technology. By the time a book hits the stores, it’s probably out of date.
