The National Computer Forensics Institute Trains U.S. Law Enforcement Professionals on Digital Evidence

By Brian Musthaler | November 18, 2013

Posted in: Network Security Trends

In 2011, young mother Casey Anthony went on trial for the murder of her two-year-old daughter Caylee. You may recall some of the lurid details from the case. In June 2008, the mother reported her child as missing. Caylee’s skeletal remains were found by a utility worker in December 2008. Prosecutors felt they had enough evidence to charge Casey with capital murder. The case was carefully laid out over the course of a month, but in July 2011, the jury found Casey Anthony not guilty of the most serious charges against her: first-degree murder, aggravated child abuse, and aggravated manslaughter of a child. She was, however, found guilty of providing false information to law enforcement.

Many people were stunned at the outcome of this trial, having expected that Casey Anthony would be found guilty of murder. The disappointment reached a crescendo when it was revealed in 2012 that investigators overlooked – and thus never presented – key evidence that could have completely changed the outcome of the murder trial.

It turns out investigators who looked at Casey Anthony’s home computer for evidence before the trial did not thoroughly investigate her browser search history. What they missed was a search for “fool proof suffocation” done on the day that Caylee Anthony was reported missing. This evidence is critical because it was asserted that Caylee died from poisoning and suffocation. Unfortunately, it was discovered too late and cannot be presented in court now that Casey has been found not guilty.

Forensic investigators and prosecutors all across the country have looked at this case as a lesson learned, and it has become part of the curriculum at the National Computer Forensics Institute (NCFI). Funded by the U.S. Department of Homeland Security, the NCFI is a training center in Hoover, Alabama that teaches law enforcement officers, prosecutors and judges how to collect, preserve and utilize digital evidence for the ultimate goal of obtaining convictions for crimes.

Barry Page is deputy director of the NCFI and a prosecutor for the state of Alabama. According to Page, “Because of Internet searches, because of email, because of smart phones and phone calls, there is potential digital evidence in every type of case, whether it is a drug sale, murder or whatever. The problem was that law enforcement in general across the board was not trained in the value of digital evidence, where to find it, how to preserve it, what to get when they go to a crime scene. Prosecutors did not know how to present the evidence in court, and judges didn’t understand how to issue search warrants and rule on evidence.” He says the NCFI was started about 10 years ago to fill that need for training.

NCFI offers a range of courses that run the gamut from basic to very advanced. The courses are tailored for the audience and how they will work with or use the digital evidence. For example, a prosecutor needs to be able to explain the significance of digital evidence to a jury in layman’s terms, while a judge must understand the parameters of a search warrant and whether evidence is admissible or not.

A basic computer forensics class helps students understand the principles of what evidence can be gathered, such as pornographic images on the hard disk, audit trails of browser searches, and geolocation data of cell phones and smart phones. Then there is a five-week computer forensics class where investigators are trained in how to do the forensic examinations. They learn what is called dead box forensics, which means extracting evidence from hard drives, and they learn the network side, which covers intrusion and virus investigations and similar work. There’s also a class that focuses on mobile devices, since they are so different from PCs in terms of how they operate.

The law enforcement agents who go through the extensive forensics courses take home the hardware and software that allow them to do thorough investigations. Technically, the equipment is owned by the Secret Service, but it’s assigned to the state or local law enforcement agency so that investigations can be conducted locally.

So far the program has been a big success. “Since 2008 we have trained about 2600 people, and that’s all state and local law enforcement, prosecutors and judges. That covers all 50 states plus 3 territories,” says Page. “They represent somewhere between 500 and 600 law enforcement agencies. We have far greater demand than we have budget for. We don’t advertise the classes because we are already turning so many people down. On average we get about six applicants for every available seat we have over the course of the year.” He hopes that DHS can expand the program’s budget to allow the institute to train more people.

Page says that whom the students meet through the courses is as important as what they learn. “This training allows them to develop the personal network of all the other people in the class, the instructors, the contacts here at the Institute, and the Electronic Crimes Task Forces (ECTFs) that are around the country,” says Page. “When they leave class they have this big network and when they have cases where they’re not sure how to do something, there are a lot of people that they can reach out to for help. Everybody is being trained on the same equipment and they are being taught the same protocols and how to do the reports. They get a real consistent base on the language they speak.”

As more and more members of our law enforcement community go through these courses and learn how to deal with digital evidence, there are hopes that there will be no more oversights like the one that occurred in the Casey Anthony case.
