Afghanistan — Bagram’s digital detectives dig in

BAGRAM AIRFIELD, Afghanistan — There is anoth­er war in Afghanistan. A war that has no armor or air­craft yet expands well beyond the bound­aries of every nation known to man, the vast land­scape of the dig­i­tal realm.

War­rant Office 1 Patrick Eller and Sgt. Rus­sell Rhodes, CID spe­cial agents and dig­i­tal foren­sic exam­in­ers assigned to the 10th Mil­i­tary Police Bat­tal­ion (CID) (ABN), cur­rent­ly deployed to Camp Sabalu Har­ri­son, Afghanistan, work in the DFE office exam­in­ing dig­i­tal evi­dence.
Click to enlarge

With­in this bat­tle space, an elite group of high­ly trained spe­cial agents assist their fel­low law enforce­ment pro­fes­sion­als nav­i­gate, process, and eval­u­ate dig­i­tal evi­dence; often mak­ing or break­ing an inves­ti­ga­tion in a soci­ety depen­dent on dig­i­tal media. 

“There is almost always a dig­i­tal evi­dence com­po­nent to every inves­ti­ga­tion we do, in that either through search­es or ques­tions asked dur­ing an inter­view, the poten­tial is there for almost every case,” said Spe­cial Agent Patrick Eller, the senior dig­i­tal foren­sic exam­in­er, cur­rent­ly deployed with the 10th Mil­i­tary Police Bat­tal­ion (CID) (Air­borne), at Camp Sabalu Har­ri­son, Afghanistan. “It’s not uncom­mon for there to be 12, 13, 14 even 15 dif­fer­ent pieces of media for just one case. Over the last five years it has just shot right through the roof,” he said. 

“Peo­ple just love dig­i­tal media,” said Spe­cial Agent Rus­sell Rhodes, a dig­i­tal foren­sic exam­in­er with the 10th. “Even in a deployed envi­ron­ment, dig­i­tal media is every­where. Sol­diers are con­stant­ly on their com­put­ers or Blackberry’s. Almost every­one has a cell phone, lap­top or iPod so nat­u­ral­ly some form of media will show up as evidence.” 

The Dig­i­tal Foren­sic Pro­gram ini­tial­ly was used to com­bat child pornog­ra­phy, but has devel­oped over the last sev­er­al years, touch­ing almost every type of crim­i­nal inves­ti­ga­tion from sex­u­al assault to mur­der to drug cas­es, Rhodes said. 

CID spe­cial agents select­ed to become dig­i­tal foren­sic exam­ines must com­plete three two-week cours­es cov­er­ing the myr­i­ad of dif­fer­ent types of stor­age devices, oper­at­ing sys­tems, soft­ware, as well as the tac­tics and tech­niques spe­cif­ic to pro­cess­ing the evi­dence for law enforce­ment pur­pos­es. More than 20 addi­tion­al cours­es in intru­sions, sys­tem spe­cif­ic soft­ware appli­ca­tions and elec­tron­ics are avail­able for dig­i­tal foren­sic exam­ines to fur­ther their exper­tise in dig­i­tal forensics. 

In Afghanistan, the dig­i­tal foren­sic pro­gram was some­what lack­ing with most evi­dence being sent back to the U.S. Army Crim­i­nal Inves­ti­ga­tion Lab­o­ra­to­ry at Fort Gillem, Ga., or the Defense Com­put­er Foren­sics Lab­o­ra­to­ry in Linthicum, Md., to be processed. 

“When I first arrived in Afghanistan, there was only one DFE at bat­tal­ion and a six-month back­log of evi­dence to be processed,” said Spe­cial Agent Antho­ny Wingate, a spe­cial agent from the Fort Bragg, N.C., CID Office. “Then Brigadier Gen­er­al (Colleen L.) McGuire came through and ordered the addi­tion of two more dig­i­tal foren­sic exam­in­ers to be deployed to Afghanistan, with anoth­er two DFEs to be sta­tioned in Kuwait. Now when a case comes through, it takes us about a month and a half to process the evidence.” 

“Basi­cal­ly our goal is for every­thing to be processed here, unless it’s some­thing we can’t do,” he said. 

Dig­i­tal foren­sic exam­in­ers can process all man­ner of dig­i­tal media except clas­si­fied sys­tems or dam­aged devices. Now ful­ly staffed, the CID dig­i­tal detec­tives are only chal­lenged by the cas­es them­selves and the con­tin­u­ous devel­op­ment of technology. 

“The size and types of media con­tin­ues to grow but the phys­i­cal con­tain­er con­tin­ues to get small­er,” Eller said. “Just a few years ago 32 giga­bytes was a hard dri­ve, now it’s a mem­o­ry card that’s as small as the tip of a finger.” 

The con­stant changes in tech­nol­o­gy also affect the inves­ti­ga­tions as well. 

“When I first start­ed in this career field 250 to 500 giga­bytes was the most we’d ever scan dur­ing an inves­ti­ga­tion. Now it’s not uncom­mon for us to go through four or five ter­abytes of infor­ma­tion,” he added. 

Just like being able to call in for back up, dig­i­tal foren­sic exam­ines are always on call for their fel­low spe­cial agents and have on more than one occa­sion been the cru­cial piece of infor­ma­tion that has blown a case wide open. 

“The stuff you come across here would absolute­ly blow your mind,” Wingate said. “Because every­one is so accus­tomed to using dig­i­tal media in their dai­ly lives, many times what we’ll dis­cov­er will either put that sus­pect behind bars, or in a few cas­es, clear them of any wrong doing.” 

One case was a seem­ing­ly straight for­ward child pornog­ra­phy inves­ti­ga­tion. How­ev­er, after all pieces of dig­i­tal media were exam­ined, CID spe­cial agents uncov­ered that the sus­pect not only pos­sessed child pornog­ra­phy, but was guilty of child molesta­tion and dis­tri­b­u­tion of that prod­uct. Some of the vic­tims were as young as 8 years old. 

The case has since been turned over to the Fed­er­al Bureau of Investigation’s Child Pornog­ra­phy Task Force for pros­e­cu­tion by the U.S. Depart­ment of Justice 

“That was a sig­nif­i­cant case because through everyone’s efforts we were able to get that per­son off the streets and behind bars,” Eller said. 

In anoth­er case, text mes­sages stored in a smart­phone helped exon­er­ate a Sol­dier wrong­ful­ly accused of sex­u­al assault. Now, the per­son who did the accus­ing was found guilty of lying to fed­er­al law enforce­ment offi­cials and giv­ing a false offi­cial state­ment. Both are felonies. 

“In most cas­es, the evi­dence will speak for itself,” Eller said. “Still, there’s no sign of stop­ping because as the var­i­ous FOBs (for­ward oper­at­ing bases), camps and bases con­tin­ue to grow so does the use of tech­nol­o­gy by those peo­ple occu­py­ing them.” 

With­in the last five months, the amount of dig­i­tal media exam­ined by the CID dig­i­tal foren­sic team has more than dou­bled. Then, once the inves­ti­ga­tion has been com­plet­ed and turned over for pros­e­cu­tion, dig­i­tal foren­sic exam­ines are sub­ject to trav­el to wher­ev­er that case is being tried to tes­ti­fy as an expert witness. 

“Most sub­jects in cas­es will plead out before it ever gets to tri­al, but some­times the case will go for­ward and we’ll have to tes­ti­fy as the sub­ject mat­ter expert on behalf of the pros­e­cu­tion,” Wingate said. 

Look­ing toward the future, CID’s dig­i­tal foren­sic experts con­tin­ue to do what has to be done, and encour­age their fel­low spe­cial agents to be mind­ful of the dig­i­tal foren­sic exam­ine piece while con­duct­ing an investigation. 

“What we’re try­ing to push out to the field is to real­ly look at what­ev­er type of inves­ti­ga­tion they may be con­duct­ing and keep the dig­i­tal foren­sic piece in mind,” he said. “Because that piece of media, that phone or iPod, might just be that cru­cial link that solves the case.” 

US Army 

Face­book and/or on Twit­ter

Team GlobDef

Seit 2001 ist im Internet unterwegs, um mit eigenen Analysen, interessanten Kooperationen und umfassenden Informationen für einen spannenden Überblick der Weltlage zu sorgen. war dabei die erste deutschsprachige Internetseite, die mit dem Schwerpunkt Sicherheitspolitik außerhalb von Hochschulen oder Instituten aufgetreten ist.

Alle Beiträge ansehen von Team GlobDef →