Kathleen Vilac, a civilian member on the RCMP's Integrated Homicide Investigative Team (IHIT) in British Columbia, recalls one of the first cases she assisted as a member of the Digital Field Triage (DFT) Program.
It was 2012, and it was a shaken baby case. A computer was seized by IHIT and given to Vilac to search for evidence that could potentially further the investigation.
In the past, digital evidence would have been sent directly to a digital forensic specialist at the Technological Crime Unit (TCU) in the province. The specialists in the unit remember calling up the investigative teams they supported in the early days to let them know they were there to assist with correctly seizing and processing digital evidence.
"Back then, we had less work relative to the investigators that we had here," says S/Sgt. Clint Baker, the operations non-commissioned officer of the TCU in B.C. "But the pendulum has swung in the other direction. Now name any type of investigation and it could involve digital evidence."
When the use of cellphones and computers exploded, just about every seized device would be sent to the TCU, whether there was evidence on it or not. They had more work than they could handle.
"It doesn't do anybody any good if they send us something and it sits in the queue for two years and they can't get any meaningful evidence off of it in a timely fashion," says Baker. "We have to be relevant to the investigators."
A new approach
To relieve the backlog, the TCU members developed the DFT program in 2009.
It was a new concept in the tech crime world. Typically, only digital forensic specialists were allowed to do forensics or analysis.
"We had to break down that barrier," says Sgt. Ben Hitchcock, who helped develop the program. "Our DFT members don't do analysis. They do extraction and create an observation report. That distinction is very important."
DFT members report on what they observe. "Anyone can see the fact that there's a child exploitation image on a computer," says Hitchcock. "However, they can't say how the image got there, how it was put on the computer, or when it was put onto the computer — all that information requires a digital evidence specialist to provide a higher level of analysis."
The program frees up the digital forensic specialists to focus on their work in their lab. A DFT member can determine if a digital device has evidence on it and if it needs to be sent to the TCU for further analysis.
"We only attend a search warrant now if there's an element of complex nature or if it's something that requires our expertise," says Sgt. Gerry Louie, the DFT program co-ordinator.
The DFT members also put evidence into the hands of the investigator faster.
"It's no longer stale post-mortem information," says Hitchcock. "Now the investigators are able to get emails, text messages — anything written on the computer — within hours of the arrest."
In the case of the shaken baby investigation, after Vilac extracted the data from the computer, she found evidence that the suspect had done an Internet search for infant cold and flu medication before the crime was committed. And post-offence, the suspect searched the term shaken baby syndrome and the effects of it.
"Anytime you find anything like that that can assist the investigators in pressing charges or as information to use during an interview with the suspect, it's very exciting and satisfying," says Vilac. "It's a 'Gotchya!' moment."
Cross country
The DFT program has trained more than 200 members across B.C. Interested front-line RCMP police officers and civilian members, like Vilac, can sign up for the five-day Digital Computer Field Triage training course or the four-day Digital Mobile Field Triage training course to become a member.
And the program has also gone national. The RCMP's National Division TCU uses it, as does the TCU in Ontario. It's also been implemented by the Ontario Provincial Police and supported by the Canadian Association of Chiefs of Police's e-Crime Committee.
"We have had interest from around the world as well," says Hitchcock. "Digital evidence is becoming the evidence in cases. And as a small parent unit, we can only do so much, but if we expand that to a second tier that has more people, we can do so much more."