FBI lab unites local agencies over data analysis

Officers serve on front lines of cyber battle with criminals

By Sherman Smith
The Topeka Capital-Journal

KANSAS CITY, Mo. (AP) - The FBI's Heart of America Regional Computer Forensics Laboratory, where a cadre of examiners imparts their crime-fighting expertise, is littered with the remnants of hard drives, cellphones, circuit boards and everything else in the bulging array of electronic devices that record data.

Here, the seemingly infinite chains of 1s and 0s that coalesce to form data are mined for secrets that prosecutors will use to influence jurors.

Their services are needed now more than ever, as the technology that enriches the lives of everyday Americans provides information about where people are, what they are doing, and what their motivations may be. In addition to computers, phones and tablets, your car, lights, TV, thermostat, appliances and voice-controlled smart speakers can be harvested to reveal your every move and intention.

"The majority of our cases are things that are with us all the time, and there's so much evidence to be gained because of the fact that it's with you all the time," said Sarah Lucas, the lab director and a supervisory special agent with the FBI. "There are people that are connected all the time. I struggle to think of a crime that wouldn't have a digital component."

For 15 years, the Kansas City lab - one of 17 in the FBI's arsenal - has united officers selected by local agencies in Kansas and Missouri to serve on the front lines of a cyber battle with criminals, the Topeka Capital-Journal reported. By assigning an employee to the unit, the local agency gets unlimited access to an immense collection of tools, software and expertise. The FBI trains and certifies the examiners to glean and parse data, or make audio and video easier to hear and see.

This is where they discovered the metadata that BTK - Wichita's notorious serial killer - unwittingly abandoned on a floppy disk, leading authorities to Dennis Rader's church. Examiners here discovered and dissected chatroom comments that Melvern, Kansas, resident Lisa Montgomery exchanged with Bobbie Jo Stinnett before Montgomery traveled to Skidmore, Missouri, to murder Stinnett and rip the unborn child from her victim's womb.

Darrin Jones, special agent in charge of the Kansas City division of the FBI, said the goal is to build a cadre of extraordinarily professional and competent digital examiners.

If someone embezzles money, he said, the culprit may have been thinking about how to do it. He may have a co-conspirator. They develop a plan. They create a document on how to do it, which might reside on a computer, a phone or in the cloud.

That's where the digital examiners come in.

"They have to have the expertise to take the stand and tell a jury how did that document get there, who created it, when was that document edited and by whom," Jones said. "Was that document transmitted? Where? What was the mechanism? Because as you can imagine, everyone's entitled to a robust defense. Great defense attorneys are going to challenge at every step of the way, as they should, this evidence."

Examiners at the lab have access to special tools in different rooms to meet specific needs. They can place a phone in a box that blocks electromagnetic waves - so you can't erase, alter or access it remotely - while they make an identical copy of its data. This is one of the few labs that have software capable of cracking iPhone encryption, which can take between 2 seconds and 29 years, depending on your password.

A powerful microscope and hair-thin soldering iron are used to retrieve data from damaged goods. Earlier this year, the lab's services were called into action when a woman's body was discovered after two months in the Platte River. Examiners were able to access data from her waterlogged phone and conclude there was no foul play.

In the evidence room, rows of shelves are filled with devices sealed in pink plastic bags. On average, the turnaround time for reviewing evidence is 90 days. For more serious, time-sensitive crimes, the volume of staff and a mobile unit allow for immediate results.

"We'll go out on scene at 11 at night and make sure we do everything on site so then we're doing it within an hour," Lucas said. "We have other things that come in and it's a priority - 'I need this because I have trial in a week.' We'll prioritize those things and make sure they get in."

The lab can deploy a blue van with a massive server rack and all the tools needed to process, harvest and review data on location.

Scott Slifer, the lab's deputy director and a forensic examiner with the Lawrence Police Department, said the FBI partnership gives officers from smaller agencies an opportunity to work on high-profile cases.

When Terry Loewen landed on the FBI's radar by advocating for violent jihad on Facebook, Slifer helped answer questions for investigators. They knew the avionics technician wanted to bomb the Wichita Mid-Continent Airport, but what else was he thinking about? How was he radicalized?

"It was an absolutely fascinating computer exam," Slifer said. "You could see it on his computer - the internet history, the books that he read, the things that he was interested in. How does an American end up where he was?"

Shawnee County Sheriff Herman Jones said having Cpl. Thad Winkelman at the FBI lab, where he was first assigned in 2005, gives his agency "first-line access to the latest forensic techniques and equipment." Winkelman, who is certified to work on computers, cellphones, video, audio and vehicle infotainment systems, also serves as a local instructor.

Marc Rogers, a professor at Purdue Polytechnic Institute who trains lab technicians and helped set up the FBI lab in Louisville, Kentucky, said there is "a wicked demand" for those who have computer forensic skills. Bad guys don't have to worry about whether they are using court-certified processes when they deploy technology for nefarious means, leaving law enforcement "a couple of steps behind," Rogers said.

Part of the challenge is the "internet of things," a phrase that refers to the volume of devices that communicate with each other. There is too much data now, Rogers said, to review it all.

A benefit to having that data - from the police perspective - is how it can be used to scrutinize a suspect's alibi. Darrin Jones, the special agent in charge, said GPS signals may show your car was at the scene of the crime as the crime was being committed and that your phone was connected to the car's Bluetooth system. Your home's motion-detection lights didn't come on, you weren't watching Netflix, and the thermostat was in sleep mode because there was no activity in the house.

"We get paid to think in a bad way, or to be a little paranoid," Jones said. "I actually have to have people think about how the refrigerator could be used to commit a crime. What could the furnace tell me about activity that may have happened in that house?"

Published: Mon, Oct 29, 2018