Nearly every case Homeland Security Investigations (HSI) opens has some sort of digital evidence to be collected and analyzed.
But the work can’t be done by just anyone. The data must be meticulously cared for by agents trained to preserve the integrity of the material, who can also combat suspects’ attempts to erase their digital dealings — even from afar.
To address the need locally, HSI built a state-of-the-art computer forensics lab inside its Philadelphia offices to process the growing amount of evidence amassed from computers, smartphones and other mobile devices.
“If it involves electronic media and they need to look for evidence of a crime, it comes through us,” said Chris, 44, a Computer Forensic Agent.
Chris and three colleagues run the lab inside HSI’s Child Exploitation Unit, nicknamed CP for child pornography. It’s hidden behind a nondescript beige door next to the unit’s work area. The windowless, 30-foot long rectangular room is packed with electronics and monitors, collected as evidence or diagnostic equipment to analyze evidence.
The group works in the lab for nearly their entire shift. Unlike what many people may be trained to expect through watching hours of shows like “The Blacklist,” the room is more pedestrian than store displays at Best Buy.
Computer monitors sit on a shelf that rings the room at eye level. Some are black, while others show specialized software processing suspect’s hard drives. Those running are taking images, or snapshots of data, to be reviewed and preserved for cases.
Down below, black, rubber-topped workbenches are covered with devices, electronics cords and tools used to extract hard drives and memory cards. Nearby, smartphones sit in a metal box outfitted with glove holes and a small window. The enclosure, similar to ones used to contain infectious disease samples, is a cellular shield. It allows the forensic agents to power up mobile devices and extract evidence without the worry of a phone being remotely wiped.
Another wide gray workbench cuts the room in half. Here, the agents align the evidence up on mats imprinted with rulers and take photos of the confiscated items. CD burning machines spit out packages of evidence for case agents and other officials to review.
In the far north corner, Chris sits and quietly scrolls through a series of photos and videos on a large flat-screen — his gaze intently locked to the monitor. The images are evidence of child pornography. He’ll catalog the set, pull samples for a report and pass them over to the case agent who is handling the investigation.
He’s grateful that typically he won’t have to look at all of them.
“My personal feeling is that the case agents have it worse than we do,” he says. “If it’s 10,000 images or it’s 5,000 videos, we’ll collect a sampling and then the case agent will review the remainder. They need to look at everything, where we generally don’t have to do that.”
Specialized software also helps alleviate that problem, while speeding up the processing of evidence.
The software, which agents are reluctant to detail for fear they may give predators an insight into their investigative techniques, scans hard drives for photos and videos. Each piece of media has a unique code called a hash value — like a “fingerprint” -- that is identified through a mathematical algorithm.
This “fingerprint” is checked against their database, where images that have already been cataloged are separated out. Only the unidentified photos and videos will need to be reviewed by the computer forensic agent.
“The stuff that we know already is child exploitation material, I don’t even have to look at that, because we’re really interested in the stuff that we don’t know,” said Special Agent Jim. The new images will then be reviewed and indexed into the database.
Once the unknown images are collected, case agents will review them all, determine what violates the federal statutes and include vivid descriptions of a select few pieces of media in affidavits. The descriptions will outline how the children are forced to expose themselves and how the adult abused them. Those documents go to the CP unit supervisor, Will Crogan, the U.S. Attorney’s Office and ultimately a federal judge to determine whether warrants can be issued.
The case agents also perform field surveillance to ensure their suspects match up.
“If these investigators can get a hard address or track down a good IP and eventually find somebody, then we’ll get ‘em. It’s on. There’s still good forms of physical surveillance to perform just like good old detective work,” said Crogan, who oversees the unit and lab.
Agents are seeing a larger volume of evidence than ever before. This year, Jim said he processed about 35 terabytes of data. That’s nearly two times more than he reviewed seven years ago. If the data were all images, that would equate to tens of millions of photos. Just one terabyte holds more data than seven 128GB iPhone 6 smartphones.
“Nowadays, these guys have a laptop, a desktop, a tablet, a cellphone, hundreds of thumb drives,” the agent said. “It’s like we’re taking so much more stuff that we do need something to make it easier to get through this stuff.”
While the majority of their work is focused on child pornography evidence, the forensic team will also serve other HSI investigative units like Fraud and Narcotics.
“When I started in ‘09, I would say about 80 percent of the cases I did were child exploitation. I would say that that’s down to 60/40 now,” Chris said. “Not because the volume of the child exploitation case work is less, but the volume of the other case work is up.”
HSI agents have a love-hate relationship with technology. Almost each advance can both make their jobs easier by developing a new way to identify material and criminals, but can also help perpetrators get a step ahead of the good guys.
“I don’t think it’s going to get better,” Jim said. “With the direction technology is going, there’s certainly going to be more ways to hide this stuff.”