Digital Detective

FRED helps investigators find electronic needles buried in PC haystacks.

December 20, 2002

Criminals using the Web for illegal exploits are having more difficulty covering their tracks; investigators are better trained and have more sophisticated tools at their disposal. One of those tools is the Forensic Recovery of Evidence Device (FRED), which helps an investigator uncover those deep, dark secrets potential criminals thought were deleted or overwritten on their computer hard drives. FRED -- a PC that locates digital evidence, including files, photos and e-mails -- serves as investigative eyes, searching for a needle in a haystack.

Federal, state and local governments use about 80 percent of the 2,000 FRED units in circulation, although the private sector is beginning to come on board. Typically, FRED gathers evidence in cases of child pornography, computer fraud and Internet solicitation, but the technology is helpful in any case involving electronic evidence, such as embezzlement, trade disputes, wrongful terminations and murder.

"It's equivalent to your DNA kit that you take out into the field to collect blood evidence," said Christopher Stippich, president of Digital Intelligence, FRED's manufacturer. "We're seeing it in just about every type of case."

FRED was developed in 1999 to obtain data from hard drives, floppy disks, ZIP cartridges, CD-ROMs, DVDs and portable PC cards. The product originally was offered in a single tower, stationary unit or in a mobile configuration. Later, the mobile unit was refined and renamed "FREDDIE." Another addition, FRED Sr., is a high-powered, stationary server that remains in an investigator's office or a laboratory. Data is acquired by removing the suspected hard drives and plugging them into it.

FREDDIE is a smaller, mobile, "luggable" system weighing about 32 pounds. It's carried to a crime scene, which is useful when a suspected computer can't be removed from the site and taken to a lab.

"We use [FREDDIE] for just about everything," said Steve Arter, senior supervisor of the Pennsylvania Attorney General's Computer Forensics Unit. "We do a lot of Medicaid fraud and insurance fraud cases where we're going into the doctors' offices or pharmacies.

"When you're talking about a doctor's office or a pharmacy, if you take their computers, you're pretty much shutting them down, and you're going to deny patients and customers service," Arter continued. "We don't want to do that."

When only two to three computers in an office with 15 or 20 computers have evidence, running them through FRED allows for elimination of computers without evidence. "We can use a parallel cable or a network cable and do a safe preview," Arter said. "We can look at everything on that hard drive using [forensic software] without changing anything. It's a safe way of looking at the suspect hard drive on site. Basically, FREDDIE acts as a portable lab. We can do pretty much everything with FREDDIE that we can do here on our lab machines."

Pennsylvania had its own lab machines but needed portability; it purchased FREDDIE, using the unit as a blueprint to build three additional machines.

Tons of Information
The technology helps law enforcement officials scan through vast amounts of information stored on modern hard drives, narrowing the search to what is pertinent. Investigators can specify that FRED search for photos, e-mail messages or files that may link to a case.

"To a great extent, it is just a giant search engine," Stippich said. "We're taking a look at every bit of information that's there. A normal investigator might sit down at a computer and take a look through Windows Explorer to see what information is there."

In some cases, that might be sufficient. If deleted, however, those Windows files would be lost without FRED.

Possible searches include specifically dated e-mails, all photographs on the disk or financial records. Stippich, who founded Digital Intelligence in 1999 after spending five years developing forensics programs for the state of Wisconsin and the National White Collar Crime Center (NWCCC), cited murder cases where perpetrators planned killings or alibis on computers and deleted the files, which were found using FRED.

Stippich said most people don't realize that deleted computer files aren't really gone. If a letter of resignation is written on a computer, then deleted after it's printed, multiple copies of the letter remain on the hard drive -- even if the writer thought everything was erased.

"There are, electronically, multiple copies of that file as you created it. Microsoft Word, for example, saves a backup copy of that file to the disk, so that's splattered out there on that media on allocated file space," Stippich said. "Everywhere you go nowadays, you're leaving digital tracks."

Preserving Evidence
Before FRED, investigators were warned of how fragile electronic evidence was. That's changed a bit with new technology's ability to recover deleted or lost information. "Nowadays, we've taken a reverse turn on that with the size of hard drives and the amount of information that's being kept electronically; it's hard to cover all your tracks," Stippich said.

FRED can create a duplicate of everything on a disk, providing a backup should the original be changed or modified. The Pennsylvania Computer Forensics Unit actually leaves the "ghost image" with the owner and takes the original to the lab.

FRED units cost anywhere from $5,700 to $8,400, but the real expense is forensics training, which can run as much as $3,000 per week. However, some organizations, such as the NWCCC and the National Consortium for Justice Information and Statistics (SEARCH), offer training at discounted rates or even for free.

Continued training is key in forensics work because technology constantly changes. "It's not like interrogation school or Breathalyzer school where you can do it once and learn it," Stippich said.

Another key is finding an officer with the aptitude and desire to continue training, and who is willing to serve in a support role for an entire department, Stippich said. "You have a whole bunch of detectives in the department investigating different types of cases, and each one of them has the potential for having some kind of electronic evidence. So when it comes time to analyze or grab that electronic information, they'll call in that forensic guy."

Jim McKay, Justice and Public Safety Editor