Running head: DIGITAL EVIDENCE

Digital Evidence: How can the Des Moines Fire Department utilize this evidence in fire investigations?

Mark Dooley
Des Moines Fire Department, Des Moines, IA
Certification Statement

I hereby certify that this paper constitutes my own product, that where the language of others is set forth, quotation marks indicate, and that appropriate credit is given where I have used the language, ideas, expressions, or writings of another.

Signed: Mark H. Dooley
Abstract

The investigation of a fire scene has been difficult and there may be evidence that was not gathered by the investigator. The problem is that the Des Moines Fire Department (DMFD) does not currently use digital forensic investigation techniques to assist investigators during fire investigations. The potential consequence of not using these techniques is that there is evidence that may assist investigators that is not being identified. The purpose of this research is to identify factors that will allow the DMFD to implement current digital forensic investigation techniques during fire investigations. A research methodology was utilized to answer the following research questions: 1) What type of current digital investigation techniques could be applied to fire investigations? 2) When would current digital forensic investigation techniques be utilized in fire investigations? 3) What qualifications are required to be recognized as an expert witness utilizing current digital investigation techniques? The procedures utilized to complete this research will include subject matter experts in the fields of fire investigations, police investigations and digital forensics. The results of this research led to three primary recommendations: a) provide education, b) improve the collection of digital forensic evidence that will assist with fire investigations, and c) evaluate opportunities to obtain funding for a digital forensic investigation team. This will improve the professionalism of DMFD and expand the opportunity to gather evidence that could be used to increase the number of arrests and therefore provide a safer community for the citizens of Des Moines.
Table of Contents

Certification Statement
Abstract
Table of Contents
Introduction
Background and Significance
Literature Review
Procedures
Results
Discussion
Recommendations
References
Appendix A: Phone Software Components
Appendix B: Questionnaire to digital forensic subject matter experts
Appendix C: Interview questions asked to police and fire subject matter experts
Appendix D: Interview questions asked to fire subject matter experts
Appendix E: Interview questions asked to forensic subject matter expert
Appendix F: Interview questions asked to police and digital forensic subject matter expert
Appendix G: Interview questions asked of the City of Des Moines Fire Marshal
Digital Evidence: How can the Des Moines Fire Department utilize this evidence in fire investigations?

Fire departments have the authority to investigate the cause, origin, and circumstances of fires that occur in their jurisdiction according to the 2009 edition of the International Fire Code (International Code Council [ICC], 2009, p. 3). This is the case for the Des Moines Fire Department. The Des Moines Fire Department has two dedicated members and two additional part-time members that are responsible for investigating fires and malicious false alarms inside the city limits of Des Moines ("The Des Moines Arson Task Force," n.d.).

The research problem is that the Des Moines Fire Department does not currently use digital forensic investigation techniques to assist investigators during fire investigations. The potential consequence of not using these techniques is that there is evidence that may assist investigators that is not being identified. The unidentified evidence leads to assigned cases remaining undetermined after investigation and also reduces the likelihood of arson suspects being arrested and charged.

The purpose of this research is to identify the factors that will allow the Des Moines Fire Department to implement current digital forensic investigation techniques during fire investigations. By identifying current digital forensic investigation techniques, the correct application of digital forensic evidence investigation to fire investigations, and the skill set necessary to conduct digital evidence investigations in a forensically sound manner, it is hoped that the Des Moines Fire Department will be able to recognize the benefits of digital evidence investigations.

To accomplish this research the following questions will be used to support a research methodology: 1) What type of current digital investigation techniques could be applied to fire
investigations? 2) When would current digital forensic investigation techniques be utilized in fire investigations? 3) What qualifications are required to be recognized as an expert witness utilizing current digital investigation techniques?

These questions will be researched using a descriptive research method to determine if current digital forensic investigation techniques can benefit the Des Moines Fire Department during fire investigations. Research will be done by utilizing information gathered through interviews of recognized experts in the field of digital forensics. Research will also be conducted to see if other fire departments are utilizing current digital forensic techniques for fire investigations. Finally, research will be conducted as to courses and certifications that assist an investigator in applying scientific methodology to current digital forensic investigation techniques during fire investigations. At the conclusion of the research, information will be provided that identifies the factors necessary to allow the Des Moines Fire Department to implement digital forensic investigation techniques to assist with fire investigations.

Background and Significance

The Des Moines Fire Department (DMFD) is a full service department that provides fire suppression, Emergency Medical Services Advanced Life Support transportation, hazardous materials intervention at the specialist level, swift water emergency rescues, and high and low angle rescues as part of our daily operations section. The department also has a fire prevention section that is responsible for public education, engineering review, fire investigations and code enforcement.

The DMFD is charged with investigating all fires within the city limits. The responsibility for those investigations ultimately lies with the fire chief, but the DMFD has two members of the department, assigned to the fire prevention section, whose full-time responsibility
is to investigate fires and malicious false alarms. When either of those members is not able to cover their assigned shift, there are two additional members from the fire prevention section who will fill in and investigate fires and malicious false alarms. Each of the fire investigators works with a partner from the Des Moines Police Department (DMPD). The team approach allows for continuity of the case from the time it is assigned, until completion, with each member of the team bringing expertise and experience from their career discipline.

Fire scenes are difficult to investigate; in the introduction chapter of Kirk's Fire Investigation, 7th edition, the author states, "due to the complex nature of the event, where fire often deforms or distorts the evidence, fire investigation is among the most difficult forensic sciences to practice" (DeHaan & Icove, 2012, p. 2). Additionally, it is noted in chapter 4 of the National Fire Protection Association NFPA 921 Guide for Fire and Explosion Investigations 2011 edition that, "A fire or explosion investigation is a complex endeavor involving skill, technology, knowledge and science" (National Fire Protection Association [NFPA], 2011, p ). These are recommended national guides and standards that the DMFD follows in all of their investigations. The DMFD investigators all meet the minimum professional qualifications for fire investigator that are listed in National Fire Protection Association Guide 1033, specifically those listed in Section 1.3.8:

The investigator shall have and maintain at a minimum an up-to-date basic knowledge of the following topics beyond the high school level at a post-secondary education level: (1) Fire science (2) Fire chemistry (3) Thermodynamics (4) Thermometry (5) Fire dynamics (6) Explosion dynamics (7) Computer fire modeling (8) Fire investigation (9) Fire analysis (10) Fire investigation methodology (11) Fire
investigation technology (12) Hazardous materials (13) Fire analysis and analytical tools (National Fire Protection Association [NFPA], 2009, p )

The investigators of the DMFD also apply the scientific method to fire investigations as recommended by NFPA 921 section 4.4 Basic Method of Fire Investigation. This method includes receiving an assignment, preparing for the investigation, conducting the investigation, collecting and preserving evidence, analyzing the incident and conclusions (NFPA, 2011, p & 19).

In 2011 the Des Moines Fire Department responded to 19,693 calls (Des Moines Fire Department [DMFD], 2011). For 2012 the Des Moines Fire Department responded to 20,710 calls (Des Moines Fire Department [DMFD], 2012). Through November 28th, 2013 the city of Des Moines Fire Department responded to 19,551 calls for assistance (Des Moines Fire Department [DMFD], 2013). The fire investigators were assigned to investigate malicious false alarms, fires where the on-scene officer could not make a determination of the cause of the fire, and fires that resulted in the injury or death of a civilian or firefighter. In 2011 the fire investigators were assigned 685 cases (Des Moines Fire Department [DMFD], 2011, p. 15). Of those 685 cases there were 49 cases that remained undetermined after investigation and there were 21 cases that resulted in an arrest (Des Moines Fire Department [DMFD], 2011, p. 2). For 2012 the fire investigators were assigned 781 cases (Des Moines Fire Department [DMFD], 2012, p. 17). From those cases there were 18 arrests and 96 cases that remained undetermined after investigation (Des Moines Fire Department [DMFD], 2012). As of November 28th, 2013 the Des Moines Fire Department fire investigators have been assigned 540 cases (Des Moines Fire Department [DMFD], 2013, p. 12). From those 540 cases there were 54 cases that remained
undetermined after investigation, there have been 12 arrests and there are 153 open cases (Des Moines Fire Department [DMFD], 2013, p. 2).

This Applied Research Paper (ARP) addresses curriculum that was presented in the author's attendance of the National Fire Academy course: Executive Development (ED) describing the challenges an authority figure is likely to encounter in team development (United States Fire Administration [USFA], 2012, p. 131). Additionally, this ARP will support one of the United States Fire Administration's five operational objectives to improve the fire and emergency services professional standards (United States Fire Administration, 2010, p. 3).

Literature Review

The review of literature for this ARP is critical to identify what information is available in the field of digital evidence investigation. Specifically, it covers current digital investigation techniques that could be applied to fire investigations, when to apply those investigation techniques, and the qualifications necessary to ensure that the investigative techniques were forensically sound and able to be recognized in a court of law. This literature review focused on practices being used by and taught to agencies currently involved with or studying digital evidence, difficulties and successes with the use and presentation of digital evidence, and finally courses and certifications that allow for recognition of the digital evidence in a court of law. The relevant literature to these subject areas has been summarized to make sure adequate background information has been provided to understand this topic.

In today's society many have come to rely on the plethora of information that is readily available via electronic means. One can simply use any internet search engine and find information on nearly anything imaginable. This information search, whether it is done on a
home based computer, a laptop computer, a tablet or a smart phone will most likely leave some evidence of the search. Marie-Helen Maras has written a book, Computer Forensics: Cybercriminals, Laws and Evidence, in which she states, "computers can be an incidental aspect of the commission of the crime and may contain information about the crime" (Maras, 2012, p. 5).

To address the research question of what type of current digital investigation techniques could be applied to fire investigations, this author researched and identified different investigation techniques and currently used language. In chapter 2 of her book Maras defines computer forensics as, "a branch of forensic science that focuses on criminal procedure law and evidence as applied to computers and related devices" (Maras, 2012, p. 27). She continued to explain that the science is applied to the process of obtaining, processing, analyzing and storing the digital information, and that the information obtained is not just from computers but from other electronic devices such as mobile phones, cameras, CDs, DVDs, USB flash drives, iPods and even gaming consoles (Microsoft's Xbox) (Maras, 2012, p. 27).

It is also important to identify what digital evidence is. Continuing in chapter 2 of her book, Maras has a section titled Electronic Evidence: What is it? She describes evidence as, "any object or piece of information that is relevant to the crime being investigated and whose collection was lawful." She continues to identify that evidence is wanted to prove a crime has happened, link a person to a crime, disprove or support testimony, identify a suspect, provide investigative leads or eliminate a suspect from further consideration. She then describes electronic evidence as "information extracted from computer systems or other digital devices used to prove or disprove an offense or crime" (Maras, 2012, p. 35).
In addition to Maras, the authors Nelson, Phillips and Steuart released Guide to Computer Forensics and Investigations, where they identify digital evidence as, "any information stored or transmitted in digital form." They went on to state that United
States courts accept digital evidence as physical evidence, making it a tangible item (Nelson, Phillips, & Steuart, 2010, p. 150).

The authors assert that evidence collected from electronic devices, in a forensic manner, is digital evidence and can be used in a criminal investigation. The evidence is tangible and used to prove or disprove a crime, but to get the information from an electronic device to a point where it can be presented in court requires the use of specialized tool kits equipped for computer forensic investigations. Marie-Helen Maras states that, "these toolkits allow computer forensic investigators to collect, store, preserve and transport forensic evidence" (Maras, 2012, p. 190). The tool kit will not be just a single tool to conduct a forensic investigation; the digital item that is being investigated will determine what equipment will be used for the investigation. However, to begin an investigation, the digital forensic investigator must not be able to modify the data that is being evaluated.

Brian Carrier stated that, at the most basic level, digital forensics has three major phases: acquisition, analysis, and presentation. The acquisition phase is saving the state of a digital system to be analyzed later, similar to photographs or blood samples at a crime scene (Carrier, 2002, p. 2). The tool that would be required to acquire digital evidence would be a write blocker, which allows data to be transferred from the suspect source to a trusted source but does not allow data to be transferred from the trusted source back to the suspect source.

Nelson et al. in their book describe five tasks that are performed by computer forensic tools: acquisition, validation and discrimination, extraction, reconstruction and reporting. The first task that they describe is acquisition, which is making a copy of the original drive. A copy is made to preserve the original drive, making sure that it is not corrupted and the digital evidence is not damaged.
Acquisition can include making a physical data copy or a logical data copy. A reason that an investigator would choose a logical acquisition would be because of drive encryption. If
an encrypted disk is copied it remains unreadable data; with a logical acquisition, an investigator can still read and analyze the files. The disadvantage of a logical acquisition is that it requires a live acquisition. Two acquisition tools are EnCase and AccessData Forensic Tool Kit (FTK) (Nelson et al., 2010).

A digital forensic investigator must also verify that the data was not manipulated during the acquisition by using a hash algorithm. This algorithm is applied to the suspect data and the transferred data, and when the two results are equal it proves that there was no manipulation of the data. Nelson et al. refer to this task as validation. From validation, the next task that Nelson et al. list is discrimination. Discrimination is the process of removing good data from suspicious data. Good data is data from known files such as operating system files and common programs. Removing the known good files reduces the amount of remaining data that must be evaluated by the investigator (Nelson et al., 2010).

The second phase listed by Carrier is the Analysis Phase, where the data acquired from the suspect source is examined for pieces of evidence. He continued by listing three pieces of evidence: inculpatory evidence, which supports a given theory; exculpatory evidence, which contradicts a given theory; and evidence of tampering, which cannot be related to any theory but shows that the system was tampered with to avoid identification (Carrier, 2002, p. 2).

Nelson et al. list extraction as their third task and define it as the recovery task in computing investigation. They state that extraction includes data viewing, keyword searching, carving, decrypting and bookmarking. Data viewing is the method in which the data is viewed; it can be viewed as a logical drive structure, which identifies folders and files, or as allocated file data and unallocated disk area displayed with special file and disk viewers, making analysis and clue collection easier.
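The validation and discrimination tasks described above can be shown in a short Python sketch. This is an added example, not code from the paper or from EnCase or FTK; the choice of SHA-256, the function names and the file contents are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # read in 1 MiB pieces so a large image never sits in memory


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def validate_acquisition(source_path, copy_path):
    """Validation: hash the suspect data and the copy; equal digests mean equal contents."""
    source_hash = sha256_file(source_path)
    copy_hash = sha256_file(copy_path)
    return {"source": source_hash, "copy": copy_hash, "match": source_hash == copy_hash}


def discriminate(evidence_root, known_good_hashes):
    """Discrimination: split files into known-good and still-to-review by content hash."""
    known, review = [], []
    for path in sorted(Path(evidence_root).rglob("*")):
        if not path.is_file():
            continue
        relative = path.relative_to(evidence_root).as_posix()
        if sha256_file(path) in known_good_hashes:
            known.append(relative)
        else:
            review.append(relative)
    return known, review


def demo():
    """Build constructed sample data in a temporary directory and run both tasks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)

        # Constructed stand-in for the suspect drive and two copies of it.
        source = root / "suspect.bin"
        source.write_bytes(b"constructed suspect drive contents " * 1000)
        good_copy = root / "image_ok.bin"
        good_copy.write_bytes(source.read_bytes())
        altered = bytearray(source.read_bytes())
        altered[100] ^= 0x01  # a single flipped bit is enough to change the digest
        bad_copy = root / "image_altered.bin"
        bad_copy.write_bytes(bytes(altered))

        # Constructed file tree standing in for the acquired file system.
        evidence = root / "mounted"
        (evidence / "system").mkdir(parents=True)
        (evidence / "users").mkdir()
        os_file = b"constructed operating system file"
        (evidence / "system" / "kernel.sys").write_bytes(os_file)
        (evidence / "users" / "notes.txt").write_bytes(b"constructed user note")
        # Same bytes under a different name: matching is by content, not by name.
        (evidence / "users" / "holiday.jpg").write_bytes(os_file)

        known_good = {hashlib.sha256(os_file).hexdigest()}
        known, review = discriminate(evidence, known_good)
        return (
            validate_acquisition(source, good_copy)["match"],
            validate_acquisition(source, bad_copy)["match"],
            known,
            review,
        )


if __name__ == "__main__":
    ok, tampered, known, review = demo()
    print("faithful copy matches:", ok)
    print("altered copy matches:", tampered)
    print("filtered as known good:", known)
    print("left for the investigator:", review)
```

Because files are matched on content rather than name, a known file that has merely been renamed is still filtered out, while a user file with an altered extension stays in the review set.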
Keyword searching is done by entering keywords of interest in the
investigation. This allows the investigator to speed up the analysis process. Carving is the process of reconstructing fragments of files that have been deleted from the suspect drive. Often, investigators need to extract data from unallocated disk space. Encrypted files and encrypted systems can be problematic for investigations. Often, investigators must use recovery tools that allow for password dictionary attacks or brute force attacks on encrypted files. Bookmarking is labeling evidence that has been discovered so that it can be referred to later (Nelson et al., 2010).

The fourth task listed by Nelson et al. as a task completed by computer forensic tools was reconstruction. Reconstruction is defined as re-creating a suspect drive to show exactly what happened during a crime or incident. Another reason for reconstruction is to allow other investigators to have a fully functional drive for their own investigations. For validation and discrimination, extraction and reconstruction, both EnCase and AccessData FTK were listed as commercial software tools that can assist investigators with their investigations.

The third and final phase that Carrier listed was the presentation phase. Here he stated that the evidence that was acquired and analyzed must be presented to the audience in a manner that is based on policy and law (Carrier, 2002, p. 3). Nelson et al. stated, "to complete a forensics disk analysis and examination, you need to create a report." They went on to state that forensic tools such as EnCase and FTK produce a log report that lists the steps that an investigator took acquiring data from the suspect drive (Nelson et al., 2010, p. 271).

Some digital evidence that was identified as being discoverable in a computer included files that were created by a user, files protected by a user and files created by the computer. Files that are created by a user include word files, text, spreadsheet, image, graphics, audio and video files.
The data in these files often provide evidence about the author of the file and the company who the document belongs to; the computer owner; the date and time the file was created; the
time and date the file was modified and saved and the last time and date that the file was printed. Additional files that are created by the computer user are calendars, web browser history and e-mails that have been created and read by the user. Files that are protected by a computer user would be files that have been renamed or had their extensions changed, files that have been deleted by the computer user and files encrypted by the user.

Finally, there are files that are created on the computer by the computer itself. These files are event logs, which automatically record events occurring within a computer as an audit trail. These files include application logs, security logs, setup logs and system logs. The security log is considered the most important event log because of the recording of all log-in attempts and activities of the computer user. Additional files that are created by the computer include history files, where the computer's operating system collects data about websites visited by the user; and cookies, which are files created by websites that are stored on a user's hard drive when a user visits a particular website. Finally, temporary files are files that are created by the computer without the user's knowledge. Examples include unsaved documents, websites browsed, online searches, user names and passwords (Maras, 2012).

While it is difficult to expect that digital evidence would be able to be extracted from an electronic device that was involved in a fire, it is possible for electronic evidence to be present at a fire scene from other electronic devices such as cellular phones. According to a recent survey conducted by Pew Research Center, 91 percent of adults interviewed are using cell phones (Rainie, 2013, p. 1). The cell phone can be a great source of electronic evidence for an investigator, because of all of the electronic data that is produced by the cellular phone.
In another survey conducted by Pew Research Center 56 percent of American adults are now smartphone owners (Smith, 2013, p. 1). Finally, a third report from Pew Research showed that
percent of cell phone owners use their phone to go online, which is double the number of owners online since 2009 (Duggan & Smith, 2013, p. 2).

The National Institute of Standards and Technology (NIST) released a special publication in May of 2007 titled Guidelines on Cell Phone Forensics: Recommendations of the National Institute of Standards and Technology. This guideline provided a significant amount of material for this author's paper. Similar to the definition of computer forensics that was used by Maras, NIST defines mobile phone forensics as, "the science of recovering digital evidence from a mobile phone under forensically sound conditions using accepted methods" (Jansen & Ayers, 2007, p. 6). NIST also identifies a difficult challenge regarding cell phones, the continued upgrade of technology. The report states, "cell phones vary in design and are continually undergoing change as existing technologies improve and new technologies are introduced" (Jansen & Ayers, 2007, p. 6). Another difficulty in the advancement of technology is the processes that can be completed by cell phones, specifically, smart phones. NIST recognizes this and states in their report, "mobile phones are highly mobile communications devices that perform an array of functions ranging from that of a simple digital organizer to that of a low-end computer" (Jansen & Ayers, 2007, p. 8).

Before the May publication, NIST also released a publication in March 2007 titled Cell Phone Forensic Tools: An Overview and Analysis Update, which described evidentiary data that can be available on different types of cell phones. They categorize the phones into Basic, Advanced and High End. Appendix A contains an image taken from that publication that depicts the relationship between an advanced phone and the improvements in cellular technology, showing the possibility for more evidentiary data to be collected. The report states:
The diagram attempts to illustrate that more capable phones can capture and retain not only more information, but also more varied information, through a wider variety of sources, including removable memory modules, other wireless interfaces, and built-in hardware (Ayers, Jansen, Moenner, & Delaitre, 2007, p. 3).

Additionally, with the improvements of phones, there is an improvement of software. These improvements allow for different types of communications: a basic phone will communicate via text messaging using the Short Messaging Service (SMS), where an advanced phone will communicate via Extended Messaging Service (EMS) and the text will have the ability to send a simple picture message. The high end phone will support the Multimedia Message Service (MMS) to exchange sounds, text and color images. Not just text messaging is improved; with a high end phone the possibility exists to communicate via Instant Messaging (IM) and have full HTTP web access (Ayers et al., 2007).

Nelson et al. suggest there are four critical areas that an investigator needs to check for electronic information: the internal memory of the phone, the SIM (subscriber identity module) card, any external or removable memory cards and the system server. If evidence is going to be requested from the system server, a search warrant or subpoena will be required because of wiretap laws. Memory storage on phones will be a combination of volatile and nonvolatile memory. Volatile memory requires power to maintain its contents, but power is not necessary for nonvolatile memory. Volatile memory often has data that change often, such as text messages, missed calls, and sometimes even user files. Nonvolatile memory has the data for the operating system files and stored user information. There is a significant amount of data on the SIM card and that data would be divided into service-related data, identifiers for the SIM card and the subscribers; call data, such as numbers
dialed; message information and location information (Nelson et al., 2010). External or removable memory cards simply extend the storage capacity of a cell phone. This allows an individual to store additional information beyond the capacity of the phone's built-in storage capacity (Ayers et al., 2007, p. 6). This additional storage could contain pictures, documents, text files or any other type of photo, office or media file that could be found on a computer.

Computers, cellular phones and other devices can be rich sources of digital evidence that can be used to assist fire investigators with fire investigations. However, that is not the only source of digital evidence that can be used to assist with fire investigations. The cellular device must be connected to a cell or cellular tower to talk, text, or use the internet. It is not possible for the cellular phone to just connect with any cell or cell tower. There are a multitude of steps that must happen for the cellular device to connect with the tower, and much of that is outside the scope of this research. However, there is some important information that must be shared to identify the cell or cellular tower as a source of electronic evidence. The first is the identification of the cellular tower itself. NIST refers to a tower as a Base Transmitting Station (BTS); the BTS is positioned so that it has three distinct sectors of 120 degrees of coverage: 0 degrees north to 120 degrees Southeast, 120 degrees Southeast to 240 degrees Southwest and 240 degrees Southwest to 30 degrees North. When a cellular phone is connected to the tower, the BTS and the sector involved are identified. In addition to the BTS and sector information, NIST continues to identify additional digital information that would be relevant to an investigator with fire investigations; the subscriber account data and call detail records are available to investigators (Jansen & Ayers, 2007, p. 8).
The Federal Bureau of Investigation had a case that was perplexing them, and they used data from cell towers to obtain additional evidence that they were able to use to solve the
case. There were 16 robberies of rural banks committed by two individuals in northern Arizona and Colorado in After a witness to one of the robberies stated that there had been a suspicious man hanging out by the bank on his cell phone a couple of hours before the robbery, the FBI asked a judge for a cell tower dump of an identified cell tower near the bank. The information that was provided to the FBI was the records of every cell phone registered with the particular tower at a particular time. The FBI requested the information for four cell tower dumps from the four most remote bank robberies. They then took this information, entered it into a database and looked for the numbers that matched from those four towers. There ended up being only two numbers that matched across the data pulled from the four towers; those numbers ended up belonging to the suspects, and they eventually confessed (Anderson, 2013).

Marie-Helen Maras also discusses the data that can be provided from cell towers. She states that:

Cell phones are constantly communicating with whichever signal tower is closest to them. Providers such as Sprint, Verizon, T-Mobile and AT&T keep track of which phone numbers are communicating with every signal tower at any given time. This information can then be used to plot out the course and subsequent locations of a mobile device. Evidence of this type has been used in many criminal investigations (Maras, 2012, p. 298).

Another piece of digital evidence that can be discovered and used in investigations is data that is recovered from social media. There are many sources of social media that are used by people to communicate and share information; two examples would be Facebook and Twitter. The International Association of Chiefs of Police Center for Social Media released a report in
February 2013 titled Developing a Policy on the Use of Social Media in Intelligence and Investigative Activities. The report addresses digital evidence that can be obtained from social media sites, and how to establish a policy that will allow the data to be obtained in a manner that is lawful and admissible. The article identifies that social media can be a valuable source of information where detectives use social media to assist with the identification and apprehension of criminal subjects. A criminal subject's Facebook page may be accessed to further support the ID of the subject or possibly some of their acquaintances. Social media can also be used to determine a timeline of events for a subject, but the Center for Social Media also warns that as a source of information for lead development and follow-up, social media can be a valuable tool, but law enforcement personnel should always authenticate and validate any information captured from a social media site (Global Justice Information Sharing Initiative, 2013, p. 15). The article concludes that social media sites and resources may be helpful to law enforcement for all of their duties (prevention, identification, investigation and prosecution), but there should be a social media policy and associated procedures (Global Justice Information Sharing Initiative, 2013).

Presenting the data in court requires that both the investigator and the software used to evaluate the data are competent. Nelson et al. identified two roles that a digital forensic examiner will be placed into if a case goes to trial: technical/scientific or expert. The technical/scientific witness provides only the facts that were discovered during the investigation. The expert witness will present their opinion about the evidence that was discovered during the investigation (Nelson et al., 2010).
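The tower-dump comparison from the bank robbery case described earlier comes down to a set intersection over the numbers registered at each tower. The Python sketch below is an added example, not part of the original paper or of any agency's tooling; the record layout, tower names, time windows and phone numbers are all constructed. It goes slightly beyond the case as described by also listing numbers seen at several, but not all, of the towers.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed tower-dump records: tower id, registration time, phone number.
DUMPS_CSV = """\
tower,seen_at,number
T1,2001-05-01T09:10,555-0101
T1,2001-05-01T09:12,555-0102
T1,2001-05-01T10:30,555-0103
T1,2001-05-01T11:00,555-0104
T1,2001-05-01T08:45,555-0105
T2,2001-06-12T09:40,(555) 0101
T2,2001-06-12T09:41,5550102
T2,2001-06-12T10:05,555-0103
T2,2001-06-12T11:15,555-0105
T3,2001-07-20T08:20,555-0101
T3,2001-07-20T08:22,555-0102
T3,2001-07-20T09:00,555-0103
T3,2001-07-20T09:30,555-0105
T4,2001-08-03T10:00,555-0101
T4,2001-08-03T10:02,555-0102
T4,2001-08-03T17:45,555-0105
T4,2001-08-03T10:30,555-0106
"""


def morning(day):
    """Constructed 08:00 to 12:00 window of interest on the given ISO date."""
    return (datetime.fromisoformat(day + "T08:00"),
            datetime.fromisoformat(day + "T12:00"))


# One window per tower, standing in for the hours before each incident.
WINDOWS = {
    "T1": morning("2001-05-01"),
    "T2": morning("2001-06-12"),
    "T3": morning("2001-07-20"),
    "T4": morning("2001-08-03"),
}


def normalize(number):
    """Keep digits only so differently formatted records compare equal."""
    return "".join(ch for ch in number if ch.isdigit())


def load_dumps(text, windows):
    """Group numbers by tower, keeping only registrations inside that tower's window."""
    per_tower = {tower: set() for tower in windows}
    for row in csv.DictReader(io.StringIO(text)):
        window = windows.get(row["tower"])
        if window is None:
            continue  # record from a tower that is not part of the comparison
        seen = datetime.fromisoformat(row["seen_at"])
        if window[0] <= seen <= window[1]:
            per_tower[row["tower"]].add(normalize(row["number"]))
    return per_tower


def common_to_all(per_tower):
    """Numbers registered at every tower within its window."""
    sets = list(per_tower.values())
    return sorted(set.intersection(*sets)) if sets else []


def seen_at_least(per_tower, minimum):
    """Numbers registered at `minimum` or more towers, for weaker leads."""
    counts = Counter(n for numbers in per_tower.values() for n in numbers)
    return sorted(n for n, count in counts.items() if count >= minimum)


if __name__ == "__main__":
    towers = load_dumps(DUMPS_CSV, WINDOWS)
    print("at all four towers:", common_to_all(towers))
    print("at three or more:", seen_at_least(towers, 3))
```

The time-window filter matters as much as the intersection: the constructed number 555-0105 registers at all four towers, but at the fourth only outside the window, so it drops out of the full match.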
Maras identifies that "Computer forensics investigations have been conducted on computers, mobile devices, and other media, with the results of these investigations subsequently being presented as crucial evidence in the courtroom" (Maras, 2012, p. 324). The author went on to talk about how the court system can recognize a witness as an expert. She stated that:

Specifically, to testify as experts, witnesses must possess specialized knowledge and experience with which to explain evidence and certain events in relation to the crime. However, there is no rule as to the level of knowledge required to qualify as a witness as a technical or expert witness in the field. For example, in United States v. Scott-Emuakpor, the court held that to be considered an expert witness in computer forensics, knowledge of how to develop a sophisticated software program is not required. Instead, the court stated that the expert should possess the skills needed to find evidence on a hard or Zip drive. Therefore, to provide testimony as a computer forensics witness, knowledge of electronic evidence recovery is required, but an investigator does not need to be trained as a computer forensic investigator. Thus an individual who is skilled in computer forensics but has not had formal training can still qualify as an expert (Maras, 2012, p. 330).

A third party certification was also discovered. Paraben's Certified Mobile Examiner is one such third party certification that is offered by Paraben Corporation. They have three levels of training that must be completed, a minimum time of experience, successful completion of a written exam at a score of 80% or greater and four practical application examinations.

In addition to the investigator presenting evidence either as a technical/scientific witness or as an expert, the software that was used by the investigator must also be recognized as valid software. NIST released a booklet in February 2012 titled Computer Forensics Tool Testing Handbook. This handbook was the result of a multiagency partnership that created a testing
program for computer forensic tools. They call it the Computer Forensic Tool Testing program, and the program is designed to test how well a forensic tool performs core forensic functions. They also list the benefits of utilizing a tested forensic tool: assurance of what the tested tool's capabilities really are, limitations can be addressed and appropriate actions can be taken, and there is a head start in validating the tool in the lab. The handbook then shows the test results for 19 disk imaging tools, 10 forensic media preparation tools, 9 software write blocking tools, 24 hardware write blocking tools and 19 mobile device tools (Ayers et al., 2007).

To address the admissibility of the software that acquires the digital evidence, Brian Carrier published an article titled Open Source Digital Forensic Tools: The Legal Argument, which addresses digital forensic tools and their use in a legal setting. Evidence must be relevant and reliable to be admissible in a United States court. The reliability of scientific evidence is determined by a judge in a pre-trial Daubert hearing. A Daubert hearing uses four general categories as guidelines to assess reliability. Those four categories are: testing (can and has the procedure been tested); error rate (is there a known error rate for the procedure); publication (has the procedure been published and subjected to peer review); and acceptance (has the procedure generally been accepted in the relevant scientific community) (Carrier, 2002, p. 3).

Through the literature review, information was obtained regarding current digital investigation techniques, when to apply those investigation techniques to obtain evidence and how to ensure that the evidence is recognized in a court of law.
Procedures

The procedures section will detail how the literature was reviewed and identify why the people that were selected for interviews were experts in their subject matter. An initial literature review of digital forensics was conducted at the National Fire Academy Learning Resource Center (LRC) located in Emmitsburg, Maryland at the National Emergency Training Center. This review identified a significant limitation: there was only one relevant item on the subject matter of digital forensic investigations available at the LRC, and it was related to how state, local and other first responders preserve an electronic crime scene. Additional literature review was conducted utilizing the required textbooks for digital forensic certificate courses at Des Moines Community College, which this author has attended. This author was limited due to the fact that there is no previous literature specifically for digital forensic investigations to assist with fire investigations. While the literature that this author did review provided information for the investigation of static or controlled scenes, there was no literature on digital forensic investigations that could be conducted at a scene that has been involved in a fire.

Information was gathered through nine personal interviews of subject matter experts in both fire investigations and digital forensic investigations. A personal interview was conducted with Bryan Burkhardt, who is a subject matter expert in digital forensic investigations, on September 13, 2013 in his office at 2006 S. Ankeny Blvd Building 3W, Ankeny, Iowa Mr. Burkhardt has experience with digital forensic investigations in the corporate environment, is the current director of the digital forensics investigation program at Des Moines Community College and provides technical assistance to members of the State of Iowa Electronic Crimes Task Force when requested.
He is also the lead instructor of digital forensic investigation for cellular phones at the Des Moines Electronic Crime Institute. We discussed the questions that were presented to
him on April 11th, A copy of the questions that were sent to him can be found in Appendix B.

Personal communication was conducted with Matt Sauer, a subject matter expert in digital forensic investigations. He is the Special Agent in Charge of the Iowa Division of Criminal Investigation Cyber-Crime Unit Iowa Internet Crimes Against Children Task Force. His specialty is the digital forensic investigation of computers, both PC and Mac. He responded to my questions via e-mail on April 11th, 2013 and his questions are provided in Appendix B.

An additional interview was conducted with Darren Bjurstrom, who is a subject matter expert in police and fire investigations. He is currently assigned to the DMFD/DMPD Arson Task Force. He has been a member of the DMPD for 22 years, a detective for over 12 years and a member of the Arson Task Force for the last 6 years. He was chosen for his broad experience in criminal investigations and experience in fire investigations. He was interviewed on November 30th, 2013 in Des Moines, Iowa at the conclusion of a fire scene investigation; the questions that were presented to him are located in Appendix C.

Jack Kamerick is a subject matter expert in police and fire investigations. Jack has been a member of the DMPD for more than 25 years, has been a detective for more than 15 years and has been assigned to the Arson Task Force for the last 10 years. He was selected as a subject matter expert because of his broad experience in criminal investigations, fire investigations and some experience in using digital evidence to assist with fire investigations. He was interviewed in his office at the Des Moines Police Department Headquarters building, 25 E. 1st Street, Des Moines, Iowa on December 3rd, 2013; the questions that were asked of him are located in Appendix C.

Brad Fousek and Dave Knutzen are both subject matter experts in fire investigations; they were interviewed on December 4th, 2013 at the DMFD administrative headquarters located
at 2715 Dean Avenue, Des Moines, Iowa The questions that were posed to them are located in Appendix D. Brad Fousek has been a member of the DMFD for over 34 years. He has been assigned to the DMFD/DMPD Arson Task Force for almost 20 years. He was chosen as an expert because of his rich experience in fire investigations and the opportunity to evaluate past fires where digital evidence could have assisted a fire investigation.

Danielle Galien is a subject matter expert in forensics; she has been a member of the DMPD Crime Scene Investigative Unit for over 12 years. Danielle has attended training for digital forensic investigation on cellular phones. She is also completing the requirements for the certificate program at Des Moines Community College in Digital Forensic Investigations. She was interviewed in the Des Moines Police Department Crime Scene office at 25 E. 1st Street, Des Moines, Iowa on December 3rd, The questions that were asked of her can be found in Appendix D.

Brent Curtis is a subject matter expert in police investigations and digital forensic investigations. He has been a member of the DMPD for over 20 years and has been the Detective assigned to Fraud and Computer Forensics for the past 8 years. He is assigned to cases through the DMPD but also assists the Iowa Internet Crimes Against Children Task Force. He was selected as a subject matter expert because of his broad experience in criminal proceedings and specifically his experience as a computer digital forensic investigator. On December 4, 2013 this author met with Mr. Curtis at his office at the Des Moines Police Department Headquarters building, 25 E. 1st Street, Des Moines, Iowa 50309; the questions that were asked of him are listed in Appendix F.

A personal interview was also conducted with Jonathan Lund, Fire Marshal for the City of Des Moines and subject matter expert on supervising fire investigators. Mr.
Lund has been with the DMFD since He is a licensed Fire Protection Engineer, and has a Masters of
Public Administration degree. He was chosen as a subject matter expert because of his responsibilities to review all cases that are assigned to the DMFD fire investigators. He possesses personal knowledge of the rapid growth of mobile communication and understands that there may be tangible benefits for pursuing digital investigations to assist with fire investigations. The interview was conducted on Thursday, November 21st, 2013 in his office at the Des Moines Fire Department administrative building located at 2715 Dean Avenue, Des Moines, Iowa Appendix G lists the questions that were posed to him.

The historical data of the Des Moines Fire Department was obtained from the DMFD's record management system, Firehouse Software. A report is produced by entering in parameters and querying the data. The data that was queried for 2011, 2012 and 2013 was the number of cases that were assigned to an investigator, the number of those cases that remained undetermined after investigation and the number of arrests. The only additional parameter that was used in 2013 was open case, to identify cases that could still result in a determined cause of the fire and arrest.

To conclude the procedures, the persons selected for interviews are subject matter experts in their fields; additionally, the literature that was reviewed was relevant to digital forensics investigations and textbook theory.

Results

The applied research paper was completed using the descriptive research method to determine how the Des Moines Fire Department could utilize current digital forensic techniques to assist with fire investigations. The results were derived from personal interviews, literature review and statistical analysis of DMFD cases as listed in the procedures section of this paper. The following is a summary of the results from this author's research.
When analyzing the results of the first research question (what type of current digital investigation techniques could be applied to fire investigations?), the review of listed literature and personal interviews identified multiple opportunities for a fire investigator to identify and collect digital evidence. Marie-Helen Maras identified the opportunity to collect digital evidence from computers, cellular phones, and cellular towers (Maras, 2012). In Guide to Computer Forensics and Investigations, Nelson et al. identified computers, e-mails, cellular phones and other devices that could all be used to obtain digital evidence (Nelson et al., 2010). The Global Justice Information Sharing Initiative stated that social media sites and resources may be a helpful tool for law enforcement personnel in the prevention, identification, investigation and prosecution of crimes (Global Justice Information Sharing Initiative, 2013, p. 19).

Jack Kamerick provided practical examples. When he was asked if he had used digital evidence with previous fire investigations, he stated that he had one particular case where he used Facebook posts that had been provided to him by a victim as a reason for a search warrant and preservation letter sent to Facebook. With that same case he subpoenaed the phone records of the suspect, and was able to use the information from the phone records to identify the location of the suspect's mobile device. This information was then used in an interview as a directed contradiction to previously made statements (J. Kamerick, personal interview, December 3rd, 2013).

Darren Bjurstrom also stated that, while he does not routinely use digital information in the investigation of fires, he had a particular investigation where a suspect made posts onto their Facebook page of their misconduct. The photo was noticed by a friend of the suspect and the investigators were contacted.
During the interview of the suspect, the information was told to them and that person admitted to their wrongdoing (D. Bjurstrom, personal interview, November 30th, 2013).
Bryan Burkhardt provided information by first defining digital forensics and then providing information on its utilization in fire investigations. He stated that forensics is the application of science for fact or law; when applied to digital investigations it was a series of repeatable events to derive facts or establish truth with respect to digital devices. Mr. Burkhardt then stated that all devices are capable of storing data in a digital manner and the amount of data could be overwhelming. He conceded that he is naïve with fire investigations but assured that digital investigations can assist in identifying the who and how of nearly any criminal investigation. Digital evidence could identify the amount of premeditation that a suspect performed. He continued by stating that most planning, research and communication is done today with digital devices and that can produce digital evidence. Evidence such as the location of a cellular device could be used as either inculpatory or exculpatory evidence (B. Burkhardt, personal interview, September 13th, 2013).

When Matt Sauer was asked to define digital forensic investigations, he stated that it was the act of collecting, analyzing and presenting results with regards to electronic devices that have the capability of storing data (M. Sauer, personal communication, April 11th, 2013). He went on to stipulate that a digital forensic investigator must ensure that the data is not altered and maintains the integrity of the original evidence. After the definition of digital forensics, Mr. Sauer stated that digital evidence has become increasingly more common in most criminal investigations. Digital investigations began with stand-alone computers and have evolved to mobile devices. He stated that he felt that, with fire investigations, suspects will often research various ways to start fires, or may search media stories and fire reports via the internet for fires they have started.
Lastly, he stated that the suspect often communicates, via text messaging and
e-mail, with associates about their involvement (M. Sauer, personal communication, April 11th, 2013).

Very specific information regarding fire investigations was provided by Brad Fousek, who stated that he routinely tries to identify video footage of fires he investigates. He has used surveillance video from property owners, neighbors and neighboring businesses, and he feels that it is great digital evidence. Oftentimes this evidence assists in identifying a suspect at a scene at the time of a fire. He also has investigated fires where phone records were subpoenaed and were instrumental in identifying who a suspect spoke to, and where the suspect's mobile device was when the call was made. He was also involved in the case referenced earlier by Bjurstrom where a suspect made a post on Facebook of their criminal conduct and, when told of the evidence, the suspect subsequently confessed to the crime (B. Fousek, personal interview, December 4th, 2013).

Dave Knutzen had a recent fire investigation where the business had video surveillance cameras that were fed into a computer and stored as digital video files. The computer that was used to store the videos had been subjected to heat from the fire and water from the suppression of the fire. Once removed from the scene with the permission of the property owner, the computer was allowed to dry, power to the computer was restored and the surveillance video files were able to be viewed. The videos showed the origin of the fire and the investigators were able to determine that the cause was accidental. He also had another fire where one of the first due company officers recognized the computer as part of the business surveillance system and removed the computer from the business; with the permission of the business owner they were able to view the video and identify that the fire was accidental. Mr. Knutzen has also been involved in cases where phone records were subpoenaed and used to contradict the statements
that a suspect had given previously (D. Knutzen, personal interview, December 4th, 2013).

When Brent Curtis was asked if he was aware of any digital evidence being used in a fire investigation, he stated that he was not aware of any case where digital evidence was used. In a follow up question, Mr. Curtis was asked if he was aware of any digital evidence being removed from a computer that was involved in a fire. He shared a previous case he had investigated where a suspect took their laptop into their front yard, doused the computer with a flammable liquid in the presence of police officers who had a search warrant for the computer, and set the computer on fire. The fire was extinguished by the police officers present, limiting the damage to the external case of the computer and keyboard. The hard drive of the computer was not damaged; Mr. Curtis was able to extract the data from the computer using EnCase software and the data was used in the conviction of the suspect (B. Curtis, personal interview, December 4th, 2013).

Danielle Galien was asked if she knew of any digital evidence that had been collected and used in the conviction of an arson fire; she stated there were no cases that she was aware of utilizing digital evidence. With the next question, of how she felt that digital evidence found in a forensically sound manner could assist a fire investigation, she stated that the investigation of a cell phone could provide a lot of information. She expanded on that by identifying that nearly every person has a cell phone as a way of communicating. In her experience with smart phones, people use their phones for GPS mapping, e-mails, text messaging, picture messaging, internet searches, as a camera and as their daily calendar. She feels that all of that information could be used to assist with a fire investigation (D. Galien, personal interview, December 3rd, 2013).
Jonathan Lund was able to present insight into how digital investigations could be utilized in fire investigations from the perspective of a section supervisor. When asked if he was aware of any digital evidence that has been used in fire investigations, he responded that he is aware of photos being used and video surveillance being retrieved from the scene, neighbors, neighboring businesses, etc. He is aware that these videos have been useful with past convictions. When questioned if he was aware of cellular tower information being used in current fire investigations, he responded that he is not aware of any use since being in the office of Fire Marshal (J. Lund, personal interview, November 21st, 2013).

A summary of the results to answer the first research question (what type of current digital investigation techniques could be applied to fire investigations?) produced the following: with the identification of a computer, cellular phone or other digital device, investigative techniques that have been used in other criminal investigations could be applied to fire investigations.

To evaluate the second research question (when would current digital forensic investigation techniques be utilized in fire investigations?), the information from the subject matter experts provided insight that was relevant to their area of expertise. Literature that was specific to digital forensics provided information that can be and has been used in general criminal investigations. However, when asked how he felt digital evidence could be used in future fire investigations, Brad Fousek stated that it would be important to have a reason to believe that digital evidence would be relevant. He went on further to state that each and every case had to be evaluated on its own merit. When a follow up question was asked if digital evidence investigations would be beneficial in future investigations, he stated that the amount of work would have to be measured against the benefit.
He again stated that it would have to be evaluated on a case by case basis. Mr. Fousek also stated that the digital evidence would have to
be such that it cannot be disputed. He did also state that phone records are good information to be used in follow up interviews of a suspect to refute previous statements (B. Fousek, personal interview, December 4th, 2013).

During his interview, Dave Knutzen was asked how he felt digital evidence could be used in future fire investigations. He stated that one positive use would be information on what side of a cell tower a phone was used by a suspect. A concern that he had was what would happen if the suspect had a TracFone, which does not have subscriber information: would an investigator be able to get beneficial digital evidence for a fire investigation? When he was asked if digital evidence would be beneficial to assist future investigations, he again talked about DVR computers that record surveillance videos, and how it would be important to be able to get information from a computer that may have been involved in a fire (D. Knutzen, personal interview, December 4th, 2013).

When posed the question of previous cases where digital evidence would have been beneficial, Jack Kamerick stated that whenever there is a possible suspect, or an identified suspect, digital evidence such as phone numbers and phone records would be a great help with any previous cases. When asked if digital evidence could improve or enhance fire investigations, he replied that it is a good tool that could be used. He cautioned that there needs to be a suspect and some information that could be taken to the county attorney for a search warrant (J. Kamerick, personal interview, December 4th, 2013).
When Darren Bjurstrom responded to the question of any previous cases where it would have been beneficial, he stated that he was unaware of cases with an identified suspect where that information would be beneficial. He also stated that without enough evidence to support a warrant, an investigator could not just subpoena tower records without a suspect and a phone number to support the records request. He felt that the same
information was appropriate to the question of whether digital evidence could improve or enhance fire investigations. He stated that it is not practical or legal to just request phone tower records without a suspect and phone number to support the records request (D. Bjurstrom, personal interview, November 30th, 2013).

Jonathan Lund was asked if he would support a department policy identifying the use of obtaining digital evidence to support fire investigations. His reply was that he would have to be better versed in the capabilities and results of digital investigations. He also expressed concerns about the costs of implementation, the training and time requirements, and the staffing needs of the fire prevention section (J. Lund, personal interview, November 21st, 2013).

Matt Sauer was asked how and when digital forensic investigations would be utilized to assist with fire investigations, and he stated that it would be similar to the previous question of how digital investigations could be utilized. Mobile devices are becoming increasingly prevalent in all criminal investigations, so in regards to fire investigations a search of the suspect's internet history, e-mails that they have used to communicate with others, or text messaging can all be potential digital evidence (M. Sauer, personal communication, April 11th, 2013).

When Brent Curtis was posed with the question of whether digital evidence could be beneficial for fire investigations, he stated it would be very beneficial. Utilizing current digital investigation techniques that the DMPD is using within the fraud division, an investigator could perform a web browser search to view the searches that a suspect has performed on the computer; an investigator could also search for videos and images that may have been taken at a fire scene. He stated that suspects often use e-mail to talk with accomplices. Mr.
Curtis also stated that he has found people save chat room discussions on their computers and that could be another area of evidence. He stated that using the EnCase program for computers, an investigator could get the
information from a suspect's computer and, by doing a keyword search, could identify many pieces of digital evidence on a suspect's computer (B. Curtis, personal interview, December 4th, 2013).

During the interview with Bryan Burkhardt, he was asked how and when digital forensic investigations would be utilized to assist with fire investigations, and his immediate answer was that the digital investigation cannot start soon enough. He stated that all digital devices need to be treated as evidence; if handled properly, the digital evidence that is stored on the device will be preserved. He went on to say that the use of digital evidence needs to begin early and continue throughout the investigation. It should begin at the moment of the call; the phone number and person who called should be obtained, with information from a cell tower, using that information as a baseline to identify what numbers are often present and what numbers are transient. He conceded that digital evidence is circumstantial evidence, but digital evidence allows the investigation to be more colorful and colors are the details (B. Burkhardt, personal interview, September 3, 2013).

In order to identify when digital forensic investigation techniques would be relevant to fire investigations, the experts stated that it should be a thought early and throughout the investigation, with a thought on evaluating each case on its own merit and realizing that there should be a suspect identified to support the request of a search warrant for cellular tower and mobile device records.

To address the third research question (what qualifications are required to be recognized as an expert witness utilizing current digital forensic techniques?), a combination of the literature reviewed and the interviews from the persons who are subject matter experts in digital forensics was used to obtain the results.
In the interview with Bryan Burkhardt he was asked to identify certifications or certain classes that would assist an investigator in being recognized as an expert
utilizing digital forensic techniques. His response was that the Certified Forensic Computer Examiner from the International Association of Computer Investigative Specialists was a recognized certification in the field of digital forensic investigations. He followed that answer with a statement that the certificate was very rigorous to obtain but was very focused on a single computer investigation, had very little testing on network investigations and no testing on cell phone investigations. Mr. Burkhardt continued by stating that certification from a vendor is good when the investigator uses that vendor's product. Additionally, Mr. Burkhardt stated that the classes offered from the Electronic Crime Institute are good courses for an investigator because the courses teach programming knowledge and also demonstrate and evaluate students' abilities to carve evidence from data when typical, commercial means are not available. They also utilize both EnCase and FTK as commercial software for digital forensic investigations and case management in the classroom (B. Burkhardt, personal interview, September 3rd, 2013).

When Matt Sauer responded to the question asking for identification of certifications or certain classes that would assist an investigator in being recognized as an expert witness utilizing current digital forensic techniques, he stated that he has been a witness in court proceedings to present digital evidence that he discovered during a digital forensics investigation. Additionally, he stated that he is certified as a Certified Forensic Computer Examiner from the International Association of Computer Investigative Specialists. He also stated that it was important to attend as many training courses as possible regarding the specific forensic hardware/software that are being utilized. He also stated that many companies offer certifications specific to their own software, such as EnCase Certified Examiner Certification.
Danielle Galien understood the importance of training for the collection of evidence as a crime scene investigator, which is why she has attended specific training for the Cellebrite forensic tool that is used to extract digital evidence from smart phones. She is also attending classes in digital forensics at the Des Moines Area Community College Electronic Crime Institute.

Additional certifications were identified for mobile devices in the literature review. Paraben Corporation offers a four-day training that allows a student to finish the program with a final practical and written test to complete Level 1 certification. They continue by offering another four-day training program that is more advanced and builds on the knowledge obtained in Level 1 training; it also concludes with a written exam and the student will obtain Level 2 certification. The third level is a two-part video course that covers the cellular tower data and call detail records. As with the other certifications, it concludes with a written test for certification as a Level 3 Paraben Certified Mobile Examiner. The certification was specific to their mobile phone forensic investigation software.

In Chapter 15 of Guide to Computer Forensics and Investigations, Nelson et al. presented information about being an expert witness with digital forensics. Nelson et al. defined an expert witness as a witness who has opinions about what you have found or observed. You form these opinions from experience and deductive reasoning based on facts found during the investigation. In fact, it is your opinion that makes you an expert witness (Nelson et al., 2010, p. 542). They also emphasize that the steps that were used to gather and preserve the digital evidence need to be documented so that the steps are repeatable. The tools that are used in the digital forensic investigation need to be validated and the evidence needs to be verified with the use of hash values (Nelson et al., 2010).
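The tool validation and hash verification described above can be illustrated with a short script. This is an added example, not code from the paper or from any product it names; the function names, the choice of SHA-256, the sample file names and all sample data are assumptions constructed for illustration.

```python
"""Added example: hash verification of an evidence copy and a reference-set
test of an extraction tool. All data below is constructed for illustration."""
import hashlib
import io

CHUNK_SIZE = 64 * 1024  # read in blocks so a large disk image never has to fit in memory


def sha256_stream(stream) -> str:
    """Return the SHA-256 hex digest of a binary file-like object."""
    digest = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK_SIZE), b""):
        digest.update(block)
    return digest.hexdigest()


def verify_copy(original, working_copy) -> dict:
    """Hash the original and the working copy; return a record for the case notes."""
    original_hash = sha256_stream(original)
    copy_hash = sha256_stream(working_copy)
    return {
        "original_sha256": original_hash,
        "copy_sha256": copy_hash,
        "match": original_hash == copy_hash,
    }


def validate_tool(reference: dict, recovered: dict) -> dict:
    """Score a tool's output against a reference set planted in a test image.

    reference: file name -> bytes known to be in the test image
    recovered: file name -> bytes the tool under test reported
    """
    if not reference:
        raise ValueError("reference set is empty; nothing to validate against")
    ref = {name: hashlib.sha256(data).hexdigest() for name, data in reference.items()}
    rec = {name: hashlib.sha256(data).hexdigest() for name, data in recovered.items()}

    # False negative: data that was in the input but is missing from the output.
    missed = sorted(name for name in ref if name not in rec)
    # False positive: data in the output that was never in the input.
    introduced = sorted(name for name in rec if name not in ref)
    # Same name, different content: the tool changed the data it returned.
    altered = sorted(name for name in ref if name in rec and ref[name] != rec[name])

    intact = len(ref) - len(missed) - len(altered)
    return {
        "false_negatives": missed,
        "false_positives": introduced,
        "altered": altered,
        "recovered_intact": intact,
        # Share of reference items not returned intact (one way to summarize errors).
        "error_rate": (len(missed) + len(altered)) / len(ref),
    }


# Constructed sample data: a stand-in for a disk image and a planted reference set.
EVIDENCE_IMAGE = b"DVR-DISK-IMAGE " * 10000
REFERENCE_SET = {
    "cam1_0001.avi": b"video frame data",
    "browser_history.db": b"search terms",
    "sms.db": b"text messages",
    "calendar.ics": b"appointments",
}
# Output of a hypothetical tool under test: one file missed, one altered, one extra.
TOOL_OUTPUT = {
    "cam1_0001.avi": b"video frame data",
    "browser_history.db": b"search terms (truncated",
    "calendar.ics": b"appointments",
    "unknown_0.tmp": b"not in the test image",
}

if __name__ == "__main__":
    record = verify_copy(io.BytesIO(EVIDENCE_IMAGE), io.BytesIO(EVIDENCE_IMAGE))
    print("copy verified:", record["match"], record["original_sha256"])
    print(validate_tool(REFERENCE_SET, TOOL_OUTPUT))
```

Because the same inputs always produce the same digests and the same report, the record can be kept with the case documentation and re-run by another examiner.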
Marie-Helen Maras wrote about expert witnesses as referenced in Rule 702 of the Federal Rules of Evidence. She stated that as an expert witness the computer forensic investigator collects, analyzes and evaluates the evidence and then forms an opinion. The expert witness is the only witness who is allowed to present an opinion without having physically been at the crime scene or involved in any way after it occurred. The expert witness must also be knowledgeable in the methods by which the digital evidence was gathered so that they can testify to the authenticity of the evidence (Maras, 2012).
With an article specific to computer investigations, Carrier identified that the reliability of scientific evidence must be determined by a judge. That determination is based on whether the methodology and techniques of the tool used to gather the information were sound and, as a result, the evidence is reliable. The four categories that are identified as guidelines used by the judge to determine reliability are testing, error rate, publication and acceptance. The testing of investigative tools that gather digital evidence must identify a procedure to ensure that the tool provides accurate results. These tests must address both false negatives and false positives. A false negative test will ensure that the investigative tool provided all of the available data from the input. A false positive test ensures that the investigative tool did not introduce any new data into the output. Error rate guidelines will identify if there is a known or published error rate for the tool. The publication guideline demonstrates that the procedures used by the tool have been documented in a public place and undergone a peer review. The guideline of acceptance refers to the associated scientific community evaluating the published procedures of the methodologies and techniques of the forensic tool (Carrier, 2002). The conclusion presented by Carrier in his paper is that:
Digital forensics is a maturing science that needs to be continuously held to higher standards. The procedures used should be clearly published, reviewed and debated. The availability of analysis tools to the general public has likely increased their quality and usability. The next step is to increase confidence in the tools through publication, review, and formal testing (Carrier, 2002, p. 9).
To conclude the results for the third research question (what qualifications are required to be recognized as an expert witness utilizing current digital investigation techniques?), the results presented that there are classes available for specific programs, there are courses available from institutions of higher learning and there are courses from vendors. However, the tools that are used and the methods employed by the investigator must be repeatable to be accepted by the scientific community of digital forensic investigations.
Discussion
The investigation of a fire scene is an extremely difficult task, as was presented by DeHaan & Icove; the NFPA Guide 921 used the words "complex endeavor" (NFPA, 2011, p ) to describe a fire investigation. The DMFD has used a task force approach with the DMPD to investigate 2006 cases from January 1, 2011 to November 28, 2013 that has resulted in the arrest of 51 suspects.
A significant limitation in the descriptive methodology of this ARP is that there was limited literature on the application of digital forensic investigations to fire investigations. This limited the research in that this author relied significantly on the opinions and experience of subject matter experts in order to accomplish the research required for this paper.
This author has been studying digital forensic investigations at the Electronic Crime Institute and felt that the DMFD/DMPD task force would benefit from digital forensic investigations. When interviews were conducted with subject matter experts, another limitation that was discovered was that subject matter experts for fire investigations did not have the same definition of digital evidence and digital investigation as the author of the ARP. However, in his interview, Dave Knutzen identified that he has viewed video files that were stored on a computer, and the computer was inside the building that had been involved with fire (D. Knutzen, personal interview, December 4, 2013). This author had not thought of videos as being digital evidence until that interview and the interview with Brad Fousek, who stated that it would be great to have videos from all fires to help us identify a suspect and stated that there are now videos taken with cell phones (B. Fousek, personal interview, December 4th, 2013). The removal of videos from computers was presented by Brent Curtis, who explained the case where he was able to remove pictures and videos from the hard drive of a computer that had been involved in a fire (B. Curtis, personal interview, December 4th, 2013).
Since 91 percent of American adults are using cell phones (Rainie, 2013, p. 1), 56 percent of American adults are using smart phones (Smith, 2013, p. 1) and 63 percent of cell phone owners use their phone to go online (Duggan & Smith, 2013, p. 2), the research identified that there is a lot of digital evidence that is available for fire investigators to use to assist with fire investigations.
Given the digital evidence that is possible from a cell phone as identified by Maras, such as phone numbers dialed, missed calls, calls received, text messages, e-mails and internet data (Maras, 2012), and the case discussed by Jack Kamerick where cell phone records were used in an interview with a suspect to challenge previous statements made by the suspect, it could be correlated that the digital evidence that can be collected will assist with fire investigations.
Due to the significant presence and use of digital devices in America, a digital forensic investigator needs to have education and experience related to the technology in order to utilize digital forensic investigation techniques in their investigations. The listed vendor specific courses from Paraben ( and EnCase Certified Examiner Certification as recommended by Matt Sauer (M. Sauer, personal communication, April 11th, 2013) are a good place to obtain the education requirements.
There was substantial information provided for this ARP from subject matter experts in fire investigations, police investigations, digital forensic investigations and crime scene evidence collection. These experts and the information that was discovered from the review of the listed literature identify that digital forensic investigations can assist with current and future fire investigations. Any efforts that the DMFD can take to increase the number of cases where digital forensic investigations are utilized will benefit the DMFD/DMPD arson task force and allow these departments to improve their professionalism.
Recommendations
Through the results of the research conducted as a portion of the ARP and the examples of how digital forensic investigation techniques have been applied in specific DMFD fire investigation cases and other criminal cases, there is conclusive evidence that the DMFD would benefit from a more standard application of digital forensic investigation. The DMFD/DMPD arson task force does not routinely utilize digital forensic investigation to assist with fire investigations. Through the review of literature, the questions that were answered and the
personal interviews that were conducted, a few recommendations have been created. The primary recommendation is to provide education to the members of the DMFD/DMPD arson task force about the possibilities of digital evidence being able to assist with fire investigations. The second recommendation is to identify, through the relationship between the DMFD and the DMPD, a way to improve the collection of digital forensic evidence that will assist with fire investigations. A third recommendation would be to expand the relationship between the DMFD and the DMPD and evaluate opportunities to obtain funding for a joint funded, joint staffed digital forensic investigation team. Each of these recommendations is examined in greater detail below under each sub-heading:
Education
In order to obtain the beneficial results of digital forensic investigations to assist with fire investigations, the information about digital forensic investigations needs to be presented to all of the members of the DMFD/DMPD arson task force. While the members of the task force were interviewed for this ARP and have some familiarity with digital forensic investigation, that familiarity should be enhanced. Communication by electronic means and the establishment of monthly case reviews could possibly identify when digital forensic investigations could be used to assist with fire investigations. Additionally, members of the DMFD/DMPD arson task force that are going to conduct forensic investigations should attend the training to obtain Paraben Mobile Examiner Level 3 and obtain the specific certification from EnCase - EnCase Certified Examiner Certification.
Improvement
When the DMFD/DMPD arson task force understands the benefit of utilizing digital forensic investigations to assist with fire investigations, there will need to be an improvement in the collection of digital forensic evidence to assist with fire investigations. The members of the DMFD/DMPD arson task force are going to need to understand the importance of collecting digital devices in a forensically approved manner to allow the digital forensic investigator the opportunity to obtain evidence in a manner that will allow the evidence to be presented in court.
Expand
The DMFD and the DMPD possess a unique situation in that we have been utilizing the task force, team approach to the investigation of fires for many years; the close working relationship that has developed has proven beneficial. The third recommendation is for that relationship to expand and have both departments evaluate the benefits of and possible funding sources for a joint staffed, joint funded digital forensics team. Through this expansion, the DMFD/DMPD will be able to improve the professionalism of the departments, expand the opportunity to gather evidence that could be used to increase the number of arrests and therefore provide a safer community for the citizens of Des Moines.
References
Anderson, N. (2013, August 29). How cell tower dumps caught the High Country Bandits - and why it matters. ars technica. Retrieved from
Ayers, R., Jansen, W., Moenner, L., & Delaitre, A. (2007). Cell Phone Forensic Tools: An Overview and Analysis Update (NISTIR 7387). Retrieved from National Institute of Standards and Technology - Computer Security Resource Center website:
Carrier, B. (2002). Open Source Digital Forensic Tools - The Legal Argument. Retrieved from
DeHaan, J. D., & Icove, D. J. (2012). Kirk's Fire Investigation (7th ed.). Upper Saddle River, NJ: Pearson.
Des Moines Fire Department. (2011). Firehouse Software - Daily Arson Report List by Alarm Date/Time - Alarm Date Between {01/01/2011} And {12/31/2011} [Data File]. Des Moines, Iowa: Des Moines Fire Department.
Des Moines Fire Department. (2011). Firehouse Software - Daily Arson Report List w/ Fire Report Info - Alarm Date Between {01/01/2011} And {12/21/2011} and Cause of Ignition = U and Case Status = 4 [Data File]. Des Moines, Iowa: Des Moines Fire Department.
Des Moines Fire Department. (2011). Firehouse Software - Department Journal [Data File]. Des Moines, Iowa: Des Moines Fire Department.
Des Moines Fire Department. (2012). Firehouse Software - Daily Arson Report List by Alarm Date/Time - Alarm Date Between {01/01/2012} And {12/31/2012} [Data File]. Des Moines, Iowa: Des Moines Fire Department.
Des Moines Fire Department. (2012). Firehouse Software - Daily Arson Report List w/ Fire Report Info - Alarm Date Between {01/01/2012} And {12/31/2012} and Case Status = 4 and Cause of Ignition = U [Data File]. Des Moines, Iowa: Des Moines Fire Department.
Des Moines Fire Department. (2012). Firehouse Software - Department Journal [Data File]. Des Moines, Iowa: Des Moines Fire Department.
Des Moines Fire Department. (2013). Firehouse Software - Daily Arson Report List by Alarm Date/Time - Alarm Date Between {01/01/2013} And {11/28/2013} [Data File]. Des Moines, Iowa: Des Moines Fire Department.
Des Moines Fire Department. (2013). Firehouse Software - Daily Arson Report List w/ Fire Report Info - Alarm Date Between {01/01/2013} And {11/28/2013} and Cause of Ignition = U and Case Status = 4 [Data File]. Des Moines, Iowa: Des Moines Fire Department.
Des Moines Fire Department. (2013). Firehouse Software - Department Journal [Data File]. Des Moines, Iowa: Des Moines Fire Department.
Duggan, M., & Smith, A. (2013). Cell Internet Use Retrieved from
Global Justice Information Sharing Initiative. (2013). Developing a Policy on the Use of Social Media in Intelligence and Investigative Activities. Retrieved from
International Code Council. (2009). International Fire Code. Country Club Hills, IL:.
Jansen, W., & Ayers, R. (2007). Guidelines on Cell Phone Forensics - Recommendations of the National Institute of Standards and Technology (NIST Special Publication ). Retrieved from
Maras, M.-H. (2012). Computer Forensics: Cybercriminals, Laws and Evidence. Sudbury, MA: Jones & Bartlett Learning.
National Fire Protection Association. (2009). NFPA 1033 Standard for Professional Qualifications for Fire Investigator. Quincy, MA: National Fire Protection Association.
National Fire Protection Association. (2011). NFPA 921 Guide for Fire and Explosion Investigations. Quincy, MA: National Fire Protection Association.
Nelson, B., Phillips, A., & Steuart, C. (2010). Guide to Computer Forensics and Investigations (4th ed.). Boston, MA: Course Technology.
Rainie, L. (2013). Cell phone ownership hits 91% of adults. Retrieved from
Smith, A. (2013). Smartphone Ownership Update. Retrieved from
The Des Moines Arson Task Force. (n.d.). Retrieved from
United States Fire Administration. (2010). Applied Research Self-Study Guide. Washington, DC: Government Printing Office.
United States Fire Administration. (2012). Executive Development ED-Student Manual (). Washington, DC: Government Printing Office.
Appendix A: Phone Software Components (Ayers et al., 2007, p. 4)
Appendix B: Questionnaire to digital forensic subject matter experts
Mr. Bryan Burkhardt
Mr. Matt Sauer
Thank you for taking the time to assist me with my research paper for the National Fire Academy. My stated problem statement is: The Des Moines Fire Department does not currently use digital forensic investigation techniques to assist investigators during fire investigations. My stated purpose statement is: The purpose of this research is to identify the factors that will allow the Des Moines Fire Department to implement current digital forensic investigation techniques during fire investigations. I would like you to please answer the following questions:
Please define digital forensic investigations in your words.
How can digital forensic investigations be utilized in fire investigations?
If digital forensic investigations can be utilized in fire investigations, how and when would digital forensic investigations be utilized to assist with fire investigations?
Can you identify certifications or certain classes that would assist an investigator in being recognized as an expert utilizing current digital forensic investigation techniques?
Respectfully,
Mark Dooley
Lieutenant
Des Moines Fire Department
Appendix C: Interview questions asked to police and fire subject matter experts
Detective Darren Bjurstrom
Detective Jack Kamerick
Thank you for agreeing to meet with me regarding my research paper for the National Fire Academy. My research paper is on utilizing digital evidence to assist with fire investigations and how the department implements those techniques. Here are the questions that I will be asking each of you when we meet.
Do you use digital evidence with your current investigations? If so, what evidence do you use?
Are you aware of any arrests that were made that were supported by digital evidence?
Are you aware of any cases that you have had where digital evidence would have been beneficial?
Do you believe that digital evidence could improve or enhance fire investigations?
Again, thank you for your assistance with my research paper.
Respectfully,
Mark Dooley
Lieutenant
Des Moines Fire Department
Appendix D: Interview questions asked to fire subject matter experts
Investigator Brad Fousek
Investigator Dave Knutzen
Thank you for agreeing to meet with me regarding my research paper for the National Fire Academy. My research paper is on utilizing digital evidence to assist with fire investigations and how the department implements those techniques. Here are the questions that I will be asking each of you when we meet.
Are you aware of any cases where you had used digital evidence to assist with a fire investigation?
How do you feel digital evidence could be used in future fire investigations?
Would digital evidence be beneficial to assist future fire investigations?
Are you aware of previous cases where digital evidence could have been beneficial?
Again, thank you for your assistance with my research paper.
Respectfully,
Mark Dooley
Lieutenant
Des Moines Fire Department
Appendix E: Interview questions asked to forensic subject matter expert
Danielle Galien
Thank you for taking the time to assist me with my research paper for the National Fire Academy. I am researching to see if the fire department would benefit from utilizing digital investigation techniques to assist fire investigations and how to implement that benefit. I have listed the questions that I will be asking when we meet.
Are you aware of digital evidence being collected and used in the conviction of an arson fire?
Do you feel that digital evidence obtained in a forensically sound manner could assist a fire investigation? If so, what type of evidence?
Do you have specific training or experience with collecting digital evidence in a forensically sound manner?
Again, thank you for helping me with my research paper.
Respectfully,
Mark Dooley
Lieutenant
Des Moines Fire Department
Appendix F: Interview questions asked to police and digital forensic subject matter expert
Brent Curtis
Thank you for taking the time to assist me with my research paper for the National Fire Academy. I am researching to see if the fire department would benefit from utilizing digital investigation techniques to assist fire investigations and how to implement that benefit. I have listed the questions that I will be asking when we meet.
Are you aware of any digital evidence that has been used in fire investigations?
Are you aware of any digital evidence being removed from items that have been involved in fire?
Do you think that collecting digital evidence could be beneficial in fire investigations?
Again, thank you for helping me with my research paper.
Respectfully,
Mark Dooley
Lieutenant
Des Moines Fire Department
Appendix G: Interview questions asked of the City of Des Moines Fire Marshal
Jonathan Lund
Thank you for taking the time to assist me with my research paper for the National Fire Academy. I am researching to see if the fire department would benefit from utilizing digital investigation techniques to assist fire investigations and how to implement that benefit. I have listed the questions that I will be asking when we meet.
1. Are you aware of any digital evidence that has been used in fire investigations?
2. Are you aware of any cellular tower information that has been used in current fire investigations?
3. Are you aware of any forensic investigations of cellular phones and other electronic devices for digital evidence being used in current fire investigations?
4. Would you support a department policy identifying the use of obtaining digital evidence to support fire investigations?
Again, thank you for helping me with my research paper.
Respectfully,
Mark Dooley
Lieutenant
Des Moines Fire Department
Mobile Audio/Video Recorder Policy 446.1 PURPOSE AND SCOPE The Fort Collins Police Services has equipped selected vehicles and officers with a Mobile Audio/Video Recording (MAV) system and also allows
Cellebrite UFED Physical Pro Cell Phone Extraction Guide
Cellebrite UFED Physical Pro Cell Phone Extraction Guide By Colby Lahaie Patrick Leahy Center for Digital Investigation Champlain College May 16, 2012 Table of Contents 1 Introduction... 2 1.1 Research
HIPAA Security Alert
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
How To Get A Computer Hacking Program
CHFI v8(computer Hacking Forensics Investigator) Course Description & Overview Overview CHFIv8 Course Description EC-Council releases the brand new Version 8 of the Computer Hacking Forensics Investigator
Evaluating Mobile Forensics Training & Certification Programs: 5 Questions to Ask
Evaluating Mobile Forensics Training & Certification Programs: 5 Questions to Ask Table of Contents How to Evaluate Mobile Forensics Training...3 1. Does the vendor ground you in forensic best practices
Guidelines on Digital Forensic Procedures for OLAF Staff
Ref. Ares(2013)3769761-19/12/2013 Guidelines on Digital Forensic Procedures for OLAF Staff 1 January 2014 Introduction The OLAF Guidelines on Digital Forensic Procedures are internal rules which are to
Information Technologies and Fraud
Information Technologies and Fraud Florin Gogoasa CISA, CFE, CGEIT, CRISC ACFE Romania - Founder and Board member Managing Partner Blue Lab Consulting Information Technologies for Fraud investigation A.
Forensics on the Windows Platform, Part Two
1 of 5 9/27/2006 3:52 PM Forensics on the Windows Platform, Part Two Jamie Morris 2003-02-11 Introduction This is the second of a two-part series of articles discussing the use of computer forensics in
EXAMINATION OUTLINE FOR PRIVATE INVESTIGATORS
EXAMINATION OUTLINE FOR PRIVATE INVESTIGATORS 2014 I. Ethics (18%) This area assesses the candidate s ability to comply with ethical standards of private investigators regarding privacy rights, confidentiality,
East Haven Police Department
East Haven Police Department Type of Directive: Policies & Procedures No. 410.2 Subject/Title: Issue Date: Preliminary Criminal Investigations July 29, 2014 Effective Date: References/Attachments: N/A
Incident Response and Computer Forensics
Incident Response and Computer Forensics James L. Antonakos WhiteHat Forensics Incident Response Topics Why does an organization need a CSIRT? Who s on the team? Initial Steps Detailed Project Plan Incident
Introduction to Data Forensics. Jeff Flaig, Security Consultant January 15, 2014
Introduction to Data Forensics Jeff Flaig, Security Consultant January 15, 2014 WHAT IS COMPUTER FORENSICS Computer forensics is the process of methodically examining computer media (hard disks, diskettes,
Case Study: Smart Phone Deleted Data Recovery
Case Study: Smart Phone Deleted Data Recovery Company profile McCann Investigations is a full service private investigations firm providing complete case solutions by employing cutting-edge computer forensics
Automated Regional Justice Information System (ARJIS) Acceptable Use Policy for Facial Recognition
Automated Regional Justice Information System (ARJIS) Acceptable Use Policy for Facial Recognition Revised: 02/13/2015 A. STATEMENT OF PURPOSE The purpose of this document is to outline the responsibilities
EnCase Portable. Extend Your Forensic Reach with Powerful Triage & Data Collection
GUIDANCE SOFTWARE EnCase Portable EnCase Portable Extend Your Forensic Reach with Powerful Triage & Data Collection GUIDANCE SOFTWARE EnCase Portable EnCase Portable Triage and Collect with EnCase Portable
YOUR CONTACT DETAILS (ADDRESS, PHONE, EMAIL etc.):
Justice WA YOUR NAME: YOUR CONTACT DETAILS (ADDRESS, PHONE, EMAIL etc.): TODAY S DATE: INDICATE WHO IS COMPLETING THIS FORM: Defendant Family Member of Defendant (Relationship : ) Friend of Defendant Other:
IAPE STANDARDS SECTION 16 DIGITAL EVIDENCE
IAPE STANDARDS SECTION 16 DIGITAL EVIDENCE IAPE STANDARD SECTION 16.1 DIGITAL EVIDENCE Standard: Digital evidence is a critical element of modern criminal investigation that should be maintained in strict
Computer Forensics. Securing and Analysing Digital Information
Computer Forensics Securing and Analysing Digital Information Aims What is a computer? Where is the evidence? Why is digital forensics important? Seizing evidence Encryption Hidden files and folders Live
Digital Forensic Techniques
Digital Forensic Techniques Namrata Choudhury, Sr. Principal Information Security Analyst, Symantec Corporation Professional Techniques T23 CRISC CGEIT CISM CISA AGENDA Computer Forensics vs. Digital Forensics
Design and Implementation of a Live-analysis Digital Forensic System
Design and Implementation of a Live-analysis Digital Forensic System Pei-Hua Yen Graduate Institute of Information and Computer Education, National Kaohsiung Normal University, Taiwan [email protected]
Forensic Science : Course Syllabus Forensic Science : Secrets of the Dead
Forensic Science : Course Syllabus Forensic Science : Secrets of the Dead COURSE DESCRIPTION: Fingerprints. Blood spatter. DNA analysis. The world of law enforcement is increasingly making use of the techniques
Evidence Technician s School
Evidence Technician s School Program Overview The Evidence Technician s School is designed to provide your Evidence Technician or Crime Scene Investigator with a sound foundation of the basic principles
CSI Crime Scene Investigations
CSI Crime Scene Investigations Did Jack do it? Speaker Introductions Amber Schroader Paraben Corporation Oodles of forensic experience Tyler Cohen Federal Government (Still Cool Person) IPod Obsession
Privacy Policy Version 1.0, 1 st of May 2016
Privacy Policy Version 1.0, 1 st of May 2016 THIS PRIVACY POLICY APPLIES TO PERSONAL INFORMATION COLLECTED BY GOCIETY SOLUTIONS FROM USERS OF THE GOCIETY SOLUTIONS APPLICATIONS (GoLivePhone and GoLiveAssist)
Data Mining Minnesota Murder Victim s Cell Phone Reveals. Smoking Gun Evidence
Data Mining Minnesota Murder Victim s Cell Phone Reveals Smoking Gun Evidence State v. Ferguson, 804 N.W.2d 586 (Minn. 2011) Introduction Television programs routinely show attorneys and investigators
Goal to recognize, document and collect evidence at a crime scene
Crime Scene Investigation and Evidence Collection Lecture Credits: Anthony (Bud) Bertino Goal to recognize, document and collect evidence at a crime scene Sherlock Holmes» Sir Arthur Conan Doyle in the
CYBER FORENSICS. KRISHNA SASTRY PENDYALA Cyber Forensic Division Central Forensic Science Laboratory Hyderabad.
CYBER FORENSICS KRISHNA SASTRY PENDYALA Cyber Forensic Division Central Forensic Science Laboratory Hyderabad. 11 DIGITAL EVIDENCE? Cyber crimes Digital evidence Digital evidence is any information of
Incident Response and Forensics
Incident Response and Forensics Yiman Jiang, President and Principle Consultant Sumus Technology Ltd. James Crooks, Manager - Advisory Services PricewaterhouseCoopers LLP UBC 2007-04-12 Outline Computer
Principles of Information Security, Fourth Edition. Chapter 12 Information Security Maintenance
Principles of Information Security, Fourth Edition Chapter 12 Information Security Maintenance Learning Objectives Upon completion of this material, you should be able to: Discuss the need for ongoing
Test Results for Mobile Device Acquisition Tool: Lantern v2.3
FEB. 203 U.S. Department of Justice Office of Justice Programs National Institute of Justice Special RepoRt Test Results for Mobile Device Acquisition Tool: Lantern v2.3 nij.gov Office of Justice Programs
CONCEPT MAPPING FOR DIGITAL FORENSIC INVESTIGATIONS
Chapter 22 CONCEPT MAPPING FOR DIGITAL FORENSIC INVESTIGATIONS April Tanner and David Dampier Abstract Research in digital forensics has yet to focus on modeling case domain information involved in investigations.
The Enhanced Digital Investigation Process Model
The Enhanced Digital Investigation Process Model Venansius Baryamureeba and Florence Tushabe [email protected], [email protected] Institute of Computer Science, Makerere University P.O.Box 7062,
Admissibility of Digital Photographs in Criminal Trials
Admissibility of Digital Photographs in Criminal Trials Keith Hodges, Senior Instructor, [email protected] Federal Law Enforcement Training Center Glynco, GA 1 What we will discuss Digital photos captured
Course Forensic Science. Unit II History
Course Forensic Science Unit II History Essential Question What is legally and ethically expected of forensic scientists and Crime Scene Investigators? TEKS 130.295(c) (4)(C) Prior Student Learning History
County of Monterey DISTRICT ATTORNEY INVESTIGATOR I
DISTRICT ATTORNEY INVESTIGATOR I DEFINITION Under supervision, investigates cases of suspected welfare fraud and other criminal activity to obtain facts and evidence in support of administrative action
ITU Session Four: Device Imaging And Analysis. Mounir Kamal Q-CERT
ITU Session Four: Device Imaging And Analysis Mounir Kamal Q-CERT 2 Applying Forensic Science to Computer Systems Like a Detective, the archaeologist searches for clues in order to discover and reconstruct
How To Be A Computer Forensics Examiner
Richard A. Peacock 410.346.7288 (Office) 443.398.5246 (Cell) [email protected] EnCase Certified Examiner (EnCE) Access Data Certified Examiner (ACE) Access Data Mobile Phone Certified Examiner
DIGITAL FORENSIC INVESTIGATION, COLLECTION AND PRESERVATION OF DIGITAL EVIDENCE. Vahidin Đaltur, Kemal Hajdarević,
DIGITAL FORENSIC INVESTIGATION, COLLECTION AND PRESERVATION OF DIGITAL EVIDENCE Vahidin Đaltur, Kemal Hajdarević, Internacional Burch University, Faculty of Information Technlogy 71000 Sarajevo, Bosnia
Computer Forensics as an Integral Component of the Information Security Enterprise
Computer Forensics as an Integral Component of the Information Security Enterprise By John Patzakis 10/28/03 I. EXECUTIVE SUMMARY In addition to fending off network intrusions and denial of service attacks,
CURRICULUM VITAE MOSES GOMEZ
CURRICULUM VITAE MOSES GOMEZ Areas of Specialization: Fire Investigation and Litigation Consulting Motion Picture/TV and Theatrical/Stage Pyrotechnic Special Effects Pre-Planning Safety Inspections, Training,
