Digital forensics on mobile devices has become an even more essential part of the FBI’s daily crime-fighting mission.
(TNS) — In 2016, a witness’ testimony against four West Coast Crips charged with homicide and other crimes was cancelled — with a bullet.
“They shot one guy in the head a day or two before he was to testify,” said Assistant U.S. Attorney Todd Robinson, who prosecuted the gang members in San Diego’s federal court.
The case, though, would turn on testimony that could not be silenced. Cyberclues, text messages, locations gleaned from cell phone records, photos posted on social media, helped secure the gang members’ convictions.
“It’s critical,” Robinson said of digital evidence last week. “I do a lot of gang prosecutions and they are on Facebook, everybody is on their phones. I’m typing up an affidavit right now and it includes a picture they sent each other of the dope they were going to sell.”
Uncovering these clues, though, is like finding a virtual needle in a million electronic haystacks. Getting past the encryption and lock screens of suspects’ cell phones, tablets and laptops is a daunting task, one often entrusted to the FBI’s national network of computer forensics laboratories.
“If it stores data,” said Hans Frank, the supervisory special agent in charge of San Diego’s lab, “our guys will figure out how to get it.”
In the high-stakes chess match between cybercriminals and law enforcement, this FBI lab is a grandmaster. Since 1999, its team of computer experts has used digital evidence to convict murderers, child abusers, even a Border Patrol agent who used a hidden camera to film his female colleagues undressing in an agency restroom.
“The work you are doing is changing lives,” Frank tells his digital detectives. “Sleep well knowing you are serving your fellow man.”
Still, this work raises privacy concerns. While the Trump administration argues that law enforcement needs built-in “back doors” allowing entry to electronic devices, critics say these would expose law-abiding citizens’ financial and social media accounts to criminals.
“If there is a back door into the encryption, it is not just available to the good guys,” said Steven Andrés, who teaches in San Diego State University’s homeland security program. “If there is a back door, it is a weakness, and it is a weakness that is available to bad guys.”
Even without a “back door,” the local FBI analysts stay busy. In 2016, the year with the most current statistics, the lab examined 1,276 electronic devices, sifting through a mind-numbing 570 trillion bytes of information.
“That number is always growing,” Frank said. “It never goes down, it always goes up.”
Not every investigation requires the skills of a computer-savvy Sherlock Holmes. Among criminals, there may be more dunces than masterminds. For instance:
A man waiting to cross the border opened his iPad to a page of child pornography.
An attempted murder suspect’s social media pages included posts about, yes, the attempted murder.
On a suspect’s computer, analysts found a search history that included “how do i get rid of a dead body.”
There are times, though, when breaking into a suspect’s electronic device is a nerve-wracking ordeal. A famous instance came after the December 2015 terrorist attack in San Bernardino, Calif., when the FBI seized slain shooter Syed Rizwan Farook’s iPhone 5c.
The cell phone’s four-digit passcode was one of just 10,000 combinations, but agents couldn’t make random guesses or program a computer to try every possibility. iOS imposes escalating delays after failed attempts, and the phone’s erase-data setting wipes the keys protecting the stored data after 10 incorrect guesses, leaving everything on the device permanently unreadable.
Apple refused FBI requests to unlock the phone. While the FBI will not comment on how it eventually opened the phone, civilian cybersecurity experts believe the agency took advantage of a vulnerability in the mobile operating system.
In San Diego, the suspect in an attempted murder case had another locked phone. In the lab, technicians used a hair-thin wire to connect to the motherboard, bypassing the encryption system and allowing detectives to find descriptions of the crime.
On another occasion, investigators cracked the locked phone of a suspected child molester. “We used techniques to get around that,” Frank said. “We were able to find new victims of child abuse because of that.”
Investigators need an arsenal of password-cracking methods. What works on one electronic device usually doesn’t work on another.
“All of these devices are unique,” Frank said. “We have to figure out ways to exploit all of them. Our people have to know the difference between Apple and Android and those knock-off Chinese items. There’s no brand loyalty.”
The FBI’s San Diego lab maintains a library of cell phones, representing various makes — iPhones, Nokias, Samsungs — and models.
“Recently,” Frank said, “we were given a flip phone. People still use those, so we have to have them.”
Dissecting these phones, analysts search for “vulnerabilities,” design flaws that allow outside parties to slip past passwords and other barriers. That’s valuable information for law enforcement — and, for better or worse, others.
Some private hackers alert companies when they find a vulnerability, agreeing not to publicize the discovery until the company engineers a fix.
“But there’s a whole industry of selling pre-release vulnerability information,” said SDSU’s Andrés. “They weaponize the vulnerabilities, creating something like a screwdriver that allows people to open that device.”
Not all digital detectives work for law enforcement. There’s a growing corps of civilian cybersleuths, some inspired by the promise of lucrative “bug bounties.”
Those are payments made to hackers who find and report vulnerabilities in computer programs. In 2012, for instance, Microsoft paid $200,000 to one successful hunter, a Columbia University graduate student, Vasilis Pappas.
United Airlines, on the other hand, awarded 2 million miles to a pair of hackers who found holes in the airline’s website.
The federal government also sponsors bug hunts. This April, the fifth bug bounty run under the “Hack the Pentagon” program unearthed 65 vulnerabilities in the website for the military's internal travel system. The Defense Department paid out $78,650.
There are even bounty brokers, like HackerOne, a San Francisco company whose network of 100,000-plus hackers is credited with finding and fixing more than 44,000 vulnerabilities.
There are good reasons to eliminate these flaws, Frank acknowledges. Countless law-abiding people rely on the internet to manage their finances, order medications, conduct business deals. In some countries, online expressions of political dissent can lead to prison terms, or worse, if the government is able to identify the messenger.
In those cases, robust encryption is a must.
“But an iPhone, when you can’t get in to find the child porn,” Frank said, “that’s a bad thing.”
At the FBI lab, exploiting vulnerabilities to gain access to a suspect’s electronic devices is the first step. Investigators then scour files for criminal evidence, ferreting out hidden files and retrieving those that were ostensibly deleted.
“When you click ‘delete’ on the computer, that doesn’t necessarily mean it’s gone,” Frank said. “Any time you do something, the computer keeps a record.”
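The recovery of “deleted” files Frank describes usually means carving: a deleted file’s directory entry is gone, but its bytes remain in unallocated space until overwritten, so the examiner scans the raw image for file signatures instead of trusting the filesystem. The following is an added example written for this page, not FBI tooling: it carves JPEG-shaped blobs out of a constructed disk image by their start-of-image and end-of-image markers, hashes each hit for the report, and flags a blob whose tail has been overwritten. The sample image and the “live”, “deleted” and “truncated” files in it are constructed inline.

```python
import hashlib
import random

JPEG_SOI = b"\xff\xd8\xff"   # Start Of Image; a real file continues with an APPn marker (0xE0-0xEF)
JPEG_EOI = b"\xff\xd9"       # End Of Image


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def carve_jpegs(image: bytes, max_size: int = 16 * 1024 * 1024):
    """Scan raw bytes for JPEG header/footer pairs, ignoring filesystem metadata entirely.

    Returns one record per candidate: offset, length, sha256 and whether the
    footer was missing (tail overwritten or file spanned past max_size)."""
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            break
        # Require an APPn marker right after SOI; cuts most random FF D8 FF false positives.
        if start + 3 >= len(image) or not (0xE0 <= image[start + 3] <= 0xEF):
            pos = start + 1
            continue
        end = image.find(JPEG_EOI, start + 4, start + max_size)
        if end == -1:
            # Header present but no footer within range: the data after it was overwritten.
            found.append({"offset": start, "length": None, "sha256": None, "truncated": True})
            pos = start + 1
            continue
        blob = image[start:end + 2]
        found.append({"offset": start, "length": len(blob),
                      "sha256": sha256_hex(blob), "truncated": False})
        pos = end + 2
    return found


def fake_jpeg(payload: bytes) -> bytes:
    """JPEG-shaped blob (SOI + APP0 + payload + EOI); constructed, not a viewable picture."""
    return JPEG_SOI + b"\xe0" + payload + JPEG_EOI


def build_sample_image(seed: int = 7):
    """Constructed 'disk image': filler bytes with two whole files and one overwritten file.

    Filler excludes 0xFF so the layout is deterministic and no stray markers appear."""
    rng = random.Random(seed)

    def filler(n: int) -> bytes:
        return bytes(rng.randrange(0, 255) for _ in range(n))

    live = fake_jpeg(b"JFIF-live-" + bytes(range(0, 200)))          # still has a directory entry
    deleted = fake_jpeg(b"JFIF-deleted-" + bytes(range(0, 120)))    # entry removed, bytes remain
    truncated = JPEG_SOI + b"\xe1" + b"Exif-partial"                # tail overwritten by new data
    image = filler(4096) + live + filler(2048) + deleted + filler(1024) + truncated + filler(512)
    return image, live, deleted


if __name__ == "__main__":
    img, _, _ = build_sample_image()
    for hit in carve_jpegs(img):
        print(hit)
```

In a real case the same loop runs over a multi-gigabyte image in chunks with an overlap of a few bytes so a marker split across chunk boundaries is not missed; hashing each carved file lets the examiner cite it later without re-carving.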
Investigators also “hash” the evidence. Before analysis begins, agents make a forensic image, a bit-for-bit copy of all the data on the device, and run it through a “hash function,” which produces a short fixed-length fingerprint that changes completely if even one bit of the data changes.
“It’s like a fingerprint,” Frank said. “The whole point is to be able to present in court, beyond a reasonable doubt, that what we did is accurate.”
The hash, in other words, shows that the copy the analysts examined is identical to what was on the device when it was acquired, so those incriminating emails, graphic videos and other damning data cannot be claimed to have been altered or added after the FBI began poking around.
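What the hash actually proves is integrity of the image from acquisition onward: the digests recorded at seizure are recomputed over the working copy before analysis and again before trial, and any difference means the copy is not the evidence. The following is an added example written for this page, not FBI or lab code: it hashes an image in fixed chunks (so a multi-terabyte image never has to fit in memory), records MD5 and SHA-256 together as many lab reports still do, and shows that a single flipped bit or a truncated copy fails verification. The device contents, examiner name and evidence number are constructed for the example.

```python
import hashlib
import io
import random

CHUNK_SIZE = 1 << 16  # 64 KiB per read; real imagers use a few MiB


def hash_stream(source, algorithms=("md5", "sha256"), chunk_size=CHUNK_SIZE):
    """Stream a disk image through several hash functions at once.

    `source` may be a file-like object (the real case) or raw bytes (for tests)."""
    if isinstance(source, (bytes, bytearray)):
        source = io.BytesIO(source)
    hashers = {name: hashlib.new(name) for name in algorithms}
    total = 0
    while True:
        chunk = source.read(chunk_size)
        if not chunk:
            break
        total += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    return {"bytes": total, **{name: h.hexdigest() for name, h in hashers.items()}}


def acquisition_record(device, examiner: str, evidence_id: str) -> dict:
    """Hashes taken once, from the write-blocked original, and entered into the custody log."""
    return {"evidence_id": evidence_id, "examiner": examiner, **hash_stream(device)}


def verify_image(copy, record: dict) -> dict:
    """Re-hash a working copy and compare every recorded field against the acquisition record."""
    current = hash_stream(copy)
    mismatched = [k for k in ("bytes", "md5", "sha256") if current[k] != record[k]]
    return {"verified": not mismatched, "mismatched": mismatched, "current": current}


def flip_one_bit(data: bytes, index: int) -> bytes:
    """Simulate the smallest possible alteration of the evidence."""
    altered = bytearray(data)
    altered[index] ^= 0x01
    return bytes(altered)


def make_sample_device(seed: int = 2018, size: int = 3 * CHUNK_SIZE + 17) -> bytes:
    """Constructed device contents; the odd size exercises the partial last chunk."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(size))


if __name__ == "__main__":
    device = make_sample_device()
    record = acquisition_record(device, examiner="Examiner-1", evidence_id="SD-2018-0001")
    print("acquired:", record)
    print("bit-for-bit copy:", verify_image(device, record)["verified"])
    print("one bit flipped:", verify_image(flip_one_bit(device, len(device) // 2), record))
    print("truncated copy:", verify_image(device[:-1], record)["mismatched"])
```

Recording two algorithms is not about doubling security; SHA-256 is the digest that matters, while MD5 is kept for comparison with older reports and tools. The byte count is recorded because a truncated copy is a far more common mishap than a collision.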
Found inside the FBI’s Sorrento Valley high-rise offices, the local lab is an investigative cooperative. From the El Cajon Police Department to the Naval Criminal Investigative Service, 17 law enforcement agencies provide staff for the lab’s task force.
The team also includes more than a dozen FBI agents. While most don't have computer degrees, all start their tenure here with what Frank called “A-plus certification.”
“That’s equivalent to the Geek Squad members,” he said.
Training is ongoing — there’s a classroom outside the lab, for lectures and briefings — that pushes investigators well beyond Geekdom. Staying ahead of the latest developments on the electronic frontier is a never-ending job.
Frank was reminded of this early last year, when he moved to San Diego from the Bay Area. To relocate his family, he scouted out suitable neighborhoods, scanned homes on the market, applied for a loan, made an offer and closed on the deal.
“I did the whole process on my phone,” he said. “If I’m doing all that on the phone, how much are the bad guys doing on the phone?”
©2018 The San Diego Union-Tribune Distributed by Tribune Content Agency, LLC.