Afghanistan — Bagram’s digital detectives dig in

BAGRAM AIRFIELD, Afghanistan — There is anoth­er war in Afghanistan. A war that has no armor or air­craft yet expands well beyond the bound­aries of every nation known to man, the vast land­scape of the dig­i­tal realm.

War­rant Office 1 Patrick Eller and Sgt. Rus­sell Rhodes, CID spe­cial agents and dig­i­tal foren­sic exam­in­ers assigned to the 10th Mil­i­tary Police Bat­tal­ion (CID) (ABN), cur­rent­ly deployed to Camp Sabalu Har­ri­son, Afghanistan, work in the DFE office exam­in­ing dig­i­tal evi­dence.
Click to enlarge

With­in this bat­tle space, an elite group of high­ly trained spe­cial agents assist their fel­low law enforce­ment pro­fes­sion­als nav­i­gate, process, and eval­u­ate dig­i­tal evi­dence; often mak­ing or break­ing an inves­ti­ga­tion in a soci­ety depen­dent on dig­i­tal media.

“There is almost always a dig­i­tal evi­dence com­po­nent to every inves­ti­ga­tion we do, in that either through search­es or ques­tions asked dur­ing an inter­view, the poten­tial is there for almost every case,” said Spe­cial Agent Patrick Eller, the senior dig­i­tal foren­sic exam­in­er, cur­rent­ly deployed with the 10th Mil­i­tary Police Bat­tal­ion (CID) (Air­borne), at Camp Sabalu Har­ri­son, Afghanistan. “It’s not uncom­mon for there to be 12, 13, 14 even 15 dif­fer­ent pieces of media for just one case. Over the last five years it has just shot right through the roof,” he said.

“Peo­ple just love dig­i­tal media,” said Spe­cial Agent Rus­sell Rhodes, a dig­i­tal foren­sic exam­in­er with the 10th. “Even in a deployed envi­ron­ment, dig­i­tal media is every­where. Sol­diers are con­stant­ly on their com­put­ers or Blackberry’s. Almost every­one has a cell phone, lap­top or iPod so nat­u­ral­ly some form of media will show up as evi­dence.”

The Dig­i­tal Foren­sic Pro­gram ini­tial­ly was used to com­bat child pornog­ra­phy, but has devel­oped over the last sev­er­al years, touch­ing almost every type of crim­i­nal inves­ti­ga­tion from sex­u­al assault to mur­der to drug cas­es, Rhodes said.

CID spe­cial agents select­ed to become dig­i­tal foren­sic exam­ines must com­plete three two-week cours­es cov­er­ing the myr­i­ad of dif­fer­ent types of stor­age devices, oper­at­ing sys­tems, soft­ware, as well as the tac­tics and tech­niques spe­cif­ic to pro­cess­ing the evi­dence for law enforce­ment pur­pos­es. More than 20 addi­tion­al cours­es in intru­sions, sys­tem spe­cif­ic soft­ware appli­ca­tions and elec­tron­ics are avail­able for dig­i­tal foren­sic exam­ines to fur­ther their exper­tise in dig­i­tal foren­sics.

In Afghanistan, the dig­i­tal foren­sic pro­gram was some­what lack­ing with most evi­dence being sent back to the U.S. Army Crim­i­nal Inves­ti­ga­tion Lab­o­ra­to­ry at Fort Gillem, Ga., or the Defense Com­put­er Foren­sics Lab­o­ra­to­ry in Linthicum, Md., to be processed.

“When I first arrived in Afghanistan, there was only one DFE at bat­tal­ion and a six-month back­log of evi­dence to be processed,” said Spe­cial Agent Antho­ny Wingate, a spe­cial agent from the Fort Bragg, N.C., CID Office. “Then Brigadier Gen­er­al (Colleen L.) McGuire came through and ordered the addi­tion of two more dig­i­tal foren­sic exam­in­ers to be deployed to Afghanistan, with anoth­er two DFEs to be sta­tioned in Kuwait. Now when a case comes through, it takes us about a month and a half to process the evi­dence.”

“Basi­cal­ly our goal is for every­thing to be processed here, unless it’s some­thing we can’t do,” he said.

Dig­i­tal foren­sic exam­in­ers can process all man­ner of dig­i­tal media except clas­si­fied sys­tems or dam­aged devices. Now ful­ly staffed, the CID dig­i­tal detec­tives are only chal­lenged by the cas­es them­selves and the con­tin­u­ous devel­op­ment of tech­nol­o­gy.

“The size and types of media con­tin­ues to grow but the phys­i­cal con­tain­er con­tin­ues to get small­er,” Eller said. “Just a few years ago 32 giga­bytes was a hard dri­ve, now it’s a mem­o­ry card that’s as small as the tip of a fin­ger.”

The con­stant changes in tech­nol­o­gy also affect the inves­ti­ga­tions as well.

“When I first start­ed in this career field 250 to 500 giga­bytes was the most we’d ever scan dur­ing an inves­ti­ga­tion. Now it’s not uncom­mon for us to go through four or five ter­abytes of infor­ma­tion,” he added.

Just like being able to call in for back up, dig­i­tal foren­sic exam­ines are always on call for their fel­low spe­cial agents and have on more than one occa­sion been the cru­cial piece of infor­ma­tion that has blown a case wide open.

“The stuff you come across here would absolute­ly blow your mind,” Wingate said. “Because every­one is so accus­tomed to using dig­i­tal media in their dai­ly lives, many times what we’ll dis­cov­er will either put that sus­pect behind bars, or in a few cas­es, clear them of any wrong doing.”

One case was a seem­ing­ly straight for­ward child pornog­ra­phy inves­ti­ga­tion. How­ev­er, after all pieces of dig­i­tal media were exam­ined, CID spe­cial agents uncov­ered that the sus­pect not only pos­sessed child pornog­ra­phy, but was guilty of child molesta­tion and dis­tri­b­u­tion of that prod­uct. Some of the vic­tims were as young as 8 years old.

The case has since been turned over to the Fed­er­al Bureau of Investigation’s Child Pornog­ra­phy Task Force for pros­e­cu­tion by the U.S. Depart­ment of Jus­tice

“That was a sig­nif­i­cant case because through everyone’s efforts we were able to get that per­son off the streets and behind bars,” Eller said.

In anoth­er case, text mes­sages stored in a smart­phone helped exon­er­ate a Sol­dier wrong­ful­ly accused of sex­u­al assault. Now, the per­son who did the accus­ing was found guilty of lying to fed­er­al law enforce­ment offi­cials and giv­ing a false offi­cial state­ment. Both are felonies.

“In most cas­es, the evi­dence will speak for itself,” Eller said. “Still, there’s no sign of stop­ping because as the var­i­ous FOBs (for­ward oper­at­ing bases), camps and bases con­tin­ue to grow so does the use of tech­nol­o­gy by those peo­ple occu­py­ing them.”

With­in the last five months, the amount of dig­i­tal media exam­ined by the CID dig­i­tal foren­sic team has more than dou­bled. Then, once the inves­ti­ga­tion has been com­plet­ed and turned over for pros­e­cu­tion, dig­i­tal foren­sic exam­ines are sub­ject to trav­el to wher­ev­er that case is being tried to tes­ti­fy as an expert wit­ness.

“Most sub­jects in cas­es will plead out before it ever gets to tri­al, but some­times the case will go for­ward and we’ll have to tes­ti­fy as the sub­ject mat­ter expert on behalf of the pros­e­cu­tion,” Wingate said.

Look­ing toward the future, CID’s dig­i­tal foren­sic experts con­tin­ue to do what has to be done, and encour­age their fel­low spe­cial agents to be mind­ful of the dig­i­tal foren­sic exam­ine piece while con­duct­ing an inves­ti­ga­tion.

“What we’re try­ing to push out to the field is to real­ly look at what­ev­er type of inves­ti­ga­tion they may be con­duct­ing and keep the dig­i­tal foren­sic piece in mind,” he said. “Because that piece of media, that phone or iPod, might just be that cru­cial link that solves the case.”

US Army

More news and arti­cles can be found on Face­book and Twit­ter.

Fol­low on Face­book and/or on Twit­ter