Criminals using the Web for illegal exploits are having more difficulty covering their tracks; investigators are better trained and have more sophisticated tools at their disposal. One of those tools is the Forensic Recovery of Evidence Device (FRED), which helps an investigator uncover those deep, dark secrets potential criminals thought were deleted or overwritten on their computer hard drives. FRED -- a PC that locates digital evidence, including files, photos and e-mails -- serves as investigative eyes, searching for a needle in a haystack.
Federal, state and local governments use about 80 percent of the 2,000 FRED units in circulation, although the private sector is beginning to come on board. Typically, FRED gathers evidence in cases of child pornography, computer fraud and Internet solicitation, but the technology is helpful in any case involving electronic evidence, such as embezzlement, trade disputes, wrongful terminations and murder.
"It's equivalent to your DNA kit that you take out into the field to collect blood evidence," said Christopher Stippich, president of Digital Intelligence, FRED's manufacturer. "We're seeing it in just about every type of case."
FRED was developed in 1999 to obtain data from hard drives, floppy disks, ZIP cartridges, CD-ROMs, DVDs and portable PC cards. The product originally was offered in a single tower, stationary unit or in a mobile configuration. Later, the mobile unit was refined and renamed "FREDDIE." Another addition, FRED Sr., is a high-powered, stationary server that remains in an investigator's office or a laboratory. Data is acquired by removing the suspected hard drives and plugging them into it.
FREDDIE is a smaller, mobile, "luggable" system weighing about 32 pounds. It's carried to a crime scene, which is useful when a suspected computer can't be removed from the site and taken to a lab.
"We use [FREDDIE] for just about everything," said Steve Arter, senior supervisor of the Pennsylvania Attorney General's Computer Forensics Unit. "We do a lot of Medicaid fraud and insurance fraud cases where we're going into the doctors' offices or pharmacies.
"When you're talking about a doctor's office or a pharmacy, if you take their computers, you're pretty much shutting them down, and you're going to deny patients and customers service," Arter continued. "We don't want to do that."
When only two to three computers in an office with 15 or 20 computers have evidence, running them through FRED allows for elimination of computers without evidence. "We can use a parallel cable or a network cable and do a safe preview," Arter said. "We can look at everything on that hard drive using [forensic software] without changing anything. It's a safe way of looking at the suspect hard drive on site. Basically, FREDDIE acts as a portable lab. We can do pretty much everything with FREDDIE that we can do here on our lab machines."
Pennsylvania had its own lab machines but needed portability; it purchased FREDDIE, using the unit as a blueprint to build three additional machines.
Tons of Information
The technology helps law enforcement officials scan through vast amounts of information stored on modern hard drives, narrowing the search to what is pertinent. Investigators can specify that FRED search for photos, e-mail messages or files that may link to a case.
"To a great extent, it is just a giant search engine," Stippich said. "We're taking a look at every bit of information that's there. A normal investigator might sit down at a computer and take a look through Windows Explorer to see what information is there."
In some cases, that might be sufficient. If those Windows files had been deleted, however, they would be lost without FRED.
Possible searches include specifically dated e-mails, all photographs on the disk or financial records. Stippich, who founded Digital Intelligence in 1999 after spending five years developing forensics programs for the