
Running head: DIGITAL EVIDENCE

Digital Evidence: How can the Des Moines Fire Department utilize this evidence in fire investigations?

Mark Dooley

Des Moines Fire Department, Des Moines, IA

Certification Statement

I hereby certify that this paper constitutes my own product, that where the language of others is set forth, quotation marks so indicate, and that appropriate credit is given where I have used the language, ideas, expressions, or writings of another.

Signed: Mark H. Dooley

Abstract

The investigation of a fire scene has been difficult, and there may be evidence that was not gathered by the investigator. The problem is that the Des Moines Fire Department (DMFD) does not currently use digital forensic investigation techniques to assist investigators during fire investigations. The potential consequence of not using these techniques is that evidence that may assist investigators is not being identified. The purpose of this research is to identify factors that will allow the DMFD to implement current digital forensic investigation techniques during fire investigations. A research methodology was utilized to answer the following research questions: 1) What type of current digital investigation techniques could be applied to fire investigations? 2) When would current digital forensic investigation techniques be utilized in fire investigations? 3) What qualifications are required to be recognized as an expert witness utilizing current digital investigation techniques? The procedures utilized to complete this research will include subject matter experts in the fields of fire investigations, police investigations and digital forensics. The results of this research led to three primary recommendations: a) provide education; b) improve the collection of digital forensic evidence that will assist with fire investigations; c) evaluate opportunities to obtain funding for a digital forensic investigation team. This will improve the professionalism of the DMFD and expand the opportunity to gather evidence that could be used to increase the number of arrests and therefore provide a safer community for the citizens of Des Moines.

Table of Contents

Certification Statement
Abstract
Table of Contents
Introduction
Background and Significance
Literature Review
Procedures
Results
Discussion
Recommendations
References
Appendix A: Phone Software Components
Appendix B: Questionnaire to digital forensic subject matter experts
Appendix C: Interview questions asked to police and fire subject matter experts
Appendix D: Interview questions asked to fire subject matter experts
Appendix E: Interview questions asked to forensic subject matter expert
Appendix F: Interview questions asked to police and digital forensic subject matter expert
Appendix G: Interview questions asked of the City of Des Moines Fire Marshal

Digital Evidence: How can the Des Moines Fire Department utilize this evidence in fire investigations?

Fire departments have the authority to investigate the cause, origin, and circumstances of fires that occur in their jurisdiction according to the 2009 edition of the International Fire Code (International Code Council [ICC], 2009, p. 3). This is the case for the Des Moines Fire Department. The Des Moines Fire Department has two dedicated members and two additional part-time members who are responsible for investigating fires and malicious false alarms inside the city limits of Des Moines ("The Des Moines Arson Task Force," n.d.).

The research problem is that the Des Moines Fire Department does not currently use digital forensic investigation techniques to assist investigators during fire investigations. The potential consequence of not using these techniques is that evidence that may assist investigators is not being identified. The unidentified evidence leads to assigned cases remaining undetermined after investigation and also reduces the likelihood of arson suspects being arrested and charged.

The purpose of this research is to identify the factors that will allow the Des Moines Fire Department to implement current digital forensic investigation techniques during fire investigations. By identifying current digital forensic investigation techniques, the correct application of digital forensic evidence investigation to fire investigations, and the skill set necessary to conduct digital evidence investigations in a forensically sound manner, it is hoped that the Des Moines Fire Department will be able to recognize the benefits of digital evidence investigations.

To accomplish this research the following questions will be used to support a research methodology: 1) What type of current digital investigation techniques could be applied to fire investigations? 2) When would current digital forensic investigation techniques be utilized in fire investigations? 3) What qualifications are required to be recognized as an expert witness utilizing current digital investigation techniques? These questions will be researched using a descriptive research method to determine if current digital forensic investigation techniques can benefit the Des Moines Fire Department during fire investigations. Research will be done by utilizing information gathered through interviews of recognized experts in the field of digital forensics. Research will also be conducted to see if other fire departments are utilizing current digital forensic techniques for fire investigations. Finally, research will be conducted as to courses and certifications that assist an investigator in applying scientific methodology to current digital forensic investigation techniques during fire investigations. At the conclusion of the research, information will be provided that identifies the factors necessary to allow the Des Moines Fire Department to implement digital forensic investigation techniques to assist with fire investigations.

Background and Significance

The Des Moines Fire Department (DMFD) is a full service department that provides fire suppression, Emergency Medical Services Advanced Life Support transportation, hazardous materials intervention at the specialist level, swift water emergency rescues, and high and low angle rescues as part of our daily operations section. The department also has a fire prevention section that is responsible for public education, engineering review, fire investigations and code enforcement. The DMFD is charged with investigating all fires within the city limits. The responsibility for those investigations ultimately lies with the fire chief, but the DMFD has two members of the department, assigned to the fire prevention section, whose full-time responsibility

is to investigate fires and malicious false alarms. When either of those members is not able to cover their assigned shift, there are two additional members from the fire prevention section who will fill in and investigate fires and malicious false alarms. Each of the fire investigators works with a partner from the Des Moines Police Department (DMPD). The team approach allows for continuity of the case from the time it is assigned until completion, with each member of the team bringing expertise and experience from their career discipline.

Fire scenes are difficult to investigate; in the introduction chapter of Kirk's Fire Investigation, 7th edition, the author states, "due to the complex nature of the event, where fire often deforms or distorts the evidence, fire investigation is among the most difficult forensic sciences to practice" (DeHaan & Icove, 2012, p. 2). Additionally, it is noted in chapter 4 of the National Fire Protection Association NFPA 921 Guide for Fire and Explosion Investigations, 2011 edition, that "A fire or explosion investigation is a complex endeavor involving skill, technology, knowledge and science" (National Fire Protection Association [NFPA], 2011, p ). These are recommended national guides and standards that the DMFD follows in all of their investigations.

The DMFD investigators all meet the minimum professional qualifications for fire investigator that are listed in National Fire Protection Association Guide 1033, specifically those listed in Section 1.3.8:

The investigator shall have and maintain at a minimum and up-to-date basic knowledge of the following topics beyond the high school level at a post-secondary educations level: (1) Fire science (2) Fire chemistry (3) Thermodynamics (4) Thermometry (5) Fire dynamics (6) Explosion dynamics (7) Computer fire modeling (8) Fire investigation (9) Fire analysis (10) Fire investigation methodology (11) Fire investigation technology (12) Hazardous materials (13) Fire analysis and analytical tools (National Fire Protection Association [NFPA], 2009, p )

The investigators of the DMFD also apply the scientific method to fire investigations as recommended by NFPA 921 section 4.4, Basic Method of Fire Investigation. This method includes receiving an assignment, preparing for the investigation, conducting the investigation, collecting and preserving evidence, analyzing the incident, and conclusions (NFPA, 2011, p & 19).

In 2011 the Des Moines Fire Department responded to 19,693 calls (Des Moines Fire Department [DMFD], 2011). For 2012 the Des Moines Fire Department responded to 20,710 calls (Des Moines Fire Department [DMFD], 2012). Through November 28th, 2013 the city of Des Moines Fire Department responded to 19,551 calls for assistance (Des Moines Fire Department [DMFD], 2013). The fire investigators were assigned to investigate malicious false alarms, fires where the on-scene officer could not make a determination of the cause of the fire, and fires that resulted in the injury or death of a civilian or firefighter. In 2011 the fire investigators were assigned 685 cases (Des Moines Fire Department [DMFD], 2011, p. 15). Of those 685 cases there were 49 cases that remained undetermined after investigation and there were 21 cases that resulted in an arrest (Des Moines Fire Department [DMFD], 2011, p. 2). For 2012 the fire investigators were assigned 781 cases (Des Moines Fire Department [DMFD], 2012, p. 17). From those cases there were 18 arrests and 96 cases that remained undetermined after investigation (Des Moines Fire Department [DMFD], 2012). As of November 28th, 2013 the Des Moines Fire Department fire investigators have been assigned 540 cases (Des Moines Fire Department [DMFD], 2013, p. 12). From those 540 cases there were 54 cases that remained

undetermined after investigation, there have been 12 arrests and there are 153 open cases (Des Moines Fire Department [DMFD], 2013, p. 2).

This Applied Research Paper (ARP) addresses curriculum that was presented in the author's attendance of the National Fire Academy course Executive Development (ED), describing the challenges an authority figure is likely to encounter in team development (United States Fire Administration [USFA], 2012, p. 131). Additionally, this ARP will support one of the United States Fire Administration's five operational objectives, to improve the fire and emergency services' professional standards (United States Fire Administration, 2010, p. 3).

Literature Review

The review of literature for this ARP is critical to identify what information is available in the field of digital evidence investigation: specifically, current digital investigation techniques that could be applied to fire investigations, when to apply those investigation techniques, and the qualifications necessary to ensure that the investigative techniques are forensically sound and able to be recognized in a court of law. This literature review focused on practices being used by and taught to agencies currently involved with or studying digital evidence, difficulties and successes with the use and presentation of digital evidence, and finally courses and certifications that allow for recognition of the digital evidence in a court of law. The literature relevant to these subject areas has been summarized to make sure adequate background information has been provided to understand this topic.

In today's society many have come to rely on the plethora of information that is readily available via electronic means. One can simply use any internet search engine and find information on nearly anything imaginable. This information search, whether it is done on a home based computer, a laptop computer, a tablet or a smart phone, will most likely leave some evidence of the search. Marie-Helen Maras has written a book, Computer Forensics: Cybercriminals, Laws and Evidence, in which she states, "computers can be an incidental aspect of the commission of the crime and may contain information about the crime" (Maras, 2012, p. 5).

To address the research question of what type of current digital investigation techniques could be applied to fire investigations, this author researched and identified different investigation techniques and currently used language. In chapter 2 of her book Maras defines computer forensics as "a branch of forensic science that focuses on criminal procedure law and evidence as applied to computers and related devices" (Maras, 2012, p. 27). She continued to explain that the science is applied to the process of obtaining, processing, analyzing and storing the digital information, and that this information is obtained not just from computers but from other electronic devices such as mobile phones, cameras, CDs, DVDs, USB flash drives, iPods and even gaming consoles (Microsoft's Xbox) (Maras, 2012, p. 27).

It is also important to identify what digital evidence is. Continuing in chapter 2 of her book, Maras has a section titled "Electronic Evidence: What is it?" She describes evidence as "any object or piece of information that is relevant to the crime being investigated and whose collection was lawful." She continues to identify that evidence is wanted to prove a crime has happened, link a person to a crime, disprove or support testimony, identify a suspect, provide investigative leads, or eliminate a suspect from further consideration. She then describes electronic evidence as "information extracted from computer systems or other digital devices used to prove or disprove an offense or crime" (Maras, 2012, p. 35).
In addition to Maras, Nelson, Phillips and Steuart released Guide to Computer Forensics and Investigations, where they identify digital evidence as "any information stored or transmitted in digital form." They went on to state that United States courts accept digital evidence as physical evidence, making it a tangible item (Nelson, Phillips, & Steuart, 2010, p. 150). The authors assert that evidence collected from electronic devices, in a forensic manner, is digital evidence and can be used in a criminal investigation.

The evidence is tangible and used to prove or disprove a crime, but to get the information from an electronic device to a point where it can be presented in court requires the use of specialized tool kits equipped for computer forensic investigations. Marie-Helen Maras states that "these toolkits allow computer forensic investigators to collect, store, preserve and transport forensic evidence" (Maras, 2012, p. 190). The tool kit will not be just a single tool to conduct a forensic investigation; the digital item that is being investigated will identify what equipment will be used for the investigation. However, to begin an investigation, the digital forensic investigator must not be able to modify the data that is being evaluated.

Brian Carrier stated that "at the most basic level, digital forensics has three major phases: acquisition, analysis, and presentation. The acquisition phase is saving the state of a digital system to be analyzed later, similar to photographs or blood samples at a crime scene" (Carrier, 2002, p. 2). The tool that would be required to acquire digital evidence would be a write block, which allows data to be transferred from the suspect source to a trusted source, but no data can be transferred from the trusted source back to the suspect source.

Nelson et al. in their book describe five tasks that are performed by computer forensic tools: acquisition, validation and discrimination, extraction, reconstruction and reporting. The first task that they describe is acquisition, which is making a copy of the original drive. A copy is made to preserve the original drive, making sure that it is not corrupted and the digital evidence damaged.
Acquisition can include making a physical data copy or a logical data copy. A reason that an investigator would choose a logical acquisition would be because of drive encryption. If an encrypted disk is copied it remains unreadable data; with a logical acquisition, an investigator can still read and analyze the files. The disadvantage of a logical acquisition is that it requires a live acquisition. Two acquisition tools are EnCase and AccessData Forensic Tool Kit (FTK) (Nelson et al., 2010).

A digital forensic investigator must also verify that the data was not manipulated during the acquisition by using a hash algorithm. This algorithm is applied to the suspect data and the transferred data, and when the results are equal it proves that there was no manipulation of the data. Nelson et al. refer to this task as validation. After validation, the next task that Nelson et al. list is discrimination. Discrimination is the process of removing good data from suspicious data. Good data is data from known files such as operating system files and common programs. Removing the known good files reduces the amount of remaining data that must be evaluated by the investigator (Nelson et al., 2010).

The second phase listed by Carrier is the analysis phase, where the data acquired from the suspect source is examined for pieces of evidence. He continued by listing three pieces of evidence as: "Inculpatory evidence that supports a given theory; Exculpatory evidence that contradicts a given theory; and Evidence of tampering, evidence that cannot be related to any theory, but shows that the system was tampered with to avoid identification" (Carrier, 2002, p. 2).

Nelson et al. list extraction as their third task and define it as the recovery task in computing investigation. They state that extraction includes data viewing, keyword searching, carving, decrypting and bookmarking. Data viewing is the method in which the data is viewed; it can be viewed as a logical drive structure, which identifies folders and files, or with special file and disk viewers that display allocated file data and unallocated disk area, making analysis and clue collection easier.
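The validation and discrimination tasks described above (Nelson et al., 2010) can be shown in a short script. This is an added example, not code from the paper or from EnCase or FTK; the choice of SHA-256, the function names, and the sample image, file paths and known-good set are assumptions constructed for illustration.

```python
"""Acquisition validation and known-file discrimination (added example)."""
import hashlib
import io

CHUNK = 64 * 1024  # read size; real drive images do not fit in memory


def digest(stream, algorithm="sha256"):
    """Hash a binary stream from its current position to the end."""
    h = hashlib.new(algorithm)
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def acquire(source, destination, algorithm="sha256"):
    """Copy source to destination, hashing the bytes as they are read.

    Data only flows from the suspect source to the trusted copy.
    Returns the digest of what was read from the source.
    """
    h = hashlib.new(algorithm)
    for block in iter(lambda: source.read(CHUNK), b""):
        h.update(block)
        destination.write(block)
    return h.hexdigest()


def validate(source_digest, copy, algorithm="sha256"):
    """Validation: re-hash the stored copy and compare with the source digest."""
    copy.seek(0)
    return digest(copy, algorithm) == source_digest


def discriminate(files, known_good):
    """Discrimination: drop files whose content hash is in the known-good set.

    files maps a path to its bytes. Matching is by content, so a file that
    only carries a system-looking name is still kept for review.
    """
    keep = []
    for path, data in sorted(files.items()):
        if hashlib.sha256(data).hexdigest() not in known_good:
            keep.append(path)
    return keep


# --- constructed sample data (not from any real case) ---
SAMPLE_IMAGE = b"BOOT" + bytes(range(256)) * 1024  # stand-in for a suspect drive
OS_FILE = b"constructed operating system library v1"
APP_FILE = b"constructed word processor binary v7"
SAMPLE_FILES = {
    "Windows/System32/oslib.dll": OS_FILE,
    "Program Files/Writer/writer.exe": APP_FILE,
    "Windows/System32/oslib2.dll": b"user data under a system-looking name",
    "Users/jdoe/Documents/notes.txt": b"constructed user document",
}
# Stand-in for a reference set of hashes of known operating system and
# program files (an assumption; the paper does not name a specific set).
KNOWN_GOOD = {hashlib.sha256(d).hexdigest() for d in (OS_FILE, APP_FILE)}


def run_demo():
    source = io.BytesIO(SAMPLE_IMAGE)
    copy = io.BytesIO()
    source_digest = acquire(source, copy)
    intact = validate(source_digest, copy)

    # Simulate a copy that changed after acquisition: one bit flipped.
    altered = bytearray(copy.getvalue())
    altered[100] ^= 0x01
    altered_ok = validate(source_digest, io.BytesIO(bytes(altered)))

    return {
        "intact_copy_valid": intact,
        "altered_copy_valid": altered_ok,
        "files_to_review": discriminate(SAMPLE_FILES, KNOWN_GOOD),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "=", value)
```

A single changed bit in the copy makes validation fail, and only the two files whose contents are not in the known-good set remain for the investigator to review.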
Keyword searching is done by entering keywords of interest in the investigation. This allows the investigator to speed up the analysis process. Carving is the process of reconstructing fragments of files that have been deleted from the suspect drive. Often, investigators need to extract data from unallocated disk space. Encrypted files and encrypted systems can be problematic for investigations. Often, investigators must use recovery tools that allow for password dictionary attacks or brute force attacks on encrypted files. Bookmarking is labeling evidence that has been discovered so that it can be referred to later (Nelson et al., 2010).

The fourth task listed by Nelson et al. as completed by computer forensic tools is reconstruction. Reconstruction is defined as re-creating a suspect drive to show exactly what happened during a crime or incident. Another reason for reconstruction is to allow other investigators to have a fully functional drive for their own investigations. For validation and discrimination, extraction and reconstruction, both EnCase and AccessData FTK were listed as commercial software tools that can assist investigators with their investigations.

The third and final phase that Carrier listed was the presentation phase. Here he stated that the evidence that was acquired and analyzed must be presented to the audience in a manner that is based on policy and law (Carrier, 2002, p. 3). Nelson et al. stated, "to complete a forensics disk analysis and examination, you need to create a report." They went on to state that forensic tools such as EnCase and FTK produce a log report that lists the steps that an investigator took acquiring data from the suspect drive (Nelson et al., 2010, p. 271).

Some digital evidence that was identified as being discoverable in a computer included files that were created by a user, files protected by a user and files created by the computer. Files that are created by a user include word files, text, spreadsheet, image, graphics, audio and video files.
The data in these files often provide evidence about the author of the file and the company to whom the document belongs; the computer owner; the date and time the file was created; the time and date the file was modified and saved; and the last time and date that the file was printed. Additional files that are created by the computer user are calendars, web browser history and e-mails that have been created and read by the user. Files that are protected by a computer user would be files that have been renamed or had their extensions changed, files that have been deleted by the computer user, and files encrypted by the user.

Finally, there are files that are created on the computer by the computer itself. These files are event logs, which automatically record events occurring within a computer as an audit trail. These files include application logs, security logs, setup logs and system logs. The security log is considered the most important event log because it records all log-in attempts and activities of the computer user. Additional files that are created by the computer include history files, where the computer's operating system collects data about websites visited by the user, and cookies, which are files created by websites that are stored on a user's hard drive when a user visits a particular website. Finally, temporary files are files that are created by the computer without the user's knowledge. Examples include unsaved documents, websites browsed, online searches, user names and passwords (Maras, 2012).

While it is difficult to expect that digital evidence could be extracted from an electronic device that was involved in a fire, it is possible for electronic evidence to be present at a fire scene from other electronic devices such as cellular phones. According to a recent survey conducted by Pew Research Center, 91 percent of adults interviewed are using cell phones (Rainie, 2013, p. 1). The cell phone can be a great source of electronic evidence for an investigator because of all of the electronic data that is produced by the cellular phone.
In another survey conducted by Pew Research Center, 56 percent of American adults are now smartphone owners (Smith, 2013, p. 1). Finally, a third report from Pew Research showed that percent of cell phone owners use their phone to go online, which is double the number of owners online since 2009 (Duggan & Smith, 2013, p. 2).

The National Institute of Standards and Technology (NIST) released a special publication in May of 2007 titled Guidelines on Cell Phone Forensics: Recommendations of the National Institute of Standards and Technology. This guideline provided a significant amount of material for this author's paper. Similar to the definition of computer forensics that was used by Maras, NIST defines mobile phone forensics as "the science of recovering digital evidence from a mobile phone under forensically sound conditions using accepted methods" (Jansen & Ayers, 2007, p. 6). NIST also identifies a difficult challenge regarding cell phones: the continued upgrade of technology. The report states, "cell phones vary in design and are continually undergoing change as existing technologies improve and new technologies are introduced" (Jansen & Ayers, 2007, p. 6). Another difficulty in the advancement of technology is the range of processes that can be completed by cell phones, specifically smart phones. NIST recognizes this and states in their report, "mobile phones are highly mobile communications devices that perform an array of functions ranging from that of a simple digital organizer to that of a low-end computer" (Jansen & Ayers, 2007, p. 8).

Before the May publication, NIST also released a publication in March 2007 titled Cell Phone Forensic Tools: An Overview and Analysis Update, which described evidentiary data that can be available on different types of cell phones. They categorize phones into Basic, Advanced and High End. Appendix A contains an image taken from that publication that depicts the relationship between an advanced phone and the improvements in cellular technology, showing the possibility for more evidentiary data to be collected. The report states:

The diagram attempts to illustrate that more capable phones can capture and retain not only more information, but also more varied information, through a wider variety of sources, including removable memory modules, other wireless interfaces, and built-in hardware (Ayers, Jansen, Moenner, & Delaitre, 2007, p. 3).

Additionally, with the improvements of phones, there is an improvement of software. These improvements allow for different types of communications. A basic phone will communicate via text messaging using the Short Messaging Service (SMS), where an advanced phone will communicate via Extended Messaging Service (EMS) and the text will have the ability to send a simple picture message. The high end phone will support the Multimedia Message Service (MMS) to exchange sounds, text and color images. Not just text messaging is improved; with a high end phone the possibility exists to communicate via Instant Messaging (IM) and have full HTTP web access (Ayers et al., 2007).

Nelson et al. suggest there are four critical areas that an investigator needs to check for electronic information: the internal memory of the phone, the SIM (subscriber identity module) card, any external or removable memory cards, and the system server. If evidence is going to be requested from the system server, a search warrant or subpoena will be required because of wiretap laws. Memory storage on phones will be a combination of volatile and nonvolatile memory. Volatile memory requires power to maintain its contents, but power is not necessary for nonvolatile memory. Volatile memory often has data that change often, such as text messages, missed calls, and sometimes even user files. Nonvolatile memory has the data for the operating system files and stored user information. There is a significant amount of data on the SIM card, and that data would be divided into service-related data, such as identifiers for the SIM card and the subscribers; call data, such as numbers dialed; message information; and location information (Nelson et al., 2010).

External or removable memory cards simply extend the storage capacity of a cell phone. This allows an individual to store additional information beyond the capacity of the phone's built-in storage (Ayers et al., 2007, p. 6). This additional storage could contain pictures, documents, text files or any other type of photo, office or media file that could be found on a computer.

Computers, cellular phones and other devices can be rich sources of digital evidence that can be used to assist fire investigators with fire investigations. However, they are not the only source of digital evidence that can be used to assist with fire investigations. The cellular device must be connected to a cell or cellular tower to talk, text, or use the internet. It is not possible for the cellular phone to just connect with any cell or cell tower. There are a multitude of steps that must happen for the cellular device to connect with the tower, and much of that is outside the scope of this research. However, there is some important information that must be shared to identify the cell or cellular tower as a source of electronic evidence. The first is the identification of the cellular tower itself. NIST refers to a tower as a Base Transmitting Station (BTS). The BTS is positioned so that it has three distinct sectors of 120 degrees of coverage: 0 degrees north to 120 degrees Southeast, 120 degrees Southeast to 240 degrees Southwest, and 240 degrees Southwest to 30 degrees North. When a cellular phone is connected to the tower, the BTS and the sector involved are identified. In addition to the BTS and sector information, NIST identifies additional digital information that would be relevant to an investigator with fire investigations: the subscriber account data and call detail records are available to investigators (Jansen & Ayers, 2007, p. 8).
The Federal Bureau of Investigation had a case that was perplexing them, and they used data from cell towers to provide additional evidence that they were able to use to solve the case. There were 16 robberies of rural banks committed by two individuals in northern Arizona and Colorado in After a witness to one of the robberies stated that there had been a suspicious man hanging out by the bank on his cell phone a couple of hours before the robbery, the FBI asked a judge for a cell tower dump of an identified cell tower near the bank. The information that was provided to the FBI was the records of every cell phone registered with the particular tower at a particular time. The FBI requested the information for four cell tower dumps from the four most remote bank robberies. They then took this information, entered it into a database and looked for the numbers that matched from those four towers. There ended up being only two numbers that matched in the data pulled from the four towers; those numbers ended up belonging to the suspects, and they eventually confessed (Anderson, 2013).

Marie-Helen Maras also discusses the data that can be provided from cell towers. She states that:

Cell phones are constantly communicating with whichever signal tower is closest to them. Providers such as Sprint, Verizon, T-Mobile and AT&T keep track of which phone numbers are communicating with every signal tower at any given time. This information can then be used to plot out the course and subsequent locations of a mobile device. Evidence of this type has been used in many criminal investigations (Maras, 2012, p. 298).

Another piece of digital evidence that can be discovered and used in investigations is data recovered from social media. There are many sources of social media that are used by people to communicate and share information; two examples would be Facebook and Twitter. The International Association of Chiefs of Police Center for Social Media released a report in

February 2013 titled Developing a Policy on the Use of Social Media in Intelligence and Investigative Activities. The report addresses digital evidence that can be obtained from social media sites, and how to establish a policy that will allow the data to be obtained in a manner that is lawful and admissible. The article identifies that social media can be a valuable source of information where detectives use social media to assist with the identification and apprehension of criminal subjects. A criminal subject's Facebook page may be accessed to further support the identification of the subject or possibly some of their acquaintances. Social media can also be used to determine a timeline of events for a subject, but the Center for Social Media also warns that "as a source of information for lead development and follow-up, social media can be a valuable tool, but law enforcement personnel should always authenticate and validate any information captured from a social media site" (Global Justice Information Sharing Initiative, 2013, p. 15). The article concludes that social media sites and resources may be helpful to law enforcement for all of their duties (prevention, identification, investigation and prosecution), but there should be a social media policy and associated procedures (Global Justice Information Sharing Initiative, 2013).

Presenting the data in court requires that both the investigator and the software used to evaluate the data are competent. Nelson et al. identified two roles that a digital forensic examiner will be placed into if a case goes to trial: technical/scientific or expert. The technical/scientific witness provides only the facts that were discovered during the investigation. The expert witness will present their opinion about the evidence that was discovered during the investigation (Nelson et al., 2010).
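The cell tower dump comparison in the FBI bank robbery case described earlier (Anderson, 2013) comes down to finding the phone numbers registered at every tower around the time of each event. The following is an added example, not the FBI's code or any provider's record format; the column names, tower and sector labels, dates, phone numbers and time window are constructed assumptions.

```python
"""Intersecting cell tower dumps across several events (added example)."""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed records: one row per phone registration with a tower sector.
SAMPLE_DUMPS = """tower_id,sector,number,registered_at
T1,2,555-0101,2024-01-05T09:10:00
T1,2,555-0102,2024-01-05T09:12:00
T1,1,555-0150,2024-01-05T10:00:00
T1,3,555-0160,2024-01-05T10:40:00
T1,2,555-0170,2024-01-05T08:30:00
T2,1,555-0101,2024-01-19T08:45:00
T2,1,555-0102,2024-01-19T08:47:00
T2,3,555-0160,2024-01-19T09:00:00
T2,2,555-0170,2024-01-19T10:00:00
T3,3,555-0101,2024-02-02T11:20:00
T3,3,555-0102,2024-02-02T11:21:00
T3,1,555-0170,2024-02-03T11:00:00
T3,2,555-0180,2024-02-02T12:00:00
T4,1,555-0101,2024-02-16T07:50:00
T4,1,555-0102,2024-02-16T07:55:00
T4,2,555-0170,2024-02-16T09:00:00
T4,3,555-0190,2024-02-16T09:30:00
"""

# Constructed event times, one per tower (the tower nearest each incident).
SAMPLE_EVENTS = {
    "T1": datetime(2024, 1, 5, 11, 0),
    "T2": datetime(2024, 1, 19, 10, 30),
    "T3": datetime(2024, 2, 2, 13, 0),
    "T4": datetime(2024, 2, 16, 9, 45),
}


def load_records(text):
    """Parse the CSV dump into dict rows with a real datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["registered_at"] = datetime.fromisoformat(row["registered_at"])
        rows.append(row)
    return rows


def numbers_near_event(records, tower_id, event_time,
                       hours_before=3, hours_after=1):
    """Numbers registered with one tower inside the window around an event."""
    start = event_time - timedelta(hours=hours_before)
    end = event_time + timedelta(hours=hours_after)
    return {
        r["number"] for r in records
        if r["tower_id"] == tower_id and start <= r["registered_at"] <= end
    }


def towers_per_number(records, events, **window):
    """Count at how many event towers each number was seen in its window."""
    counts = Counter()
    for tower_id, when in events.items():
        counts.update(numbers_near_event(records, tower_id, when, **window))
    return counts


def common_numbers(records, events, **window):
    """Numbers present at every event tower: the 'matched' numbers."""
    counts = towers_per_number(records, events, **window)
    return sorted(n for n, seen in counts.items() if seen == len(events))


if __name__ == "__main__":
    recs = load_records(SAMPLE_DUMPS)
    print("seen at all towers:", common_numbers(recs, SAMPLE_EVENTS))
    for number, seen in sorted(towers_per_number(recs, SAMPLE_EVENTS).items()):
        print(number, "towers:", seen)
```

In the constructed data, 555-0170 registers with all four towers but falls outside the window at T3, so the time filter, not the tower list alone, is what narrows the result to two numbers.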
Maras identifies that "Computer forensics investigations have been conducted on computers, mobile devices, and other media, with the results of these investigations subsequently being presented as crucial evidence in the courtroom" (Maras, 2012, p. 324). The author went on to talk about how the court system can recognize a witness as an expert. She stated that:

"Specifically, to testify as experts, witnesses must possess specialized knowledge and experience with which to explain evidence and certain events in relation to the crime. However, there is no rule as to the level of knowledge required to qualify as a witness as a technical or expert witness in the field. For example, in United States v. Scott-Emuakpor, the court held that to be considered an expert witness in computer forensics, knowledge of how to develop a sophisticated software program is not required. Instead, the court stated that the expert should possess the skills needed to find evidence on a hard or Zip drive. Therefore, to provide testimony as a computer forensics witness, knowledge of electronic evidence recovery is required, but an investigator does not need to be trained as a computer forensic investigator. Thus an individual who is skilled in computer forensics but has not had formal training can still qualify as an expert" (Maras, 2012, p. 330).

A third-party certification was also discovered. Paraben's Certified Mobile Examiner is one such third-party certification, offered by Paraben Corporation. They have three levels of training that must be completed, a minimum time of experience, successful completion of a written exam at a score of 80% or greater and four practical application examinations ( In addition to the investigator presenting evidence either as a technical/scientific witness or as an expert, the software that was used by the investigator must also be recognized as valid software. NIST released a booklet in February 2012 titled Computer Forensics Tool Testing Handbook. This handbook was the result of a multiagency partnership that created a testing program for computer forensic tools. They call it the Computer Forensic Tool Testing program, and the program is designed to test how well a forensic tool performs core forensic functions. They also list the benefits of utilizing a tested forensic tool: assurance of what the tested tool's capabilities really are, limitations can be addressed and appropriate actions can be taken, and there is a head start in validating the tool in the lab. The handbook then shows the test results for 19 disk imaging tools, 10 forensic media preparation tools, 9 software write blocking tools, 24 hardware write blocking tools and 19 mobile device tools (Ayers et al., 2007).

To address the admissibility of the software that acquires the digital evidence, Brian Carrier published an article titled Open Source Digital Forensic Tools: The Legal Argument, which addresses digital forensic tools and their use in a legal setting. Evidence must be relevant and reliable to be admissible in a United States court. The reliability of scientific evidence is determined by a judge in a pre-trial Daubert hearing. The process of a Daubert hearing has four general categories used as guidelines to assess reliability. Those four categories are: testing, can and has the procedure been tested; error rate, is there a known error rate for the procedure; publication, has the procedure been published and subjected to peer review; and finally acceptance, has the procedure generally been accepted in the relevant scientific community (Carrier, 2002, p. 3).

Through the literature review, information was obtained regarding current digital investigation techniques, when to apply those investigation techniques to obtain evidence and how to ensure that the evidence is recognized in a court of law.

Procedures

The procedures section will detail how the literature was reviewed and identify why the people that were selected for interviews were experts in their subject matter. An initial literature review of digital forensics was conducted at the National Fire Academy Learning Resource Center (LRC) located in Emmitsburg, Maryland at the National Emergency Training Center. This review identified a significant limitation: there was only one relevant item on the subject matter of digital forensic investigations available at the LRC, and it was related to how state, local and other first responders preserve an electronic crime scene. Additional literature review was conducted utilizing the required textbooks for digital forensic certificate courses at Des Moines Community College, which this author has attended. This author was limited by the fact that there is no previous literature specifically on digital forensic investigations to assist with fire investigations. While the literature that this author did review provided information for the investigation of static or controlled scenes, there was no literature on digital forensic investigations that could be conducted at a scene that has been involved in a fire.

Information was gathered through nine personal interviews of subject matter experts in both fire investigations and digital forensic investigations. A personal interview was conducted with Bryan Burkhardt, who is a subject matter expert in digital forensic investigations, on September 13, 2013 in his office at 2006 S. Ankeny Blvd Building 3W, Ankeny, Iowa Mr. Burkhardt has experience with digital forensic investigations in the corporate environment, is the current director of the digital forensics investigation program at Des Moines Community College and provides technical assistance to members of the State of Iowa Electronic Crimes Task Force when requested.
He is also the lead instructor of digital forensic investigation for cellular phones at the Des Moines Electronic Crime Institute. We discussed the questions that were presented to him on April 11th, A copy of the questions that were sent to him can be found in Appendix B.

Personal communication was conducted with Matt Sauer, a subject matter expert in digital forensic investigations. He is the Special Agent in Charge of the Iowa Division of Criminal Investigation Cyber-Crime Unit Iowa Internet Crimes Against Children Task Force. His specialty is the digital forensic investigation of computers, both PC and Mac. He responded to my questions via e-mail on April 11th, 2013, and the questions are provided in Appendix B.

An additional interview was conducted with Darren Bjurstrom, who is a subject matter expert in police and fire investigations. He is currently assigned to the DMFD/DMPD Arson Task Force. He has been a member of the DMPD for 22 years, a detective for over 12 years and a member of the Arson Task Force for the last 6 years. He was chosen for his broad experience in criminal investigations and experience in fire investigations. He was interviewed on November 30th, 2013 in Des Moines, Iowa at the conclusion of a fire scene investigation; the questions that were presented to him are located in Appendix C.

Jack Kamerick is a subject matter expert in police and fire investigations. Jack has been a member of the DMPD for more than 25 years, has been a detective for more than 15 years and has been assigned to the Arson Task Force for the last 10 years. He was selected as a subject matter expert because of his broad experience in criminal investigations, fire investigations and some experience in using digital evidence to assist with fire investigations. He was interviewed in his office at the Des Moines Police Department Headquarters building, 25 E. 1st Street, Des Moines, Iowa on December 3rd, 2013; the questions that were asked of him are located in Appendix C.

Brad Fousek and Dave Knutzen are both subject matter experts in fire investigations; they were interviewed on December 4th, 2013 at the DMFD administrative headquarters located at 2715 Dean Avenue, Des Moines, Iowa The questions that were posed to them are located in Appendix D. Brad Fousek has been a member of the DMFD for over 34 years. He has been assigned to the DMFD/DMPD Arson Task Force for almost 20 years. He was chosen as an expert because of his rich experience in fire investigations and the opportunity to evaluate past fires where digital evidence could have assisted a fire investigation.

Danielle Galien is a subject matter expert in forensics; she has been a member of the DMPD Crime Scene Investigative Unit for over 12 years. Danielle has attended training for digital forensic investigation on cellular phones. She is also completing the requirements for the certificate program at Des Moines Community College in Digital Forensic Investigations. She was interviewed in the Des Moines Police Department Crime Scene office at 25 E. 1st Street, Des Moines, Iowa on December 3rd, The questions that were asked of her can be found in Appendix D.

Brent Curtis is a subject matter expert in police investigations and digital forensic investigations. He has been a member of the DMPD for over 20 years and has been the Detective assigned to Fraud and Computer Forensics for the past 8 years. He is assigned to cases through the DMPD but also assists the Iowa Internet Crimes Against Children Task Force. He was selected as a subject matter expert because of his broad experience in criminal proceedings and specifically his experience as a computer digital forensic investigator. On December 4, 2013 this author met with Mr. Curtis at his office at the Des Moines Police Department Headquarters building, 25 E. 1st Street, Des Moines, Iowa 50309; the questions that were asked of him are listed in Appendix F.

A personal interview was also conducted with Jonathan Lund, Fire Marshal for the City of Des Moines and subject matter expert on supervising fire investigators. Mr. Lund has been with the DMFD since He is a licensed Fire Protection Engineer, and has a Masters of Public Administration degree. He was chosen as a subject matter expert because of his responsibility to review all cases that are assigned to the DMFD fire investigators. He possesses personal knowledge of the rapid growth of mobile communication and understands that there may be tangible benefits to pursuing digital investigations to assist with fire investigations. The interview was conducted on Thursday, November 21st, 2013 in his office at the Des Moines Fire Department administrative building located at 2715 Dean Avenue, Des Moines, Iowa Appendix G lists the questions that were posed to him.

The historical data of the Des Moines Fire Department was obtained from the DMFD's record management system, Firehouse Software. A report is produced by entering parameters and querying the data. The data queried for 2011, 2012 and 2013 was the number of cases that were assigned to an investigator, the number of those cases that remained undetermined after investigation and the number of arrests. The only additional parameter used in 2013 was open case, to identify cases that could still result in a determined cause of the fire and an arrest.

To conclude the procedures, the persons selected for interviews are subject matter experts in their fields; additionally, the literature that was reviewed was relevant to digital forensic investigations and textbook theory.

Results

The applied research paper was completed using the descriptive research method to determine how the Des Moines Fire Department could utilize current digital forensic techniques to assist with fire investigations. The results were derived from personal interviews, literature review and statistical analysis of DMFD cases as listed in the procedures section of this paper. The following is a summary of the results from this author's research.

When analyzing the results of the first research question, "What type of current digital investigation techniques could be applied to fire investigations?", the review of the listed literature and personal interviews identified multiple opportunities for a fire investigator to identify and collect digital evidence. Marie-Helen Maras identified the opportunity to collect digital evidence from computers, cellular phones, and cellular towers (Maras, 2012). In Guide to Computer Forensics and Investigations, Nelson et al. identified computers, e-mails, cellular phones and other devices that could all be used to obtain digital evidence (Nelson et al., 2010). The Global Justice Information Sharing Initiative stated that social media sites and resources may be a helpful tool for law enforcement personnel in the prevention, identification, investigation and prosecution of crimes (Global Justice Information Sharing Initiative, 2013, p. 19).

Jack Kamerick provided practical examples from previous cases. When he was asked if he had used digital evidence in previous fire investigations, he stated that he had one particular case where he used Facebook posts that had been provided to him by a victim as a reason for a search warrant and preservation letter sent to Facebook. In that same case he subpoenaed the phone records of the suspect, and was able to use the information from the phone records to identify the location of the suspect's mobile device. This information was then used in an interview as a directed contradiction to previously made statements (J. Kamerick, personal interview, December 3rd, 2013).

Darren Bjurstrom also stated that, while he does not routinely use digital information in the investigation of fires, he had a particular investigation where a suspect made posts onto their Facebook page of their misconduct. The photo was noticed by a friend of the suspect and the investigators were contacted. During the interview of the suspect, the suspect was told of this information and admitted to their wrongdoing (D. Bjurstrom, personal interview, November 30th, 2013).

Bryan Burkhardt provided information by first defining digital forensics and then describing its use in fire investigations. He stated that forensics is the application of science for fact or law; when applied to digital investigations it was a series of repeatable events to derive facts or establish truth with respect to digital devices. Mr. Burkhardt then stated that all devices are capable of storing data in a digital manner and the amount of data could be overwhelming. He conceded that he is naïve with fire investigations but assured that digital investigations can assist in identifying the who and how of nearly any criminal investigation. Digital evidence could identify the amount of premeditation that a suspect performed. He continued by stating that most planning, research and communication is done today with digital devices and that can produce digital evidence. Evidence such as the location of a cellular device could be used as either inculpatory or exculpatory evidence (B. Burkhardt, personal interview, September 13th, 2013).

When Matt Sauer was asked to define digital forensic investigations, he stated that it was the act of collecting, analyzing and presenting results with regard to electronic devices that have the capability of storing data (M. Sauer, personal communication, April 11th, 2013). He went on to stipulate that a digital forensic investigator must ensure that the data is not altered and maintains the integrity of the original evidence. After the definition of digital forensics, Mr. Sauer stated that digital evidence has become increasingly common in most criminal investigations. Digital investigations began with stand-alone computers and have evolved to mobile devices. He stated that he felt that with fire investigations, suspects will often research various ways to start fires, or may search media stories and fire reports via the internet for fires they have started.
Lastly, he stated that the suspect often communicates, via text messaging and e-mail, with associates about their involvement (M. Sauer, personal communication, April 11th, 2013).

Very specific information regarding fire investigations was provided by Brad Fousek, who stated that he routinely tries to identify video footage of fires he investigates. He has used surveillance video from property owners, neighbors and neighboring businesses, and he feels that it is great digital evidence. Oftentimes this evidence assists in identifying a suspect at a scene at the time of a fire. He has also investigated fires where phone records were subpoenaed and were instrumental in identifying who a suspect spoke to, and where the suspect's mobile device was when the call was made. He was also involved in the case referenced earlier by Bjurstrom where a suspect made a post on Facebook of their criminal conduct and, when told of the evidence, the suspect subsequently confessed to the crime (B. Fousek, personal interview, December 4th, 2013).

Dave Knutzen had a recent fire investigation where the business had video surveillance cameras that were fed into a computer and stored as digital video files. The computer that was used to store the videos had been subjected to heat from the fire and water from the suppression of the fire. Once it was removed from the scene with the permission of the property owner, the computer was allowed to dry, power to the computer was restored and the surveillance video files were able to be viewed. The videos showed the origin of the fire and the investigators were able to determine that the cause was accidental. He also had another fire where one of the first-due company officers recognized the computer as part of the business surveillance system and removed the computer from the business; with the permission of the business owner they were able to view the video and identify that the fire was accidental. Mr. Knutzen has also been involved in cases where phone records were subpoenaed and used to contradict the statements


On the Trail of the Craigslist Killer: A Case Study in Digital Forensics On the Trail of the Craigslist Killer: A Case Study in Digital Forensics Presenters: Sharon Nelson and John Simek President and Vice President, Sensei Enterprises www.senseient.com snelson@senseient.com;

More information

CERTIFIED DIGITAL FORENSICS EXAMINER

CERTIFIED DIGITAL FORENSICS EXAMINER CERTIFIED DIGITAL FORENSICS EXAMINER KEY DATA Course Title: C)DFE Duration: 5 days CPE Credits: 40 Class Format Options: Instructor-led classroom Live Online Training Computer Based Training Who Should

More information

TECHNICAL OPERATIONS DIVISION LESSON PLAN

TECHNICAL OPERATIONS DIVISION LESSON PLAN U.S. DEPARTMENT OF HOMELAND SECURITY FEDERAL LAW ENFORCEMENT TRAINING CENTER OFFICE OF TRAINING OPERATIONS TECHNICAL OPERATIONS DIVISION LESSON PLAN CELL PHONE INVESTIGATIONS 3001 SEP/10 WARNING This document

More information

Digital Forensics. General Terms Cyber Crime, forensics models, Investigation, Analysis, digital devices.

Digital Forensics. General Terms Cyber Crime, forensics models, Investigation, Analysis, digital devices. Digital Forensics Ravneet Kaur, Amandeep Kaur Assistant Professor in Computer Science SDSPM College for Women, Rayya (Asr) Guru Nanak Dev University, India International Journal of Computer Applications

More information

PROFESSIONAL PROFILE EDUCATION

PROFESSIONAL PROFILE EDUCATION PROFESSIONAL PROFILE EDUCATION 1994 Iowa Western Community College Associate of Arts & Sciences EXPERIENCE 2012-Present 2008-2012 2003-2008 2002-Present 1999-2002 1998-2002 1980-1981 1979-1980 1995-1998

More information

STATE OF NEVADA Department of Administration Division of Human Resource Management CLASS SPECIFICATION

STATE OF NEVADA Department of Administration Division of Human Resource Management CLASS SPECIFICATION STATE OF NEVADA Department of Administration Division of Human Resource Management CLASS SPECIFICATION TITLE GRADE EEO-4 CODE SUPERVISORY CRIMINAL INVESTIGATOR II 43* D 13.241 SUPERVISORY CRIMINAL INVESTIGATOR

More information

CAREER: FORENSIC SCIENCE TECHNICIAN 1

CAREER: FORENSIC SCIENCE TECHNICIAN 1 CAREER: FORENSIC SCIENCE TECHNICIAN 1 Career: Forensic Science Technician Mary C. Cartwright Middlesex Community College CRJ 111-52 Heloisa DaCunha November 29, 2012 CAREER: FORENSIC SCIENCE TECHNICIAN

More information

DRILL OF THE MONTH INSTRUCTOR GUIDE. Teaching/Learning Materials: LCD and laptop for PowerPoint slides

DRILL OF THE MONTH INSTRUCTOR GUIDE. Teaching/Learning Materials: LCD and laptop for PowerPoint slides DRILL OF THE MONTH INSTRUCTOR GUIDE Title: CRIME / FIRE SCENE INVESTIGATION Time Required: 1-2 Hours Teaching/Learning Materials: LCD and laptop for PowerPoint slides References: Arson Detection for the

More information

ITM 642: Digital Forensics Sanjay Goel School of Business University at Albany, State University of New York

ITM 642: Digital Forensics Sanjay Goel School of Business University at Albany, State University of New York INSTRUCTOR INFORMATION Name: Sanjay Goel Email: goel@albany.edu Phone: (518) 442-4925 Office Location: BA 310b, University at Albany Office Hours: TBD CLASS INFORMATION Time: N/A Location: Online Dates:

More information

FIRE INVESTIGATOR LEAD EVALUATOR HANDBOOK

FIRE INVESTIGATOR LEAD EVALUATOR HANDBOOK LEAD EVALUATOR HANDBOOK Reference Material needed for this course: NFPA 1033: Standard for Professional Qualifications for fire Investigator, 2009 Edition Jones and Bartlett, Fire Investigator, 3 rd Edition

More information

Mobile Audio/Video Recorder Policy

Mobile Audio/Video Recorder Policy Mobile Audio/Video Recorder Policy 446.1 PURPOSE AND SCOPE The Fort Collins Police Services has equipped selected vehicles and officers with a Mobile Audio/Video Recording (MAV) system and also allows

More information

Cellebrite UFED Physical Pro Cell Phone Extraction Guide

Cellebrite UFED Physical Pro Cell Phone Extraction Guide Cellebrite UFED Physical Pro Cell Phone Extraction Guide By Colby Lahaie Patrick Leahy Center for Digital Investigation Champlain College May 16, 2012 Table of Contents 1 Introduction... 2 1.1 Research

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

Criminal Justice AA or AAS 2014 2015

Criminal Justice AA or AAS 2014 2015 PROGRAM INFORMATION BRIEF www.dmacc.edu Criminal Justice AA or AAS 2014 2015 For all campus information, call 515-964-6200 or 877-863-6222, extension 6200. Call this number to speak with an advisor about

More information

How To Get A Computer Hacking Program

How To Get A Computer Hacking Program CHFI v8(computer Hacking Forensics Investigator) Course Description & Overview Overview CHFIv8 Course Description EC-Council releases the brand new Version 8 of the Computer Hacking Forensics Investigator

More information

Evaluating Mobile Forensics Training & Certification Programs: 5 Questions to Ask

Evaluating Mobile Forensics Training & Certification Programs: 5 Questions to Ask Evaluating Mobile Forensics Training & Certification Programs: 5 Questions to Ask Table of Contents How to Evaluate Mobile Forensics Training...3 1. Does the vendor ground you in forensic best practices

More information

Guidelines on Digital Forensic Procedures for OLAF Staff

Guidelines on Digital Forensic Procedures for OLAF Staff Ref. Ares(2013)3769761-19/12/2013 Guidelines on Digital Forensic Procedures for OLAF Staff 1 January 2014 Introduction The OLAF Guidelines on Digital Forensic Procedures are internal rules which are to

More information

Information Technologies and Fraud

Information Technologies and Fraud Information Technologies and Fraud Florin Gogoasa CISA, CFE, CGEIT, CRISC ACFE Romania - Founder and Board member Managing Partner Blue Lab Consulting Information Technologies for Fraud investigation A.

More information

BOR 6432 Cybersecurity and the Constitution. Course Bibliography and Required Readings:

BOR 6432 Cybersecurity and the Constitution. Course Bibliography and Required Readings: BOR 6432 Cybersecurity and the Constitution Course Description This course examines the scope of cybercrime and its impact on today s system of criminal justice. Topics to be studied include: cybercrime

More information

Forensics on the Windows Platform, Part Two

Forensics on the Windows Platform, Part Two 1 of 5 9/27/2006 3:52 PM Forensics on the Windows Platform, Part Two Jamie Morris 2003-02-11 Introduction This is the second of a two-part series of articles discussing the use of computer forensics in

More information

EXAMINATION OUTLINE FOR PRIVATE INVESTIGATORS

EXAMINATION OUTLINE FOR PRIVATE INVESTIGATORS EXAMINATION OUTLINE FOR PRIVATE INVESTIGATORS 2014 I. Ethics (18%) This area assesses the candidate s ability to comply with ethical standards of private investigators regarding privacy rights, confidentiality,

More information

East Haven Police Department

East Haven Police Department East Haven Police Department Type of Directive: Policies & Procedures No. 410.2 Subject/Title: Issue Date: Preliminary Criminal Investigations July 29, 2014 Effective Date: References/Attachments: N/A

More information

Incident Response and Computer Forensics

Incident Response and Computer Forensics Incident Response and Computer Forensics James L. Antonakos WhiteHat Forensics Incident Response Topics Why does an organization need a CSIRT? Who s on the team? Initial Steps Detailed Project Plan Incident

More information

Introduction to Data Forensics. Jeff Flaig, Security Consultant January 15, 2014

Introduction to Data Forensics. Jeff Flaig, Security Consultant January 15, 2014 Introduction to Data Forensics Jeff Flaig, Security Consultant January 15, 2014 WHAT IS COMPUTER FORENSICS Computer forensics is the process of methodically examining computer media (hard disks, diskettes,

More information

Case Study: Smart Phone Deleted Data Recovery

Case Study: Smart Phone Deleted Data Recovery Case Study: Smart Phone Deleted Data Recovery Company profile McCann Investigations is a full service private investigations firm providing complete case solutions by employing cutting-edge computer forensics

More information

Automated Regional Justice Information System (ARJIS) Acceptable Use Policy for Facial Recognition

Automated Regional Justice Information System (ARJIS) Acceptable Use Policy for Facial Recognition Automated Regional Justice Information System (ARJIS) Acceptable Use Policy for Facial Recognition Revised: 02/13/2015 A. STATEMENT OF PURPOSE The purpose of this document is to outline the responsibilities

More information

EnCase Portable. Extend Your Forensic Reach with Powerful Triage & Data Collection

EnCase Portable. Extend Your Forensic Reach with Powerful Triage & Data Collection GUIDANCE SOFTWARE EnCase Portable EnCase Portable Extend Your Forensic Reach with Powerful Triage & Data Collection GUIDANCE SOFTWARE EnCase Portable EnCase Portable Triage and Collect with EnCase Portable

More information

YOUR CONTACT DETAILS (ADDRESS, PHONE, EMAIL etc.):

YOUR CONTACT DETAILS (ADDRESS, PHONE, EMAIL etc.): Justice WA YOUR NAME: YOUR CONTACT DETAILS (ADDRESS, PHONE, EMAIL etc.): TODAY S DATE: INDICATE WHO IS COMPLETING THIS FORM: Defendant Family Member of Defendant (Relationship : ) Friend of Defendant Other:

More information

IAPE STANDARDS SECTION 16 DIGITAL EVIDENCE

IAPE STANDARDS SECTION 16 DIGITAL EVIDENCE IAPE STANDARDS SECTION 16 DIGITAL EVIDENCE IAPE STANDARD SECTION 16.1 DIGITAL EVIDENCE Standard: Digital evidence is a critical element of modern criminal investigation that should be maintained in strict

More information

Computer Forensics. Securing and Analysing Digital Information

Computer Forensics. Securing and Analysing Digital Information Computer Forensics Securing and Analysing Digital Information Aims What is a computer? Where is the evidence? Why is digital forensics important? Seizing evidence Encryption Hidden files and folders Live

More information

Digital Forensic Techniques

Digital Forensic Techniques Digital Forensic Techniques Namrata Choudhury, Sr. Principal Information Security Analyst, Symantec Corporation Professional Techniques T23 CRISC CGEIT CISM CISA AGENDA Computer Forensics vs. Digital Forensics

More information

Design and Implementation of a Live-analysis Digital Forensic System

Design and Implementation of a Live-analysis Digital Forensic System Design and Implementation of a Live-analysis Digital Forensic System Pei-Hua Yen Graduate Institute of Information and Computer Education, National Kaohsiung Normal University, Taiwan amber8520@gmail.com

More information

Forensic Science : Course Syllabus Forensic Science : Secrets of the Dead

Forensic Science : Course Syllabus Forensic Science : Secrets of the Dead Forensic Science : Course Syllabus Forensic Science : Secrets of the Dead COURSE DESCRIPTION: Fingerprints. Blood spatter. DNA analysis. The world of law enforcement is increasingly making use of the techniques

More information

Evidence Technician s School

Evidence Technician s School Evidence Technician s School Program Overview The Evidence Technician s School is designed to provide your Evidence Technician or Crime Scene Investigator with a sound foundation of the basic principles

More information

CSI Crime Scene Investigations

CSI Crime Scene Investigations CSI Crime Scene Investigations Did Jack do it? Speaker Introductions Amber Schroader Paraben Corporation Oodles of forensic experience Tyler Cohen Federal Government (Still Cool Person) IPod Obsession

More information

Privacy Policy Version 1.0, 1 st of May 2016

Privacy Policy Version 1.0, 1 st of May 2016 Privacy Policy Version 1.0, 1 st of May 2016 THIS PRIVACY POLICY APPLIES TO PERSONAL INFORMATION COLLECTED BY GOCIETY SOLUTIONS FROM USERS OF THE GOCIETY SOLUTIONS APPLICATIONS (GoLivePhone and GoLiveAssist)

More information

Data Mining Minnesota Murder Victim s Cell Phone Reveals. Smoking Gun Evidence

Data Mining Minnesota Murder Victim s Cell Phone Reveals. Smoking Gun Evidence Data Mining Minnesota Murder Victim s Cell Phone Reveals Smoking Gun Evidence State v. Ferguson, 804 N.W.2d 586 (Minn. 2011) Introduction Television programs routinely show attorneys and investigators

More information

Goal to recognize, document and collect evidence at a crime scene

Goal to recognize, document and collect evidence at a crime scene Crime Scene Investigation and Evidence Collection Lecture Credits: Anthony (Bud) Bertino Goal to recognize, document and collect evidence at a crime scene Sherlock Holmes» Sir Arthur Conan Doyle in the

More information

CYBER FORENSICS. KRISHNA SASTRY PENDYALA Cyber Forensic Division Central Forensic Science Laboratory Hyderabad.

CYBER FORENSICS. KRISHNA SASTRY PENDYALA Cyber Forensic Division Central Forensic Science Laboratory Hyderabad. CYBER FORENSICS KRISHNA SASTRY PENDYALA Cyber Forensic Division Central Forensic Science Laboratory Hyderabad. 11 DIGITAL EVIDENCE? Cyber crimes Digital evidence Digital evidence is any information of

More information

Incident Response and Forensics

Incident Response and Forensics Incident Response and Forensics Yiman Jiang, President and Principle Consultant Sumus Technology Ltd. James Crooks, Manager - Advisory Services PricewaterhouseCoopers LLP UBC 2007-04-12 Outline Computer

More information

Principles of Information Security, Fourth Edition. Chapter 12 Information Security Maintenance

Principles of Information Security, Fourth Edition. Chapter 12 Information Security Maintenance Principles of Information Security, Fourth Edition Chapter 12 Information Security Maintenance Learning Objectives Upon completion of this material, you should be able to: Discuss the need for ongoing

More information

Test Results for Mobile Device Acquisition Tool: Lantern v2.3

Test Results for Mobile Device Acquisition Tool: Lantern v2.3 FEB. 203 U.S. Department of Justice Office of Justice Programs National Institute of Justice Special RepoRt Test Results for Mobile Device Acquisition Tool: Lantern v2.3 nij.gov Office of Justice Programs

More information

CONCEPT MAPPING FOR DIGITAL FORENSIC INVESTIGATIONS

CONCEPT MAPPING FOR DIGITAL FORENSIC INVESTIGATIONS Chapter 22 CONCEPT MAPPING FOR DIGITAL FORENSIC INVESTIGATIONS April Tanner and David Dampier Abstract Research in digital forensics has yet to focus on modeling case domain information involved in investigations.

More information

The Enhanced Digital Investigation Process Model

The Enhanced Digital Investigation Process Model The Enhanced Digital Investigation Process Model Venansius Baryamureeba and Florence Tushabe barya@ics.mak.ac.ug, tushabe@ics.mak.ac.ug Institute of Computer Science, Makerere University P.O.Box 7062,

More information

Admissibility of Digital Photographs in Criminal Trials

Admissibility of Digital Photographs in Criminal Trials Admissibility of Digital Photographs in Criminal Trials Keith Hodges, Senior Instructor, Keith.Hodges@dhs.gov Federal Law Enforcement Training Center Glynco, GA 1 What we will discuss Digital photos captured

More information

Course Forensic Science. Unit II History

Course Forensic Science. Unit II History Course Forensic Science Unit II History Essential Question What is legally and ethically expected of forensic scientists and Crime Scene Investigators? TEKS 130.295(c) (4)(C) Prior Student Learning History

More information

County of Monterey DISTRICT ATTORNEY INVESTIGATOR I

County of Monterey DISTRICT ATTORNEY INVESTIGATOR I DISTRICT ATTORNEY INVESTIGATOR I DEFINITION Under supervision, investigates cases of suspected welfare fraud and other criminal activity to obtain facts and evidence in support of administrative action

More information

ITU Session Four: Device Imaging And Analysis. Mounir Kamal Q-CERT

ITU Session Four: Device Imaging And Analysis. Mounir Kamal Q-CERT ITU Session Four: Device Imaging And Analysis Mounir Kamal Q-CERT 2 Applying Forensic Science to Computer Systems Like a Detective, the archaeologist searches for clues in order to discover and reconstruct

More information

How To Be A Computer Forensics Examiner

How To Be A Computer Forensics Examiner Richard A. Peacock 410.346.7288 (Office) 443.398.5246 (Cell) rich@realforensicanalysis.com EnCase Certified Examiner (EnCE) Access Data Certified Examiner (ACE) Access Data Mobile Phone Certified Examiner

More information

DIGITAL FORENSIC INVESTIGATION, COLLECTION AND PRESERVATION OF DIGITAL EVIDENCE. Vahidin Đaltur, Kemal Hajdarević,

DIGITAL FORENSIC INVESTIGATION, COLLECTION AND PRESERVATION OF DIGITAL EVIDENCE. Vahidin Đaltur, Kemal Hajdarević, DIGITAL FORENSIC INVESTIGATION, COLLECTION AND PRESERVATION OF DIGITAL EVIDENCE Vahidin Đaltur, Kemal Hajdarević, Internacional Burch University, Faculty of Information Technlogy 71000 Sarajevo, Bosnia

More information

Computer Forensics as an Integral Component of the Information Security Enterprise

Computer Forensics as an Integral Component of the Information Security Enterprise Computer Forensics as an Integral Component of the Information Security Enterprise By John Patzakis 10/28/03 I. EXECUTIVE SUMMARY In addition to fending off network intrusions and denial of service attacks,

More information

CURRICULUM VITAE MOSES GOMEZ

CURRICULUM VITAE MOSES GOMEZ CURRICULUM VITAE MOSES GOMEZ Areas of Specialization: Fire Investigation and Litigation Consulting Motion Picture/TV and Theatrical/Stage Pyrotechnic Special Effects Pre-Planning Safety Inspections, Training,

More information

Piecing Digital Evidence Together. Company Information

Piecing Digital Evidence Together. Company Information Piecing Digital Evidence Together Company Information About IntaForensics About Us Established in 2006, IntaForensics has grown to become one of the leading providers of digital forensic services in the

More information

A White Paper from AccessData Group. The Future of Mobile E-Discovery

A White Paper from AccessData Group. The Future of Mobile E-Discovery A White Paper from AccessData Group The Future of Mobile E-Discovery Contents 1. The changing landscape of e-discovery 2. New expectations in the courtroom 3. Mobile discovery within corporations 4. MPE+

More information