Compared to many of you I'm still wet behind the ears. My first computer had a 386 processor, 4MB RAM, (paid extra for that) DOS 5.0, Windows 3.0, a whopping 120 MB HD, and a smokin' 28 baud modem. That was extra too, even though I was a bit fuzzy as to what I was actually going to do with it. This would have been about 1990 or so, and we bought the computer because we were both taking college classes part time and we'd seen how word processing was so much better than the typewriters we'd been using.
I was still in the uniformed Patrol Division of the police department, but about to be transferred to the Fraud Section. When I got there, owning a computer and knowing just a little about PCs and data transfer would change my career.
This thing fascinated me. How does a mouse work? What, exactly, happens when I press the letter "a" on the keyboard to make it appear on the screen in Wordpad or later, Ami Pro and then be able to print it? So I started buying books and subscribing to magazines to try to figure out how this machine-that-looked-like-magic actually worked. Both of us took basic and advanced classes in DOS from the County's Adult Education section, as we both were flummoxed by DOS. Who in their right mind would design such a clumsy interface and limit file names to eight plus three characters and have all those nonsensical sounding command prompt names? Seemed awfully dumb to me when Windows made actually doing anything so much easier. Oh, and I joined a local PC user group, which was a huge help with their BBS service.
In the Fraud Section we started getting cases involving early online fraud, mostly through AOL and local BBSs. I volunteered for those, partly because I thought they were interesting and partly because I was the only one who had a clue what to do with them, so I got the reputation of "The Computer Guy," although I could barely write a (very simple) batch file. But that was because I was the only one who even knew what a batch file was.
Shortly after the transfer to the Fraud Section we had to go to recurring in-service training for a week, which is required in MD to remain certified as a police officer. One of those classes had a one-hour talk by an FBI agent who was then the only agent who had a Ph.D. in Computer Science. He talked of clusters and sectors on hard drives and recovering erased files, and I was the only person in the room who had a somewhat vague and fuzzy comprehension of what he was talking about.
Then he told the story of a case he'd had in PA several years prior, in which (to make a very long story short) a female kidnapping victim had died a long, slow, and tortured death, in part because the police department there hadn't had the foggiest idea that a home computer could possibly be useful as a source of evidence. In this case, the home computer was just about the only source of evidence, and it sent the perpetrator to prison for life with no parole.
The thing that grabbed at me was that I could see the same thing happening where I worked, because at the time home computers were a rare thing, used mostly by math geeks, scientists and engineers. I think market penetration was about 5%. This was way before the release of even Norton's Utilities, which became the standard go-to software for forensic computer examiners until much better software came along, so the FBI agent had to write his own software.
So I started reading all I could about computer crime and how I could apply it to my job. Then I got the first of several very lucky breaks. There was a four-day seminar being held at the Northern Virginia Police Academy, and the guy from our department originally scheduled to go couldn't go because of a court date, and I was asked if I wanted to go. Sure! They went into the minutiae of how data is stored on an HD (in DOS; Macs weren't discussed) and how it could be recovered, and how to do it without writing anything on the HD so as not to alter the original evidence, which would be crucial in getting it admitted as evidence in court.
I later had a chance to go to another week-long computer forensic class in Morgantown, WV that was free because the DOJ paid for it. It even included the hotel and meals but only at one hotel and one restaurant (I still don’t much care for Cracker Barrel because of that).
I started calling around to other police departments to see what they were doing with this new stuff, and found that there were only four people in the entire state working on computer forensics, which is basically data recovery combined with a knowledge of Fourth Amendment search and seizure law as it applies to presenting electronic evidence in criminal court. At the time there wasn’t much precedent and we were the ones “writing the book” on that.
Lucky break #2 came when the International Association of Computer Investigative Specialists (IACIS) held their two-week conference/training class in McLean, VA, within commuting distance. So far, that has been the only time it was ever held there. I asked to go and was turned down because the training budget for the year was exhausted. I knew that, so I had the memo prepared and fired right back, saying that I would write the $700 tuition check if I could get two weeks of administrative leave and use of the County car to commute. They said yes!
I gotta wrap this up, it’s getting too long.
So I got that certification, and eventually another guy and I got the job of setting up the Computer Crime Unit, where I stayed an additional four years after I could have retired simply because I was enjoying the work so much. I also became a coach and instructor at later IACIS conferences.
It was interesting because to me it was a job that came straight out of a Robert Heinlein story, in part because nothing like that was even remotely conceived of when I was hired. "Computer Forensic Examiner? Whazzat?" And at the time it was truly bleeding edge stuff in law enforcement because there were rarely any precedents for the legal issues.
Here’s an example:
It is well established in Fourth Amendment case law that a search must be "reasonable." So if I have a search warrant to search a home for stolen car tires, I can reasonably search in the attic, closets, maybe even under beds if they're small tires, the basement, the garage, and so on. But if I open a filing cabinet and find drugs, that is going to be ruled inadmissible because I "exceeded the scope of the warrant," because one could not reasonably expect to find tires in a filing cabinet (unless it is a really huge cabinet; I'm thinking of the normal office size). Now, there is an exception to this (there always is) called the "plain view doctrine." If I go into the basement looking for tires and find a drug-growing operation, that will be ruled admissible because I would have inevitably discovered it anyway because it is in plain view. This is called "inevitable discovery."
So how does this apply to a hard drive? No one had any idea, because the issue had never come up before. Soooo… I get a hard drive on my desk to examine. The suspect is a programmer who worked for a financial data analysis company. This software sells for about $4 mil a seat, so it's not stuff you find at Walmart. He is suspected of stealing the software source code, intending to sell it overseas for a nice profit. In the process of searching the hard drive I stumble across child pornography, which in most states is contraband, meaning that mere possession of it is a crime; in MD it is a misdemeanor. The legal question now is "Do I need to apply for a second search warrant to search for the child pornography?"
Going under the plain view doctrine I continue the search of the hard drive looking primarily for the source code files, but noting the porn stuff when I find it. When I finally find the source code (crudely put in a .zip file with the extension renamed .doc) I get the arrest warrants and serve them. Now the fun begins….
This guy is fighting the charges tooth and nail because he's a foreign national, and if he gets convicted of possession of child pornography he's going to be deported, since that is a sex crime. So the main issue before the court is "Should a second search warrant have been obtained?" The answer in this case is "No," but only by the thinnest of margins. With the advantage of hindsight I would have obtained the second search warrant and saved a lot of bother, but at the time this was new legal territory.
The judge ruled the porn evidence admissible because the primary focus of the investigation remained on the felony, the theft of the source code. (There is an exception for that one too.) But generally, later higher court rulings were that the second search warrant must be obtained.
I’m absolutely sure that the fact that the judge was female and had four children of her own had absolutely nothing to do with the ruling.