Computer Forensic Investigations Explained by the DoD

If you have been reading my blog lately, you have noticed that I’m interested in technology and computer forensics. This has even led me to learn a bit about private investigation work. I took the time to convert a video from the DoD into text so you could read it:

The Many Uses of Computer Forensics

You name the crime and there’s going to be a digital nexus to that crime or it could be anywhere from a homicide, unattended death, espionage, terrorism, maybe a major intrusion. There’s not a case type that I can think of that doesn’t have some computer component to it.

A terminal screen shows a computer hacker typing in commands.

When you think of a hacked computer, you can think of it in terms of a digital crime scene. In almost every general crime investigation these days, you do have a digital evidence component. Anytime there is a computer involved, any type of media, cyber department is called immediately.

The Changing Digital Landscape

Now the computers have gone from being an element of a crime to actually being a crime scene itself. In a computer forensics examination, our crime scene is the hard drive, the media. That’s where the evidence lies.

You have to take risk anytime that you’re opening up a device and getting at its most complex inner workings. We go any place where the data is.

We have deployments in Afghanistan, going to particular spots where there might be media that we can seize and process.

Cyber-crime leads investigators all over the globe.

They have to respond to something within minutes (if not sooner) because they may be chasing someone, they may be just looking for information on a terrorist cell and it’s only going to be there for a short period of time.

The world we’re fighting today is very different. I would like to do my part in trying to help fight a war that’s not only physical, but it’s cyber.

Digital Detectives are on the Case

Searching for digital evidence in a homicide case, tracking the trail of a computer hacker. Protecting U.S. service members from internet fraud and identity theft. These are all a priority for defense department special agents fighting cyber crime.

They’re on the front lines of a new war being waged around the world and the battleground is cyberspace. They support the growing DoD mission of cyber security, helping to protect defense computer networks and data. With a unique blend of training and skills in law enforcement, forensic science and computer technology, DoD special agents and teams of cyber investigators are cracking computer codes and helping solve crimes.

Whatever the cyber crime may be, DoD Digital Detectives are on the case.

Nearly every NCIS investigation has a cyber dimension. The NCIS technical services division provides agents with investigative expertise and specialized gear.

There’s nothing like actually going to a scene, where there’s people who have been brutally murdered, where there’s a lot of blood or a body that’s been there for a very long time. There’s a lot of smells that go along with that. In criminal cases, we have to understand what we’re looking at with the body. The body is a crime scene in itself. An agent is an agent. Basically, we’re all trained law enforcement officers to work criminal cases and to follow the investigative process to come to an end, to help gather information, gather evidence, solve a crime.

Computer investigations, computer examinations, they often lead to strategies of perpetrators, where they’re going next.

Solving Recent Cases

New developments in the Camp Lejeune Marine, who is suspected of murdering pregnant Lance Corporal Maria Lauterbach. An Onslow County, North Carolina grand jury indicted Marine Corporal Cesar Armando Laurean Thursday on five charges.

Cesar Laurean was already absent without leave, so the fugitive team seized the government computers in an effort to see if there was anything, any communication or whatsoever to maybe the whereabouts of Cesar Laurean or the death of Maria Lauterbach.

Whatever you do on a government computer, we can examine for criminal activity. However, in this case we also got authorization from the commanding officer. Our job as computer forensic examiners is to extract that information from these computers, provide it to a case agent. They can use that for legal proceedings. We look at things like recently accessed files, photographs, documents that were typed, communications.

Cleared your Browser History Lately?

I examined that computer and specifically examined Cesar Laurean’s computer profile for any activity. I found information on his internet history. As you can imagine, we’re in a situation where we need to get information right away. Since he was already on the run, I was looking for specific dates. I wanted to get the last activity that was conducted on his computer. There was a specific MapQuest search for his residence to a particular hotel in Raleigh, North Carolina. He was doing Google searches for defense attorneys, on how to conduct a homicide investigation and job opportunities, classified ads in Puerto Vallarta, Mexico. That gave the fugitive team something to act upon. A viable lead.

A 3-month manhunt for a Marine Corporal charged with the murder of a pregnant fellow Marine has ended with his arrest in Mexico.

That’s the beauty of a computer examination. It gives them insight into their activity. Every aspect, where they may go next? We testified in court, as far as the MapQuest searches, the Google searches and what he was doing. I think it helped the jury, as far as premeditation and the deliberation of Cesar Laurean and his intentions.

Traditional forensics is going into a room and actually jamming the room and finding evidence. However, in a computer forensics examination, our crime scene is the hard drive, the media. That’s where we extract the information from. That’s where the evidence lies. In April of 2008, in the Hampton Roads neighborhood, a female was found in her home.

Her father came home and found her dead.

It looks like somebody tried to restrain her as her arms were tied behind her back.

The female was a daughter of a Navy Sailor. She was half dressed and bound, lying in a pool of blood. NCIS Norfolk Field Office and Portsmouth Police Department opened up a joint investigation. Because it was such a heinous crime, we threw a full spectrum of law enforcement resources at this to ensure we caught the assailant. One of those law enforcement resources was computer forensics, which NCIS Cyber Department brought to the table. We obtained the victim’s computer. We discovered numerous email chats, communications. One individual stood out, a Navy Sailor, who was interviewed. He was actually later cleared of the charges of sexual assault and murder.

A Corner Turned

The investigation went on. A few months later a suspect was identified to interview. He had a computer, so we were again called to conduct forensic examination on the computer. It had email communications and, of course, chats. What the individual said was, “He had done a very bad thing and no one will understand what happened.” It doesn’t mean anything, until it’s actually brought together by the forensic examiner and identifying the person connected to the individual who put that information on the computer. The individual pleaded guilty and he was sentenced to 42 years for sexual assault and murder.

Cyber touches every part of everything that NCIS does. We’ve grown from a couple of guys in the Washington area, to now we’re worldwide. As the internet grew, so did the crime involving computers and other electronic media. In some cases, obviously, the digital evidence can expedite you solving a case and other times it can … Yeah, certainly it can slow it down, but it’s an essential part of producing a solid case that you’re going to take to court.

We have to have the ability to get evidence wherever it lies. We have to have every agent running an investigation understand where evidence may be, because digital evidence or just plain evidence, there’s really not any difference. It could be the linchpin to the entire investigation and often it is.

I’ve done computer support to a murder-for-hire investigation. An individual had hired a hitman to kill his wife. We caught him. Things like text messages, email now, all that data links back into that communication that was necessary to prove a very serious criminal conspiracy. The end result, if we did not investigate, did not succeed in that investigation would have been death.

With any data we’re looking for to place the suspect at the location of the crime.

A lot of the investigative techniques with cyber investigations are simply an evolution of the general criminal investigative techniques.

The hard drive is just bits and pieces. It’s similar, again, to going into a room and doing traditional forensics. You’re not bringing the whole entire room to court, but you’re bringing the evidentiary pieces to court.

Almost every device you have today is supported and contains digital media, which might be relevant to an investigation or an operation.