Locked away in digital data stored on desktop, tablet and laptop computers, mobile phones, flash drives and computer networks are the missing pieces to civil and criminal cases. Digital evidence is as vital to investigators as any physical evidence roped off by yellow crime-scene tape.
Felipe Chee is the San Diego-based investigator for the California Department of Motor Vehicle Investigations Division’s computer forensics team, and secretary of San Diego’s High Technology Crime Investigation Association. In an interview from his Rancho San Diego office, Chee said digital forensics are part of any thorough investigation.
“As law enforcement, we have to do our due diligence,” Chee said. “For example, if I do a pat-down, I can’t pat here but not here. Nowadays, everything’s not in a file cabinet, it’s all on a computer.”
“Sometimes the only connection to the crime might be the phone or computer,” said Chee, whose investigations for the DMV range from identity theft to counterfeit vehicle registrations.
Accessing the digital data is no small feat. A search warrant must be obtained to look at any digital device or network, citing the specific crime under investigation. The data are stored in a read-only format to prevent disturbing any evidence. Then the investigator must traverse ever-evolving operating systems and pass-code locks, and search through deleted, existing and back-up files. The forensic tools available for mining the data are made by a number of vendors, and no one gadget or software works for every computer or cellphone.
“When an officer brings in something and says, ‘What can you get from that?’ My answer is, ‘It depends.’ There’s no guarantee. I’ll do what I can. There’s no magic bullet for everything,” Chee said.
Once data is mined, the real work begins, according to Daniel A. Libby, director and chief examiner for downtown San Diego-based Digital Forensics Inc., a private investigative firm that does contract forensic work for corporations, law firms and government agencies.
“The hardest thing we have to prove is who was at the keyboard at the time,” Libby said.
For example, in the case of a child pornography warrant, the crime is typically traced to an IP address. “If it’s in a house with 15 or five people, I have to prove who actually was there, who really did it,” Libby said.
Libby and Chee said they frequently testify in court about their findings. The forensic tools they use are at their or the law enforcement agencies’ discretion, but the investigator often must cite their certifications to prove their credibility. Libby is an AccessData certified examiner, or ACE, a credential intended to demonstrate his proficiency with Utah-based AccessData’s Forensic Toolkit technology. Meanwhile, Chee is a certified forensic computer examiner with the International Association of Computer Investigative Specialists, a vendor-neutral accredited certifying body. Chee said his CFCE certification shows the court he has a demonstrated ability to extract digital forensic evidence, just as any other certified forensic specialist might extract physical evidence.
The global reach of digital data means investigations often stretch beyond jurisdictions and city limits. Chee said in those instances his DMV computer forensics team can work with one of its other three offices statewide, high-tech task forces like San Diego’s multi-agency Computer and Technology Crime High-Tech Response Team or “CATCH,” or the Federal Bureau of Investigation.
“Especially with computer crimes, it doesn’t just happen here locally. It could be anywhere,” Chee said. “From a law enforcement perspective, it is kind of fragmented. That’s a tough one.”
While data found through digital forensics can be used to prosecute cases, Chee said it’s worth noting that advanced electronic data mining can likewise be used to exonerate people suspected of committing crimes.
“We’re not here always to try to throw the book at the bad guy,” he said. “There are times when I look at digital evidence and I think, I don’t think your guy has anything.”