Digging up digital dirt

It’s not all black suits and sunglasses for the U.S. Secret Service. These federal agents are also some of the best computer forensic examiners in the nation. At its training institute in the Hoover Public Safety Center, the Secret Service shares its forensic knowledge with state and local law enforcement from across the nation.

The National Computer Forensic Institute (NCFI) was conceived as a joint effort of the Secret Service, the Department of Homeland Security and the Alabama District Attorneys Association. They recognized that digital evidence was a growing field, and the state and federal computer examiners were overwhelmed with a backlog of cases.

“It was not unusual at all to take somebody a hard drive and be told that it might be two years before they might have the chance to look at it,” said NCFI Deputy Director Barry Page.

With the help of U.S. Rep. Spencer Bachus, the NCFI found a home in 32,000 square feet of unused space in the Hoover Public Safety Center. After renovations to include five classrooms, a moot courtroom and offices, the NCFI held its first classes in 2008.

The goal of the NCFI is to train police, prosecutors and judges in understanding, collecting and using digital evidence. Since its inception, the NCFI has given free courses to more than 3,000 people from all 50 states, Puerto Rico, Guam and the U.S. Virgin Islands. That number includes 28 Hoover Police Department employees and 29 people from the Shelby County Sheriff’s Office, District Attorney’s Office and Circuit Court.

“The idea was, ‘Let’s make the same thing that federal agents are getting trained for available for state and local law enforcement,’” Page said.

There are currently 13 classes for beginner, intermediate and advanced students. The topics for law enforcement include extracting information from hard drives and mobile devices, combating network intrusions, finding evidence on social networks and credit card information theft. Prosecutors are taught to question computer forensics experts, present digital evidence to a jury and argue for admission or exclusion of evidence. Judges learn about warrants for digital evidence and understanding this evidence in court. At the end of the courses, students get to take home the equipment they used.

NCFI students learn not only technical skills but also how to focus their investigations to save time and resources. With limited computer forensic manpower, most local police forces and district attorneys cannot spend days combing through massive hard drives. Page said it’s all about working “smarter, not harder.”

“The technology is there, the capability is there, the training is there to go in and look at those things, but can you dedicate a week’s worth of an examiner’s time on every case?” Page said. “It’s just not possible.”

Classes are constantly changing or being added to keep pace with technology. Since 2008, mobile devices and social media have grown in popularity and become more important sources of evidence for criminal cases.

“If somebody’s going to commit a crime, it’s not unreasonable to think that there’s going to be GPS information, cell tower information, some type of email or text communication, something on social media,” Page said.

The instructors also have to keep up with new trends. Page remembers that in early classes, social networks were a one-hour discussion as part of a broader class, but now there is a three-day course devoted solely to the subject. In a prosecutors’ class in June, the participants talked about Bitcoin for the first time. The introduction of cloud storage is a new problem that the NCFI will have to address.

“Just about every class, there’s something new to talk about,” Page said.

Students also benefit from connecting to the NCFI network of computer forensic examiners scattered across the country. When they need advice or outside help, former students can draw on the expertise of classmates, teachers and an NCFI database.

Page said he often hears from students whose NCFI training has helped them solve cases. He has also noted decreases in computer forensics backlogs across the country, but there is a long way to go.

“Certainly the amount of cases are going up, the amount of people who are being trained are going up. There are still significant backlogs, but things are getting better,” Page said. “I don’t know what it would look like to have enough computer forensic examiners trained. I don’t know how many is enough, because we’re nowhere near that point.”

On June 2, the Hoover City Council approved the NCFI’s use of its current space until 2024. In that time, Page hopes to increase the institute’s budget, currently set at $7.5 million, and continue improving its courses. For Page, the most satisfying part of his job is seeing the NCFI wall map and its 3,000 pins placed on each student’s home city.

“I enjoy being able to see the impact of what you’re doing,” Page said. “We do hear back on a pretty regular basis about the impact it’s made. It’s pretty significant.”