Purdue News

October 12, 2006

Grants to help develop ways to improve digital evidence collection

WEST LAFAYETTE, Ind. — Two professors in Purdue University's College of Technology who research digital forensics recently received grants to fund projects that will make it easier for law enforcement officials to gather and evaluate potentially illegal pictures, documents or information from computers, cell phones and other digital devices.

Marcus Rogers, an associate professor in the Department of Computer and Information Technology, and Richard Mislan, an assistant professor in the department, received $440,000 from the National Institute of Justice for two projects: one that is currently being used and tested and another in the conceptual stage.

"The fact is that 80 to 90 percent of cases today have some kind of digital evidence," Rogers said. "The problem is that as technology has increased and evolved, the methods to collect evidence haven't evolved nearly as fast. Both of these technologies do one thing and do it well, which will help investigators do their jobs more effectively."

Purdue's longtime association with the National Institute of Justice and its advocacy in the field of digital forensics were factors in making these grants a reality, Rogers said.

"Just recently, the institute has started looking at electronic crimes, and these grants are part of a trend to support projects to help those working on the front lines," he said. "Purdue has been actively involved in talking with the National Institute of Justice, as well as the Department of Justice and others, and I think they've gotten the message that it's in everyone's best interest to have academia involved in developing these technologies."

The institute is giving Rogers and Mislan $200,000 for work on a software program called Filehound they created with the help of computer and information technology graduate student Blair Gillam. The program makes it possible for officers and investigators working at a crime scene to quickly and easily mine specific digital information, such as photographs or spreadsheets. The information can then be downloaded and used as evidence in court.

Rogers said current technology allows officers to retrieve information from computers at the scene, but it requires investigators to sift through every file they encounter, wasting time and potentially missing valuable evidence.

"Where we're seeing the most use of this program is in child pornography investigations," Rogers said. "When an investigator is looking for photographic evidence on a suspect's computer, the suspect often tries to hide it by changing the extension on the file from a '.jpeg' or '.jpg' to a '.doc' to try to fool officers into thinking it's not a photo. But the Filehound software is able to automatically examine the coding of a file, which allows investigators to find the photos, bring them up on the screen and download the questionable ones."

Rogers said being able to identify and evaluate files quickly allows investigators to perform their jobs much more efficiently than in the past. The software also can be used to look for other types of files, such as spreadsheets, which may be evidence in financial investigations.

With Filehound, investigators take a laptop to the scene, plug in a special digital device that connects their laptop to the computer being investigated and then can quickly and easily go through files without having to have special technical knowledge, he said. The software creates a report and automatically locks the hard drive so nothing is written on it and evidence is protected.

"This technology also has a tremendous cost advantage over the way things are done now," Rogers said. "The equipment many officials use today costs about $15,000. With Filehound, the entire kit is about $1,250, which is much more affordable for smaller law enforcement agencies and performs much better."

The program is being provided free to about 85 law enforcement agencies worldwide that are using and testing it, providing feedback to Rogers and Mislan. The grant will be used to make improvements, as well as to develop a way to automatically identify photos that contain a lot of fleshtones, which Rogers said would be especially helpful during child pornography investigations, in which as many as 5,000 to 10,000 photos can sometimes be found on a single computer.

Rogers said the program will be fully operational by summer of 2007 and then can be offered to a larger number of agencies.

The second grant, for $240,000, is going toward a program called FREEAK, which stands for Forensic Rapid Evidence Extract Analysis Kit. The goal of this project, headed by Mislan, is to provide a simplified way to extract information from cell phones and other mobile devices.

"There are more than 700 kinds of cell phones, more than 35 manufacturers and about 15 networks in the United States," he said. "The problem is that there's no standard way for investigators to get this information from a phone. Right now, they're either acting as 'click monkeys,' clicking around the buttons of the phone until they find what they need, or they're just pressing the 'magic button,' using current software tools that provide at best partial evidence on some of the phones."

He said their tool would allow officers to plug in a cell phone and easily see the various information the phone contains, such as incoming calls or text messages, show how the tool acquired the evidence, and be able to isolate and sort it for later use in court.

"Right now, investigators are able to download some of the information they need," Mislan said. "However, the average amount of time that investigators have with a cell phone at the scene is 30 minutes, and downloading the information and going through it can take months."

He said their tool, which he hopes to have out by the end of the year, would make this information available almost immediately.

"When it comes to gathering evidence from cell phones, we're really in an infancy stage," he said. "The good news about that is that we have a chance to rewrite that course. This isn't rocket science, it's just a matter of keeping up with the technology and making that technology easier for everyone to use and interpret — from officers in the field to lawyers and judges in the courtroom."

Digital forensics is a graduate program in Purdue's Department of Computer and Information Technology. It consists of five courses: an introduction to digital forensics, small-scale digital devices, hardware-related essentials, an advanced technology class that looks at computer operating systems and a choice of two advanced topics classes — current trends or a research project. Currently, there are 13 master's-level students and five doctoral-level students enrolled.

Writer: Kim Medaris, (765) 494-6998, kmedaris@purdue.edu

Sources: Marcus Rogers, (765) 494-2561, rogersmk@purdue.edu

Richard Mislan, (765) 494-2563, rmislan@purdue.edu

Purdue News Service: (765) 494-2096; purduenews@purdue.edu

