Category Archives: High Tech Crime

High tech roundup: February 2012

If you came to this blog by way of Twitter or Facebook, you know that for several months I’ve been using the Scoop.It bookmarking service to aggregate news items about how police are using high tech. One reason I like it: its magazine-style format is nicely laid out, easy to read and easy to digest. Monthly I pull out articles that seem to revolve around a few particular themes. This month: digital investigative techniques, and transparency through video and other content.

Digital investigative techniques

Should police receive training in low-level online crimes? The UK-based Commons Science and Technology committee thinks so. This kind of strategy, like “Broken Windows” for the online world, would encourage police to care about the small problems in order to help citizens feel cared about and willing to partner to stop bigger crimes.

Also consider whether you, even if you don’t consider yourself a “high tech” investigator, need to geolocate images from mobile phones. A good step-by-step procedure comes from digital forensic examiner Girl, Unallocated. Take the time to try it out for yourself, and think about robbery, stalking, and other cases you might need geolocation data for.

Data visualizations — graphs, maps, and so on — can be important in court; would you create them if you knew how? Pete Warden documents his methodology, a process he says came via trial and error. It includes choosing a question, sketching the presentation, crunching the data—and finding the surprises. (Don’t be afraid of surprises during an investigation. They mean you’re doing good work.)

Making police work more transparent

Dashboard and body-worn cameras are up for debate in Nevada after Henderson police were filmed striking a motorist in diabetic shock; unions want more say in their installation and use. But as the Las Vegas Sun noted, “The city of Seattle and its police department, facing accusations of excessive force, have been sued seeking release of video footage. The department has lost tens of thousands of videos, the station, KOMO-TV, reported.”

I’ve written before about the importance of content that can show the public a police department’s need for better training. But if police are unwilling to make themselves more transparent, they are likely still to face the issue from other quarters. An op-ed noted:

Technology doesn’t just provide citizens with a way to tell their own version of events, it gives police departments all over the country a reason to implement much-needed reforms that can improve transparency and public trust. This will make cops safer and their jobs easier.

Indeed, Baltimore police created new rules for public recordings of police. Follow suit, and keep up with your training, which — despite its traditional place on the chopping block in hard times — may just be more important now than ever.

Transparency in digital investigations

Of concern to citizens: how German police used Facebook to identify citizens, and how Denver police record witness descriptions. In both places, the human memory under duress is at issue. Going deeper, however, is the question: how do we use technology? In our drive to understand and adapt it, do we overrely on it?

You can’t, obviously, be transparent about everything in police work… but online engagement is a start toward the kind of transparency that puts citizens at ease enough to listen to you. My January column for discussed police departments as media platforms, and a related article from the Content Marketing Institute, “Creating Content that Serves Its Civic Duty,” provides several examples of government websites doing content right—encouraging public engagement.

As Luke Fretwell wrote just recently, “Creating sustainable, meaningful civic contributions to government” is hard to encourage much less measure. Yet government agencies can do it, as Cumbria (UK) police showed when they held a live webchat about Internet safety.

How are you communicating your agency’s use of high tech to the public?

Creative Commons License photo credit: jesus_leon

Why and how to add mapping to your cell phone evidence

How maps help juries visualize cell phone data

In May, Law Enforcement Technology published an article, “Mapping Human Behavior,” which used a high-profile California homicide case to show the pivotal role which cell phone evidence played.

Wireless expert Jim Cook, quoted in the article, will be presenting at the HTCIA International Training Conference & Expo in September. To promote his lecture via their blog*, I interviewed him for more information.

We ended up in a long discussion that wouldn’t fit there, but that I thought would fit quite well here, about things first responders and investigators both need to know about cell phone evidence — but rarely do.

Why cell data mapping?

Cook says in some cases, the cell phone can be one of the primary pieces of evidence. It usually contains content and metadata (information about content, such as a date/time stamp or geotag on an image or video).

In other cases, the data on the phone may be deleted. While cell phone forensics can recover this kind of data, it may not recover everything (depending on the tool used and the examiner’s skill level). Even if it does, carrier data can be an important corroboration of what the phone tells the investigator.

A carrier’s call detail records are a “fingerprint” of the device’s activity, which may include calls, texts, and data transmissions placed or received. The records include information about the cell sites and sectors from which this activity originated; sometimes, if requested soon enough, location information and text content can be obtained from the carrier.

“Sometimes you don’t have the weapon, or witnesses, but you do have potential suspects,” Cook explains. “The victim’s or suspects’ cell phones and carrier data together can contain critical evidence including a suspect’s movements, possible witnesses or even more suspects.”

Otherwise, with no clues, investigators may want to consider requesting a “tower dump.” The tower dump is a request which the investigator makes of the carrier to provide all call, text, and data transmissions that connect to the cell sites covering the crime’s geographic area for a specified time period.

Cell carriers are encouraged to “co-locate,” or lease space on the tower(s) they own, to other carriers wishing coverage in an area that they don’t currently cover. That means that a single tower can contain records for multiple carriers’ customers — which can run into the hundreds or even thousands, depending on the time period and the location.

“A tower dump is a ‘needle in a haystack’ piece of evidence,” Cook says, “but it can be especially useful with serial crimes such as home invasions, robberies or sexual assaults, because tower dumps for each crime location can be cross-referenced for numbers that come up in all locations.” In a case he assisted with, this type of evidence was backed up with search warrants to specific carriers, which led to the arrests of 11 suspects.

But so much evidence can be overwhelming in its raw format. Once the tower dump leads to a specific suspect via a specific carrier, as in the case example above, those call detail records can be mapped as a way to help non-technical people visualize a suspect’s or victim’s movements.

Visualizing a cell sector as a "piece of pie."

“You first explain to the jury how the phone actually works,” says Cook. “You explain antennas, sectors [he uses the analogy of a piece of pie] and so on — then the call process, and how the carrier captures the data.

“Then you show them the map and how you plotted the data, and ultimately, what it means to the case — how it solidifies or even potentially refutes other evidence, including eyewitness accounts, video or social networking updates.” He estimates the conviction rate on cases he has assisted with is 96-97 percent. “Cellular phones are really the new DNA,” he adds, paraphrasing Santa Clara County Deputy DA Vicki Gemetti.
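The two techniques described above, cross-referencing tower dumps from several crime locations and plotting a phone’s cell-site and sector hits as “pieces of pie,” are shown here as an added example in Python; this is not code from the original post or from Jim Cook. Every phone number, site id, coordinate, azimuth and beamwidth in it is constructed for the example, and the 120-degree sectors and one-kilometre radius are assumptions: in a real case those values come from the carrier’s engineering data, as Cook advises, not from an investigator’s guess.

```python
"""
Added example (not from the original post or from Jim Cook): cross-reference
constructed tower-dump records from several crime locations for numbers that
appear in all of them, then turn one number's cell-site/sector hits into
"piece of pie" wedge polygons that a mapping tool can plot.
All numbers, sites, coordinates, azimuths and beamwidths are constructed.
"""
import math

# Constructed tower-dump records, one list per crime location.
# Each record: (phone number, cell site id, sector azimuth in degrees, event time)
TOWER_DUMPS = {
    "home_invasion_1": [
        ("555-0101", "SITE_A", 0,   "2011-06-01T22:10"),
        ("555-0102", "SITE_A", 120, "2011-06-01T22:12"),
        ("555-0199", "SITE_A", 240, "2011-06-01T22:15"),
    ],
    "home_invasion_2": [
        ("555-0101", "SITE_B", 120, "2011-06-08T23:05"),
        ("555-0150", "SITE_B", 0,   "2011-06-08T23:06"),
    ],
    "home_invasion_3": [
        ("555-0101", "SITE_C", 240, "2011-06-15T21:40"),
        ("555-0150", "SITE_C", 0,   "2011-06-15T21:44"),
        ("555-0102", "SITE_C", 120, "2011-06-15T21:50"),
    ],
}

# Constructed site coordinates (latitude, longitude); real ones come from the carrier.
SITES = {
    "SITE_A": (37.3400, -121.8900),
    "SITE_B": (37.3550, -121.9100),
    "SITE_C": (37.3300, -121.9300),
}

EARTH_RADIUS_KM = 6371.0


def locations_by_number(dumps):
    """Map each phone number to the set of crime locations whose dump it appears in."""
    seen = {}
    for location, records in dumps.items():
        for number, _site, _azimuth, _time in records:
            seen.setdefault(number, set()).add(location)
    return seen


def numbers_in_all_dumps(dumps):
    """The 'needle in the haystack': numbers present in every location's dump."""
    return {n for n, locs in locations_by_number(dumps).items() if len(locs) == len(dumps)}


def numbers_in_at_least(dumps, k):
    """Looser screen: numbers present in at least k of the locations."""
    return {n for n, locs in locations_by_number(dumps).items() if len(locs) >= k}


def destination(lat, lon, bearing_deg, dist_km):
    """Point dist_km from (lat, lon) along bearing_deg, using a flat-earth
    approximation that is adequate for sector radii of a few kilometres."""
    b = math.radians(bearing_deg)
    dlat = dist_km * math.cos(b) / EARTH_RADIUS_KM
    dlon = dist_km * math.sin(b) / (EARTH_RADIUS_KM * math.cos(math.radians(lat)))
    return (lat + math.degrees(dlat), lon + math.degrees(dlon))


def sector_wedge(lat, lon, azimuth_deg, beamwidth_deg=120.0, radius_km=1.0, steps=8):
    """Polygon for one sector: the site itself, then points along the arc from
    azimuth - beamwidth/2 to azimuth + beamwidth/2. Three 120-degree sectors
    on one site give the 'piece of pie' picture (assumed values, see lead-in)."""
    points = [(lat, lon)]
    start = azimuth_deg - beamwidth_deg / 2.0
    for i in range(steps + 1):
        bearing = start + beamwidth_deg * i / steps
        points.append(destination(lat, lon, bearing, radius_km))
    return points


def wedges_for_number(number, dumps, sites, **wedge_kwargs):
    """Sector wedges, in event-time order, for every hit a number has; each
    entry is (location, time, site, polygon) ready for a mapping tool."""
    hits = []
    for location, records in dumps.items():
        for num, site, azimuth, time in records:
            if num == number:
                lat, lon = sites[site]
                hits.append((location, time, site, sector_wedge(lat, lon, azimuth, **wedge_kwargs)))
    hits.sort(key=lambda h: h[1])  # ISO-8601 timestamps sort chronologically as strings
    return hits


if __name__ == "__main__":
    common = numbers_in_all_dumps(TOWER_DUMPS)
    print("numbers in every dump:", sorted(common))
    for number in sorted(common):
        for location, time, site, polygon in wedges_for_number(number, TOWER_DUMPS, SITES):
            print(f"{number} {time} {location} {site}: wedge of {len(polygon)} points")
```

Run as-is it reports the one constructed number that appears in all three dumps and lists a wedge per hit; feeding the polygons to a mapping library (or exporting them as KML) produces the sector-by-sector movement picture the text describes. The `numbers_in_at_least` screen exists because a suspect may not carry the same phone to every scene, so a hit in most locations is still worth a look.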

So how do investigators do the mapping?

1. Book cell phones as evidence; don’t mark them as personal property.

“Personal property, if picked up by the suspect or a designee, can be wiped of any and all content,” says Cook. “Booking the phone as evidence allows you to write a search warrant to examine the phone, and also obtain call detail records, text and data transmissions from the carrier for the time period in question, which should be done ASAP because it’s volatile. Not every carrier holds it for a year — some expunge call records after just 90 days.”

Currently, MetroPCS is the only carrier that maintains text message content for up to 60 days. Other carriers such as AT&T and Sprint don’t maintain content at all, while some (like Verizon) maintain it for very short periods of time — six to eight days.

Call detail records can substantiate witness, suspect, or victim testimony, and can even solve a case. At that level, waiting too long can be fatal to a case.

2. Be sure to get data from the phone, too.

Don’t overrely on the carrier, even if you haven’t waited too long. “There is always more evidence,” says Cook. “Take the extra step or two you need to find what you can find from the device.

“Don’t think you can’t get data if the phone’s battery isn’t charged, or if you don’t have cell phone forensic tools. I’ve bought chargers for police from wireless retailers,” he adds. “And if you don’t have a forensic tool, or the tool you have doesn’t work on that phone, or you have only one tool, find an agency that has a tool that will work or a different tool from the one you use. There is always more data; to recover the maximum amount of data from the device, use more than one tool.”

3. Write warrants for carrier data from at least the past three months.

Cook raised this point in the LET article; it is what he calls “the Jim Cook Rule #1”: go far beyond the immediate period of time you’re interested in.

“We’re all creatures of habit,” he says. “We’re up in the morning, on the road by a certain time, driving through Starbucks and calling mom or dad on our way to work. We have similar routines on the way home and on the weekends.

“But then, we take our phone to New York, and there’s this big gap of no activity when normally, we’re talking to people. Only an extended sample of call detail records can show whether this is out of the ordinary, or part of a subject’s monthly routine.”

4. In your warrant, use the right verbiage.

Also discussed in the article — a sidebar goes into the specific eight items that Cook recommends — is the need to get the right amount of detail in the search warrant. “Carriers need exact requirements for certain information,” says Cook, “like cell sites and sectors, along with the phone data. If they don’t provide it up front, investigators will end up having to write multiple warrants.” That can waste precious time, and lose data along the way.

5. Make sure you’re getting the right data from the carrier.

If the defense attorney is doing his or her job, you may need to prove that the phone really belonged to the suspect at the time of the incident. “Number portability and number switching mean that the investigator needs to find out if the device was active and billable in the suspect device’s carrier’s network during the specified date range,” says Cook.

“If not, you have to find out where to serve the paper sooner rather than later, while the data is still there, instead of finding out you were wrong two or three months later when the records are gone.” Services like FoneFinder or Neustar will show carriers of record; however, they aren’t always 100% accurate, and investigators should follow up their findings with a phone call to those carriers.

6. Be specific with tower dump requests.

If you have to take that next step into the haystack, provide carriers with a physical location (the longitude and latitude of the crime scene or other location of interest); then request a tower dump of all calls, text events and data transmissions from all cell sites and sectors covering that geographic area during a period of time. “Let the carrier’s engineers determine the best sites and sectors, as opposed to an investigator making an incorrect assumption that will only result in the wrong data being obtained,” says Cook.

Questions about cell phone investigations or mapping, or want to get in touch with Jim Cook directly? Let us know in the comments!

*Disclosure: HTCIA is a client, but I was not compensated for this post.

Creating partners in public safety

A couple of articles caught my eye last week. First, there was Good Old Bill’s wistful story of a spontaneous decision to engage in some community policing:

People see that little of us these days, other than in a quick fleeting visit or by passing them whilst preoccupied whilst on foot – or more likely – by car. When they do see us we are generally busy thinking about what we have to do and that we have X amount of outstanding jobs that are “backing up” and need dealing with and that we have a pot of crimes that need investigating between all the calls for service….

All of this has resulted in people forming opinions of us. We are arrogant, unapproachable and uninterested [being some of the most popular ones]. In turn, we have formed opinions that the public don’t like us and that we are unappreciated and not understood. It’s a vicious circle.

We cannot control what opinions people form, but we can try to influence the reasons why they think them.

If only we had more opportunities like those I had this week. I think all of us would benefit from it. But I didn’t get a “tick” for doing it, and it’s not measurable by some kind of statistic.

Then, police leaders’ point of view on where policing is headed, from a summit in Seattle:

“The fact is, we’re in the process of constructing the next iteration of police work,” [Chief Garry McCarthy of the Newark Police Department] said. “Initially, police were very reactive,” responding to crimes after they’d been committed, he said.

“Then proactive policing came in, and we talked about preventing crime. The next step is preventing crime in concert and with the blessings of the community,” McCarthy said. “It’s where we’re going as a profession.”

[King County Sheriff Sue Rahr] said police agencies are good at teaching officers physical skills, but now they need to focus on officers’ interpersonal skills.

Instead of focusing on building trust through community forums and other macro-level efforts, Rahr said the focus is shifting to the micro level by building trust through individual contacts.

“We need to build community trust one interaction at a time,” she said.

What austerity means to community

Both in the United Kingdom and in the United States, what is called “austerity measures” in the UK and “budget cuts” in the US has impacted policing severely. Just this past week, the Sacramento Police department was the latest to announce deep cuts, layoffs too. Many specialized units are being eliminated, and officers will respond primarily to emergencies.

Yet both Good Old Bill and Sheriff Rahr are calling for more one-to-one interactions as a way to stave off the psychological impact of these measures. What’s up with that?

I’ve worried about what cuts would mean to high tech crime investigation and digital forensics. The more entrenched technology becomes, the more need there is to examine it for evidence of crime. Yet as police departments pull staff from these tasks and reassign them to the street (or lay them off altogether), the return to a more physical form of policing means less opportunity for officers to practice their digital — along with their interpersonal — skills.

The answer may just lie in those one-to-one interactions. Last year, a Denver Post article detailed how residents of Colorado Springs (Colo.) were taking a more active role in their own quality of life maintenance, the issues behind the “Broken Windows” theory of policing.

This reflects an article from San Diego, in which police noted that community policing was never meant to be permanent; it was meant to be transitory, enabling the community to be proactive and rely less on police. This transition may be underway already, even if we weren’t expecting it.

Legal and social complications

Still, questions remain on legal and social issues, especially with regard to high tech crime and evidence. Two other stories are troubling because of what they mean for privacy and how civilians relate to one another.

In Michigan, the ACLU has for a long time demanded to know how state troopers use cell phone forensic tools. Other law enforcement agencies are starting to put these tools in cruisers for officers to use, to save time and enable more evidence collection with less manpower.

However, and not just because of the ACLU, forensic professionals hesitate to cheer such decisions because good case law is predicated on proper forensic process. With great power comes great responsibility, after all; is it enough simply to train the officers on the use of the tool? A forensic unit is not a radar unit; it takes more than tuning forks to validate that the tool works properly.

In addition, The Independent noted that in the UK, victims of theft have engaged in some degree of vigilantism to recover high-tech equipment stolen from them:

From Surrey to San Francisco, software is doing the job of the police as vigilantes use tracking programmes more commonly seen in CIA action thrillers to locate missing computers and phones. In April, the ex-England rugby captain Will Carling traced his stolen iPad to a block of flats in Woking. He knocked on all the doors – to no avail – then traced its movement through the town while detailing the chase on Twitter. The iPad was eventually handed in to local police.

Certainly this is convenient, but in some cases it may violate state laws. In California, for instance, no “safe harbor” law exists for crime victims to monitor stolen equipment in real time. That means residents who use these tools may be violating anti-wiretapping laws, and laws designed to protect private communications — yes, even on stolen equipment.

In other words, police can’t use that evidence in court, or at least can use only the data not collected in real time, and may be barred from using the information even with a search warrant.

More recently, vigilantism reared its head in Vancouver following the riots over the city’s Stanley Cup loss:

[B.C. Civil Liberties Association David] Eby said he understood the community’s anger, given the destruction and chaos, but said that bloggers run the risk of labelling bystanders as criminals.

“The concern that we have is when pictures are posted to private websites, the suggestion is made that people may have broken the law,” he said. “There were many people in the downtown area that were shocked, stunned, appalled that were not breaking any laws.”

It seems clear to me that in order to help citizens navigate these issues, police cannot simply return to the “bread and butter” of traditional policing. If they do, then that leaves only federal law enforcement — the Secret Service, the Internet Crime Complaint Center, etc. — which is also unsustainable over the long term.

If we:

  • don’t want to return to traditional reactive policing because it will undo all the hard work we’ve put in over 20 years
  • don’t have time or resources to devote to proactive policing over the next 20 years
  • are truly taking the next step towards empowering citizens to keep themselves safe

Then we should consider treating them almost as rookie cops, finding field training officers and attorneys who can help them navigate legal and social issues as they become proper partners in public safety. It goes without saying that social media could help pave the way.

I know of detectives and officers who already do this, making the time with their agencies’ blessing. How might yours make room among their regular duties?

Image: lancmanoffice via Flickr

Danger! Zombies ahead… and other security issues

Web-based traffic signs seem like the perfect solution for agencies that have speed enforcement problems. With the ability to change the sign’s message online — as well as receive alerts and data from the sign — no longer do supervisors need to send precious units to the signs to perform these functions manually.

But in January 2009, signs in Austin (Texas) were hacked. Displaying messages like “Caution! Zombies Ahead!!!”, they slowed traffic and made for some debate about “harmless fun” (reminiscent of the MIT hacks) vs. vandalism as a threat to public safety.

The signs were not connected to the internet, so hackers had to be there physically to break the locks and the passwords on the controller computers inside. Nevertheless, technology advancements mean that law enforcement administrators need to remember: information security isn’t just about sensitive employee and crime-related data.

Why are these stories important? They reflect that the more law enforcement agencies rely on information technology to make police work more efficient, the more threats they will face from both outside and inside. Whether student pranksters (as was speculated in Austin), foreign operatives (as was speculated in Iowa), or ill-informed employees, these threats can take many different forms.

For example, remote-controlled robots are increasingly being deployed in bomb and hostage situations, as in Milwaukee in December. However, as early as last year, cybercrime and security expert Marc Goodman warned of vulnerabilities in battlefield robots, which could easily translate into vulnerabilities for police robotics as well.

The point is not to spread fear, uncertainty and doubt (FUD) about deploying new technologies. Rather, as Goodman puts it: “While electronic warfare is a relatively old domain, the presence of battlefield (and perhaps police robots) means there is a whole additional set of technologies which need to be fully understood and protected prior to deployment in real world scenarios.”

The same can be said of social media, “the cloud,” or even computer-controlled traffic signs. Nothing is completely secure; the human factor trumps all. However, the public- and officer-safety, force-multiplying, and investigative benefits of each kind of technology are too great to avoid them entirely.

What kind of security research have you done on technology you considered or deployed? How have you prepared your employees for best security practices?

Creative Commons License photo credit: Idaho National Laboratory

5 free resources for high tech crimes investigators

Last week I wrote about the need to become better informed on high tech crimes, the better to help victims of identity theft, cyberstalking, and other complex crimes. Fortunately, free resources exist.

TLO

Designed for agencies that can’t afford a subscription to Lexis-Nexis’ Accurint or ChoicePoint, TLO is rapidly becoming a strong competitor for both services, and is a viable alternative for small or medium-sized agencies with no budget. That’s because Accurint’s designer is behind it, and TLO boasts a team of law enforcement, prosecutors, programmers, scientists, and executives — many of whom have worked together for decades.

Take time to poke around the site and register for the service — you won’t be disappointed.

National White Collar Crime Center (NW3C)

The NW3C provides quite a few resources, including free training, free investigative assistance, and even financial support for some cases. The catches: first, a case must have a tie to financial crime (though nearly all high tech crime cases do). And second, the agency must be a member.

However, once the agency is signed up — again for free — the NW3C provides a wealth of assistance. It runs information through all major databases and provides free software — along with the training to use it — such as TUX4N6 for on-site previews, PerpHound for mapping GPS or cell tower coordinates, and others.

In addition, the NW3C has a partnership with the FBI and the Bureau of Justice Assistance (BJA) to sponsor the Internet Crime Complaint Center (IC3), a good resource to which to direct citizens when you can’t take the report or don’t have the resources to investigate yourself.

NCIC Off-Line Search

The National Crime Information Center (NCIC) Off-Line Search is, because of the power of NCIC’s online searches, vastly underutilized. However, it “could assist an investigator in locating an item of property, determine the proximity of an individual to a crime scene, substantiate or discredit an alibi, or trace the route of a person of interest.” It exists, in other words, to provide leads and obtain information not generally available through an online query.

The Off-Line Search has been used to help identify and capture Timothy McVeigh, recover stolen vehicles and kidnapping victims, and solve murders. It is accessible via email, phone or NLETS.

Though not originally designed for law enforcement, provides instant updates anytime a suspect or convict is arrested anywhere else in the nation. This is a tool that’s valuable for information sharing — if the name you’re tracking shows up in your email, you have only to contact the arresting agency to take your investigation one step further.

The Hi-Tech Resources Listserv

Lots of listservs, forums and other resources exist for high tech crimes investigators. Some are available after you become a member of the sponsoring organization. Others are free, but are focused on areas like digital forensics.

The Hi-Tech Resources Listserv, however, was founded as a way to share search warrant, corporate liaison contact, and investigative information. Originally a resource for investigators in northern and central California, the Yahoo! list has rapidly expanded to include more than 1,000 members in states as far east as New Jersey.

Resources include regularly updated law enforcement liaison information for internet and cell service providers, cell service provider data retention records, sample search warrants and subpoenas, and information related to specific crimes including high-tech stalking, child exploitation and identity theft.

Listowner Kipp Loving, a detective in central California, tells me that instructors from SEARCH and the NW3C encourage their trainees nationwide to join the list. To join, you need to be prepared to provide the following information:

  • Full name with agency name
  • Contact information (phone or e-mail, preferably work address and not a Yahoo email)

This information is kept confidential and the list is limited to law enforcement. Be prepared to have your affiliation verified before you join!

What free tools are your favorites, and why?

Image: KOMUnews via Flickr

What does high tech crime preparedness mean to you?

When someone calls or emails your agency to make a report about a high tech crime… what do you do?

Some reports, like child pornography, are easy. Internet Crimes Against Children task forces exist in every state — some states have multiple task forces — and even if your agency isn’t affiliated, there’s always the nearest FBI field office.

But what about identity theft? Cyberstalking? Phone service abuse? Do you have officers or detectives trained to identify and investigate these issues? If you rely on state or regional resources like computer forensics labs, how soon can you expect to hear from them? Do you even take a report?

This New York Times article details some of the threats that exist today — not threats that are coming in a year or two, but things that are happening right now. No, your cops don’t have to be malware experts; far from it.

But they do need to understand the fallout from malware infections. They do need to understand social engineering (hint: it’s not limited to high tech) and it would be helpful for them to know all the different ways credit card numbers can be stolen.

When I wrote an article in 2009 about cyberstalking, it was astonishing to me that many police departments don’t take reports. Not knowing how to deal with certain high tech crimes, they may even turn victims away, or worse, assume keylogging or other forms of “spyware” can’t possibly exist.

Well, they do, and far beyond. So even if an agency cannot respond in full, they owe it to their citizens at least to react: to ask the right questions when taking a report, to assess the extent of a cyber threat (read the above article to see information about a rural sheriff’s office doing just that), and to refer the victim to a resource that can help when necessary.

True: departments’ resources have dwindled. It can be hard to tell the difference between legitimate victims, and individuals with a mental illness or those who seek attention. Cyber threats may also not seem as serious as physical threats. It may not be worth the time to file a report when you don’t have the resources to respond, and have no way to forward the report to an agency that can.

Still: resources exist. At the very least, an agency should be prepared to direct a victim to the Internet Crime Complaint Center (IC3). But because even those resources are not ideally staffed, and because (as the Times points out) high tech crime will only become more ubiquitous over time, every agency should be prepared to educate itself.

Next week we’ll talk about some of the resources that can help you do that, and investigate the crimes too. Best of all? The tools are free. Stay tuned: subscribe (that’s free too)!

Creative Commons License photo credit: AutomaticDefence