Webinar presenters Shannon Kail, Trevor Goode, Ed Michael, and Jim Needles answered a number of your questions after their presentation, "Overlaying Digital Intelligence and Ballistics Technology to Enhance Investigations." Here are a few of their responses.
Audience Question: Do you have any suggestions on how to manage the complexity of the case especially when you have multiple agencies, technology constantly coming in, so some best practices that you could share with the audience?
Ed Michael: Some of the key things that we do… first of all, documentation. What phone came from where is so important. I know it sounds very basic but really having a plan from the start to documentation on who gave you the device, where it came from. Especially, you get multiple jurisdictions, various jurisdiction that shows up, maybe they had a series of mass arrests — they have 5, 6 devices that they dump up off all on you. Really starting with that is what we found is key. We actually start diagramming by hand early. There's a couple of different free tools out there for diagramming. We'll put something in the center, a key focus, a victim, a business. Then we actually start drawing lines off of that. There's this tool called Maltego which is used in malware investigation and you can just draw with it and drop in evidence, photos, along with the name, and put some notes in there. We found that it's really kind of the key in keeping track who's the victim, how people are connected until we give enough data to really start combining it in an analytics format.
Audience Question: Did you get all the information using the Cellebrite analytics enterprise that you ended up using?
Ed Michael: Yes. That's what we used to combine everything together. We have access to multiple mobile forensic suites here in the lab. Cellebrite oxygen XRY Cellebrite is our primary tool but that was the only analytics tool that's met our needs by far more than the other tools. That was definitely key in being able to ingest any type of image or data and that's really what helped solve it for us.
Audience Question: Is it used by all of your special teams and investigative units and do the patrol units ever use the technologies?
Ed Michael: Yes, our patrol officers are trained as part of their orientation to come in and they're trained how to seize the digital devices, what devices to turn off, that they have to leave on, what they need to bring to us directly. All the digital extractions have to come through the lab and we have a couple special detectives there trained as well to aid us in their cases. The majority of it is our detectives and specialized units but we probably get 30% of our intake cases are from various patrol units as well.
Audience Question: How problematic was it in terms of getting through the security on the phone — passwords, encrypted phones and so on?
Ed Michael: Obviously as we progress later in the investigation, things became a little more problematic. We have things like Android encryption, Android 7 was released. And they were stealing phones so that they can have the latest and the greatest phones that caused some issues. A lot of them loved the Apple iPhones and I would say probably at least two-thirds of them were social engineered and were cooperative in giving their passcodes up. Our gang unit made a phenomenal job of building rapport with them and then show up with 8 phones and 8 passcodes. Obviously, you want to take care of them and get those in. Some of the other technologies we used. A lot of them are low-income areas that really didn't have computers at home to get any type of advanced record or anything from. If they weren't cooperative, we use investigative process, we used a search warrant to Apple to get their iCloud account and we got a lot of data that way. Some of the encrypted Androids, the ones that we really wanted into there was one or two I believe we sent to celebrate services and I believe the other three that really gave us a hard time, we either eventually got the passcode or the technology improved and we might have gotten it within a week or a month, or a few months through updates, and technology improved and we were able to get access data information. By far, the best success we had was from investigators obtaining the passcodes.
Audience Question: Have you all noticed an increase of tradecraft in regard to phones such as using all burner phones, switching up the sim cards, turning the phones off during the crimes, surveillance phones, GPS and so on… I was wondering if there's a trend in the tradecraft of street gangs that are similar to that of some terrorists?
Shannon Kail: One of the things that we have seen is with the drug operation type things, is when you get a subject in custody and they have a really hot number, they will say over jail calls to have that number ported to a new phone or a new provider so that they can continue to receive the customers on that number. We've been seeing that quite a bit here in Milwaukee.
Audience Question: You talked about the different technologies that your agency has procured, did you have the same funding source for that technology or how did you fund the procurement?
Shannon Kail: I only know about the ShotSpotter and NIBIN because I was hired in 2014 so I know that we partnered with the ATF to actually get that free from them. They actually helped us set that up here ate our department within our fusion center. Regarding the ShotSpotter, our previous captain had written a grant to actually get funding for that to start out ShotSpotter and then, as the more success we've got, we just extended it to get more money and funding to extend the boundaries of our ShotSpotter locations.
Audience Question: Can you talk a bit more how tolls work with phones?
Trevor Goode: Basically, in the investigation that we had, cellphones ping off of cell phone towers and that puts you into a vicinity of those towers. The tower records will show where those phones were for the suspects in these cases, placing them within very close proximity of the case. For instance, the first homicide that we know happened, the cellphone tolls put the main suspect that I had his picture out there within a block and a half of that first homicide and I believe it was 50 minutes before the actual murder happened. That's how we use the tolls for that investigation.
Audience Question: About finding the presence of DNA on one of the firearms, do you check all handguns for DNA? And if so, which part of the firearm do you check for DNA?
Trevor Goode: I think there's a big misconception out there about the success rate of getting fingerprints and DNA off firearms. In a study in Police One, it talks about how less than 5% of all guns that are fingerprinted, you can get quality fingerprints from that gun. I'm not the fingerprinter, we've got forensic technicians to do that. DNA, we are more successful at getting DNA off of guns from the trigger guard, from the magazine wells, the bullets actually in the magazine, that's where we get our greatest successes.
There are more fingerprints found on magazines than there are on the actual guns, especially when you have polymer guns like Glocks that just don't have a surface for fingerprint powder and DNA swabs.
The trigger guard's probably the biggest area and the magazine and the bullets if you have that in the gun are going to be the best success rates that I've seen as far as getting that evidence off of the gun. Long guns, different story.
Audience Question: What software do you use for obtaining and interpreting the cellphone toll data?
Trevor Goode: I'm more of a case carrying detective, like the guy who's going out to find the bad guys and I give those phones to detectives who work in that area. And I believe they use Cellebrite. I am not tech-savvy as far as the cell phones go. I understand how the technology works and what they need to use it and how to write search warrants to get it, but once I get those warrants, I hand it off to a specialist, and it sounds like Ed is one of those guys who's really up to speed to those kinds of stuff. I am more of a 'go find the shooter, and once you have the evidence, give it to someone a lot smarter than me to process'.
Audience Question: When taking cases to trial for a case that has used this technology, how much work needs to be done to explain the underlying technology to the juries?
Trevor Goode: I think it's important to not overstep your grounds. For instance, in 2007, we had an officer who was murdered here in Glendale. He was murdered in the area that ShotSpotter covers and there were some questions about how ShotSpotter works. How the towers receive information so I believe the path for that was to have people from that company come in and explain how that works. It's always important when you're testifying not to testify the stuff you don't truly understand. Lots of us in law enforcement, you get how to work a system but you don't get how the system works if that makes sense. So, it's important not to talk like an expert when you're not because that's how defense attorneys are really going to open up and hammer you. A great example of that is I think probably most of us listening and most cops understand what DNA is but to truly understand how DNA's translated is something you probably should leave to a scientist who understands the science behind it and not the cop version of "well, I know your DNA's on that gun because you touched it".
Jim Needles: I might also add that in situations like that, ShotSpotter does have expert personnel available to assist in testimonies for the technical side of their product.
Audience Question: Does NIBIN and IBIS provide information about other agencies that may have matching casings?
Jim Needles: Yes. That is what is so important about the IBIS equipment and the NIBIN network. NIBIN allows you to network nationwide. So right now, we're approaching over 200 sites in the country and not only are there 200 sites but there are multiple agencies utilizing those sites. Law enforcement agencies can connect network with each other and they're automatically sharing information across jurisdictional borders.
Click Here to Watch a Recording of "Overlaying Digital Intelligence and Ballistics Technology to Enhance Investigations."