SAN DIEGO -- Forget everything you've seen on CSI. In the information age, crime scene forensics are beginning to take a back seat to the science of recovering and sifting through evidence hidden on computers, cellphones and thumb drives.
Nowhere is that shift clearer than at the FBI's Regional Computer Forensics Lab here, which once lifted traces of incriminating Google searches from a suspect's hard drive to help convict him of murder. This week the lab became the sixth computer forensic lab in the nation to be accredited by the American Society of Crime Laboratory Directors, in another sign that computer forensics is no longer just about investigating hacker attacks.
"We've found video of gangsters rapping a song about a murder they committed," RCFL examiner John Leamons says.
The growth of law enforcement computer labs is an indication of how technology is increasingly involved in, or on the periphery of, criminal activity. San Diego-area law enforcement agencies founded the first regional forensic lab in 1998; there are now 14 such labs in the United States, with two more coming online this year. Last year the labs collectively performed more than 13,000 forensics examinations. The San Diego lab alone handled more than 1,000 requests from 40 law enforcement agencies in 2007, including 171 child pornography cases and 160 murder investigations.
In the lab's early days, RCFL examiners not only recovered the data but also analyzed it for evidentiary value based on the particulars of the case. But with exponentially growing data and caseloads, the 22 examiners here now focus on collecting and preserving data in a manner that will hold up in court, then hand that data back to the police agency for analysis.
Not surprisingly, the most valuable information comes from the files that suspects thought they had deleted, but which remained hidden in the nooks and crannies of their hard drives. "The key to computer forensics is unallocated space," says Leamons, who is on loan to the lab from the San Diego Police Department.
No one can remember a case being kicked because the lab made an error, but they can remember cases where they found evidence that exonerated people charged with crimes, Leamons says.
Cellphones pose a particular challenge, says Rebecca Adimari, one of the five examiners who work on them.
"Each has its own operating system and frequency -- there's probably over 500 makes and models and not many of them are the same," she explains. "There can be so much evidence on there."
From the unique ringtone caught on camera during a holdup, to the accidentally recorded conversations on voice notes, to the Israeli thug keeping notes of extortion visits on his PDA, the way people use their phones can be pretty incriminating.
"When they arrested the Arellano Felix people (a gang of Mexican drug lords later convicted of murder and drug crimes in 2007), they recovered 14 phones including one with a photo of a machine gun," Adimari says.
She has hundreds of power and data cables, since they're all peculiar to individual phones. And she has a special box that blocks signals on the phones in the lab, so no information is lost or compromised.
Examiner Patrick Lim, from the Naval Criminal Investigative Services, says he recently recovered data from a hard drive that had been burnt to a crisp. Asked if it was from an arson or a murder, Lim says he can't reveal the details.
"It was burned. That's all I can say."