This is turning out to be the summer of interviews here on the blog. I am working on some right now that I am very excited about that deal with topics such as mobile devices, incident response, and security operations. This interview is with Cindy Murphy who one of my favorite digital forensics people. Cindy has made a name for herself by being heavily involved in leading the field in technical areas such as mobile device forensics and as a leader in several industry organizations. This interview turned out to be one of my favorite ones to do so far because Cindy can discuss any topic in an entertaining and informative manor with her unique blend of insight and humor. Cindy is also fellow native Iowan so that is always worth bonus points. Additionally, Cindy was recently part of a fantastic all-female panel for the Forensic 4cast podcast which you can find here.
Professional Biography of Cindy Murphy
Cindy Murphy is a Detective with the City of Madison, WI Police Department where she has been employed since 1991. She has been in law enforcement since 1985 when she started her policing career as a Military Police Officer in the US Army. She is a certified forensic examiner (EnCE, CCFT-A, DFCP), and has been involved in computer forensics since 1999. Det. Murphy has directly participated in the examination of hundreds of hard drives, cell phones, and other digital evidence pursuant to criminal investigations including homicides, missing persons, computer intrusions, sexual assaults, child pornography, financial crimes, and various other crimes. She has testified as a computer forensics expert in state and federal court on numerous occasions, using her knowledge and skills to assist in the successful investigation and prosecution of criminal cases involving digital evidence. She is also a part time digital forensics instructor at Madison Area Technical College, and is currently working on her MSc in Forensic Computing and Cyber Crime Investigation through University College in Dublin, Ireland.Detective Murphy has provided training for her department, outside departments, and the public in the areas of computer crimes, Internet safety, and digital forensics. She has provided rank specific and specialty specific training to detectives from Madison Police Department and other Wisconsin Law Enforcement Agencies in the use of computer evidence in criminal investigations. She has also provided training at the state and national levels to prosecutors in the use of digital evidence in criminal prosecutions and regarding expert witness testimony in digital forensics cases. She also developed and published “The CDMA Fraternal Clone Method” as well as several documents and white papers regarding the methodology of processing of cell phones as evidence. Detective Murphy is the president of the west chapter of Wisconsin Association of Computer Crimes Investigators (WACCI W), and is a member of the Chicago Electronic Crimes Task Force, High Tech Crime Consortium (HTCC), High Tech Crime Network (HTCN), is a board member of the Consortium of Digital Forensic Specialists, and is a member of the International Guild of Knot Tyers (IGKT).
AFoD: What led you to become a military police officer?
CM: I guess ancient history is as good a place to start as any, huh? Hmmmm.... 1985. Let's do the time warp again... again.
I was a senior in High School at West High School in Iowa City, IA (Go Trojans!) and really didn't know what I wanted to do with myself after high school. I knew I was good at school, but wasn't really sure what I wanted to study in college or what I wanted to be when I grew up, except for a vague dream of becoming a bush pilot in Alaska some day (yes, really.... stop laughing Eric!)
My twin sister Becky (identical, hash matching sister that is) had been contacted by an Army recruiter and dragged me down to the recruiting center to take the skills test with her – no commitment required, of course. We both set the curve on the ASVAB test, and afterwards a sharp recruiter asked me what I wanted to do with my life, and then promised that by becoming an MP (95B at the time) I could get stationed in Alaska after training - It was even written into the contract I signed. I thought my ship had come in and that providence was lighting the way to my future...
So, off I went to Fort McClellan, AL for Basic and AIT. After graduation, I received my orders - fully expecting to end up in Alaska. I couldn't believe my eyes when the orders read "Fort Polk, Louisiana." I actually probably could have legitimately gotten out of the Army at that point, but I have never been a quitter. I got to see Alabama, Louisiana, Honduras, a tiny piece of Nicaragua, and little bit of Germany while I was in the Army. I also met and married my first husband and had my daughter by the time I was 20. I took to the policing role like a fish to water, and found that I really loved it. In 1988, the year my daughter was born, I left the Army and moved to Massachusetts where I was offered a job as a VA Police Officer at the Brockton and Boston VA Medical Centers. I started college at Bridgewater state college where I studied Graphic Arts with a Criminology minor.
Three years later, I saw an ad in Police magazine advertising police officer openings in Madison, WI. I had studied the concept of Community and Problem Oriented Policing and had read about the great work done by then Chief David Couper and Professor Herman Goldstein at the University of Wisconsin. I applied for one of 24 police officer positions among a pool of over 1200 applicants. When I got the job offer, I jumped at it and have loved it since the beginning.I haven't made it to Alaska yet, but I'd sure like to go someday.
AFoD: Sure, we can do “The Time Warp” again. After all, it's just a jump to the left and then a step to the right. How did your career progress with Madison and how did it eventually lead you into digital forensics?
CM: I joined Madison Police Department on August 12, 1991 with 23 other hard charging people. The academy started with a ropes course and a trek into the bowels of a deep dark Wisconsin cave where along with building confidence and reliance on ourselves and our classmates, we learned that Wint-O-Green Life Savers really do spark in the dark. After the academy and field training, I spent my first year working nights on the East side of Madison, and then moved to second detail in the South and East Districts, and eventually to day shift in the North and East Districts. I loved patrol work dearly. Not being tied to a desk and being free to do foot patrol and take on community problems when not at work on dispatched calls was a really good experience. I got to know the people and businesses and conflicts and strengths in my various beats extremely well over the next 9 years.
There is no other job like being a police officer. You see people and communities at their absolute best and at their absolute worst, and you learn your own strengths and weaknesses along the way. I learned that I was a great problem solver and that I have the ability to see not only the larger problem, but the small problems that make up the larger problem. I also learned that when it comes to a chase, I'm a bit like a Chihuahua after a pork chop - read that "relentless". Being a good problem solver is pretty obviously a strength. Having an on-only switch when it comes to a chase can be a strength, but can also get you hurt. In my case, several foot chases I was in resulted in injuries. In the fall of 1998 I was involved in a high speed chase where an armed subject ran from a stolen vehicle after he crashed it. I continued the chase on foot, which took both of us over a 5 foot chain link fence. Several hundred yards beyond the fence, another officer and I were able to tackle the suspect, disarm him, and get him into handcuffs. The other officer then kindly pointed out to me that my pants were torn from crotch to knee and I was bleeding profusely. It was only then that I realized through the adrenaline and endorphin rush that I had not made it over the fence unscathed but had messed up my lower back and lacerated my hamstring in the process. After a patch-up at the ER and several months of PT later, I returned to the streets determined to be a smarter chaser.
While on light duty, recovering from that injury, I caught the digital forensics bug. I worked with a now long-retired detective from our department named John Mulcahy on one of the first computer forensics cases our department had done. We worked that case using DOS commands on a DD image of the suspect's computer. It was a different and fascinating set of problems to solve, involving skills my dad had shown me when I was a kid. I put in a training request to go to the NW3C's Basic Data Recovery and Analysis class and ended up attending in Helena, MT in 1999 with my twin sister (strangely enough, we didn't plan it that way - she was working in network security for Yellowstone County, MT at the time, and they sent her to BDRA too).
So, several months later, back on the streets, healed from my injuries, and a new fan of digital forensics, I got into another foot chase. I'm not sure where my 'smarter chaser' attitude went, because when I came across 3 teenagers spraying graffiti under a bridge. When they saw me they took off running, and I took off right after them. I chased them through a ditch beside the highway through waist-high grass, along side a parking lot where rain water runoff had etched out a three foot deep canyon that I didn't see because of the waist-high grass. All three teenagers made it over the gully. I almost made it over, but ended up blowing out my right knee - LCL, MCL, PCL and meniscus as I fell short, a$$ over teakettle into the trench. Another trip to the E.R., a round of knee surgery, and another long stretch of PT later, I came out in relatively good shape. I went back on light duty, and worked on updating the department's web page and helping out with a new computer forensics case.
After consultation with my family, (who needless to say had come to worry that I was a hopeless klutz) I wrote for and was promoted to detective in 2000. I started out working General Assignment the first 6 months or so, and then became a Financial Crimes detective. During this time, I was also being tasked to help with computer related cases where they came in, and over the next several years they took over more and more of my case load until in 2003 the department created a new position in the detective bureau for Computer Crimes, and I was assigned to working computer crimes and computer forensics full time.
AFoD: Ouch. Ouch. Ouch. So what you are telling us is that one of the finest computer crime investigators in the field today came into being because the City of Madison was concerned it was going to run out of storage space for your medical records? My own patrol injury stories aren't nearly as good. They generally involve being bitten by dogs and wiping out on the ice shortly after getting out of a patrol car. I agree with you wholeheartedly on the value of a solid patrol education. I learned an incredible amount about people and myself during my patrol days that I still use each day in the private sector.
I also think there many intangibles you get out of that initial academy experience beyond learning basic police skills. You learn a tremendous amount about yourself and how to operate as part of a team. You also learn it's really funny to watch your buddy get sprayed directly in the face with Oleoresin Capsicum (pepper spray) while the rest of your buddies laugh like hyenas. Well...it's a barrel of laughs right up until the point where it's your turn to get sprayed.
What has it like being a woman who entered law enforcement in the mid-1980s? Have you encountered any sort of sexism or similarly bad behavior?
CM: First of all... Aw shucks! I certainly wouldn't have the reputation I have in forensics without the dozens of really smart forensic folks out there who I've gone to for help on various problems I've encountered over the years, nor without the support of my department putting me through a whole lot of training. One thing is for sure in this business - there's no way for anyone to know everything they need to know, so having a great professional network and keeping your own training and education qualifications up to date is really important.
There are some universals in policing, aren't there? I've had the obligatory dog bite and ice slips, as well. It seems that Murphy is never far away and is forever enforcing The Law.
I think that any woman who has been in this (or any other male-dominated) field for any amount of time has faced a certain degree of 'sexism or similarly bad behavior' at one time or another. Luckily, I was one of three daughters raised by a feminist father and an extremely confident, skydiving other-mother. The message in our household was that we could accomplish anything we set our minds and hearts to.
A few examples: In the Army, I had many male soldiers offer to dig fox holes for me, and a staff sergeant who stalked me and left gross messages on my answering machine. On the street, I've had men volunteer to be handcuffed and who commented on how they loved women in uniform or women in positions of power. Just a year or so ago a retired forensic investigator (not digital forensics) from my department commented to me after my testimony in a homicide case "my you've gotten smart haven't you, young lady?" My response to him? "I've always been smart, you were just never smart enough to see it." I didn't want to come across as bitchy, but he sure wasn't concerned about coming across as condescending and sexist.
Misogyny generally sticks out like a sore thumb. It's easy to recognize and can raise its ugly head when someone of the opposite sex feels threatened by a strong and competent woman. Oprah said that "excellence is the best deterrent to sexism or racism" and I believe that to a certain extent that is true. On the other hand I also believe what Clare Boothe Luce said "Because I am a woman, I must make unusual efforts to succeed. If I fail, no one will say, 'She doesn't have what it takes.' They will say, 'Women don't have what it takes.'
I think that women bring a very unique and needed perspective not only to policing, but to digital forensics as well. We have a creative and collaborative approach to problem solving that is a good fit in these roles. If you look at the sea of faces at any given forensics conference, and note the gender inequality, you'll see that we have a long way to go when it comes to recruiting and supporting women in digital forensics. For the most part though, I have felt very accepted and respected among my male peers in the digital forensics community. More thankfully, I believe that the respect and acceptance I've garnered in this community is based upon my brains, my skills, my work, and my willingness to work with others rather than on my gender. And that means we truly have come a long way since the eighties.
AFoD: Can you tell the readers what your job is like on a daily basis?
CM: I work Monday - Friday 7:45 am until 4pm with every third Monday off for what I believe to be one of the finest police departments in the country. Every work day begins with Detective briefing, during which each of MPD's five districts share information about the cases that have happened in the past 24 hours, and about events such as search warrants and lineups that require extra assistance from other district detectives. After briefing, I head upstairs to my office and lab to check for new lab requests and answer email and voicemails. Then, I turn on Pandora and I dig into whatever happens to be in my caseload at the time, and I pretty much keep at it until the end of the work day. There are days when I look up at the clock and realize that it's 4:15 or 4:30, and that I should have left already.
Some days I get out of the office to help other detectives with a particular case, interview, or search warrant, or to the DAs office to consult with the attorneys there over cases from my jurisdiction or others. Some days I work on developing training or presentations, and others I may be writing search warrants or subpoenas or researching a particular forensic artifact or problem that's relevant to a case I'm working on. Some weeks are wrapped up in trial preparation where all of my time and efforts are spent on getting the digital evidence end of things ready for trial. This can even mean helping the DAs office by doing legal research and helping to prepare direct and cross examination questions, depending on the type of case, the experience and knowledge of the attorney, and the attorney's own crazy work load. And some weeks, I get to go to a digital forensics or investigative conference and present on my work. I like those weeks a lot, as they are a chance to recharge my batteries and fuel my imagination about what's new in the field, but going back to the case load is always rough, because no one is working on my ever-growing to-do list while I'm away.
A friend of mine once expressed an analogy about detective work that I think fits pretty well for digital forensics in law enforcement. Doing this job is like being a chef at a 10 burner stove, and nearly everything you have cooking is ready to boil over at any given moment. As the chef, it's your job to make sure the food still comes out perfectly, which generally means lifting the pots off the burner long enough to stir them before setting them down to work on the next. When something is finished, you get to present it to the customer, but there's always another boiling pot to take its place. Only as detectives, our boiling pots are felony cases involving real victims, witnesses and suspects.
Each case involves living, breathing human beings with a vast variety of backgrounds, feelings, hopes and fears, biases, addictions, and expectations. And we have to get it right because the stakes for those real people are so high. We have to be sure we have legal authority to do the things we do, and that we always scrutinize our work to be sure we've done everything we can, and have done it right. Of course, we are human too, and we all make mistakes - when we do, it's our job to find them, correct them, and learn from them. Sometimes the mistakes actually teach us more than the things we do perfectly. The harder part is that we're being asked to do more and more with less and less, in a situation where we really didn't have that many resources to begin with.
Because of limited resources, with very few exceptions, every case I work on is a felony. When an individual's life story becomes involved as victim, suspect, or witness to one or more felony crimes, their story is by it's nature compelling. There are literally hundreds of memorable stories that have emerged from the cases I've worked on over the past 12 plus years of doing digital forensics. I've worked a number of fairly high profile cases over the years, including the first computer crimes case charged under the Patriot Act, and have had one case go the the US Supreme Court and another go to the Wisconsin Supreme Court. To me, the small cases can be as interesting as the big ones, depending upon the story behind the evidence. They say that the truth is stranger than fiction. I've seen some of the strangest truths out there doing this work, and the stories behind the cases are the main reason I find the work so compelling.
AFoD: Can you talk about your case that involved memory forensics?
CM: I guess the case I'm probably best known for is the Madison Police Radio interference case involving a hacker named Rajib Mitra. That case was compelling enough on it's own, but as with so many cases, it became two cases when I found encrypted child pornography during the forensic examination of his hard drives. With a great deal of help from Milwaukee Det. Rick McQuown we broke the encryption on Mitra's drive and were able to charge and successfully prosecute Mitra for possession of child pornography and child exploitation. The original computer crimes case began back in 2003, and the child exploitation case just ended this spring. Unfortunately, the day after he was sentenced in his child pornography case, Mitra committed suicide in jail.
From January through November of 2003, my police department experienced a series of intentional jamming attacks against its newly installed computer controlled, trunked radio system. There were three distinct attack methods used over the course of those 11 months, and Mitra was eventually identified as the suspect and then apprehended, prosecuted, convicted and held responsible for the attacks. The three jamming attacks looked like this:
1) Between January 15th and August 15th 2003 there were, at minimum, 21 jamming incidents where radio communications within a small geographical area of downtown Madison were interfered with. Police Officers, Fire Fighters, and Emergency Medical Services personnel in the affected area couldn't send or receive radio transmissions for short periods of time, generally around 15 to 20 minutes per incident. During these incidents, the error code “no system” was displayed on the screens of officer’s portable and squad radios. These “no system” outages generally corresponded with police calls involving bar fights or other radio-dispatched emergencies that occurred in the immediately affected geographic area. Obviously, for those officers in the area when the radio system was being attacked, this was a really dangerous situation.
2) During the night of Halloween, 2003 a steady rogue tone was broadcast on the control channel frequency, effectively blocking emergency communications over a large geographical area of Madison and Dane County, Wisconsin and creating a significant safety hazard for public safety personnel and the public. Three times the control channel was manually switched to an alternate frequency in an attempt to alleviate the problem; and three times the attacker redirected the jamming signal to the new control channel frequency. Due to the nature of this interference it was readily apparent that intentional sabotage was the cause, as the rogue signal followed the legitimate one several times. This was a really dangerous attack considering that Madison traditionally has a large Halloween celebration each year that sometimes tends to end in riots anyway. 2003 was one of the riot years, by the way.
3) On November 11th, 2003 things got really strange. MPD experienced additional problems with intentional radio interference consisting of thirteen sexually explicit audio clips piggy-backed onto the end of officers’ legitimate transmissions over a 2 1⁄2 hour period of time. The transmissions were broadcast across the repeaters and affected the entire city and county geographic area. The piggybacked pornographic transmissions were audible to any one monitoring radio traffic with a police radio scanner. While the thought of porn being played on police radios might at first seem funny, the natural reaction for officers on the street was to turn off their radios, effectively putting them out of communication with dispatch.
I was assigned as the lead detective on the case after Halloween when it became obvious that the attacks were intentional. One of the first problems was that unless an attack was ongoing, there was no way to trace where it was coming from. I then engaged in a super-crash-course on computerized trunked radio systems, soaking up as much information as I could about how they work. Thankfully, some of what I learned then applies nicely to cell phone investigations. Next, we basically put together an incident response team. We didn't call it an IRT, but the same concept applies. If you think about it the first two attacks described above are basically DoS attacks against the radio system, and the third was an intrusion and unauthorized user on the system.
November 11th, (the night of the porn broadcasts) was literally a dark and stormy night. It was cold, windy, and thunder-storming. Mitra was convicted in a Dane county courtroom for a speeding ticket, and left the courtroom angry. 45 minutes later the explicit broadcasts started, and the Officer In Charge initiated our response plan, calling in the people who had been prepping in the 10 days since Halloween. We tracked the intermittent rogue signals to an apartment building, but didn't get enough information to make an arrest that night. We backgrounded everyone in the building until we came across Mitra, who had two previous hacking convictions and was a licensed HAM radio operator. Two days and a marathon search warrant writing session later, we served the warrant on Mitra's apartment, and arrested him on his way home from class at UW.
Mitra invoked his right to a speedy trial in the federal court system, and so within 90 days, we had a jury trial, after which he was found guilty and was sentenced to 7 years in federal prison followed by 3 years extended supervision. It turned out to be the first computer crimes case charged under the Patriot Act, though I didn't know that at the time. He appealed the case all the way to the US Supreme court which declined to hear the case on Halloween day, 2005. In the mean time, Mitra sued me civilly to get the data on his hard drive back (I had returned his property to his parents at his insistence following the exhaustion of his appeals, but had wiped the drives because of the suspected child pornography on them). He wrote letters to the DA's office and other investigators involved in the case accusing me of being dishonest and even asking that I be charged for perjury. His writings made some things really clear to me - first that he blamed me and ‘the system” in general and not his own behavior for the situation he found himself in, and second that he really, really wanted his data back. Up until this point in my 20+ years of policing, I had never been sued or even accused of doing anything wrong. Call me officer Friendly Mc. Goody-two-shoes... I follow the rules in policing, and they have never steered me wrong!
The process of dealing with the legal demands from his appeals and civil suits kept the drive and it's encryption problem on my front burner. I went to a WACCI conference in June of 2009, and heard Rick McQuown talk about pulling encryption keys from hyberfil.sys files, and afterwards sent the registry files and then the full drive image to him. Several days later, I got a call from him and he asked me, "Are you sitting down?" I knew right away that he had good news - I will never forget that day. He walked me through the process he had used, and viola'! Forensic magic of the best kind!
So, then I tracked down his victim and interviewed her, put together the new images case, and sent it to the DA's office. A co-worker who was aware of all the headaches and stress I had gone through with the appeals, false accusations, and civil suits asked me something that I still think about once in awhile. She said, "Now that the first case is over and all of his appeals and civil suits are done with, is this really worth it?" I thought of the very predictable upcoming suppression hearing, followed by another jury trial, appeals, and the potential for more lawsuits. In the end, the answer for me is that it doesn't really matter whether its worth it to me or not - it was my job to do it and to do it to the best of my ability. So, there was a nasty suppression hearing in December 2010 where I was basically accused of conducting a warrantless search (with three warrants in place) planting CP in the drive back in 2003 to be found later (matching MD5 hashes ROCK) and of planning the timing of the second prosecution to coincide with Mitra's release from prison (like I control the timing of anything in the criminal justice system) among other things.
Then we were off to the second jury trial in January, where the victim had to testify and have her photos shown to 13 complete strangers, the judge, the attorneys, and the defendant. Mitra testified on his own behalf and the jury came back in just around three hours with guilty verdicts on all counts: 8 counts of possession of CP and 2 counts of manufacturing CP. He was sentenced in April 2011 to 6 1/2 years in state prison followed by 7 years extended supervision, with no possibility of any use of any digital device until after supervision. The day after sentencing, he met with his attorney, filed his appeal and then hung himself, after sending a suicide note to a media outlet.
I began this story by saying his suicide was unfortunate, and I believe that it was. He left his parents with all sorts of unfounded and unanswered questions and planted blame before he left. He left his victim, whom he once claimed to love, with enormous amounts of guilt and put her through hell along the way. He never did truly understand the impact of his actions on the people around him. He left the world having wasted enormous potential with his intelligence and technical abilities. A reporter recently asked the question whether Mitra was the dangerous man portrayed by the court record, or the kind and funny man portrayed in his letters to an acquaintance that he wrote from jail. I don't think he was either one or the other - the truth is he was both. And when it comes right down to it, he was a social engineer, able to use what charm he had and his intelligence to manipulate the world around him.
He also left me with several lessons that are important for all high-tech investigators and forensicators.
1) In his civil trial when trying to get his data back, Mitra* told the judge, 'My hard drive is an extension of my brain, and she took it away from me.'
2) In a phone conversation with an ex-felon who asked his advice on whether to buy an iPhone or an Android, Mitra answered, 'You should get the iPhone. But me? I'd get the Android because it's more flexible and I could do more with it.' What I heard was 'Watch out forensicators - that's a Unix box on a very large network of Unix boxes with users who know nothing about Unix security!'
3) In his sentencing hearing in April, the day before his suicide, Mitra told the judge 'I always made my own definitions of right and wrong.'
4) Genius without conscious and without empathy is dangerous and wasted.
So... back to those chases that always seemed to end in injury... am I a smarter chaser than I used to be or am I just plain relentless? Again, I think the answer is both.
*Disclaimer – these aren’t exact quotes they are my personal recollections of his statements.
AFoD: That brings up something that you and I have talked about before privately. One of the things that we've learned doing this work is that in some cases a digital forensics examination can feel like a psychological exploration of another person. Sometimes a deep exploration of a person's digital media can feel like you are spending time in a person's mind. In your case, you are spending a considerable amount of time examining digital evidence that was used by people who are deeply involved with the sexual abuse of children. That has to be very disturbing at times. Do you ever get used to doing those types of exams? What do you do to protect yourself psychologically?
CM: I’m certainly no psychologist or psychiatrist, but any examiner who has looked at large numbers of computers and cell phones belonging to different people understands fundamentally that those devices reflect the personal interests, activities, and thought patterns of the person or people who use them. Even how the file structure is organized (or not) can give clues about a person’s usual (or unusual) behavior and habits. I have openly predicted that as we move into the future of digital forensics, a new branch - let's call it "Computer Forensic Psychology" will develop based upon this phenomenon. There are already people whose job it is to background and profile people based upon the contents of their personal electronic devices and the information they post publicly on the Internet.
Computers are a fabulously convenient way for people to explore and develop their interests, legitimate and otherwise. That exploration can lead to or facilitate an already existing double life, and those double lives are often what gets people into trouble - at home, at work, or with the law. When people use their personal computers and cell phones, they're generally not thinking about what they have to hide, and if they do think about it, often their impulse to engage in whatever secret life they're exploring, ends up outweighing their thoughts about the consequences if they're caught. People often comment on how 'stupid' the people are that we catch, and my usual reply is that the people we catch aren't necessarily 'stupid', but rather they are impulsive. In fact, as we can see from headline after headline, some really smart people engage in really impulsive behavior using their computers and cell phones, despite the obviously really high stakes of getting caught.
As you, and many other forensic examiners have experienced, it can be somewhat disorienting to spend long hours picking around in the "extension of" another person's brain. The fact is, stuff that that person might never ever in a million years admit to their wife, their priest, or their psychiatrist can 'live' there in the person's personal writings, messages, web history, and pictures. While you can’t hold someone responsible for the content created and posted by someone else, what they choose to repeatedly look at and expose themselves to can say a lot about their personal motivations and proclivities. Whether it's an arsonist, a burglar, or even a financial criminal, what you find inside their computer can be disturbing. It can be disturbing, disheartening, and it can be disgusting.
It's hard for me to say whether I've 'gotten used to' forensic exams that involve child sexual abuse or not. It's more that I've learned what reactions to expect from myself when I work those cases and how to handle them and take care of myself. Many of us who work these cases think about the sheer numbers of nameless victims represented in the cases we work. We wonder where the kids are now, how they've survived emotionally and physically....sometimes whether those kids are still alive. I'm working two huge cases that came in last fall right now - one with over 1/2 million images and movies, and the other with likely over a million all told. I find myself wondering how under reported the problem of child sexual abuse must be, and how hard it is for the average person to understand the scope of what a m.i.l.l.i.o.n. images of child sexual abuse means.
It takes a great deal of emotional resilience to do this kind of work. It takes the ability to transform your personal feelings about it into positive action towards making some sort of positive difference, while maintaining a high standard of professional ethics and objectivity. Holding the right person responsible is as important as anything else. As far as protecting myself psychologically, what works for me is to talk about it with other examiners and if something just sticks in my head and won't go away, to talk with a therapist who uses EMDR (Eye Movement Desensitization and Reprocessing). No one - I repeat - NO ONE - doing this kind of work should think twice about finding a good therapist and unloading the burdens on them. I also volunteer for an organization named PAWWS to Heal that provides animal assisted therapy and animal assisted activities to kids who have experienced trauma. That helps me to remember how resilient kids are and that healing is possible. I try to spend time outside every day and I spend as much time as I can with Bailey, my Brittany Spaniel at the dog park and occasionally pheasant hunting. And, as a hobby, I tie knots.
AFoD: Knots?
CM: Yes, Knots. As you can probably tell by this point, I am a big fan of analogy. Knots contain an awful lot of analogy, and have been used as symbols since ancient times. When I'm engaged in the hands on, up close, process of Marlinspike knotting, my mind gets to take a break from the larger problems of the world and play. That is therapeutic.
First and foremost, the process of knotting is extremely binary. Your choices when tying are basically over or under. You repeat a series of overs and unders a certain number of times, in a certain direction, and when you complete the pattern a certain number of times, in the end you come up with a beautiful knot. Anyone following the same set of instructions ends up with basically the same results (with the exception of the size of the cord, color, and neatness factors). In that way, knotting is a lot like a simple computer program. If the outcome isn't correct, it means that you've messed up the programming somewhere along the way. Sometimes the 'mistakes' result in a knot that's even better than the originally planned knot, and you learn a new knot. For those who are interested, the original (and still best) knotting reference out there is the Ashley Book of Knots, a book that contains the basic programming for thousands of different knots.
When applied to investigations or forensics, think about the analogies that present themselves. We follow leads presented to us in order to put the pieces of a case together. When it comes together just right and all the pieces make sense, the knot is complete. When leads dangle, don't come together correctly, or just plain don't make sense, we have more work to do or are just plain headed in the wrong direction in the investigation. You can take a lot of disparate facts that are all related to the same investigation and give individual explanations for each of them that make sense standing on their own. But there is likely only one set of facts that exists that explains all of those disparate facts as a whole. In that sense, what we do as investigators and forensic examiners is untie and tie knots.
Knots are to me also a physical reminder of the intrinsic connection between science and art. I've attached a picture of my current keychain. It's a 16 bight, 20 lead,120 facet globe knot tied in one strand of blue followed round twice, and one strand of black followed round once in the middle (and yes, I am showing off.) In every truly good and well tied knot, there is science - the geometry and math of the knot, as well as their fractal qualities; and art - the pattern, and aesthetic of the knot. Where does the science end and art begin? When you start thinking about it, the answer is in itself a knot, is it not? ;o) Another reason I love knotting is because it's an activity I learned with and share with my father and my twin sister. The other attached picture is of three Turk’s head bracelets tied by my father. Knotting is a great solo or social activity, and it’s a fairly rare art form, so when you find other people who are knotters, there’s always something to talk about. Plus, the knots you produce can be great give away items to people you like and care about, or even to strangers who admire the knots and compliment you on them. I’ve given away a lot of knots to investigators and forensic examiners who have ‘tied together’ great cases as well.I could go on, but I think instead, I'll knot.
AFoD: You certainly aren't afraid of complex challenges. In addition to everything else you have going on, you are also in the process of completing your graduate degree. Can you tell us about the program and what lead you to enroll in it?
CM: Sometimes an opportunity comes up that you know in your gut you just can't pass up without regretting the decision later. In June of 2009, I presented a cell phone forensics method at the Mobile Forensics World Conference which I had developed for CDMA phones specific to a homicide case I was working on. The method had been tested and validated by students of Gary Kessler's at Champlain College in Burlington Vermont, and of Rick Mislan at Purdue at my request because I knew if I ever had to testify to something that hadn't been done before (or if it had it wasn't documented that I could find) I would need to back up the validity of my work and have it published, tested, and validated as a real method.
At that conference, I met a woman named Liz Conway from Ireland who was affiliated with University College in Dublin. She came up to me after I spoke and told me about the UCD law enforcement Forensic Computing and Cyber Crime Investigation MSc Program. I told her that it sounded perfect for me, but that I doubted that I would qualify for the program since I hadn't finished my undergraduate degree.
Let's take another jump to the left and time warp back to my early work history for a second. I started a degree program at Bridgewater State College in Massachusetts in Graphic Arts and was also studying Criminology. When I took the job in Madison, I started going to Edgewood College part time, and started a Sociology degree with a Criminal Justice minor. By the time I got close to graduation, my daughter was nearly 11 years old, and being the child of a newly divorced and very accident prone cop, it became obvious that she needed my time and attention more than I needed to finish the few courses I had yet to complete to finish my degree. DF training and education had come into my life and fulfilled my thirst for learning in the mean time, and since I had my career before my degree, school had always been something I did for myself rather than for the degree.
Now step back to the right... back to MFW 09 - Liz told me that I probably wouldn't need to have a degree to enter the UCD program given my previous college credits, police experience and training, and DF experience and training, and because I was already published. So, with her encouragement I looked into the UCD program in the fall of 2009. I applied for grad school and my butt was sitting in a classroom orientation in Dublin, Ireland within 2 weeks. That seemingly impulsive and huge life decision felt to me to be a complete no-brainer. Here was a degree program that suited to my interests and needs that was located in a country I'd always wanted to travel to. And, I’d have to go there.
The program has been really good so far, and the opportunity to interact with other law enforcement officers from around the world involved in cybercrime investigations has been absolutely invaluable. Most of the program is given online, but there is a requirement to go to Ireland ("please... don't throw me in the briar patch!" said Peter Rabbit!) for several hands-on workshops and exams. I am currently working on my dissertation related to human perception and our ability to estimate the age of children from digital images. It's due in August, and I'll graduate with my master's degree in December.
UCD has expanded its program recently, and they now offer a similar non-LE program as well. I have really been impressed with the way they develop their program around the needs expressed by the students who are currently in the program. They build the future of the program based upon the real life experiences and needs of the students in the current program, an approach that should keep the program fresh and relevant into the future.
The programs currently offered through University College, Dublin related to Forensics and Cybercrime are:
MSc Forensic Computing & Cybercrime Investigation
Graduate Diploma Forensic Computing & Cybercrime Investigation
Graduate Diploma Forensic Computing
Graduate Diploma Cybercrime Investigation
Graduate Certificate Forensic Computing & Cybercrime Investigation
Graduate Certificate Forensic Computing
Graduate Certificate Cybercrime Investigation
Continuous Professional Development Modules Forensic Computing & Cybercrime Investigation
More information about the program can be found at http://cci.ucd.ie/fcci. I think that I'm the first Law Enforcement officer from the United States to participate in the program, and if that's the case, it is certainly an honor.
AFoD: Can you tell us more about your dissertation and how your research will contribute to combating child sexual abuse?
CM: The title of my dissertation as it stands right now is "A Multidisciplinary Approach to the Estimation of Victim Age in Child Pornography and Child Exploitation Investigations." In my research, I looked at what we can learn about child age estimation from several fields including medicine, psychology (more specifically perception), machine learning/artificial intelligence, and art.
My motivation for choosing this topic was that this issue is one that often comes up in court. Are we as forensic examiners or investigators qualified to estimate the age range of a child depicted in an illicit image, or does it take a doctor to do so? Can a layperson tell the difference between an adult and a child, and at what point in a child's development does it get more difficult to do so? If it takes specialized training to make the determinations involved in age estimation, how can we expect suspects to know the difference? How good are humans at estimating age? And more importantly, if we're not good at age estimation, shouldn't we know that since the stakes are so high for suspects?
Last fall, I put out a couple of Internet based surveys to gather some data. The first was designed to gauge the scope of this problem, and how jurisdictions around our country and around the world are dealing with age estimation for cases where a victim's age and identity are unknown. I also presented respondents with stylized images of children and adults from artistic works and popular media to see whether they could determine from representations of humans whether they were depicted as adults or children. In the second survey, I took images of real people, mostly children, but with a few adults interspersed, and asked respondents to identify the individual as adult, child, or not sure and then to estimate a three year age range for the person in the picture.
One of the most compelling parts of the dissertation process was review of the literature that's out there related to the topic in the fields of perception, machine learning, and art. Our perceptual cues to a child's age range are so much more comprehensive than simply looking at secondary sexual characteristics. Think about the amount of change that happens in a child between birth and sexual maturity... for that matter, how much change happens over any given three year period of a child’s development. While children mature at different rates, the same sorts of physical changes happen (given normal physiology and development) in all human beings. I hope that compiling all of that information and giving the field a comprehensive and referenced source for the pertinent information will help them to deal with some of the arguments that come up in this area, as well as help them learn to identify and articulate the perceptual cues that are used in the process of age estimation. Considering the length of the paper, I'm hoping to put together a shorter practical reference guide as well.
AFoD: Have you had any instance where defense counsel has been successful in arguing that their client made a reasonable mistake based on age and, therefore, should not be convicted?
CM: Generally, when I've seen this argument made by the defense, it has been raised at the preliminary hearing stage of a case. In felony cases in Wisconsin, the preliminary hearing is conducted in order to prove that sufficient evidence exists to establish that each of the elements of the crime has been established and that the person charged probably committed the crime. In many cases the preliminary hearing is waived by the defendant. In other cases, the defense basically attempts to try the case at prelim and to discover as much information as possible beyond basic probable cause in the process.
One of the elements of the crime of possession of child pornography in Wisconsin is that the person knows or reasonably should know that the child has not attained the age of 18 years. The annotated version of our statutes goes on to say that "Reasonably should know" is defined as less than actual knowledge but still requires more than the standard used in civil negligence actions.
Like most forensic examiners working these types of cases, I'm pretty conservative about what images and videos I move forward for charging and the charged images generally depict individuals who are unquestionably children unless it's a case where we know the suspect knew the person was under 18 years of age through some other means. I've never had an defense attorney use the "reasonable mistake' argument successfully, but nonetheless it is a common one and I have heard of it being successful in other jurisdictions. Still, questions about examiners qualifications to make a determination about whether a depicted individual is an adult or a child are common, even with depictions of prepubescent children.
AFoD: What advice do you give to people who ask you how to break into digital forensics?
CM: Aside from the fact that I very nearly literally 'broke' my way into digital forensics, I certainly don't recommend that method to people who ask!
One of the first pieces of advice I give people who want to work in this field is that they have to be prepared to never stop learning. Build your basic ground level DF knowledge base - there are certificate and degree programs all over the place, as well as vendor based and vendor neutral trainings. Use that basic education to figure out where your specific interests and talents are, and then pursue those further. Look into whether there are internships available in DF companies or labs in your area, and go after them. Keep learning and keep growing - if you don't, it will come back to bite you in the end as technology and time move forward.
The field of digital forensics now encompasses such a wide variety of sub-specialties and focuses: network security and intrusion detection, e-discovery, iOS forensics, malware analysis, cell phones and GPS... different operating systems, hardware platforms, and different purposes - intelligence, corporate, criminal, civil legal, counterterrorism... you get the picture. There is no way for any examiner to know everything they might need to know to deal with the vast variety of potential forensics problems that they might be faced with. This creates a need for constant growth and exploration so if you're not naturally curious, you might want to think twice about a career in DF.
Because the field is so broad based and covers such a variety of specialties there is great opportunity (and need) for new examiners to find a niche within the field that fits their particular interests and area of curiosity. When you find that niche, If you find a new artifact or an easier way to solve a common problem, share it. People who are trying to solve the same problem or a similar one will be grateful, and you'll start to build a name for yourself. Network with other examiners at conferences, on listservs, on social networking sites, and through the various professional organizations that exist. Get to know other examiners, what their DF interests are, and someday when your problem matches their interests, you'll know exactly who to call for help. As Harlan Carvey often points out, bad guys are better at sharing than we are - we need to change that.
Along the lines of networking - don't be afraid to reach out to those people in forensics who wear the figurative super-hero capes or have earned the middle name "freaking". Ovie Carroll, Rob Lee, Brian Carrier, Harlan Carvey, Eoghan Casey… the list here is of course not all-inclusive. The authors and speakers, programmers and teachers, movers and shakers in this business are nearly without exception exceptionally friendly, fascinating and approachable people who love to talk about digital forensics (not to mention music, scuba diving, magic, philosophy, photography, Rubik's cubes, beer, wine, gaming, running, singing, mountain climbing, banjo playing, horses, dogs and cats... the list goes on!) In my experience, the cape wearing veterans in DF all care deeply about this profession and want to see the next generation of up and coming forensicators thrive in it.
AFoD: What training and academic programs do you recommend to people who are interested in learning digital forensics?
CM: This is an interesting question, because there are so many certificate programs, undergraduate programs, and graduate programs popping up around the country right now, as well as the myriad vendor specific and non-vender specific short term but intensive training programs. And, its a difficult question to answer because so much of how and why a person chooses an academic or training program depends on what's available to them where they live and what they can afford.
I had a conversation with a young TSA officer recently who was going to school for digital forensics. I asked him where he was going to school, and his response was, "I'm embarrassed to say." I asked him why he was embarrassed, and It turns out he was most of the way through a DF program in one of the larger private schools which offered credits that don't transfer easily to other schools. He was going there because his local community didn't have another program available, and he was a hands on learner who didn't feel he would catch on as well in a mostly on-line environment. I asked him if he felt like he was learning a lot, and he said, "yes". I then assured him that he shouldn't be embarrassed, he should embrace that experience as the foundation of his education and continue to move forward from there.
My advice would be to choose trainings and programs that are developed and taught by people who are currently in, or who are actively engaged with people who are in the DF profession. That way the course materials are more likely to be up to date and relevant. I would also advise that people choose a program that has a strong hands-on / lab component to it, whether that means logging in to a lab facility via VPN as happens in the UCD program, or whether it means physically sitting down in a lab environment. This work is a good mix of both practice and theory, and there is just no way to practice the skills and apply the concepts you need in DF without a lab. I would also say that those training and educational programs which are set up to have everything in the lab work perfectly the first time are teaching something that is somewhat detrimental to students. Problem solving is a HUGE component of this work, and facing problems in a school lab environment is a great way to practice for the sorts of things that come up every day in the real world.
The important thing is to really take a hard look at the programs ahead of time to see if they are going to fit your particular needs and interests. Talk to graduates to see what their experiences have been. Do a little research on the program and instructors to see what the overall reputation of the program has been. Hopefully this kind of approach will help you to feel that your time, efforts, and money have been well spent.
One other thing I would say is that all of us who are currently in the DF field ought to stay interested in learning digital forensics. Keep learning and keep growing as a forensic examiner. Stay curious about new technology and what's coming around the corner. Knowing what we don't know is as important, if not more important as knowing what we do know. Reach into DF areas that aren't necessarily your specialty and learn how they relate to the things you know well. I say this because while there are a lot of sub-specialties developing in our field, at some point they may well all fit right back together. Part of the reason I see mobile phones as so interesting is that these devices are hand held computers, communication devices, and nodes on various networks all at the same time. Garnering a better understanding of how all those factors come together starts to become more and more important.