Sunday, July 17, 2011

Exclusive: An Interview with Sandra Osborne: Part I

Detective Sandra Osborne providing expert testimony in Casey Anthony Trial
Brad Garnett of the Digital Forensic Source blog had the recent opportunity to interview Det. Sandra Osborne of the Computer Crimes Squad for the Orange County Sheriff's Office. Det. Sandra Osborne provided expert testimony, on behalf of the State of Florida, during the Casey Anthony Trial. This is a detailed and in-depth interview. We discuss an array of issues with Sandra, including but not limited to her law enforcement career, digital forensics, the Casey Anthony Trial, and digital forensics in the courtroom. This is Part I of our series with Detective Sandra Osborne.

Author's note: This series takes you deep inside the workings of a large law enforcement agency, through the lens of a forensic examiner, sharing her experiences and reflections in what the media is calling "the trial of the century", the Casey Anthony Murder Trial. It was great to interview Sandy and spotlight the career of a fine law enforcement and digital forensic professional. With regard to the Casey Anthony Murder Trial, this interview focuses on the digital forensics and the expert witness testimony. For readers that have never testified in court as a witness, you should take a lot away from this interview. For the reader that has provided expert witness testimony or has testified in a legal proceeding regarding digital evidence, you should also take something away from this interview.

Q: Thank you for taking the opportunity to speak with DF Source, Sandy. Please tell our readers a little bit about yourself. How long have you been in law enforcement and digital forensics? How did you get started in the Computer Crimes Squad with the Orange County Sheriff's Office?

A: My name is Sandra Osborne (formerly Sandra Cawn). My family settled in Florida in 1847, just 2 years after Florida became a state in the union. That makes us true Florida Crackers. We are called crackers because we used to be all cattle ranchers and orange grove owners. It was the crack of the cattle whip that branded us as crackers. I am a 21-year veteran of the Orange County Sheriff's Office in Orlando, Florida. Prior to my service here, I was a legal secretary for our prosecutor's office for 6 years. So, I guess that puts me at about 28 years in law enforcement. I have the distinct pleasure of having worked with a great prosecutor, Jeff Ashton, twice on big, first-time-ever cases. Jeff Ashton brought the first human DNA case presented in a United States court to our 9th Judicial Circuit in Orlando and I was his law librarian at that time. I had to research European human DNA court cases and bovine (cow) DNA for case law guidance. The only DNA cases in the U.S. at that time were a result of the cattle rustlers taking blood samples to identify their cattle. It was pretty cool. The second case he and I worked on together is, of course, Casey Anthony on trial, which we'll discuss later.
I started my career in patrol, like most cops do. And, like most 1990's police departments, they liked to assign the small-in-stature women officers to the roughest parts of town. What doesn't kill you makes you stronger. My first 3 years of patrol were in a little town northeast of Orlando called Apopka. It's a pretty rough little place and I weighed all of about 120 lbs at that time.
During my first few years on the street, I realized I had a knack for processing crime scenes. Being a former secretary, I had a flair for detail. My Sergeant used to comment that I often took too long to clear a call and my reports were too long to read. In my 5th year on the department, I joined our crime scene investigations squad as a sworn LEO. We have since replaced the sworn officers with civilian CSIs. Although I didn't like the idea at the time, it was the best thing for the Agency. We have a top-notch CSI Squad.

While I was a CSI, the OJ Simpson case happened. That case changed everything we ever knew about crime scene processing. We changed all our policies; we had to start wearing gloves, carrying bleach for our shoes and hand sanitizer / wipes for our equipment, biohazard bags were now a standard, and many other changes came down in a hurry. All these new changes took a toll on our budget; it was expensive, to say the least. I believe this was our first introduction as a police agency to crime scene science coming into the new millennium.
The OJ Simpson case also started what we call the CSI effect. All of a sudden, crime scene work was fascinating to everyone. We got bombarded with volunteers and interns wanting to job shadow. We accommodated many for a while, but it became so invasive that we had to limit our visitors to a legitimate few who needed the college intern hours. We had to make it very hard for people to get in so we could get our work done. Then we started seeing all the Hollywood CSI shows on TV, which fueled the fire even more. People can't get enough!
Funny (but sad) CSI story: I went to a suicide call where a young man hanged himself from a rope in his back yard tree. He was cut down when I got there and was lying on the grass. When the medical examiner investigator got there with the gurney, I took the "head" end and he took the "feet" end. As we moved across the bumpy grass, I gripped the gurney underneath so I could lift up the wheels for a smoother travel. Well, the gurney didn't lock out and we hit a bump, which collapsed the gurney and trapped my hands inside the rails. The gurney and the deceased went down to the dirt and so did I, because my hands were trapped inside the gurney next to the victim's head. When we landed, my face was right at his nose! Instead of throwing up, I started laughing and didn't stop until they released my hands. There are many stories I could tell from my CSI days. I loved that job.
So, from the CSI squad I went to sex crimes and child abuse investigations. In my opinion, this was the hardest job of my career. I did about four years in sex crimes and the other two or so in child abuse. I found the job transition difficult. As a CSI, I didn't have to interview anyone or know him or her personally. I just had to photograph and pick up stuff. I never had to fight anyone, except once when I had to keep a family member away from a body so I could work. As a detective, I had to get to know each victim and usually their families as well. I didn't like it. It gets very personal and that makes it hard not to bring that stuff home to your family. Fortunately, I have a very supportive family! I got really jaded working sex crimes cases. Many victims lie and say anything and everything that will get them out of the trouble they found themselves in. One of the last cases I worked involved the infamous "Octopus Man". He's the bad guy who breaks into the house very quietly and attacks the victim while she sleeps in bed. The man grabs the victim around the throat with one arm while holding a knife to her throat with the other. Then with his third hand, he unclothed the woman and himself while with his fourth hand he put on a protective device. He then battered the victim repeatedly. She had no injuries anywhere and there was no sign of forced entry. The bottom line was that the victim's husband went to play cards with "the boys" and she was angry, so she made up this story so he would have to come home to her. Of course, there were many legitimate cases, too many to count. But I digress. I did get to work child abuse cases for a couple of years, which included SIDS deaths and child abuse deaths in children. During this assignment, our very old Medical Examiner retired and we were introduced to Dr. Jan Garavaglia (a/k/a the infamous "Dr. G."). She is awesome and great to work with! She changed many of our policies regarding how we were working death cases.


It was during my tenure in sex crimes and child abuse that our agency decided to go "paperless." We were introduced to our new laptop computers and new report writing software. We had to set up our own Outlook email and I panicked! I was very good with a typewriter, but I knew nothing about computers and was very upset at this new change. Several of the detectives actually refused to learn about them and transferred out. I had to make a choice, quit or learn. I decided to learn. I started taking some very basic computer classes with NW3C (National White Collar Crimes Center). I learned the FAT file system by studying a cartoon choo-choo-train. No kidding! I had no idea how to tell the difference between the Registry and Windows Explorer. It all looked the same to me. The more I studied, the more I realized that I was hooked. For me, it was like coming back to the crime scene squad; only my crime scenes now were in digital format. As soon as I got a chance, and a position became available in the computer crimes squad, I put in for it and got it.
My sergeant in computer crimes, Sgt. Kevin Stenger, likes to tell everyone that he is the sergeant and I am the squad. There are only two of us for the whole county and we are one of the largest agencies in Florida with about 1500 sworn and about 900 civilian support staff. Since joining the squad, I have taken almost 800 hours of computer forensic related training. I belong to our local U.S. Secret Service Electronic Evidence response team as well as IACIS (International Association of Computer Investigative Specialists). I obtained my IACIS CFCE certification in 2007 and my EnCase (EnCE) certification in 2009. I've only been actively doing computer forensics for about 4 years, so I have a lot to learn still. I learned very quickly that the best way to learn is to teach, so I jumped right in with coaching responsibilities for IACIS. This past year, I was chosen to be a team lead/topic leader for the courtroom testimony block of instruction at our basic training event that we hold every year in Maitland, Florida. I am in the process of revamping this block, mainly because of my recent experiences in the courtroom.

Q: Sandra, you have had the opportunity to work with some great people throughout your career, not to mention, experience many different areas of law enforcement. Having a very supportive family is crucial to having a successful LE career, which I'm glad you mentioned. You also mentioned your work and experiences in the CSI squad and the CSI effect on law enforcement. We could spend this entire interview discussing the CSI effect on law enforcement. I want to focus on the first part of what you said, regarding civilian CSIs. You said that having your agency switch from sworn to a civilian CSI squad was the best thing for your agency. This is something that we are just now seeing in digital forensics. As law enforcement, we are very territorial, slow to change, and want others to follow the footsteps we chose (i.e. Go put your time in patrol and then come talk to me). I think this is very important in order to grow digital forensic capabilities for law enforcement, that we put the right person in the right position. We've seen this at the federal level where civilian forensic examiners are being hired and it is good to see this working its way to the local level. Explain how the civilian model for your CSI squad is working for your agency and do you think this model could or should be applied to digital forensics within law enforcement?

A: Like many cops, I was also very, very resistant to the idea of having civilians doing police work. I felt "lesser" people were shoving me out. Gun toting, badge carrying lawmen (and women) are trained to be in total control of everything. When things get out of control, take care of it however you know how. How many times have we heard, "We must go home every day with the same number of holes we came to work with"? Civilians can't control a violent situation! They are not trained to fight, shoot, investigate crimes, write a police report or testify in court. It used to be my opinion that only cops were capable of all these things and that a civilian could not possibly understand the dynamics of crime scene/police work. Although I am still a strong believer in the law enforcement mentality where investigations are concerned, I have been proven wrong many times. Non-sworn personnel can be a very strong asset to any police department, with the proper mindset, training and equipment. What I mean by proper mindset is that police work isn't a career that everyone can or should do. Some people are just not "cut out" for it. On the other hand, a capable investigative analyst can do more to solve crimes than any street cop ever could, given the proper bulldog mentality, training, and equipment. Like you, I have realized over the years that sworn cops tend to dislike change; changes in themselves and changes in their working environment. With the technology age in full swing, things are changing constantly (and always were). We must adapt, learn and grow if we are to succeed in this business. Looking back now on my CSI days, I realize we were stagnant, not growing and not learning new technologies. Our college-educated civilians came in with just the right stuff we needed to move ahead. Our non-sworn CSIs still work within the para-military, sworn LEO chain of command. This command structure is very strong with our Agency and it works well for us.

My views of non-sworn personnel working in computer forensics are the same. Again, I strongly believe that digital crime scene work is not for everyone. I often ask others this question: "Do you believe it is better to train a cop to do computer work or is it better to train a computer geek to be a cop?" I believe the answer is "both." A good examiner, in my humble opinion, must possess the qualities of both the geek and the sworn officer. We can all learn from each other and we must. I agree with you, Brad, that we must put the right person in the right position; put the round peg in the round hole. Unfortunately, and at least with our Agency, the vast majority of officers believe it is in their best interest for their careers to be promoted at every opportunity. Therefore, few choose a specialty and stick with it. For instance, as a 21-year veteran and with all my experiences, I have no rank. I have no desire to move up that ladder. I only want to be good at investigating crimes and mentoring others. As a result, I have been told I will not be promoted, even though I tested for corporal rank twice and made the list both times. It is the policy of our sheriff that in order to be promoted, you must go back to road patrol. I tested for corporal only because my sergeant is retiring very soon and I wanted to have some control over who would work in the computer lab with me. Actually, I was hoping to fill his position and add a third person (non-sworn) to our lab, but with all the budget crunches, that is not likely to happen. I declined the offer to promote out to a midnight patrol shift merely to satisfy the promotion requirement. How would that benefit the agency? We currently have no cross trainers to fill my spot. I feel that by staying in the computer lab and declining the promotion I am doing the best thing for the agency. I am not unique in this dilemma. Our helicopter pilots and K-9 officers (and others) are also very specialized and they can't get promoted in place either. Yes, I'll take that cheese with my whine.

Q: Sandra, I think you hit on some very good points. We are gradually seeing law enforcement "move with the cheese". Having civilian forensic examiners work with sworn forensic examiners or under the sworn chain of command is very important to ensure agency objectives are fulfilled and policy followed correctly. Earlier, you mentioned that you have been doing digital forensics for about 4 years with your agency. That seems to be the common denominator from talking to fellow LE forensic examiners; we chose to adapt to our work environment and quickly became the go-to person when it came to fixing computer problems around the office and next... "Hey, there's an NW3C class coming up and we need to send someone. It's FREE. Would you go?" Now, we become the experts and realize we found our niche; attend more and more training, get certified, and now (hopefully) we get a forensics budget (or upper echelon support within the agency) and begin working cases. In the 4 years that you have been doing digital forensics, what are some of the challenges that you see from your perspective that we face as law enforcement? What about the digital forensics community overall where law enforcement, private sector, intelligence, and academia converge?

A: Your explanation of how the computer expert gets started is right on target. The person who has the patience to remove the paper jams from the copier becomes the go-to person for everything from VCR clock setting to video file conversion. For me, however, it was exactly the opposite. It seemed every time I walked near a piece of electronics it would try to spark and catch on fire. It was the running joke in the office not to let me near anything you might want to use again. I was horrible! 

It is interesting that most examiners we find have been doing the job officially for about 4-6 years. This must be because only a few agencies were buying into the technology before that. Many examiners have been doing computer forensics for a decade or more just for the love of doing the work. My sergeant has the #51 DOS forensics certification. He started our lab in 2002 with a few small pieces of equipment and DOS / disk edit. There are a few challenges that we face in the computer forensics realm of law enforcement. Obviously, the cost of doing business is steep. Typically, the people who control the purse strings do not understand the need to replace a perfectly good workstation every 4-5 years. It is a never-ending battle to explain the need to keep up with the ever-changing software and hardware technologies. The rapid pace at which electronic technology is evolving is the topic of Moore's Law. Since the 1970's, experts have been trying to predict how many transistors can be crammed into smaller and smaller circuit boards and how much faster computers would perform year after year. In 1975, Moore predicted that the complexity of computer components doubles every 2 years. We are certainly not waiting 2 years any more for technologies to make their way to the market. Moore predicts eventually, by 2015 - 2020, the size of a chip would be the size of an atom and you can't get any smaller than that. Intel and some others predict that the size of the circuit card would just get bigger and we could stack the chips for more, more, more power. For those things that make me afraid or that I don't do well, what I did (and still do) have is a sense of humor and a desire to learn. Computers were both of those things for me; I was afraid of the technology. After all, I was born in the early 1960's. We grew up with transistor radios and 3 stations on a push/pull knob television. I still had a push/pull knob TV when my husband and I started dating in 2004. He laughed at me forever and we still joke about it. That mentality sounds ridiculous to me now. I was permitted to attend NW3C training because they were still traveling to Orlando to teach and it didn't cost the agency anything to let me go. When my administration decided I wasn't quitting, they paid for me to go to IACIS basic and here I am, grabbing everything I can get my hands on.
Another challenge we face is keeping good quality employees at the police department. The agencies have it made where we are concerned. They get a cop when they need a cop and they get a computer examiner when they need an examiner. For instance, in 2004 when the central Florida area endured 4 major hurricanes within a month, we examiners (and other specialty units) were out delivering water to mobile home parks and directing traffic in 12-hour shifts. On one occasion, I had pet duty at the main operations building because we were housing employees who lost their homes or working 12-hour details and their pets were staying with us too. The civilians were at home or volunteering if they wanted to, but they were not required to work.
We get requests from folks who want to learn what we do because they are getting ready to retire and they see the potential to earn more money as an examiner when they leave. Obviously, we don't waste any time entertaining those who are not really interested in putting their skills to work for us. What should we do about those who come to train, get all the schools on the agencies' dime and then leave once they get a year or two under their belt for a more financially lucrative position outside? This is a major drain on the budget with no benefit to us.
The growing trend in police agencies around the country is to hire more and more non-sworn personnel to fill non-combat positions in the department. The justification is that civilian personnel are paid less, they require less agency-issue equipment (cars, uniforms, guns, etc.) and they are required to come in with more educational and specialty qualifications than the cops-turned-examiners have. We heard this reasoning when the decision was made to convert our CSIs to non-sworn positions. The way our retirement benefits work for non-sworn is that they receive much less return on their retirement pension plans than the sworn LEOs too, so there is another savings to the budget. This theory is still in play, although I believe we proved it completely wrong with the CSIs. They came to us with master's degrees in chemistry and biology. We have to pay for that in the form of a higher salary. We have a strong career path plan for our non-sworn employees to accommodate upward mobility for them to get promoted and increase their earning potential. For the CSIs, there is little room for promotions within the unit, so we had to come up with pay increases for higher certifications. Step 1 certifications earn $1000 per year extra, Step 2 is $2500, and Step 3 is $5000 per year. We didn't figure that in their entry level salary and the sworn officers do not have this. Furthermore, Florida State legislation has ruled that CSIs and any other personnel who handle biohazard materials as a regular part of their workday are entitled to high-risk benefits, just like sworn LEOs. Well, there you go. We hired them at competitive pay based on the industry standards in the private sector, we pay them extra for their certifications and now we contribute the same percentage to their retirement benefits as sworn LEOs. So, we didn't save money there after all. For the record, I'm glad we pay them that way. They deserve it and then some!

I believe the arguments are the same in the computer forensics community. The same rules will apply as with the CSI. If you want good and qualified people, you will have to pay them. Otherwise, they go where the money is. The main reason I don't leave the agency is because I am deeply rooted there and I have less than 4 years to go to retire with 25 years on. The second reason is the same as I stated before; there is no substitute for loving what you do every day. I love catching bad guys! Even if I am not making the arrest, I know I helped in some way. I have to believe that is why many of us came to love this job in the first place. It's a double bonus that we get to be cops and do computer forensics.




Q: Sandra, very insightful. Watching technology advance over the next five to ten years and beyond should be interesting, but even more interesting will be to see how the digital forensics community adapts. I have found that I am doing more of a triage approach when a case officer requests an examination (i.e. mount the forensic image and run a set of tools against the image, based on the case; or even just a forensic preview to gather mission critical data). Then, if a full digital forensic examination is necessary, utilize EnCase or SIFT Workstation for forensic analysis. This has helped prioritize cases and aid with case workflow. How have you had to adjust your forensic tactics in the last few years to handle larger capacity hard drives and devices that you just can't remove the hard drive from and throw onto a write-blocker?

A: I hope every examiner is adapting to the ever-increasing numbers of devices being submitted to us these days. Not too long ago we were following the exact protocols for wiping every target drive, overwriting with "0", and reformatting it before imaging evidence files onto them. That was time-consuming and cumbersome. Now that we have a server / NAS, we just create a new folder named appropriately for the case and image the devices to that folder. Sometimes, like you, we preview devices before imaging them if the investigator is not sure which device may contain the evidentiary files. Previewing is a huge time saver, although you may not locate hard-to-find evidence this way.

We rarely conduct "find all" examinations anymore. We focus the exam on the specifics of the search warrant and only that. Of course, any other contraband located will be dealt with appropriately. If there is no warrant (consent), we still try to focus the exam as much as we can. Conducting an active file preview is very important and it helps cut down on time. Examine the obvious files that the user has access to before going to the obscure, harder-to-find stuff. Knowing where to find files of interest on the OS you are working with saves time too. If you can tell immediately the difference between WinXP and Win7, then you know that the user files are not in the same place by default. Merely poking around the drive to see what you can find is not a very efficient way to conduct a thorough exam.

I will always remove the HDD and bridge it with a hardware write blocker, when possible. We use a LiveView CD for practice, but I've never had to use one on an evidence drive. I have used SPADA2 on occasion to preview in the field. And then there was this one time when a whole group of us assisted our local probation officers as they conducted surprise computer checks on the registered sex offenders late in the evening hours. The fourth and last house I was assigned to check was a young man who had four computers all live and online in his bedroom at midnight. They were all running Ubuntu. Two other examiners and I could not get our write blockers to recognize the removed disk drives, of course. We wound up just poking around live in the machines. I told him, "You won this one." Not only were we very tired but none of us could do anything "forensic" with the equipment we had. What a disaster!
We don't seem to get called out to the field much anymore. I wonder if that is the case everywhere. My sergeant ran all our CSIs through an 8-hour computer collection class and certified them via IACIS protocol in how to seize computer / digital evidence. They were happy to learn and we are happy to keep them trained. Our detectives collect digital evidence at almost every scene. If we were to go out on every one (as we used to do) we would never go home. With 2 teams of crime scene investigators working 24/7 collecting evidence, that is just too much for the 2 of us to keep up with. We do lose the opportunity to catch the RAM and to see what apps were running at the time they shut the machines down, but we have to draw the line somewhere. If they are faced with a server or a bunch of machines that they believe are networked together, they'll call us out.

Another time saver for us is that our agency (mercifully) purchased 5 CelleBrite devices. They are scattered around throughout the tactical squads, robbery, narcotics, and the computer lab. We continue to train as many people as possible in how to use it for on-scene consent searches and for searches incident to arrest prior to booking the suspect into the jail. For now, we are still permitted by law to search the contents of a cell phone if it is reasonable to believe the phone may contain evidence.

Our crime analysts and a particularly clever programmer that works with them created a master database that searches all the "little" databases that we have access to, and then compiles a comprehensive report. They wrote code that will extract the phone contacts out of the CelleBrite report.xml file and run it against all the other databases in our system. The new database reports every time a number is found and whom it comes back to. For example, if a phone number is stored as the name "drug runner" in one guy's phone but that same number is stored in another phone as "Joe Smith", that phone number will report back to us with the two different references. We are identifying our suspects who may have reported themselves as a victim or they were listed as a witness at one time, all because our database had the number. We are connecting multiple suspects together who we may have never known were companions. The other local agencies within our county love it. Pretty cool stuff!

I have a question for you. How much information do you believe examiners should be including in their reports? I had lunch with my favorite prosecutor last week and he said we should be putting everything in our reports; including, every picture on the drive (allocated), email, document, etc. UGH! How many times have you included event logs, jump lists and stuff like that in your reports? If you bookmark a particular file, do you also bookmark and explain in your report EVERY other time you find references relevant to that file, even if it's not really evidentiary? For example, if I bookmark a document, should I also be documenting the application that opened it, the temp file that Windows created while it stood open for a while, etc.? Maybe the EMF or Spool files with metadata, but everything else? Some examiners find everything there is to find for every file they find and report on it. Wouldn't this make testifying to all those facts much harder than it needs to be? Maybe I'm not doing enough.
  • DF Source response: Sandra, I'll stick with the standard response we utilize in forensics, "It depends". I would say what is relevant in one case may not be relevant in another. Also, including every file (/dir listing) in a report that a jury may potentially see would be cumbersome, unless it is all "relevant". However, if you are doing forensic timeline analysis using a tool like Log2Timeline, it will bring context to your forensic analysis. Log2Timeline is a powerful tool and is great for creating a super-timeline, incorporating your event logs, registry, link files, internet history, etc. Rob Lee wrote a great article in March of 2010 on the SANS Computer Forensics blog, outlining super-timeline creation utilizing the SANS SIFT Workstation. Volume Shadow Copies (difference files) can also be important for showing historical information or the lifecycle of a particular file. I think the bottom line is the investigator, forensic examiner, and prosecuting attorney have to be reading from the same sheet of music. As forensic examiners, we need to ensure the investigator knows what forensic capabilities we have, and move away from "Here's this computer. Find evil." Is it a sundae without a cherry on top? No. Just because there is an illicit image on a suspect's hard drive, we still need to put him at the keyboard. I think any forensic artifact (or a missing artifact is an artifact in itself) that shows user interaction with the computer system should be included in the report, based on the time that you are looking at when the "event" or alleged crime occurred. Of course, YMMV!
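The contact-correlation workflow Sandra describes a few answers up (pull the phone numbers out of a phone-extraction report, run them against the other databases the agency can reach, and report every number that comes back under more than one name or role, so that "drug runner" on one handset and "Joe Smith" in the case system meet), written out as an added example. This is not the Orange County Sheriff's Office code and not the interview's text. The `<report>/<contact>` XML layout, the two handset contact lists and the case-database rows are all constructed stand-ins; the real Cellebrite report.xml schema is not reproduced here, and the case-database source tags are invented for the illustration.

```python
"""Cross-reference phone numbers from several contact sources.

Added example for this page; not the Orange County Sheriff's Office code.
The <report>/<contact> XML layout below is a constructed stand-in, not the
real Cellebrite report.xml schema, and every contact and record is made up.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed stand-in for two phone extractions (hypothetical XML layout).
PHONE_A_XML = """<report device="phone-A">
  <contact><name>drug runner</name><number>(407) 555-0101</number></contact>
  <contact><name>Mom</name><number>407-555-0199</number></contact>
</report>"""

PHONE_B_XML = """<report device="phone-B">
  <contact><name>Joe</name><number>407.555.0101</number></contact>
  <contact><name>Work</name><number>+1 (407) 555-0150</number></contact>
</report>"""

# Constructed rows from an agency case database: (role, name, number).
CASE_RECORDS = [
    ("victim", "Joe Smith", "+1 407 555 0101"),
    ("witness", "Ann Lee", "4075550177"),
]


def normalize_number(raw):
    """Canonicalize a NANP number to ten digits.

    Strips punctuation and a leading '1' country code. Anything that does
    not reduce to ten digits is returned as None so it is not silently
    matched against the wrong record; such entries need manual review.
    """
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits if len(digits) == 10 else None


def contacts_from_xml(xml_text, source):
    """Yield (source, label, number) for each parsable contact in the XML."""
    root = ET.fromstring(xml_text)
    for contact in root.iter("contact"):
        number = normalize_number(contact.findtext("number", ""))
        if number is not None:
            yield (source, contact.findtext("name", "").strip(), number)


def records_from_case_db(rows):
    """Yield (source, label, number); the role (victim, witness, ...) is
    kept in the source tag so a 'victim' who shows up as a suspect's
    contact stands out in the report."""
    for role, name, raw in rows:
        number = normalize_number(raw)
        if number is not None:
            yield (f"case-db:{role}", name, number)


def build_index(entries):
    """Map each canonical number to the set of (source, label) pairs."""
    index = defaultdict(set)
    for source, label, number in entries:
        index[number].add((source, label))
    return index


def cross_references(index):
    """Return only numbers seen under more than one source/label, with the
    references sorted so the report is stable from run to run."""
    return {num: sorted(refs) for num, refs in index.items() if len(refs) > 1}


def run_correlation():
    """Correlate the constructed extractions and case records."""
    entries = list(contacts_from_xml(PHONE_A_XML, "phone-A"))
    entries += contacts_from_xml(PHONE_B_XML, "phone-B")
    entries += records_from_case_db(CASE_RECORDS)
    return cross_references(build_index(entries))


if __name__ == "__main__":
    for number, refs in run_correlation().items():
        print(number)
        for source, label in refs:
            print(f"    {source:16} {label}")
```

The whole correlation rests on `normalize_number`: "(407) 555-0101", "407.555.0101" and "+1 407 555 0101" are the same line, but as stored strings they never collide, so every source is reduced to the same ten-digit key before indexing. Numbers that do not reduce cleanly are dropped rather than guessed at, since a wrong match here links a real person to someone else's contact list.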

Stay tuned for Part II in this series, as we'll discuss the Casey Anthony Trial and digital forensics in the courtroom.

1 comment:

Matthew said...

After reviewing some of the video from the trial, it became apparent to me that a way of pulling text out of images would be a useful process for keyword searches.

This is an example of a script I am working on to extract text from images using the program tesseract. Once the text is exported from the images, it can be indexed and the exported text can be used as a reference to help find keywords. This tool does have an error rate and alone it would not be ideal as a valid process, but used in conjunction with other tools it can help locate images with valid keywords.

In the video example I use one of the images questioned in Casey Anthony Trial.

http://www.youtube.com/watch?v=mQSUQv5xO8g

Feel free to comment on the video, feedback is always welcome.