Community Supervision in the 21st Century
Prepared By: Mathew J. Shelby, Correctional Probation Senior Officer & UCF Student Examiner
Program Purpose:
The purpose of a Digital Forensics Lab within the Florida Department of Corrections is to
provide officers with essential information needed to support best practice supervision plans for
offenders. The Internet provides anonymity for offenders and gives them the ability to hide
volumes of information on computers, cell phones, laptops and other electronic storage devices
placing officers at a disadvantage when this information cannot be discovered and shared.
Officers without knowledge and proper training in computers and digital forensics can
compromise cases in Court when non-forensic methods of discovery are used. The lab will
provide scientifically sound forensic services for recovery of electronic evidence so supervising
officers can more effectively determine an offender’s activities, thereby maximizing corrections
resources, enhancing public safety and ensuring the highest rates of successful outcomes.
Personal Statement & Vision:
This project was undertaken because this student examiner and Correctional Probation
Senior Officer wanted to take a more active role in the supervision of sex offenders and cyber
criminals as a result of my advanced coursework at the University of Central Florida in digital
forensics. I have been employed with the State of Florida since graduating from Florida State
University in 2003 with a Bachelor of Science in Criminology and a Minor Specialization in
Sociology. During my employment with the State of Florida, I have worked as a Child Protective
Investigator and a Correctional Probation Officer. As a Child Protective Investigator I have
witnessed firsthand damages caused by sexual abuse through interviews with child victims and
identified a personal need to take action. In 2011-2013, I completed general information security
coursework at Pasco Hernando Community College including coursework in Computer
Concepts, Managing Information Technology, Microcomputer Applications, Introduction to
Networking, Microcomputer Software Essentials, Principles of Information Security, Webpage
Design and Business Communications. In 2013, I enrolled in the Masters of Science Program in
Digital Forensics under the leadership of Dr. Sheau-Dong Lang, an educator who has spent many
nights answering my countless questions! My coursework at the University of Central Florida
has included Computer Forensics I, Computer Forensics II, Topics in Forensic Science, The
Practice of Digital Forensics, Operating Systems and File System Forensics, The Nature of
Crime, Incident Response Technologies and Electronic Discovery for Digital Forensic
Professionals. I have maintained a 4.0 GPA throughout my coursework in Information Security
and Digital Forensics. I have spent the last two years of my life devoted to learning the skills
necessary to conduct forensic digital examinations using industry software and hardware. In
2014, I was recommended by my former supervisor, Lisa Payne, for the prestigious Community
Corrections Employee of the Year and received this award on May 7, 2014. I was also classified
as a subject matter expert by the Florida Department of Law Enforcement in the subjects of
Intake and Orientation, Case Management, and Offender Supervision in August 2014. Later that
month, I was recognized by my director, Dr. Sheau-Dong Lang, with the UCF Provost Merit
Scholarship for my studies in Digital Forensics at the University of Central Florida. I have
learned best practices to ensure examinations are conducted in a sound forensic manner that are
defensible in a Court of law. Due to graduate in Summer 2015, I want to put this knowledge to
use at the Florida Department of Corrections! It is my hope and dream that this report resonates
with the right staff at my agency who agree that Community Supervision in the 21st century
involves Digital Forensics and other advances discussed herein. My inspiration for this project
was a news article and subsequent conversation had with Mrs. Christi Winters, a probation and
parole officer with the Multnomah County Department of Community Justice in the state of
Oregon who helped develop and run a computer forensics lab for her agency.
Expected Outcomes & 2013-2016 Strategic Plan:
This pilot project is designed with several goals of the 2013-2016 Strategic Plan for the
Florida Department of Corrections in mind. First, Goal 3 states, "Enhance public safety through
effective supervision of offenders in the community." In support of achieving this goal, this
officer recommends reclassification of several Correctional Probation Specialist caseloads to
Cyber Specialist designation. Initially, this examiner recommends one Specialist and one backup
in the Tampa Circuit while the pilot project is being conducted. An existing Correctional
Probation Specialist may be used if they are found to possess the unique knowledge, skills and
abilities discussed elsewhere in this report; or in the alternative, a statewide survey of
Department of Corrections staff may be utilized to identify prospective candidates. The Tampa
Circuit was chosen because of its proximity to one of two Digital Forensics laboratories in
operation by Florida Department of Law Enforcement. The other Digital Forensics laboratory is
located in Tallahassee, Florida where the pilot may be expanded if the initial phases are
successful. It is envisioned that a working relationship would be developed between staff at
FDLE and Department of Corrections to make use of existing training opportunities and
resources shared by the State and to minimize expenses. Capitalizing on partnerships such as
these to continue to improve the quality of life in Florida is one of the missions of the Florida
Department of Corrections. It also complies with Objective 2.4.5 of the 2013-2016 Strategic Plan
whose focus is to "establish collaborative partnerships with local law enforcement, community
service providers, businesses, and other appropriate entities."
The Cyber Specialist [and their backup] would be responsible for conducting all forensic
searches of sex offenders supervised in the assigned Circuit. The Specialist would work in
conjunction with the existing Correctional Probation Specialists to conduct quarterly computer
searches of supervised sex offenders and identified cyber criminals where technology was
instrumental in the commission of their crime. Although this paper focuses on sex offenders
many of the same evidence-based practices apply to cyber criminals since the Computer and
Internet are instruments that can be used in their respective criminal activities. This examiner
envisions that the Cyber Specialist would be a search team member responsible for the forensic
computer search while the physical search of the residence is conducted by the assigned officer
and other search team members. In addition, the Cyber Specialist would be responsible for
monitoring computer activities of selected sex offenders and cyber criminals who have
monitoring software installed on their computers. If a violation is discovered, the Cyber
Specialist would staff the case with the assigned officer and complete the Violation Paperwork
due to their advanced knowledge of the alleged non-compliance. The Cyber Specialist, based on
their knowledge and experience, would then testify in Court to any actions taken in the offender's
case.
In consideration of Strategy 3.4, which states "Enhance stakeholder awareness of the
role, importance, and long-range outcomes of successful community supervision," this
examiner believes that the implementation of a Digital Forensics program within the Florida
Department of Corrections will have a positive impact on our "branding platform" to the general
public and our law enforcement partners. This also ties into our core values of ensuring Trust,
Respect, Accountability, Integrity and Leadership (TRAIL) because the general public and our
law enforcement partners can trust that we are holding offenders accountable for their actions.
Next, Goal 4 of the 2013-2016 Strategic Plan for the Florida Department of Corrections
states, "Optimize organizational performance." The selected Cyber Specialist will help reduce
the burden of some of the tasks assigned to Correctional Probation Specialists by doing their
computer searches, computer activities monitoring and associated Violation paperwork on cases
they were involved in. This will not only optimize organizational performance but allow for
increased supervision and collaboration among staff. The end result is increased efficiency and
the perception to the offender that he or she is being "watched" more closely. In reclassifying an
existing position, there is no additional personnel cost to implement the Digital Forensics
program. Grant-funded organizations such as the National White Collar Crime Center have a
variety of free training courses available to agency partners and grants may be available through
resources such as the Edward Byrne Memorial Justice Assistance Grant and Internet Crimes
Against Children Task Force for the purchase of equipment and software.
Strategy 4.4 of the 2013-2016 Strategic Plan includes the objective to "enhance the
relevance of job-related training throughout the Department" (Objective 4.4.3) in an effort to
"increase employee recruitment and retention efforts." (Objectives 4.4.1 and 4.4.2) This type
of training offered to Department staff who are technically inclined will provide another level of
job satisfaction that will increase the likelihood of employees remaining with the Department.
By expanding the pilot statewide into other regions such as Tallahassee where the second FDLE
Computer Forensics Lab is located, the Department will be "developing an agency-wide
succession plan for technical and specialty positions." (Objective 4.4.4)
Strategy 4.5 of the 2013-2016 Strategic Plan states the goal to "increase the efficiency of
Department operations through enhanced information technology." A digital forensics lab
would increase the efficiency of Department operations by using specialized resources to address
specialized offenders according to evidence-based practices. If the Department can obtain grants
to fund the purchase of software and forensic workstations, then this will also meet Objective
4.5.2 whose goal is to "refresh or update individual computing devices of Department staff" at
minimal expense to the taxpayers of the State of Florida.
Strategy 4.7 of the 2013-2016 Strategic Plan states the goal to "foster partnerships to
enhance the accomplishment of the Department's mission". If the pilot project is implemented
in the Tampa Circuit as intended, then a working relationship with the forensics lab at the Florida
Department of Law Enforcement can be implemented to share resources and training. The
Department could also meet Objective 4.7.1 whose goal is to "reinforce partnerships with
Florida's colleges and universities for the provision of research in the area of corrections" if a
partnership was established with the recently opened Florida Center for Cyber Security at the
University of South Florida located in Tampa, Florida. Joining local task forces and working
with the resources already available in this area, would also meet Objective 4.7.3 whose goal is
to "continue to encourage the development of local criminal justice partnerships."
Target Market:
There are several target markets that would benefit from the implementation of Digital
Forensics capabilities at the Florida Department of Corrections. First and foremost, our
2013-2016 Strategic Plan indicates our goal is to "Change Lives to Ensure a Safer Florida." As an
agency, we have a responsibility to protect the citizens of the State of Florida through enhanced
supervision activities. When new technologies arise, it is our responsibility to investigate and
implement these activities to ensure that offenders on supervision are properly supervised
commensurate with the risk they pose to the public. Digital forensic capabilities can augment
community supervision and give us new insights into criminals who continue to re-offend. In this
regard, Digital Forensics would allow probation officers to investigate new criminal activity in
conjunction with law enforcement. Utilizing the intelligence obtained during computer
searches, mobile device analysis, and other activities, we can bring community supervision into
the 21st century and improve existing relations with our law enforcement partners.
The next target market that would benefit from the implementation of Digital Forensics
capabilities is the Sentencing Authority and Florida Commission on Offender Review (FCOR),
formerly known as the Parole Commission. Both entities could be assured that we are using
every tool in our arsenal to hold offenders accountable for their actions. When an offender is
sentenced to probation or conditional release and has restrictions about what material they can
access on computers, Internet or other electronic devices, we can use digital forensics to ensure
the offender remains in compliance. These capabilities will also allow us to enforce no contact
clauses in cases that are victim-sensitive. We can extract data from offenders' cell phones and
other electronic devices to determine if they are initiating or maintaining contact with victims, in
violation of their supervision orders.
Another target market that would benefit from the implementation of Digital Forensics
capabilities at the Florida Department of Corrections is Human Resources and the Office of
Inspector General (OIG). Nearly all the work created by Department employees involves a
computer or electronic device. Staff use desktop computers, laptops, cellular phones and VOIP
desk phones which are connected to the Internet. When a Department employee is accused of
misconduct, digital forensics can play a key role in obtaining evidence of policy violations
and/or criminal conduct. These capabilities, and strong policies regarding employee use of
Department-owned equipment and Internet use, allow the Department to be proactive in
investigating cases where employee misconduct is reported. A forensic examiner can use the
Windows registry to ascertain whether a Department employee is using a personal thumb drive
on a work computer in violation of company policies. An Internet history cache search will also
reveal computer use for non-work purposes. Digital forensics is an extremely valuable tool in
internal investigations.
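
The registry check described above, as an added example (not part of the original report or of any Department tool): it parses a text export of the `Enum\USBSTOR` key, where Windows records each USB storage device that has been attached, and flags devices that are not on an approved list. The sample export, the serial numbers and the allowlist are constructed for illustration.

```python
"""Added example: list USB storage devices recorded in an exported registry key."""
import re

# Constructed sample in the text format written by `reg export` for
# HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR. All serial numbers are made up.
# Real exports are UTF-16 files: open(path, encoding="utf-16").read()
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\AGENCY0000000001&0]
"FriendlyName"="Kingston DataTraveler 3.0 USB Device"
"Service"="disk"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.26]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.26\PERSONAL00000042&0]
"FriendlyName"="SanDisk Cruzer Glide USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2b5c1a9f&0]
"FriendlyName"="Generic Flash Disk USB Device"
"""

# A device instance key sits exactly two levels below USBSTOR:
#   USBSTOR\<device class id>\<instance id>
# Offline SYSTEM hives use ControlSet001 etc. instead of CurrentControlSet.
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})"
    r"\\Enum\\USBSTOR\\([^\\\]]+)\\([^\\\]]+)\]$"
)
CLASS_RE = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<vendor>.*?)&Prod_(?P<product>.*?)&Rev_(?P<rev>.*)$"
)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_usbstor(export_text):
    """Return one record per device instance found in the export."""
    devices, current = [], None
    for line in export_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            ident = CLASS_RE.match(key.group(1))
            instance = key.group(2)
            # If the second character is '&', Windows generated the ID because
            # the device reported no unique serial number of its own.
            generated = len(instance) > 1 and instance[1] == "&"
            current = {
                "vendor": ident["vendor"] if ident else None,
                "product": ident["product"].replace("_", " ") if ident else None,
                "serial": instance if generated else instance.rsplit("&", 1)[0],
                "unique_serial": not generated,
                "friendly_name": None,
            }
            devices.append(current)
        elif line.startswith("["):
            current = None  # a different key: stop attaching values
        elif current is not None:
            value = VALUE_RE.match(line)
            if value and value["name"] == "FriendlyName":
                current["friendly_name"] = value["data"]
    return devices


def flag_unapproved(devices, approved_serials):
    """Devices whose serial is not on the issued-equipment list (hypothetical list)."""
    approved = {serial.upper() for serial in approved_serials}
    return [
        d for d in devices
        if not d["unique_serial"] or d["serial"].upper() not in approved
    ]


if __name__ == "__main__":
    found = parse_usbstor(SAMPLE_EXPORT)
    for device in flag_unapproved(found, ["AGENCY0000000001"]):
        print(device["friendly_name"], device["serial"])
```

A device without a unique serial cannot be matched to an inventory record, so the example flags it for manual review rather than treating it as approved.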
Digital forensics is also relevant on the Institution side at the Florida Department of
Corrections. Probation and Parole, commonly referred to as P&P, is always trying to improve
existing relations with the Institution staff and our shared resources. When contraband cell
phones or other electronic devices are recovered by corrections officers or Inspectors, they can
be given to a Certified Digital Forensics Examiner for analysis and intelligence gathering.
Examiners would be outfitted with a mobile forensic workstation kit so they could drive to the
Institution and perform on-site analysis or Inspectors can meet forensics examiners at the Lab
located in Tampa, Florida. This reduces the time constraints and expense of having to send this
material to Florida Department of Law Enforcement and allows intelligence to be disseminated
more quickly, ensuring the safety of other inmates and staff on the compound. Contraband cell
phones and other electronic devices may contain information about drugs, gangs, and other
violent activities in and outside of the institution. In this respect, probation and parole and
institution can work together to increase safety for staff and inmates throughout the State of
Florida.
Job Duties for Computer Forensics Examiners:
Job duties for computer forensics investigators include recovering data from computer
hard drives, including those that have been damaged or erased. They analyze data for clues and
evidence, and may trace hacks or gauge the effects of malware on an information system.
Additional duties for computer forensics investigators can include:
- Taking custody of equipment used in crimes, including computers, thumb drives, CDs and DVDs, backup tapes, smart phones and digital cameras
- Using imaging software to copy data and disks
- Using file recovery programs to search for and restore deleted data
- Maintaining the chain of custody for evidence
- Writing reports and documenting procedures
- Testifying in court
Required Training and Experience:
Computer forensics investigators require a deep knowledge of computer hardware,
software and operating systems, and employees chosen for this pilot project should have a strong
technical background. This officer recommends a statewide survey of current Florida
Department of Corrections staff to determine interest in the project and whether candidates
possess the required educational background or experience to perform digital forensics analysis.
For legal reasons, certified staff (as opposed to civilian DOC personnel) should be utilized to
ensure evidence is admissible in a Court of law.
Selected personnel should also be expected to have a broad range of attributes and
abilities, including:
- Strong analytical and investigative skills
- Solid decision-making skills
- Clear written and oral communication skills
- Self-discipline and focus
- Innovative problem-solving
- Attention to detail
Scope of the Problem
According to an article written by Dr. Jim Tanner, Ph.D., computer use and Internet
access pose a risk to the proper treatment and containment of sex offenders unless they are
managed. Search engines estimate there are more than 60 million pages of sexually related
content on the Internet and this number grows daily. This aggregate amount does not include
information available on the Deep Web or Dark Net. The Internet not only allows offenders to
access sexually explicit material, it can also connect them with potential victims. More than 90%
of children ages 5 to 17 now have access to a computer and two thirds of kids aged 10 to 17
regularly use the Internet. (Source) One in five children reported receiving an unwanted sexual
solicitation over the Internet during the previous year. Tanner writes that, on average, 60% of the
sex offenders convicted are placed on probation in the community. Community Corrections
agencies across the nation are tasked with managing their criminal conduct and protecting the
public. As the number of sex offenders and victim-sensitive cases grow each year, local forensics
labs cannot handle the current volume of monitoring tasks presented by the current caseloads of
Correctional Probation Specialists within the Florida Department of Corrections, let alone the
projected volumes in years to come. The Florida Department of Corrections should take action
now to manage the Internet use of sex offenders and cyber criminals on our caseloads.
The Solution (as presented by Jim Tanner, Ph.D.)
Until recently, computer forensics on sex offenders' computers was only performed by
law enforcement. The main focus of law enforcement is in determining whether the suspect's
computer contains child pornography since adult pornography is not illegal to possess. Once an
offender is convicted, the focus of our examinations must shift. We must take a broader approach
to what constitutes contraband and what activities are unacceptable while being supervised.
There are three primary targets of a computer exam on a convicted sex offender: Internet History
Records (URL records), Image and media searches, and text searches. URL records are the best
source of information since they contain a record any time an offender visits a webpage. The
record will show the text that was typed by the offender to access a specific webpage or keyword
in a search engine. The examiner can determine the date/time the offender visited the page and
this information can be stored indefinitely [unless altered by the offender, although it may still be
recoverable]. Secondly, image and media searches are important to the Cyber Specialist because
we can examine their legal sexual content to help us determine the offender's sexual interests
such as:
- Do the images or media reflect an interest in a specific sex act?
- Do they reflect a preference in "partners" (e.g. age, gender, hair color, size, etc.)?
- Do they reflect any other themes (e.g. exhibitionism, BDSM, etc.)?
It is equally important for examiners to look for major themes that are non-sexual in nature, even
if they are not specifically related to the instant offense. These themes may turn out to be triggers
for the offender that are exposed during subsequent sex offender treatment. Some examples of
these may include:
- Children’s web sites (e.g. Nickelodeon, Sesame Street).
- Travel or Mapping sites.
- Farm equipment sites.
- Images of women and/or children (non-sexual).
- On-line clothing catalogues.
- Model train sites.
- Personal Ad (dating) sites.
- Genealogy research sites.
- Health information sites.
- Gaming sites.
- E-Bay®
- Netflix®
The third main target of any computer search should be text-based searches. Many
offenders deviate from image-based pornography since it is more easily recognizable by law
enforcement and probation officers. Some sex offenders switch to text-based fantasy instead of
audio/video and examinations may uncover erotic literature or hits for chats on sexually explicit
websites. Much erotic literature regarding children is stored in other languages on the internet to
avoid detection; however, there are many online language converters available at no cost, making
this contraband easily accessible to offenders. Research has shown that keyword searches for
"pussy" and "cock" will identify approximately 95% of all sexual content in a forensic
examination and should be included in any computer search, at a minimum.
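
The URL-record target described above (what was typed into a search engine, and the date and time of each visit), as an added example that is not part of the original report or of Dr. Tanner's article. It assumes a Chromium-style `History` database (tables `urls` and `visits`, timestamps in microseconds since 1601-01-01 UTC) reduced to the columns used here; the rows are constructed.

```python
"""Added example: visit timeline with search terms from Chromium-style URL records."""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Query-string parameters commonly used by search engines for the typed terms.
SEARCH_PARAMS = ("q", "p", "query", "search_query")


def webkit_to_utc(microseconds):
    """Convert a Chromium visit_time value to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def utc_to_webkit(moment):
    """Inverse of webkit_to_utc, used only to build the sample rows."""
    return (moment - WEBKIT_EPOCH) // timedelta(microseconds=1)


def search_terms(url):
    """Return the decoded search phrase carried in the URL, or None."""
    params = parse_qs(urlsplit(url).query)
    for name in SEARCH_PARAMS:
        values = params.get(name)
        if values and values[0].strip():
            return values[0].strip()
    return None


def build_sample_history():
    """Constructed stand-in for a History file (reduced schema, made-up rows).

    A real examination would open a working copy read-only, for example
    sqlite3.connect("file:History?mode=ro", uri=True).
    """
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,"
        " typed_count INTEGER);"
        "CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,"
        " visit_time INTEGER);"
    )
    con.executemany("INSERT INTO urls VALUES (?, ?, ?, ?)", [
        (1, "https://www.google.com/search?q=model+train+layouts",
         "model train layouts - Google Search", 0),
        (2, "https://trains.example/catalog/page2", "Catalog", 1),
        (3, "https://search.yahoo.com/search?p=farm%20equipment+auction",
         "farm equipment auction - Yahoo Search", 0),
    ])
    visits = [
        (1, 1, datetime(2015, 3, 2, 14, 5, 10, tzinfo=timezone.utc)),
        (2, 2, datetime(2015, 3, 2, 14, 7, 0, tzinfo=timezone.utc)),
        (3, 3, datetime(2015, 3, 3, 9, 30, 0, tzinfo=timezone.utc)),
        (4, 1, datetime(2015, 3, 4, 20, 15, 0, tzinfo=timezone.utc)),
    ]
    con.executemany(
        "INSERT INTO visits VALUES (?, ?, ?)",
        [(vid, url_id, utc_to_webkit(when)) for vid, url_id, when in visits],
    )
    return con


def visit_timeline(con):
    """One entry per visit, oldest first, with typed flag and search phrase."""
    rows = con.execute(
        "SELECT v.visit_time, u.url, u.title, u.typed_count "
        "FROM visits v JOIN urls u ON u.id = v.url ORDER BY v.visit_time"
    )
    return [
        {
            "visited_utc": webkit_to_utc(visit_time).isoformat(),
            "url": url,
            "title": title,
            "typed": typed_count > 0,  # address was typed at least once
            "search_terms": search_terms(url),
        }
        for visit_time, url, title, typed_count in rows
    ]


if __name__ == "__main__":
    for entry in visit_timeline(build_sample_history()):
        print(entry["visited_utc"], entry["search_terms"] or entry["url"])
```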
Dr. Tanner proposes a five-part solution for the effective management of the computers of
community-based sex offenders [and cyber criminals]:
1) Understand the reasons for computer management
Three reasons: gather evidence for prosecutorial goals, provide supervision and
containment of the offenders; and assist the treatment agency in understanding the
offender.
2) Establish clear conditions that are computer specific
Conditions should be carefully worded to avoid violations of the rights afforded to
offenders under the Constitution and the Electronic Communications Privacy Act.
Conditions should include: offender permission for unannounced examination of
the system, offender responsibility for all data found on the system, and offender
permission for seizure of the equipment in violation. Offenders should also be
prohibited from:
- Use of the Internet to access sexual content of any nature and in any form
- Use of web based email programs which provide anonymity.
- Possession or use of programs or systems which allow the device to be booted into a RAM kernel.
- Use of encryption and/or password protection of data
- Destroying or altering computer use records - including deleting Internet History Records and restoring operating systems.
- Cleaning or wiping hard drives.
- Use of anti-forensic software or processes.
- Obtaining or retaining “trophy material”.
- Visiting sites which focus on the culture of potential victims.
3) Conduct an Intake early in supervision
Goals: determine the extent and type of sexual interests, deletion of inappropriate
images and text to help eliminate the existing library of sexually explicit materials
(if not previously conducted by law enforcement), and preparation of the hard
drive for future examinations.
It is imperative that any material found on the initial search be shared with the
treatment provider to gauge honesty of the offender and establish a baseline for
the offender's sexual interests during treatment. The psychological effect of
knowing all computer activity is monitored cannot be overstated.
4) Install monitoring software
Monitoring software is both a time- and cost-effective solution to monitoring
offender compliance. Community supervision officers cannot seize offenders’
work computers for simple monitoring purposes, nor can they routinely remove
computers from offenders’ homes. Monitoring software can reveal the contents of
items that offenders have viewed, but not printed, and creates a clear trail of the
offender's actions. Tech-savvy offenders who try to employ anti-forensics on their
computer would be captured by monitoring software. Officers should review the
offender's computer activities, either remotely or during a field visit, at least
monthly and the process takes about 10-15 minutes. Some programs can even
forward usage reports to officer's emails where they can view information about
screenshots, email, chat room participation, Internet activity and keystrokes typed.
5) Monitor the computer frequently
One of the goals of computer management is the perception of being "watched".
If computer activities are not reviewed at least monthly [or more depending on the
offender risk assessment], then this defeats the purpose of having software
installed and may lead the offender to deviate. Some jurisdictions require
offenders to bring their computer with them to office visits.
Policy and Procedure Discussion
It is this examiner's opinion that the Department's existing computer search policy
remains valid, with some provisions added based on my knowledge and experience as a digital
forensics student and my overall experience as a Correctional Probation Senior Officer. The
Sentencing Authority (also known as the Court or, in some cases, the Florida Commission on
Offender Review, formerly known as the Florida Parole Commission) specifies the terms and
conditions of probation when an offender is sentenced. Standard conditions of supervision do
not require oral pronouncement by the Court. One such condition "permits such supervisors
[Probation Officers] to visit him or her [Probationer's] at his or her home or elsewhere." (F.S.
948.03(1)(b)). Obviously one of the first requisite steps in searching a Probationer's computer
is to be legally authorized to gain access to the location where the computer or electronic device
may be stored and this statute covers the Probation Officer's presence in the home or other
location. As authorized in Florida Statutes, the Sentencing Authority is also permitted to order
any special conditions of supervision. Florida Statute 948.039 specifies that:
"The court may determine any special terms and conditions of probation or community
control. The terms and conditions should be reasonably related to the circumstances of
the offense committed and appropriate for the Probationer. The court shall impose the
special terms and conditions by oral pronouncement at sentencing and include the terms
and conditions in the written sentencing order."
If the Court were to impose a special condition for Computer Searches on a Sexual Offender,
Sexual Predator or other Probationer where the use of a computer or electronic devices was a
part of the crime, then this would qualify under Florida Statutes as "reasonably related to the
circumstances of the offense." In cases where the use of a computer or electronic device was not
utilized by a Sexual Offender or Sexual Predator in the commission of their underlying offense,
the Legislature has determined that it is still "appropriate" to place restrictions on these
individuals' access to computers and the Internet, as specified in Florida Statutes 948.30(5)(h),
which states that:
"Effective for probationers and community controlees whose crime is committed on or
after July 1, 2005, a prohibition on accessing the Internet or other computer services
until a qualified practitioner in the Probationer’s sex offender treatment program, after
a risk assessment is completed, approves and implements a safety plan for the
Probationer’s accessing or using the Internet or other computer services."
In arriving at the determination that this condition is "appropriate", the Florida Legislature has
authorized the restriction of Internet access and computer search condition as a standard
condition (e.g. does not require oral pronouncement) for all probationers convicted and placed on
supervision for violations of chapter 794 [Sexual Battery], s. 800.04 [Lewdness/Indecent
Exposure], s. 827.071 [Sexual Abuse of Children], s. 847.0135(5) [Computer Pornography,
Prohibited Computer Usage, Traveling to Meet a Minor], or s. 847.0145 [Selling or Buying of
Minors (e.g. Human Trafficking)]. The Florida Legislature further authorizes in Florida Statute
948.30(5)(k) that probationers convicted of the above offenses and placed on supervision are
required to:
"(k) Submission to a warrantless search by the community control or probation officer of
the probationer’s or community controlee's person, residence, or vehicle."
It is at this juncture where I believe moving forward it is important for the Florida Legislature to
further specify "computers or electronic devices" in this sub-section or clarify that a search of the
residence can include a search of computers or electronic devices. My version of the revised
statute would read:
"(k) Submission to a warrantless search by the community control or probation officer of
the probationer’s or community controlee's person, residence, vehicle or computers and
electronic devices."
I would also like to see the Florida Statutes revised to include this provision for all probationers
on Community Supervision, regardless of the offense committed. Although this may seem
far-reaching, having the condition in place allows for the examination should the need arise.
Practically speaking, personnel and budget resources would limit how many computer searches
can be completed, however having the statutory authority to conduct a computer search when
there is reasonable suspicion would give probation officers more tools "in their virtual tool belt"
to ensure offender compliance. Having the computer search condition imposed as a standard
condition of supervision would allow Probation Officers to investigate proactively if there is
reasonable suspicion to conduct a computer search. How many times has a police officer
conducted a traffic stop and found a Probationer in possession of drugs or other contraband
material? A probation officer may be supervising a Probationer for a burglary and stumble upon
a large child pornography ring that may have otherwise gone undetected.
If the Florida Legislature accepted the above statute revisions, or similar wording, then
agency policy could be revised to include "computers and electronic devices" in the definition of
Warrantless Planned Search as noted below:
Warrantless Planned Search
Refers to the unannounced search of a Probationer’s clothing; person; vehicle (any
vehicle driven, leased, or owned by the Probationer regardless of its location); computers
and electronic devices (owned or accessed by the Probationer, regardless of location);
living quarters (including common areas shared by the Probationer and other occupants
of the dwelling [i.e., kitchen, bathrooms, family room, den, living room, basement, attic,
utility room, and garage] and areas occupied solely by the Probationer [i.e., Probationer’s
bedroom or den/office]); surrounding property (including the front and back yards,
storage shed, or property surrounding the residence); or other possessions by a
Correctional Probation Officer without a warrant and will be used to ensure the
Probationer’s compliance with court orders. This type of search can occur with or
without a “search” condition of supervision.
The State of Wisconsin makes a broad stroke in defining what is subject to search.
Wisconsin Administrative Code 328.044(3)(k) specifies that offenders must:
"Make himself or herself available for searches ordered by the agent, including but not
limited to body contents searches as defined in s. DOC 328.21 (4) (a), or search of the
client’s residence or any property under the client’s control"
This would appear to encapsulate computers and electronic devices and may be a more
appropriate way of essentially saying the same thing without major revisions in Florida Statutes
or Administrative Policies.
Now that we have established that a Probation Officer has the legal authority to supervise
a Probationer on community supervision (e.g. Probation), has the ability to enforce standard and
special conditions imposed by the Sentencing Authority, has the authority to conduct home
visits, walk through visual inspections and warrantless planned searches, let's examine how an
actual computer search is conducted. The officer will utilize the forensic software in conducting
the computer search according to Departmental policy and procedures. If any data is recovered
that would constitute a violation of supervision, the data will be saved on a removable storage
device. There is no mention in the procedure of using any hardware or software write blocking
devices or forensically wiping the removable storage device prior to its use. Since we are not
working with encapsulated evidence files using this type of software, it is important to be able
to show the Court that no data from a previous computer search could be left on the reusable USB
thumb drive. For brevity, I will not copy the entire policy I have previously written on
the subject of media sanitization; however, sanitizing the drive is an important step for
chain of custody purposes if the recovered evidence were to be challenged in Court.
It is my opinion based on training and experience that these two additions to the policy
would help to ensure its validation. For reference purposes, the Summary of Method is listed
below because it is relevant in this procedure:
Media sanitization is the process of overwriting or removing data from a hard drive and
other electronic media at the end of the data's life cycle, or when the drive is to be used for an
alternate purpose where the previously stored data should be rendered unrecoverable. Low level
formatting is the process of writing all zeroes to a hard disk, causing any previously stored data
on the drive to be unrecoverable, even with forensic data recovery utilities. In this procedure, the
examiner will attach the hard disk to the forensic workstation via the appropriate USB, SATA or
IDE connector or docking station, if appropriate. The examiner will initiate the Lowvel
application and select the target hard drive from the dropdown menu. If a drive is currently in
use, the application will report that it is "locked". This does not mean that the application cannot
overwrite the drive but results are not guaranteed when the drive is locked according to the
provided documentation. This is most often the case involving system drives which are actively
running an operating system. Once the drive has been selected, the examiner will click "Start" to
initiate the data overwriting process. Depending on the size of the drive, this process may take a
few minutes or a few hours. As an example, a 4GB USB thumb drive took around 3.5
minutes to complete the format. After the process has completed, the status bar at the bottom will
indicate "100%" and whether any bad sectors were found. In order to validate the results from
the Lowvel application, the examiner will utilize a second application, HxD, to verify no data
remains on the target drive. The examiner will analyze the disk and compute a CRC checksum
which should read "0" if the process was successful. If the desired results are not achieved, the
examiner will redo the process, paying special attention to the procedures in this document and
note any technical issues to be forwarded to the Policy Review team.
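The verification step in the Summary of Method can also be scripted. The following Python is an added example, not part of the Department's procedure or of Lowvel or HxD; the function names are hypothetical and the sample images are constructed. It scans a wiped image or device for any non-zero byte and, because a simple additive checksum of all-zero data is 0 while a standard CRC-32 is not, it also computes the CRC-32 that the same number of zero bytes would produce so the two can be compared.

```python
import tempfile
import zlib

CHUNK = 1 << 20  # read 1 MiB at a time


def crc32_of_zeros(length, chunk_size=CHUNK):
    """CRC-32 (zlib/IEEE) produced by `length` zero bytes; this is not 0."""
    crc, zeros = 0, bytes(chunk_size)
    while length > 0:
        n = min(length, chunk_size)
        crc = zlib.crc32(zeros[:n], crc)
        length -= n
    return crc


def verify_zeroed(path, chunk_size=CHUNK):
    """Scan an image file or raw device and report whether every byte is 0x00.

    The byte scan is the authoritative result; the checksums are recorded so
    they can be compared with what a hex editor reports for the same media.
    """
    size = nonzero = add32 = crc = 0
    first = None
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            bad = len(chunk) - chunk.count(0)
            if bad:
                if first is None:
                    # offset of the first leftover byte on the media
                    first = size + len(chunk) - len(chunk.lstrip(b"\x00"))
                nonzero += bad
                add32 = (add32 + sum(chunk)) & 0xFFFFFFFF
            crc = zlib.crc32(chunk, crc)
            size += len(chunk)
    return {
        "path": path,
        "bytes_scanned": size,
        "nonzero_bytes": nonzero,
        "first_nonzero_offset": first,
        "additive_checksum32": add32,
        "crc32": crc,
        "crc32_expected_if_zeroed": crc32_of_zeros(size, chunk_size),
        "sanitized": size > 0 and nonzero == 0,
    }


def make_sample_image(size, residue=b"", offset=0):
    """Constructed test image: `size` zero bytes with optional leftover data."""
    data = bytearray(size)
    data[offset:offset + len(residue)] = residue
    tmp = tempfile.NamedTemporaryFile(delete=False, suffix=".img")
    tmp.write(data)
    tmp.close()
    return tmp.name


if __name__ == "__main__":
    # One fully zeroed image and one with four leftover bytes (both constructed).
    for name in (make_sample_image(4 << 20),
                 make_sample_image(4 << 20, b"JFIF", 2_000_000)):
        print(verify_zeroed(name))
```

The returned dictionary can be saved with the case notes as the record that the drive was verified before reuse.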
Case Law
This examiner was surprised to discover that there is not a lot of case law attributed to
computer searches of those convicted of felony offenses. A web search revealed an interesting
2014 Wisconsin Supreme Court case, State v. Jeremiah Purtell, which reversed
an unpublished 2013 Court of Appeals decision. Jeremiah Purtell was placed on probation for
animal cruelty charges and a special condition of supervision was "computer access only for
school or work". During a conversation with the offender, he admitted to having a computer. The
probation agent seized the computer and located images of young females engaged in sexual acts
with animals. Authorities got a search warrant and found other photos of child pornography on
the computer. The issue in the case was whether the probation officer had a right to search the
computer. In the case, the trial court originally rejected the defendant's position that Purtell's
conditions of probation didn’t expressly prohibit him from possessing such images and because
there was no reason to believe the computer contained some other kind of contraband and found
the search "reasonable". The Supreme Court of Wisconsin subsequently reversed that decision,
concluding that:
"A probationer’s possession of a computer in violation of a rule or condition of probation
makes the computer “contraband” that can be searched as contraband, without regard
to whether the agent has reasonable grounds to believe the computer itself
contains (i.e., has stored on it) other contraband or evidence of other rule violations"
(Source)
In a related case, United States vs. Skinner, Courts have declined to "recognize a
‘legitimate’ expectation of privacy in contraband and other items the possession of which are
themselves illegal, such as drugs and stolen property.” In this case, the Government used data
from a prepaid cell phone to track the whereabouts of the defendant, Melvin Skinner, as he
trafficked in drugs between Arizona and Tennessee. The Court rejected the defendant's motion to
suppress the cell phone data based on violation of 4th Amendment search and seizure
prohibitions because it was used as part of a criminal scheme and was used on public
thoroughfares. According to the opinion in the case, the law cannot be that a criminal is entitled
to rely on the expected untrackability of his tools. Similarly to the prior case, Jeremiah Purtell
had a reduced expectation of privacy because he was on probation and also because the computer
was considered a "contraband" item he was prohibited from possessing in the first place.
Another case out of the State of Illinois, People v. Clayton Thornburg, revolved around a
state Court's appeal of a Circuit Court decision to suppress evidence in a Violation of Probation
case where probation officers searched the offender's desk, found pornographic DVDs, and then
searched the computer and discovered child pornography. The state argued that (1) the officers
had a reasonable suspicion to search defendant's bedroom and computer since defendant was
already on probation, and (2) defendant consented to the searches. The Appellate Court
acknowledged that "probationers have a reduced expectation of privacy compared to ordinary
citizens, because they are criminal offenders," but also concluded that "a search of his home
remains a significant intrusion on his privacy and a search without any reasonable suspicion
would be constitutionally unreasonable." In this case, officers admitted they had no reasonable
suspicion to search before arriving at the home and locating the pornographic DVDs (which did
not violate his supervision conditions). The defendant was required to allow his probation
officers to visit his residence. He was also required to submit to a search of his “person, home,
residence, papers, automobile and/or effects” when officers had a reasonable suspicion to require
it. Thus, defendant could refuse without consequence a request to search his dresser or desk
drawers when requested without any reasonable suspicion. The Appellate Court also found that
the Computer Use Agreement signed by the offender at the onset of supervision was valid and
therefore the computer search was permitted regardless of whether reasonable suspicion existed.
It provided that defendant was subject to: “unannounced examinations of his computer, software
and other electronic devices to which [he had] access,” the installation of equipment or software
to monitor his computer use, “examination[s] at any time,” and seizure if any prohibited
materials were found. The offender was ultimately found to have violated the conditions of his
supervision when child pornography was located on his computer.
Recent estimates show that nearly three fourths of Americans are online. If that sample is
representative of our offender population, then we can presume as much, if not more, of our
probationers and inmates want or desire access to the Internet. Denying probationers and
parolees access to computers and the Internet is no longer justifiable in other than the most
severe circumstances. Some case law reveals that Courts agree sex offenders cannot be denied
access to the Internet although the Legislature in Florida has taken a more conservative approach
and withheld Internet access for offenders convicted of certain crimes subject to review by the
treatment provider.
Based on the case law I reviewed, computer searches currently appear to be
supported for use in Florida. It would be "best practice" to develop and sign a "Computer Use
Agreement" with the offender at the onset of supervision which will further detail his/her
requirements under the law and complement those conditions imposed by the Sentencing
Authority.
Digital Forensics Software Recommendations:
In attempting to research products and services for a Digital Forensics Lab at the Florida
Department of Corrections, there are a lot of factors to be considered during the Planning Phase.
The first order of business is to complete a Needs Assessment. This will document user and
facility needs (both current and projected future needs), evaluate the existing facility, define
space requirements, and provide project cost data. Since no budget is provided, my goal is to
provide budget-conscious solutions where available that are still feature-capable and would
support growth as the company expands.
In my opinion, it is important not to place all of your eggs in one basket, so where
feasible, I will recommend a tool and a backup. I considered open source tools for this project,
however ultimately decided on commercial (paid) products for the primary tool due to the
likelihood of ongoing updates to the software, whereas open source tools are not guaranteed
updates as the forensics landscape changes.
In this case, a sample Needs Assessment revealed that we would need the capability to
serve the following:
Computer workstations at multiple facilities covering three regions throughout the State of Florida including the following:
  Central Office
  Institutional Facilities (including seven privately run facilities)
  Regional Business Offices
  Re-Entry Centers
  Work Camps, Forestry Camps and Road Prisons
  Community Release Centers
  Probation Offices
Servers both remotely located at facilities and at the Shared Resource Center located in Tallahassee, Florida
Remote access forensic capabilities on all user workstations
A need for E-Discovery capability on user workstations and servers
A need for digital forensics capability of user workstations and servers
A need to support incident response and forensics pertaining to intrusions, APT and malware infections
A need for digital forensics capability to search computer workstations, electronic devices and mobile phones possessed by offenders on felony probation
A need for Internet and Computer Activities Monitoring of Convicted Sexual Offenders and Identified Cyber Criminals on felony probation
A need for digital forensics capability to search contraband cell phones and other electronic storage devices recovered from inmates incarcerated in correctional facilities located throughout the State of Florida
Questions Considered in Choosing Software:
Is the product open or closed source?
Does the software support encryption?
Does the software have remote access/acquisition capabilities?
Does the software require software on client PCs to function as intended? If so, can the client software be hidden so that it is not recognizable to the end-user?
What are the licensing requirements? Are site licenses available or per-user workstations?
Do the selected products support our current hardware infrastructure? What new purchases will be needed for implementation?
Is training and software support included or at additional cost? Are there published failure rates?
How well-maintained and supported is the software by the vendor?
Has the tool/software been validated and acceptable for legal purposes (e.g. use in Court)?
Will the software in use cause any disruption in company operations?
Does the tool have case management/reporting built-in or can it be merged within our existing framework?
Digital Forensics Capability
Selected Product: EnCase Enterprise
Selected Vendor: Guidance Software; Founded in 1997
I chose EnCase Enterprise (closed source) to be the primary backbone for the company's
needs because it is a full-featured solution which will support remote investigations (Internal
Employee/HR) and ongoing case management. Case management features include allowing
other investigators and external parties access to the evidence for parallel investigations. In
addition to remote investigations, data collection can be set up on interval schedules which will
reduce personnel costs. It has a thorough on-demand training library, some available at no cost
for licensed users, which will save the company money in ongoing support costs. There are
multiple training options available: onsite, on-demand, webinar for additional costs and training
can be tailored to the specific company needs. The Enterprise version of EnCase has the ability
to support all user workstations and servers currently in use and meets current hardware
configuration requirements. The software features EnScripts, which allow custom scripts to be
used to increase efficiency by automating routine investigative tasks. The software also supports
smart phone and tablet acquisition without having to pay for additional vendor software,
licensing and training. Software also can be translated to multiple languages should the need
arise since the company's offices are spread throughout the United States. The Enterprise version
of the EnCase software gives the company expandability for the future if the need arises for
mobile data collection in the field at no additional cost using EnCase Portable. The software also
supports evidence triage, which allows for preview while the evidence is still being processed.
This will reduce disruption to company operations, thereby saving the company money.
Software Cost: Initial Purchase: $3995.00; Yearly Maintenance: $1918.00
Backup Tool: FTK. The Forensic Toolkit is another very powerful tool used by a good number of
forensic investigators. It comes with essential features including powerful file filtering, full text
indexing, advanced searching, deleted file recovery, data-carving, email and graphics analysis,
hashing, advanced search functionality and many more. A package of FTK includes FTK
Imager, Hash Library - Known File Filter (KFF), and Registry Viewer; it may also include
Password Recovery Toolkit (PRTK).
Internet Monitoring Software
Selected Product: Spector CNE Investigator
Selected Vendor: SpectorSoft
Cost: $90.00 (in Volume Discounts of 10-25 purchased at one time)
Founded in 1998
I chose this company because it is headquartered in Vero Beach, Florida and has been a trusted
solution for computer management of sex offenders throughout the nation. The software is
currently used by 36,000 corporate customers and over 900,000 home users. This software
allows the Cyber Specialist to receive instant alerts when keywords or phrases are typed or
contained in an email, chat message or website. There is proactive web filtering which will
prevent web access to sites that are inappropriate to the offender's specific conditions of
supervision. Screen playback allows officers to review computer activities as if they were sitting
right next to the offender. It also captures website visits, searches performed and social media
activity. The software records a complete copy of both sides of chat and instant messaging
conversations for later review. Spector CNE watches for printed files, documents edited on
network and external devices. It records application and network activity and can record all
incoming and outgoing activity on the offender's computer.
E-Discovery capability
Selected Product: Nuix Director Suite (including Network Collector)
Selected Vendor: Nuix
In Business Since: 2000
I chose Nuix as the E-Discovery platform for this company mainly because of its remote
access capabilities that allow for remote collection of evidence across network shares and
because it supports all the operating systems in use at the company. The program is
template-driven, or custom scripts can be written or imported in Ruby, XML, Python and JavaScript.
There are versions of the software that are web-based so client software does not need to be installed.
The platform contains case management and reporting and includes the ability for the project
manager to send collection links via email to their constituents with all the collection parameters
pre-selected so that the client user can click on the link to begin collection process and upload
the data back to where the project manager has specified. There is a portable version of the
E-Discovery product in the event circumstances dictate on-site collection. The software splits
the collection of evidence into two routines: survey and collection. A project manager can
complete a survey prior to collection to see if there is any evidence discovered, which would save
on personnel costs, or the software can do both at the same time. The software can import data from
common evidence file formats (EnCase, E01) and integrates with Windows Shadow
Copy, which will allow for collection of open or locked files. De-duplication and de-NISTing can
be completed at the time of collection (longer collection time) or afterwards. The documentation
also reports integration with Symantec Enterprise Vault for file storage. The software provides
secure remote access and graphical reports of data for staff, clients and reviewers. Nuix Director
Suite also has a Legal Hold component which allows for the company's legal departments to
send, track and receive data from opposing companies in civil cases.
Cost: Unknown; scalability via site user licenses
Backup Tool: Harvester Portable & Harvester Server (Pinpoint Labs); I
liked this product because it had the capability for jobs to be remotely launched and monitored
while a client is still working. It also offered self-collection kits which can be installed on
portable hard drives and mailed to satellite offices. I ultimately chose Nuix because it seemed to
be a more robust suite that integrated with Legal Holds and Case Management.
Incident response and forensics pertaining to intrusions, APT and malware infections
Selected Product: FireEye Security Suite (Central Management, Malware Analysis,
Endpoint Security)
Selected Vendor: FireEye
Founded in 2004
I chose this company and product because it seemed to be the best option for supporting
this fairly large company. It allows for software to be remotely updated from a centralized
management standpoint and doesn't rely on the end-user. It is designed as a Malware
Protection system for web security, email security, file security, and malware analysis. The
software crowdsources threat intelligence so that if an emerging threat is detected in another
company running the software, you will be notified and updates are ongoing. The software can
be installed as a service so that it can work on all systems and servers deployed in the company
or as a program pre-deployed on company workstations. In 2013, the company bought
Mandiant, which was another highly rated security suite, and in 2014
bought nPulse which allows for network forensics and investigation on enterprise levels as
needed in our company. I liked that the software had real-time indexing which gave the ability to
enable packet search and retrieval in minutes because time is crucial in responding to intrusions.
I chose a Security Suite as opposed to a hodgepodge of individual applications because I felt
that this would provide better all-around protection, especially with its ability to run as a service.
Resources:
Best Practices for Seizing Electronic Evidence
https://www.fletc.gov/sites/default/files/imported_files/training/programs/legal-division/downloads-articles-and-faqs/downloads/other/bestpractices.pdf
Managing Sex Offenders’ Computer Use http://www.kbsolutions.com/forensicclass.pdf
Determining Need for Internet Monitoring: Internet Behavior and Risk for Contact Offenses
http://www.kbsolutions.com/monitorgrid.pdf
Sample Computer Use Agreement for Sex Offenders
http://www.kbsolutions.com/socompcnt.pdf
Suspicionless Searches in Probation and Parole in Light of Samson v. California
http://www.marcharrold.com/documents/Suspicionless_Searches_Samson_v_California.PDF
Monitoring Probationer Internet Habits
http://www.marcharrold.com/documents/Monitoring_Probationer_Internet_Habits.PDF
Virtual Home Visits
http://www.olemiss.edu/depts/ncjrl/pdf/05-HARRO.pdf
The Search and Seizure of Computers and Electronic Evidence (contains video)
http://www.olemiss.edu/depts/ncjrl/FourthAmendment/fai_2005symposia.html
Microsoft COFEE (free software)
COFEE means the Computer Online Forensic Evidence Extractor tool that fits on a USB
drive and automates the execution of commands for data extraction and related
documentation. Distribution is limited to law enforcement agencies. Access to the
COFEE product requires verification of employment with a law enforcement agency and
agreement to the terms and conditions of the Microsoft/NW3C Sublicense Agreement.
Building a Low Cost Forensic Workstation
http://www.sans.org/reading-room/whitepapers/incident/building-cost-forensics-workstation-895
Selected Freeware Field Examination Packages
Field Search published by www.justnet.org/fieldsearch
Helix published by www.e-fense.com/helix
SPADA published by www.cops.org
Popular Internet Monitoring Software
Spector Professional published by www.spectorsoft.com
Spector Professional for Macintosh published by www.spectorsoft.com
E-Blaster published by www.spectorsoft.com
CSWeb published by www.securitysoft.com
ActMon published by www.iopus.com
Impulse Control published by www.InetPPC.com
Cyber Sentinel published by www.trueactive.com
Desktop Surveillance published by www.toolsthatwork.com
Remote Monitoring Applications
CSWeb published by www.securitysoft.com
Impulse Control published by www.InetPPC.com