TMCnet News
Forensics lab dissects the tech

Aug 09, 2011 (Charleston Daily Mail - McClatchy-Tribune Information Services via COMTEX) -- As with everything else, crime is moving online. And thanks to experts at the West Virginia State Police Digital Forensics Unit, there's a new way to dust for fingerprints.

Cpl. Robert Boggs runs the unit's Huntington lab, housed in the Marshall University Forensic Science Center. A self-confessed geek, Boggs has been hunting down and catching digital criminals since 2006. He was the only investigator in the lab at the time. He now has help from Chris Vance, the Huntington unit's mobile forensics expert, as well as university graduate students.

The unit also got a brand-new laboratory in April, thanks to Marshall and a $500,000 grant from the National Institute of Justice.

The room looks like a set from "CSI" or "NCIS." There are LCD screens everywhere, computers used as evidence and other, bigger computers used for processing evidence. Each of the lab's computers cost $60,000 and has 16 processors, 15 terabytes (more than 15,000 gigabytes) of hard drive space and 34 gigabytes of memory. Most high-end consumer computers have four processors, a one-terabyte hard drive and eight gigabytes of memory.

A cardboard box in a corner is stamped with the Department of Homeland Security emblem. Someone had scrawled "EVIDENCE" across it with a black marker, and that box couldn't be photographed.

The new lab is about twice the size of the Digital Forensics Unit's former digs. Boggs designed it himself. "I tried to make it an efficient workflow," he said. The lab turns around cases in about six months but can bump up high-priority cases.

The first computer station in the room is dedicated to logging evidence. When investigators need a computer hard drive or cell phone checked out, they mail the evidence to Boggs's lab. He documents each package's contents and photographs them. More than 30 pieces of evidence come through the door each week.
The lab processes between two and three terabytes of data every month.

"It's a painstaking documentation process," he said. "This type of stuff needs to be processed properly. When it comes to court, a defense attorney's going to question that."

Once the evidence has been logged, its second stop is the lab's imaging station. Investigators make an exact digital copy of the hard drive in question, down to the wallpaper on the desktop. The original evidence then is put away for safekeeping.

Boggs also runs preliminary "malware" scans at the imaging station, checking computers for viruses, trojans, keystroke-logging software and hacker's aids. He creates a report of the scan's findings and moves the hard drive on to the next station.

The lab is outfitted with a program called Forensic Toolkit 3.0, an industry-standard forensics program that searches a hard drive and creates a giant searchable database of its data. The process can take several days, depending on the size of the hard drive.

Boggs said the program logs every file and file extension on the computer. It also makes a list of every file's binary codes, the basic computer language of ones and zeros. Much like fingerprints or snowflakes, no two binary codes are exactly alike . . . unless they come from copies of the same file.

That allows investigators to identify child pornography without even looking at the images. Boggs said his office has created a library of known child pornography files and their underlying binary codes. If his lab scans a computer and finds a file that matches one of those codes, they know the computer contains illegal material.

"Once everything's been indexed, I can go in and filter (the database) in any way possible," he said.

Experts also can use Forensic Toolkit databases to search hard drives for specific kinds of information, like credit card numbers or chat logs.
One of the lab's computers is dedicated to password cracking, outfitted with four specially modified video cards to break encryption. The computer tries combination after combination until a password finally works.

Boggs said some computer encryption techniques are so effective "the sun will literally burn out" before a computer cracks the code. But there are ways around that. Forensic Toolkit also can create individualized dictionaries for computers, logging everything from the family dog's name to anniversary dates and frequently used words or phrases.

"Chances are, that password is on that hard drive somewhere," Boggs said.

He said criminals rarely try to hide behind encryption, however. He said one suspect had a child pornography image as his desktop background.

It's not just about finding illegal material, however. Boggs said many computers have multiple users, so he must find out which user committed a crime. To do this, Boggs looks at which sites the user visited just before getting to the pornography, which bank accounts they checked and what emails they read or wrote.

"That tends to show whoever possesses that child porn," he said.

Once Boggs has completed his digital investigation, he compiles all the information on a DVD and gives it to prosecutors.

The lab also investigates wireless devices like cell phones and tablets like the iPad.

"It's a new area and it's constantly evolving," Boggs said.

Vance, the lab's mobile forensics expert, said home computers have three main operating systems -- Windows, Mac and Linux -- but there are hundreds of cell phones available and almost every one has its own operating system. That makes digital investigations of phones extremely difficult.

The lab uses many different tools and programs to scan phones. Vance said those tools must be constantly updated as new phones come on the market.

"It's a constant game of cat and mouse," he said.

But the information cell phones provide is invaluable to investigators.
Boggs said many drug dealers like to take photos with their drugs, their guns and their money. Forensics experts also can use call logs and text messages to see with whom suspects have communicated. They use stored global positioning data to show where the phones have traveled.

Boggs said 80 percent of the lab's work involves child exploitation, whether that's physical abuse, sexual abuse or pornography.

"Our caseload's growing extremely fast. When we get a murder or an embezzlement, we're happy. It's something different," he said.

Boggs prepared a video highlighting the state's child pornography problem to show the governor and legislators last year. He said the state's biggest population centers, Charleston, Morgantown and Huntington, are also the biggest hotspots for child pornography activity.

"We're just touching the beginning. There's not enough jails to put everybody in that's involved in this," he said. "You're inundated with results."

Contact writer Zack Harold at 304-348-7939 or [email protected].

To see more of the Charleston Daily Mail, or to subscribe to the newspaper, go to http://www.dailymail.com/. Copyright (c) 2011, Charleston Daily Mail, W.Va. Distributed by McClatchy-Tribune Information Services. For more information about the content services offered by McClatchy-Tribune Information Services (MCT), visit www.mctinfoservices.com.
