Vol. 79, No. 3

Cover stories

Behind the screen

Digital forensics specialists uncover, interpret data

Cpl. Darren Birnie uses a technique called in-system programming to acquire the complete memory contents from a digital device while leaving the original evidence intact. Credit: Serge Gouin, RCMP

In the office of the RCMP's Technological Crime Unit (TCU) at National Division in Ottawa, a small request to open a USB key has turned into an animated discussion about protocol and process.

In the field of digital forensics, preserving the integrity of data on a device is a key component of the work. It's crucial that members of the unit know all the facts before they access electronic data. So when a colleague from another team asks if digital forensics can take a look at the content on the USB key, the unit has questions.

What is it? Where did it come from? The simple act of opening the files could have negative consequences.

"We need to make a forensic copy of that USB to preserve the original content," says Sgt. David Connors, the non-commissioned officer in charge of operations for the Digital Forensics Team within the TCU. "For evidence to be admissible in court, we have to prove the evidence is the same piece that was taken at the scene. You can't say it's the same piece of evidence if for the last year everybody and their brother has been manipulating it. Any change that we do make to a device, we document."

In addition to preserving evidence, digital forensics specialists also perform a structured investigation by collecting, identifying and validating the digital information for the purpose of reconstructing past events. Essentially, they make sense of this type of evidence so those without the high-tech background can understand it.

Digital data

It's not hard to see why digital forensics investigators (DFI) and analysts are often referred to as the techies by the clients they support. Their work with computers, cellphones and computer networks — anything related to digital data — would make most people's heads spin.

"It's very challenging work," says Cpl. Darren Birnie, a DFI with the TCU. "It's a very exciting career path if you're into continuous learning and new challenges all the time. When I start looking through these systems, you never know what you're going to get and I've been doing this since 2009."

The technology rapidly changes.

"We have to adapt constantly," says a *civilian analyst with the TCU. "New cellphones come out every few months. Today we're doing something one way. Next month you might not do the same thing to get the same result. We have to keep up and research all the time."

But while the unit must remain current, the investigations themselves are complex and can take time. The TCU in Ottawa was involved in investigating the Canada Revenue Agency Heartbleed hacking case in 2014. On May 6, 2016, the individual, Stephen Solis-Reyes, pleaded guilty to two counts of willful mischief (data), one count of unauthorized use of a computer and one count of obstructing a peace officer.

For the past few months, Cpl. Sébastien Laurendeau, a DFI with the Cybercrime Investigation Team (CIT), which is integrated with the TCU, has been spending his days searching data on hard drives, trying to find evidence to connect a suspect to the offence. While patience is required, Laurendeau says the work is satisfying.

"It's rewarding when you're able to connect the dots," says Laurendeau. "Even just figuring out how things work, 'Oh! This is how he was doing this.' When you're able to see that you're progressing and getting somewhere, it's fun."

Learning the ropes

Before joining the CIT, Laurendeau didn't consider himself to be a techie. His interest in digital forensics began with an online luring case he worked on when he was doing general duty in New Brunswick. He called the TCU in New Brunswick for advice.

"I tracked down my suspect using IP addresses and dealing with service providers, which got me really interested in it," says Laurendeau. "People think they're anonymous when they're online, but they aren't. I was able to find my suspect, arrest him and he was actually convicted."

This experience led him to pursue a career in digital forensics. He took a few courses to increase his knowledge, then applied. He first joined the TCU in New Brunswick before becoming a member of the CIT in Ottawa.

While several members on the TCU have a background in computers, it isn't necessary. There's an understudy program for successful candidates, which includes a combination of computer forensic courses at the Canadian Police College and on-the-job mentoring by a coach.

The program typically takes one to two years to complete before DFIs are ready to work independently, which means there's a long time between hiring someone and having them work on their own.

Growing field

Based on the tools and state-of-the-art equipment the team has at their disposal, like the multi-million dollar server room to protect them from malicious attacks, it's clear the unit is a priority for the RCMP.

There's a TCU in every province to support local detachments. These provincial units see more street-level files, like assaults, break and enters, thefts, frauds and domestic disputes, but they also support major investigations involving homicides, large frauds, drug trafficking, organized crime, border/customs and national security.

The TCU in Ottawa differs in that it primarily supports larger and longer investigations generated by National Division's Sensitive and International Investigations, which examines political files, corruption, breach of trust, war crimes and kidnapping. The unit also supports National Capital Region Traffic services, General Duty Protective Policing, VIP, Prime Minister's Protective Detail and the Governor General's Protective Detail. And because the Ottawa TCU is integrated with the Cybercrime Investigation Team, it supports cybercrime files as well.

Almost all investigations now involve some element of digital forensics. "Realistically, every single case could have a digital component," says Birnie. "But also realistically, there's a finite amount of resources so there has to be a cut off on what we can invest time in and what is not necessary for prosecution to take the case to court and be successful. There are just not enough tech crime guys to go around."

Connors says this means there's a continued need to develop expertise in digital forensics and push the information to the frontline.

"As more and more average people go to the online world to do their day-to-day business, more and more criminals will move into the same space and more police operations are going to have to take place there, too," says Connors.

*Some names are being withheld for security reasons.
