Digital Evidence: How Law Enforcement is
by Nancy Ritter
About the Author
Nancy Ritter is a writer/editor at the National Institute of Justice.
The need for State and local police departments to leap ahead in the war on cyber-crime and develop procedures for identifying and processing electronic evidence is urgent. Yet, progress continues to be slow.
“At the rate we’re going now, law enforcement is going to fall so far behind the electronic technology curve that, in a couple of years, we will never catch up,” says Bob O’Leary, a former New Jersey detective, who heads up the Electronic Crimes Partnership Initiative (ECPI).
Funded by the National Institute of Justice, ECPI is a multidisciplinary team of professionals committed to enhancing law enforcement officers’ ability to solve computer crimes. ECPI draws on the skills of a coalition of experts from law enforcement, academia, the government, and the private sector. The experts at ECPI teach police officers to solve computer crimes (such as using the Internet for child pornography) and to develop digital evidence (from computers or cell phones, for example) in crimes like rape and murder. By educating law enforcement professionals on the myriad ways computers can facilitate criminal acts, the group seeks to help officers conduct more sophisticated investigations that will build stronger cases and lead to more convictions.
The Importance of Cyber Education
Each day, State and local law enforcement officers must identify, gather, and analyze both physical and electronic evidence in a wide range of cases. Most police officers are skilled at recognizing physical evidence in such cases, but many have never been trained to recognize the existence or importance of electronic evidence in solving a crime or building a winning case.
And they aren’t the only ones in the dark. A recent NIJ needs-assessment study found that many police chiefs, senior managers, and those who make funding and resource allocation decisions do not possess the level of expertise or tools needed to investigate and prepare cases for successful prosecution. Guy Meader, an electronic crime technology analyst at NIJ and former detective in Montgomery County, Maryland, adds, “Of the police chiefs and managers who are willing to support an investigative capability for electronic crime, they often do so at the expense of other units or assign dual investigation responsibilities to personnel.”
To help law enforcement professionals use electronic tools in fighting crime, ECPI is developing a 4-year, bachelor’s degree curriculum that will award graduates a degree in Electronic Crime Prevention and Investigation. The degree will combine in-the-field investigative skills—the ability to see the big picture, whether through understanding a suspect’s modus operandi or approaching a physical location—with digital know-how.
ECPI also is working with the nonprofit volunteer group International Association of Computer Investigative Specialists (IACIS) on a “Bag-’n-Tag” course to teach officers how to seize and process digital evidence, which is often more fragile and fleeting than other physical evidence at a crime scene. ECPI and IACIS will hold classes in police departments, universities, and prosecutors’ offices around the country.
O’Leary emphasizes the importance of the Bag-’n-Tag course. “It’s crucial that you get everything from a crime scene the first time,” he says, “because you often don’t get to go back [without a new warrant].” By then, the scene may have been compromised, and critical evidence removed or destroyed.
Eliminating Impediments to Prosecution
One of the greatest challenges in electronic crimes for law enforcement is the absence of geographic boundaries. Ed Kelly is an Assistant United States Attorney for the Southern District of Iowa and is currently on detail to NIJ as a senior advisor on electronic crime. Kelly explains that while the Internet has eliminated boundaries for criminals, State and local officials’ investigative authorities still are bound by narrowly defined jurisdictional areas. These boundary restrictions and the resulting conflict of authority often mean that officers must apply for warrants in multiple jurisdictions. This extra footwork can translate into a loss of valuable time and, ultimately, evidence.
ECPI is working on a way to encourage reciprocity (sometimes called “full faith and credit”) between States when out-of-State search warrants, subpoenas, and court orders are served. Kelly, who is also a former assistant director for cyber-crime training of Federal prosecutors at the U.S. Department of Justice’s National Advocacy Center, said ECPI is investigating how reciprocity can best be pursued.
Another impediment to prosecuting cyber-crime cases is the time it takes for Internet service providers (ISPs) to respond to subpoenas. Currently, it often takes several weeks for an ISP to produce subpoenaed records. ECPI is working on a way to facilitate responses. Using secure servers in strategic locations around the country, ISPs could transfer records much more quickly to a regional server to which only designated law enforcement personnel would have access. ISPs, which are often served with hundreds of subpoenas a day, have voiced support for the idea, because it would save them significant reproduction time and costs. And, from a law enforcement perspective, a faster response increases the potential for more successful investigations and prosecutions.
The Need for Standards
Whenever a new field of investigation burgeons, a need to establish standards soon surfaces. Thus, ECPI is working to establish standards for the collection and analysis of digital computer evidence and to create uniform standards for the certification of examiners. Mike McCartney is a senior investigator with the Criminal Investigations Division of the New York State Attorney General’s Office and a member of ECPI’s standards and certification working group. McCartney notes that although some standards exist for digital evidence forensics, the certification of examiners varies widely. And there are no standards or certifications for high-tech crime investigators.
McCartney’s group is exploring standards and certifications that will apply to personnel, education and training programs, tools, and forensics labs. The group is also establishing guidelines for conducting investigations, handling and preserving evidence, and prosecuting cases.
ECPI also has plans to update NIJ’s publications on e-crime and digital evidence. First on the agenda is an assessment of the tools that law enforcement needs to catch cyber-criminals and stay ahead of the electronic technology curve. Criminal justice professionals must look beyond the immediate horizon, says O’Leary, and a new needs assessment will help them do that.
ECPI was created after an NIJ needs-assessment study (Electronic Crime Needs Assessment for State and Local Law Enforcement, NCJ 186276) concluded that “any potential for growth in electronic crime raises serious concerns about the capability of law enforcement resources to keep pace.”
Digital Evidence in High-Profile Cases
Martin Novak, program manager of NIJ’s e-crime portfolio, illustrates how digital evidence know-how helped solve several recent high-profile crimes:
BTK serial murderer Dennis Rader terrorized Wichita, Kansas, for 30 years until evidence on a computer disk led police to the former church council president and Cub Scout leader.
Scott Peterson’s computer contained a map of the island where his wife’s body was found and revealed that he had shopped online for a boat, studied water currents, and bought a gift for his mistress.
David Leslie Fuller’s computers showed that he had stalked three other teenage girls before he abducted, raped, and murdered 13-year-old Kacie Woody, whom he met in an online chat room.