On the Scene and In the Lab Vol.12|No.3
JUNE/JULY 2015
LESSONS LEARNED: The Boston Marathon Bombing
ALSO INSIDE
Mobile Fingerprinting Technology
Detecting a Data Breach
www.forensicmag.com
Features
From the Editor: What’s Left Behind, Sean Allocca
Mobile Fingerprinting a ‘Game Changer’ for Police, Seth Augenstein
Lessons Learned: The Boston Marathon Bombing, Sean Allocca
Detecting a Data Breach, Jacob Williams
Under the Microscope: Comparing Mammalian Spermatozoa Morphologies for Sexual Assault Cases, Emily S. Boward
Do You Really Need a New Lab?, Matthew T. Schwarz, Michael J. Kvasnik, Lisa H. Brauer and Kelly Williams
DNA Connection: The Next Step in Rapid DNA, Chris Asplen
Digital Forensic Insider: A Forensic Overview of the Windows 10 Registry, John J. Barbara
Most Wanted: To Duct or Not to Duct: Chemical Fume Hoods in Your Facility, Ken Mohr and Cy Henningsen
Safety Guys: Planning for Construction: Tips for Maintaining Indoor Air Quality, Vince McLeod
Who Says You Can’t Do That?: Impression Evidence: Admissibility and Best Practices, Dick Warrington
Departments
On the Web
Advertiser Index

Forensic Magazine® (ISSN #1553-6262, USPS #023-655), is a registered trademark of and published bi-monthly by Advantage Business Media, LLC, 100 Enterprise Drive, Suite 600, Box 912, Rockaway, NJ 07866-0912. Opinions expressed in articles are those of the authors and do not necessarily reflect those of Advantage Business Media LLC or the Editorial Board. Copyright ©2015 Advantage Business Media LLC. All rights reserved.
FROM THE EDITOR
What’s Left Behind
Sean Allocca

The tragic events that unfolded inside the Emanuel African Methodist Episcopal church in Charleston, S.C. last month left a nation speechless. When nine people are murdered in cold blood, and the reason that those nine lives are cut short is the color of their skin, words do not explain what we all feel and understand. These events are not only a reminder of America’s dark history, but more importantly, a token of the crucible that has been left behind.

From the unimaginable events that unfolded in Newtown, Conn. to the bloodshed at the Boston Marathon, and this most recent attack in Charleston, spontaneous acts of violence are becoming increasingly concerning because they are becoming increasingly commonplace. While the national discussion turns once again to gun control and homegrown terrorism, law enforcement agencies around the country have learned how to deal with challenging crime scenes that result from ruthless terrorist attacks.

In our cover story, Boston Police Commissioner William Evans sat down with Forensic Magazine to discuss what his department learned after two bombs exploded at the Boston Marathon in 2013 taking three lives, injuring hundreds more, and forever changing the lives of countless others. With evidence on rooftops and ledges more than two blocks away, crime scene investigators went to work searching for forensic clues that would eventually help convict the surviving bomber, Dzhokhar Tsarnaev. The investigation lasted months.

Not only were forensic investigators at the scene, but working hard back at police headquarters analyzing video tape evidence taken from cameras outside businesses along the finish line. Eventually the evidence would help identify the terrorists and bring them to justice. From eight cameras in 2013, the department now has 130 cameras along the marathon route.

In another reminder of the gravity of domestic terrorism, Mr. Tsarnaev was sentenced to death in a courtroom in Boston for his actions that day in April 2013. While a debate over the morality of capital punishment ensued, many people, including the Police Commissioner, hoped that the decision would at least accomplish one thing: offer some form of closure and healing to the families whose lives were irrevocably altered that day on Boylston Street.

While the country mourns, we hope that as a nation we can diminish these violent acts in the future, and one day eradicate them completely. Until then, law enforcement and forensic investigators are standing by to protect the public from terrorism, and to make sure that those responsible for such unthinkable acts are ultimately held accountable.
FEATURE
Mobile Fingerprinting a ‘Game Changer’ for Police
Seth Augenstein

Sheriff’s deputies in a Florida beach town were arresting a man who supplied no identification and gave a suspicious-sounding name. Right there in the public park, the authorities pulled out a new crime-fighting tool: a mobile fingerprint scanner. They identified the man with his real name—complete with warrants for kidnapping, sexual battery and armed robbery charges attached.

The arrest is one of the latest examples of mobile technology improving the capabilities of law enforcement out in the field—a trend that is expanding nationwide. “It’s a game-changer for law enforcement,” said Bill Schade, the biometrics records manager for the Pinellas County Sheriff’s Office in Florida, the agency that made the arrest.

Photo caption: The mobile fingerprint scanner gives law enforcement the ability to identify individuals in the field saving time and manpower.

The deputies were using the MorphoTrak mobile fingerprint scanner, which is in use in five states, and continues to spread to local and regional agencies, according to the company. They include the Arizona Department of Public Safety, the West Virginia State Police, the Florida Department of Law Enforcement, and various agencies in Virginia and Texas, among others. And there are more to come. “There are quite a few states coming online,” said Mike French, a forensic biometric subject matter expert for MorphoTrak. “Pretty soon it’s going to be standard.”

The technology’s power is in its simplicity. Pressing one finger, then another against the scanner screen of the device is all that’s needed to then scan federal, state and local databases. The device—the size of a cell phone—buzzes when it comes up with an ID hit. “It’s really designed to do one thing—and do it well,” he said. Mobile fingerprinting first became possible about 10 years ago. But it’s only in the last few years that the technology itself has made it quicker and more accurate.

The latest scanners hit the Pinellas County streets in January, and so far, there have been no legal issues arising from the use of the mobile fingerprint technology. Suspects who can be arrested would be fingerprinted back at a police station anyway, so essentially the mobile device is using the same legal powers, just in a quicker turnaround, Schade said. In Pinellas County, there are 65 devices shared among the deputies. Each device costs around $1500. The device proved its worth early on when a quick-hit on an anonymous man being booked at the county jail revealed the person was wanted for a recent attempted homicide charge in Illinois. “The power of police is not the gun or the nightstick—it’s the information we have,” said Schade. “I think we should be using biometrics for everything.”

Mobile investigative technology is continuing to improve. Currently in development are apps for iPhones, which would allow any standard phone to perform the same fingerprint check on the fly, and mobile forensics that can analyze evidence and provide investigative leads quicker. A forensics expert at a crime scene could collect evidence by tablet, send it back to the lab, and start getting results before even departing. “It could make a huge difference in not only major crimes,” Schade said, “but minor crimes, too.”

Seth Augenstein is a science writer at Advantage Business Media. He previously worked as a crime reporter for The Star-Ledger. His work can be found on the Forensic Magazine website and at www.sethaugenstein.com.
COVER STORY
Lessons Learned: The Boston Marathon Bombing
The Boston Police Commissioner talks about how the Marathon Bombing changed policing and his department forever.
Sean Allocca

Boston Police Commissioner William Evans was one of the first officers to arrive at the scene of the sleepy suburban backyard where Boston Marathon bomber, Dzhokhar Tsarnaev, was holed up in an unassuming powerboat, named the Slip Away II. After a grueling manhunt that temporarily shut down the city of Boston, Evans was first in command, running on no sleep, “Gatorade and granola bars,” and screaming for his men to hold their fire. “I didn’t want any other people getting killed,” he told Forensic Magazine, about the tense moments before the take down. “When the shit started hitting the fan, I was the one who was screaming for everyone to hold their fire.”

As commanding officer, Evans gave permission for government agencies to throw flash and smoke grenades into the boat that eventually led to the successful capture of Tsarnaev. But in the weeks and months that followed, piecing together the forensic evidence from one of the most notorious terrorist attacks on American soil was almost as exhausting as finding the fugitive. “We had all kinds [of evidence],” Evans said about the massive forensic investigation operation that followed. “We had clothing, body parts, ball bearings from the bombs, and the metal pieces of the pressure cooker.”

Photo caption: Boston Police Commissioner William Evans was in charge of the operation to capture the Boston Marathon Bomber, and headed the forensic investigation on Boylston Street in downtown Boston in the months that followed.

Police investigation units brought the forensic evidence to a nearby warehouse where teams could meticulously analyze, process and catalogue hundreds of pieces of evidence. The entire process lasted months. With evidence on rooftops and on ledges, forensic investigators found pieces of the bomb more than two blocks away from the site of the explosion.

The images that Evans witnessed when he arrived at the scene of the bombing were especially striking for him. As a prolific runner himself, Evans has finished 47 marathons in all, and 18 in the city of Boston. He had just finished the marathon that day, and crossed the very same finish line on Boylston Street—only hours before the bombs went off. “They blew up my marathon, in my city,” he said. “My guys weren’t going to rest until we got them.”

Embedded in the crowd

While certain lessons learned from the bombing were multifaceted, some of the most effective new strategies implemented by the Boston Police Department have also been the most straightforward. “A lot more officers inside the barriers,” Evans said, emphatically. “Either in uniform or plain clothes, working the crowd.” Unfortunately, after the events of Sept. 11 and with the risk of terrorist attacks now commonplace around the world, extra precautions must be taken at large events, he said. “We learned that we really have to be embedded in the crowd.”

In years past, police never performed bag checks at the marathon, but this year dozens of checkpoints were set up at strategic entrances and exit points. Police never asked runners to bring in personal items in clear plastic bags, but the risk of another terrorist attack remained too real a threat. “In years past, we were out there cheering on the runners as good will ambassadors,” Evans said, “but now we’re behind the crowd, we’re in the crowd.”

Another important lesson that Evans witnessed firsthand in the hours after the bombing is not to depend on cell phones for communication after an attack. Although police have the ability to turn off, or
“kill” any zone in the city, especially when dealing with the possibility of a bomb, cellular service in Boston after the attack was completely shut down. “I remember my commissioner asking me: did we do that intentionally?” Evans said. Police officers are routinely instructed to turn off private cell phones and other mobile devices, he said, to ensure that an electrical charge won’t accidentally set off the explosives. But, the sheer magnitude of calls made overwhelmed the cellular network in the area and made communication over cell phones impossible. “There were just so many family members, so many people trying to get someone on a cellphone that they became useless,” he said. The department quickly learned not to depend on cell phones in the case of an emergency, and made sure that cellphone providers are able to bring in extra generators during large sporting events. Although making a call wasn’t an option, Evans could still send emails and text messages—and maybe most importantly use social media.

The significance of social media

With all the media that descended on Boston during the search for the bombers, the police department relied on social media as an effective way to get information out to the public. By tweeting their own messages, the Boston Police Department was not only able to get possibly life-saving information out immediately, but ensured that the information was factual and reliable. “We pumped out the description of the suspects [on Twitter],” Evans said. “We pumped out to not give out information about the location of our cops. We pumped out almost everything until we finally had him in custody.”

The use of social media was an important way for the department to get the correct story out to the public, instead of relying on mainstream media that all had “their little versions” of what was taking place on the ground during the manhunt. The only way to authenticate the messages coming from the police was to publish them to the public themselves. “CNN was running wild with a false report that two were in custody,” he said. “The media was running wild with a lot of stories, and the public can run wild too. The best way to control the message is by tweeting right from the source.”

Digital prevention

Not only has the use of social media increased at the department, but digital forensic investigations have also taken center stage in preventing a similar attack from happening again. “The cameras on fixed posts on the outside of businesses can’t be underestimated,” he said. “Not only did we have all kinds of images from people’s phones, but the key images we got from fixed cameras.” The department had eight cameras monitoring the finish line of the marathon when the bombs exploded. For this year’s marathon, the department utilized 130 cameras.

Moving forward

After the press conference was held to announce Tsarnaev’s capture, Evans and a buddy went down to his favorite, local Irish pub. “It was just like we won the war,” he said. “The college kids were all marching. We walked into the bar and they were all buying us beer. It was the best feeling in the world.”

Reflecting back on the days and months after the attacks on the city of Boston, Evans said the scenes he witnessed will stay with him forever. But the response that the emergency personnel delivered was something that truly makes him proud. “We lost three lives at the scene of the marathon,” he said. “But 261 people were taken away from that scene— many who had lost limbs—and nobody died. We’re thankful for that.”

Without forensic scientists on the scene, investigations like the one that helped put the Boston Bomber behind bars would never be possible. Convictions are all about rebuilding the events of a case from start to finish, Evans said, and the forensic investigators pull the whole case together. “As police we get a lot of the accolades about our response to situations,” he said. “But I always give a shout out to the crime scene people. It’s such a meticulous and labor intensive job. The forensic people, they’re the real unsung heroes.”

Sean Allocca is the editor of Forensic Magazine and has worked with a number of publications including the Hoboken Reporter and the Jersey Journal. He received a Master’s Degree in Communications from Fordham University.
DIGITAL FORENSIC INVESTIGATION
Detecting a Data Breach
Jacob Williams

Almost every week we learn about a data breach where attackers went unnoticed for a significant period of time. In 2014, the average number of days was 205.¹ Most recently, in the Adult Friend Finder breach, there is evidence that a third party detected the compromise at least two months before the breach was publicly reported. These numbers are not surprising to most seasoned incident response (IR) professionals, many of whom have worked cases where attackers have been in the network undetected for years—my personal record was a financial services organization that was compromised for seven years before being notified of the breach by a third party.

In most instances, it is not until a third-party notification that an organization learns it has fallen victim to a breach. A common scenario is when an organization’s machines reach out to a known nation-state infrastructure, which in turn tips off the FBI, who then alerts the organization that their machines have been compromised. Forensic examiners are then typically brought on board to investigate the cause and scope of the incident.

Given the statistics, it is no longer a question of if a company will be compromised, but when. Through continuous monitoring and advance preparation, incident response and forensic teams have the opportunity to turn the tables on attackers, minimizing impact and regaining control over their networks. Unfortunately, very few organizations do continuous monitoring because it is viewed as too time-consuming and too expensive. However, when attackers are left to freely roam a network, the ramifications can prove much more costly than the cost of continuous monitoring. For IR teams, understanding the key indicators of a compromise is the best place to start.

Key indicators of a compromise

Determining whether a compromise has occurred is typically a complex and time-consuming task. Fortunately there are a few key indicators to get IR teams started.
The first step is to identify whether there is just a generic suspicion that something bad is happening on the network; or if there is more granular information, such as an individual machine behaving differently or a user that suspects they have opened a malicious attachment. If it appears that something weird is happening with the network, in-house IR teams will need to look at netflow to identify any possible odd patterns in regard to network communications. For instance, workstations talk to servers and servers talk to servers; however, it is very rare to see workstations making connections with other workstations. In most environments, that would be an abnormal pattern and an indicator that something may be wrong. Are large amounts of data leaving the network from a particular infected machine? If yes, this may be a sign that the machine has been compromised and is being used for data exfiltration. While a server might send a lot of data out of a network, it is unlikely that a workstation will send a lot of data out. This may be an indication that a breach has occurred. At this point the IR team will want to dig down further to identify whether the host has indeed been compromised; and if so, what actions specifically have been taken by the attackers.
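The two netflow checks described above (workstation-to-workstation connections, and a workstation sending an unusually large volume out of the network), written out as an added example that is not from the original article. The subnet plan, the CSV column layout, the 500 MB ceiling and the sample flows are all constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumed address plan (hypothetical; replace with your own asset inventory).
WORKSTATION_NETS = [ipaddress.ip_network("10.10.0.0/16")]
SERVER_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Assumed ceiling on bytes one workstation sends off-network per capture window.
EGRESS_LIMIT_BYTES = 500 * 1024 * 1024

# Constructed flow export (not real traffic); bytes are those sent by src.
SAMPLE_FLOWS = """src,dst,dport,bytes
10.10.4.21,10.20.1.5,445,182000
10.20.1.5,10.20.1.9,1433,9500000
10.10.4.21,10.10.7.88,445,64000
10.10.4.21,10.10.7.90,3389,12000
10.10.7.88,203.0.113.50,443,400000000
10.10.7.88,203.0.113.50,443,350000000
10.10.9.3,198.51.100.7,443,2500000
10.20.1.9,198.51.100.20,443,900000000
"""


def role(addr):
    """Classify an address as workstation, server or external."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in WORKSTATION_NETS):
        return "workstation"
    if any(ip in net for net in SERVER_NETS):
        return "server"
    return "external"


def parse_flows(text):
    """Parse the CSV export, skipping rows that are malformed."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            ipaddress.ip_address(row["src"])
            ipaddress.ip_address(row["dst"])
            flows.append({"src": row["src"], "dst": row["dst"],
                          "dport": int(row["dport"]),
                          "bytes": int(row["bytes"])})
        except (KeyError, TypeError, ValueError):
            continue
    return flows


def workstation_to_workstation(flows):
    """Return (src, dst, dport) for every flow between two workstations."""
    return [(f["src"], f["dst"], f["dport"]) for f in flows
            if role(f["src"]) == "workstation"
            and role(f["dst"]) == "workstation"]


def heavy_workstation_egress(flows, limit=EGRESS_LIMIT_BYTES):
    """Total bytes each workstation sent to external hosts, if above limit."""
    totals = defaultdict(int)
    for f in flows:
        if role(f["src"]) == "workstation" and role(f["dst"]) == "external":
            totals[f["src"]] += f["bytes"]
    return {host: sent for host, sent in totals.items() if sent > limit}


def hosts_to_triage(flows):
    """Hosts to examine further: both ends of any workstation-to-workstation
    flow, plus every workstation over the egress limit."""
    hosts = set(heavy_workstation_egress(flows))
    for src, dst, _ in workstation_to_workstation(flows):
        hosts.update((src, dst))
    return sorted(hosts, key=ipaddress.ip_address)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, dst, dport in workstation_to_workstation(flows):
        print(f"workstation-to-workstation: {src} -> {dst}:{dport}")
    for host, sent in heavy_workstation_egress(flows).items():
        print(f"heavy egress from workstation {host}: {sent} bytes")
    print("triage list:", hosts_to_triage(flows))
```

The server at 10.20.1.9 sends more data out than any workstation in the sample and is deliberately not flagged, matching the article's point that large outbound volume is expected from servers but not from workstations.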

Determining the level of a compromise

In these early stages of an investigation, memory forensics is perhaps the best approach to determine if a particular host was compromised. In a memory forensics investigation, responders will take an image or snapshot of a machine’s random access memory (RAM) including all of the programs running in RAM and stored data, and then analyze the images. The task of acquiring memory is very straight-forward. The process for analyzing memory, however, is a bit more difficult. Fortunately memory forensics tools and courses are available and growing in popularity. As a result, memory forensics, once largely an academic field, is seeing more mainstream use during investigations today.
Once responders determine a compromise has occurred, they must determine the severity. Memory forensics can help responders characterize the attacker. For example, does this look like a common malware infection, e.g., an opportunistic infection that occurs when a user simply clicked a malicious site? Was the compromised person/machine part of a botnet (most likely a non-targeted attack)? Or does this appear to be a targeted attack? Memory forensics can help characterize the attacker and answer these important questions.

Moving ahead with an investigation

At this point it is up to the IR team to decide if they have enough information to close the investigation (i.e., they found the malware); if they need to continue forward with the investigation; or, whether they should hand off what they know to a forensic team. More often than not, the decision to move forward or seek assistance from a host forensic team is determined by the indicators derived from memory forensics and the potential impact. In some cases, if there is no evidence of data exfiltration and the attack does not appear targeted, the organization may simply reimage the impacted machines.

If at any point during the investigation the IR team feels out of their depth, a forensics team should be brought in immediately. If the IR team does not have the manpower to proceed or they can’t answer questions quickly enough because they lack the skills or tools to do so, bring in a forensics team. Otherwise, the long-term cost of the investigation can increase significantly.

During an incident, the pressure is on to answer questions quickly. But while working in haste or with misunderstanding, evidence might not be preserved, and critical artifacts may be overwritten. Think of the plumber that has two rates – the rate when the problem first occurs and another, after an attempt to try to fix something yourself. This same analogy holds true when working with forensic experts. If you try to “fix it yourself” first, don’t be surprised if the overall cost of the investigation is higher.
What could the attackers do? Who are they?

When a breach involves malicious software (or malware) running on a machine, malware Reverse Engineering (RE) is a popular method used to determine the capability of the malware. It helps answer the question “what can the malware do?” Can it steal email, log into banking sites, or infect office documents? Because the malware source code is only accessible to the attacker, incident response teams and forensic experts must rely on malware reverse engineering. Using a process called disassembly, malware reverse engineering tools allow responders to determine what capabilities the malware has, as well as any Indicators of Compromise (IOCs) that can be used to scan for other possible variants of that malware on the network. The IOCs gathered when conducting memory forensics and/or malware reverse engineering will help IR teams determine where to look next. Malicious actors tend to reuse malicious code across multiple campaigns, so IOCs can help attribute malware from two attacks to the same threat group even if the malware hashes aren’t identical.
Prepare for the battle

To prepare IR teams in the event of an actual attack, conducting a sand table exercise (a mock breach) is essential. The goal of the sand table exercise is to step through a mock breach following a team’s current IR procedures. It will identify any critical skills or tools that may be missing well in advance of a compromise. These exercises will help IR teams understand what is expected of them, what to do, and who to contact and when in the event of a breach. If an IR team hasn’t experienced a breach and they haven’t run a sand table exercise, how will they know whether or not they are prepared? Handling a breach is not something IR teams want to learn on the fly. While it may sound like a waste of time to walk through these big incident scenarios, chances are that a compromise will occur (and sooner rather than later). Taking the time to do a walk through and prepare up front will save time and money later on. The amount of money saved can be significant – just like grandma used to say “an ounce of prevention is worth a pound of cure.”
References

“M-Trends 2015: A View from the Frontlines” FireEye. 2015. June 2015. https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf

Jacob Williams is a SANS Analyst, certified SANS instructor, course author and designer of several NetWars challenges for use in SANS’ popular, “gamified” information security training suite. Jake spent more than a decade in information security roles at several government agencies, developing specialties in offensive forensics, malware development and digital counter-espionage. Jake is the founder of Rendition InfoSec, which provides penetration testing, digital forensics and incident response, expertise in cloud-data exfiltration, and the tools and guidance to secure client data against sophisticated, persistent attack on-premises and in the cloud.
ADVERTISEMENT

CApture™ BT Fuming Chamber addresses shortcomings of conventional fuming systems

Cyanoacrylate (CA) or Super Glue* fuming is a common technique that develops latent fingerprints on non-porous and semi-porous evidence. Because CA fuming not only develops, but also protects fingerprints by fixing them in place, many forensic scientists rely on it to process evidence. Quality of print development depends on the ability to control the consistency of the fuming process. It is important that CA fuming enclosures give precise control and flexibility over fuming parameters, as well as real time quantifiable feedback of those parameters. The NEW CApture™ BT Fuming Chamber is a top-of-the-line cyanoacrylate fuming system that provides programming flexibility, quantifiable condition readings, and easy-to-use features that yield high quality, consistent results. When Labconco set out to develop the CApture BT, we worked closely with forensic scientists to ensure that we addressed and eliminated some of the frustrations they face during the fuming process.

Problem. Current systems don’t allow for adjustments to program cycles. Forensic scientists often need to adjust fuming time in the middle of a cycle. As they are fuming prints, they may see that prints are not developing as quickly as they thought they would. At the same time, fuming temperature may need to be different for materials or conditions.

The CApture BT Solution. The N-tegrity™ Operating System gives the user complete flexibility in programming relative humidity level (up to 80%), humidity incubation time, fuming temperature (up to 425 F), fuming time and purge time for 20 storable protocols. Additional fuming time in 30-second increments can be added in the middle of a cycle with a push of a button, eliminating the need to repeat a completely new fuming cycle for underdeveloped prints.

Problem. Prints are sometimes overexposed to CA fumes. Evidence runs the risk of being overexposed unless the user is present to monitor and stop the process. In conventional fuming chambers, even though the fuming cycle has ended, the fuming process continues as the warming device cools and until the technician removes the glue tin.

The CApture BT Solution. The Acti-Vent™ Smart Controls purge the air to protect the evidence from overexposure. Purging continues up to 30 minutes after the exhaust cycle ends. Additionally, purging may be programmed to continue during evidence unloading to protect users from fume exposure.

Problem. Large evidence doesn’t fit in conventional chambers.

The CApture BT Solution. The interior dimensions are 27” w x 27” d x 44.5” high providing 18.8 cubic feet of completely usable fuming capacity and a generous diagonal length of 58.6”, accommodating long guns and similar evidence. Up to 15 long guns may be processed at once.

Problem. Hard-to-read controls and inaccessible filters.

The CApture BT Solution. Interior LED lights flash for 30 minutes when the cycle ends, providing the user a visual cue, readable from a distance, to remove the evidence. The display and controls are located at eye level and the filters may be easily replaced from inside the chamber without the need of a ladder.

Problem. Difficult to clean interior. Conventional chambers are made of glass, plastic or painted steel which can be hard to clean. Users spend more time cleaning with their heads in the chamber, which exposes them longer to noxious vapors and solvent based cleaners.

The CApture BT Solution. The durable stainless steel liner may be easily and quickly cleaned with stainless steel cleaner. In addition, the Acti-Vent™ Smart Controls Cleaning Mode enables air to be exhausted with the door open to protect the user from exposure to noxious vapors.

Problem. When prints do not develop well, troubleshooting can be difficult.

The CApture BT Solution. The N-tegrity™ Operating System’s diagnostic feature allows the user, with the push of a button, to review a checklist of mechanical functions to verify that the CApture BT is operating properly.

By addressing the shortcomings of current systems and giving the user programming flexibility, quantifiable readings, and ease of use, the CApture BT Fuming Chamber is the NEW design standard for future CA fuming systems. To find out more about the CApture BT please visit www.labconco.com.

Kelly Williams
Product Manager
Labconco Corporation
kellyw@labconco.com
ph: 816.822.3722

* Super Glue® is a registered trademark of Super Glue Corporation

Yamashita, B. & French, M. Latent Print Development. Retrieved June 8, 2015 from https://www.ncjrs.gov/pdffiles1/nij/225327.pdf
FEATURE
Under the Microscope: Comparing Mammalian Spermatozoa Morphologies for Sexual Assault Cases
Emily S. Boward

Forensic sexual assault investigations often involve serology screenings, which can include laboratory tests for the indication of blood, semen, and saliva.1 Identifying which samples might be from the assailant is paramount to investigators, and determining spermatozoa morphologies can sometimes be the key to cracking the case. In order to determine human spermatozoa from that of other mammals, it is first important to understand how sperm is made in the human body. In the male reproductive tract, sperm cells are first made in the testicles and subsequently moved to the epididymis for further development.2 The cells then go into the ejaculatory duct and urethra and afterwards combine with prostatic substances.2,3 Multiple areas in the male tract contribute to the composition of semen (2 to 5 mL per ejaculation resulting in 250 to 600 million sperm cells).2,4 Flavin is found in semen, which is able to emit fluorescence with a 450 to 495 nm ultraviolet wavelength light source.1,2,4 Flavins exist as yellow, ringed chemical structures that have coenzymatic and light receptive functions.5 This constituent of semen allows for an initial screening test on forensic evidence, which can include items such as underwear, clothing, and/or bedding articles from a victim.1,2,4 Fluorescent spots on a piece of evidence are areas that can be further analyzed for the indication of semen.1,2,4 Microscopic sperm searches are standard techniques used to verify human semen on a piece of evidence.1,6 This can be done at a total magnification of 400X, and the number of sperm cells seen within a cover slipped area of microscope slide is recorded.1,4 Using a compound light microscope allows for the visualization and magnification of these specific cell types.1,2,7,8 Using the microscope starts with plugging in its power cord and turning on the power switch.7,8 The stage should be at the lowest position possible, and then the slide can be slotted onto the stage with the stage clip.9 The
lowest power objective (4X) is then moved into the viewing spot on the microscope’s nosepiece.9 Using the coarse focus knob, the stage should be raised to the highest position possible without coming into contact with the slide.9 The observer should view with the ocular lenses (10X) and steadily turn the coarse focus knob to a lower position until the stained cellular sample comes into clear view; the fine focus knob can be turned as needed.9 Next, the 10X objective is moved into the viewing spot and the coarse and fine focus are used as needed.8 The field of view of the slide can be changed by turning the stage adjustment knobs, which move it right, left, forwards, or backwards.7,8,9 Now the 40X objective should be moved into the viewing spot; the fine focus knob is turned until the cells can be clearly seen.8 If greater magnification is needed, the 100X objective can be used.7, 10 The nosepiece is moved to the spot in between the 40X and 100X objectives, a small drop of oil is placed onto the slide, the 100X objective is moved into the viewing position, and the fine focus is used as needed.7 The coarse focus function should only be used on the lower power objectives, never on the higher power ones.7,8,9 An observer should only fine focus when using the higher power objectives; otherwise, the objective will collide with the slide, causing damage.7, 8,9 Once finished, the objective lenses can be cleaned, first with an alcohol wipe and then with lens paper; if oil was used, the 100X objective must be cleaned.7,8,9,10 The stage should be returned to the lowest position, the 4X objective should be moved to the viewing spot, the power switch should be turned off, and the microscope should be covered.9 Throughout the magnification and focusing process, the observer can control the amount of light being shown on the cells.8,9,10 The condenser (used for focusing sample lighting) and the diaphragm (used for background lighting) adjustment functions can be used to increase 
or decrease the light, as needed.8,9,10 The Christmas tree stain (Kernechtrot-picroindigocarmine stain) is used to microscopically differentiate between epithelial and nuclear components of cells.1,6 The staining components include Nuclear Fast Red and picroindigocarmine.2 This results in cell nuclei being red in color and cell cytoplasms being green.1,6 Human sperm cells are small (approximately 4.6 X 2.6 X 1.5 µm; 50 µm including the tail)11 and oval cells with red heads, colorless acrosome tips, and green tails.1,6,12 The heads hold
nuclei and genetic material, and the tails give the sperm cells the ability to move.2,3 The acrosomes hold enzymes which allow the sperm cells to enter the eggs during fertilization in the female Fallopian tubes.2,3 When performing forensic semen identification, it is important to be aware how other species’ sperm cells differ from human sperm cells.1,6,11 The objective of this study was to investigate the morphology of nine other mammalian sperm samples (dog, cat, cow, pig, elk, sheep, horse, deer, and mouse) and compare them with a human sperm sample after treatment with the traditional Christmas tree stain.
Materials and Methods
Figure 1—Human Sperm Sample
Figure 2—Dog Sperm Sample
Known semen samples were donated or purchased from reputable sources. The standard Christmas tree staining methods were used, as follows.1,6 A small amount of sample (i.e., 10 µl in volume or a small cutting from a substrate mixed in water) is air dried and fixed with heat onto a microscope slide.1,6 The red stain is applied for 15 minutes, then rinsed with deionized water.1 The green stain is applied for 15 to 30 seconds, then rinsed with 100% ethanol.1,6 The slide is air dried, cover slipped, and viewed under a microscope.1,6 Digital photographs were taken through the ocular lens of a compound light microscope using 1000X total magnification with castor oil immersion. This study consisted of a qualitative assessment of biologically stained cells and the differences in their structure and form; measurements of the sperm cells’ dimensions were not utilized in this study. In conjunction with the higher power objective on the microscope, some magnification was used within the camera, as needed, to achieve the most effective photographic composition of the cells.
Results

Distinct characteristics were seen in the sperm cells from each of the representative mammalian specimens.12 Red sperm heads with intact green tails were able to be viewed in each of the samples. Differences in shape and structure of the sperm heads distinguish one species from the other.1,6,11 Most notable are the bulletlike cat sperm cells, the spindlelike horse sperm cells, the hooklike mouse sperm cells, and the circular human sperm cells.12 The dog, cow, pig, elk, sheep, and deer samples show variations of a more bulky, balloon-like form.12 Each of the animal sperm cell heads appear to be proportionally more elongated, broader, and/or shaped differently than the human sperm heads.12 None of the sampled animal species’ spermatozoa used in this study resemble those of the human sample.12
Figure 3—Cat Sperm Sample
Figure 4—Pig Sperm Sample

Conclusions

This research data offers additional validity for the classification and verification of human sperm cells by giving a direct comparison of human and other mammalian samples using the same standardized methods.1-6,11-13 Accurate identification of human spermatozoa is an important evidence screening technique which can then lead to DNA profiling.1,13 Understanding the differences in various types of animal sperm cells’ structures and proportions can provide more certainty in serology evaluations that require sperm searches.1-6,11-13 Even with the implementation of automated microscopy technologies used to detect human spermatozoa, forensic serologists should still be familiar with the characteristics of sperm cells and how those can vary across species.1-6,11-13

References can be found at www.forensicmag.com.

Emily Boward is a science laboratory technician and manager at Frederick Community College, and Biomedical Science master’s student at Hood College. esb2@hood.edu.
The DNA Connection
Chris Asplen
The Next Step in Rapid DNA
Rapid DNA technology has reached its next significant milestone now that a new manufacturer in the field has developed instrumentation that is truly portable. While companies that have been driving the Rapid DNA industry—like IntegenX and Net Bio— have developed analyzers that are certainly lighter than your average ABI 3730, the term movable is probably a better descriptor. I’ve helped lift some of those analyzers into their transport crates, and my back certainly wasn’t saying portable.

Last month at the Connect:ID Expo in Washington, D.C., I was invited to take a look at the NEC Corporation’s new portable DNA analyzer. NEC is a massive, global technology company with products and solutions in nearly every sector. But this is their first foray into DNA analysis and they have moved the field of Rapid DNA testing forward in a dramatic way.

Now before we get too excited, there are a few caveats. First of all, the NEC’s new portable DNA analyzer currently only performs DNA analysis for nine loci. As such, changes will be necessary before it will be ready for FBI approval, and before profiles can be uploaded into CODIS. It’s also only processing one sample at a time. But even still, NEC’s instrumentation moves rapid DNA analysis forward significantly. It is literally built into a suitcase with wheels and a handle, and ready to go where needed.

The possibilities for a truly portable DNA analyzer are transformational in the forensic DNA identification field. Even at nine loci, the ability to start the identification process immediately at the scene of a mass disaster, while family members provide samples for analysis and comparison off-site, is the kind of thing many of us have been dreaming of—even before the fall of the twin towers. Eventually, the international community might even have the ability to quickly respond to allegations of mass rape, when sexual assault is used as a genocidal and militaristic weapon, which will utilize our best DNA technology at the scenes of some of the most heinous crimes.

Immigration applications can also be transformed. Whether DNA is used in the field to identify those crossing the border illegally, or if we place portable DNA analyzers in our consulate offices around the world to expedite DNA based confirmation of identity, we can begin to integrate DNA testing into immigration issues in a truly meaningful way. The DNA testing of individuals found to be in the country illegally may actually get done, and the speed at which consular offices can process visa applications can accelerate tremendously. And as we integrate DNA analysis into creative efforts to fight human trafficking, true portability of the technology will be a monumental advantage.

One application example comes from the tragic story of a young girl ripped from her home in Mexico over allegations that she was the daughter of a Mexican National living in Texas. Mexican federal police seized Alondra Luna Nuñez from her middle school screaming and crying as family, teachers and friends could only watch. The YouTube video went viral. According to Mexican authorities, the woman in Houston claimed in a 2007 petition that her daughter had been illegally taken to Mexico by her biological father without her consent. It wasn’t until after Alondra was forced to the US and testing was required by the Mexican Consulate there that her identification was confirmed.

Interestingly the news of NEC’s entry into the rapid DNA market comes just as another significant step for DNA is taking place. The Arizona Department of Public Safety Crime Laboratory is officially using rapid DNA technology to test DNA from qualifying arrestees for upload to the National DNA Database (NDIS). Samples taken from the arrestees were analyzed using the RapidHIT system, which generated a full DNA profile in under two hours that was subsequently uploaded to NDIS. That too is progress that should be exciting for everyone in the forensic community.

Both examples represent real progress forward toward a time when access to DNA evidence isn’t months or weeks away, but days and hours. It is progress toward a time when the power of DNA will be leveraged in a broad and diverse scope of applications that will save lives not only where our police departments are the wealthiest and most sophisticated, but wherever the technology is needed most.

Chris Asplen is President of Asplen and Associates LLC, and an international forensic DNA consultant.
FEATURE
Do You Really Need a New Lab?
Matthew T. Schwarz, Michael J. Kvasnik, Lisa H. Brauer and Kelly Williams

In the face of increasing demand for services and a mounting backlog of cases, many lab directors feel their only option is to add more personnel, increase or redesign lab space, or build a new facility altogether. In some cases, one of these options may be appropriate, but in others, improvements to existing procedures and work flow may be sufficient to solve the problem. Completing a thorough work flow assessment prior to making any significant changes will reveal the most cost effective and efficient approach. Importantly, a thorough work flow assessment will ensure that maintaining or improving quality is the compelling force for any changes to the lab.

Typically, it is capacity concerns that get people thinking about building a new laboratory. But often, laboratory directors don’t have the statistics necessary to evaluate their lab capacity in specific, concrete terms. How can managers determine how well their services align with their business model? It is important to ask whether the laboratory has the capacity needed. Given the number of people that work in the lab, the amount of space, and the type of equipment, what is the maximum possible output based on the work flow? Once you have determined that, the next question is whether your current capacity allows you to keep up with the demand. What is the ratio of samples received versus samples processed and reported over a given period of time? Is there an ongoing backlog? Could you handle an unexpected increase in demand? Once you have gathered the necessary statistics to address this question, the next step is to determine whether building a new laboratory is really the best way to improve capacity.

As shown in Figure 1, personnel factors can have a significant impact on the overall functioning and capacity of the laboratory. First, look at personnel allocation and assignments. Although many laboratory directors assume that adding more staff is the best way to address a backlog, this is not always the case. In some cases, it is more cost effective and efficient to outsource the cases to non-salaried, hourly technical or subject matter experts who are dedicated only to backlog reduction. In other cases, providing targeted or customized training to existing staff, perhaps in parallel with streamlined or updated work flows, may allow for backlog reduction without the need for additional personnel. Other changes to personnel, including eliminating redundant tasks or reallocating time to higher demand services, will make significant differences to overall lab performance and efficiency. It is important to conduct a comprehensive review of laboratory work flow, both overall and on a process by process basis, to identify gaps, delays, quality issues and opportunities for cost reductions or resource sharing that may be feasible and beneficial. A thorough laboratory and work flow assessment is likely to yield recommendations that are less costly and easier to implement than a complete laboratory design or rebuild.

Figure 1 – Factors that Impact Laboratory Capacity
What’s the business model?

Another driver for making changes to your laboratory or for deciding whether to build a new one is your business model. When looking at each service your laboratory provides, ask if a given discipline or process addresses a specific goal, i.e., an investigative lead or confirmatory test.

• Does a particular test add value to the overall goals of the laboratory?
• Does the demand for a particular test justify dedicated staff with particular proficiencies?
• Do all the tests need to be performed onsite, or would it be more efficient to outsource some of them?

In most cases, the best way to answer the build or not build question is to have an evaluation done by an outside expert who has extensive knowledge and experience in your laboratory’s discipline. An outside expert has been exposed to many laboratories, both successful and unsuccessful ones, and has the expertise to help you define your optimal strategy. Experts are objective and are not inherently wedded to any one approach. Perhaps most importantly, the expert’s assessment will help resolve specific planning issues that may not occur to the architect or others who are not subject matter experts.
Moving forward with a new or improved lab

If you have decided that you need to make updates or changes to your laboratory, perhaps the most important task is to determine whether you can meet your needs by overhauling or remodeling, or if you will need to build a new lab. Both remodeling and rebuilding a laboratory can take years to complete and may be costly, so it is important to carefully evaluate each option to determine which is best suited to your needs. For example, both remodeling and rebuilding require strategies for managing workflow during the transition period—e.g., mobile lab, temporary lab, outsourcing—but the feasibility and cost-effectiveness of each option will depend on the particular situation.

While self-assessment is useful, it relies on internal statistics about laboratory operations that many lab directors don’t have. Lab directors may be so invested in the status quo, or so close to the nuts and bolts of the procedures, that they can’t fully appreciate potential pitfalls. An assessment by outside subject matter experts in laboratory design, technology, forensics and processes and procedures can provide the most comprehensive and objective review.

Process mapping is a useful way to better understand workflow—both as it currently is and as it could be—and to help improve the effectiveness of the laboratory in meeting its goals. Process mapping involves modeling operating methods using flow charts to show sequence and relatedness of each step in the workflow. The process maps are developed through an iterative and hierarchical process in which certain key steps are expanded for greater efficiency or overall outcome. Early maps focus on the current situation, while subsequent maps focus on how the process can be improved. These techniques often identify opportunities that can increase productivity by more than 100 percent.

Once new procedures or processes are developed, the information can be used to determine how best to proceed. What changes are practical? Which are affordable? Does our overall business model need to change to achieve our goals? All of this information can provide the foundation for new written SOPs, staff training, budgeting, and validation and performance checks that will need to be in place for optimal laboratory performance.

Matthew T. Schwarz owns Schwarz Forensic Enterprises providing forensic management consultation services throughout the U.S. Michael J. Kvasnik is director of business development at Schwarz Forensic Enterprises. Lisa H. Brauer is director of scientific communication at Schwarz Forensic Enterprises. Kelly Williams is a product manager at Labconco.
DIGITAL FORENSIC INVESTIGATION
Digital Forensic Insider
John J. Barbara
Windows 10 Registry Forensics: An Overview
Over the last decade or so, computers have virtually taken over control of every facet of modern civilization. Every person who uses a computer at their workplace takes for granted that computers are essential in the work environment. They store or can access all the information necessary for normal day-to-day business operations. But there is a dark side to computer use, or rather computer misuse. Regardless of how many written rules, policies, and procedures management puts into place to protect the confidentiality and integrity of their digital information and intellectual property, it seems inevitable that a breach will eventually occur. Often the breach happens when an employee intentionally disregards policy and attaches a USB device to their workplace computer. Although their intent may be just to upload some pictures to display as a desktop slide show, they could also download proprietary information. Likewise, they could unintentionally or intentionally infect the computer with one or more of the thousands of computer viruses that currently exist.
The Problem in Perspective

Consider the following: Presume that an employee attaches a USB device to his workplace computer at the end of the day intending to download the company’s customer database which contains thousands of names, addresses, phone numbers, credit card numbers and so forth. After the download completes, he removes the USB device and turns off the computer. Unknown to him, a co-worker observed him attaching and removing the USB device. Since the workday was over, the co-worker could not inform IT Security until the next day. When IT Security confronts the alleged perpetrator, he denies the allegation. How are management and IT Security going to handle this situation to either prove or disprove the allegation?

Probably the best approach would be to perform an examination of the computer hard drive to look for probative information. Normally this involves forensically imaging the hard drive in a controlled environment with one of the many forensic imaging tools. Most forensic tools incorporate automated built-in features, such as recovering deleted folders, performing keyword searches, carving data from unallocated space, searching directories and files, and so forth. The image could then be examined further, focusing upon the Registry, searching for any USB devices that may have been attached to the computer.

Often, however, business IT department members lack the necessary qualifications or experience to perform these types of forensic examinations. This is not uncommon since IT personnel normally are not trained as forensic examiners. Under these circumstances, management may have to contract with an external digital forensics consulting firm to provide the services. In today’s digital forensics environment, examiners must have specialized training, knowledge, skills, abilities, tools and experience to ensure reliable and repeatable results when triaging a live system or examining a computer hard drive post-mortem. Regardless, it is essential in today’s business environment that management has a well-documented action plan in place such that if a breach occurs, or employee misconduct is alleged, they will have a firm foundation to support and assist with any potential civil or criminal proceedings. Failure to do so can have a detrimental effect upon the business or corporation.
What is the Windows Registry?
A typical Windows OS has many forensically important areas where probative information can be found, such as in RAM (live system) or stored somewhere on the computer’s hard drive. Any examination and extraction of probative information from a live system involves the use of triage tools which themselves will make changes to those same forensically important areas. Although this violates the “golden rule” of digital forensics, in some circumstances there is no alternative. However, before doing so, an examiner must have previously verified the functionality of the triage tools and know what changes are made to a live system when those tools are used.
The Registry, which is a goldmine of potential probative information, evolved over the years from the early Windows operating systems’ ‘WIN.INI’ and ‘SYSTEM.INI’ files. When Windows 3.1 was introduced, it was initially targeted to the corporate work environment and used individual ‘.ini’ human readable text files which were linked to the ‘WIN.INI’ file. With the release of Windows 95, the Registry as we know it today was introduced. The Microsoft Computer Dictionary, Fifth Edition, defines the Registry as: “A central hierarchical database used in Microsoft Windows 9x, Windows CE, Windows NT, and Windows 2000 used to store information that is necessary to configure the system for one or more user’s applications and hardware devices.” Windows XP, Windows Vista, Windows 7, and Windows 8 all included a Registry. The soon to be released Windows 10 also contains a Registry and will be the focus of this and several future columns. (Data relating to the Windows 10 Registry was obtained from Windows Evaluation Build 9841.)
Some examples of the information contained within the Registry which Windows 10 must continually reference to function include:
• USB storage devices that have been attached to the computer
• Wireless networks that the computer has connected to
• Recent search terms
• Lists of the most recently used files or applications
• Autorun locations which list applications to run when the computer is booted
• Contents of the User(s) desktop
• Malware (if it has installed itself as a service)
Where is the Information Stored?
The Windows 10 Registry is not in actuality a central hierarchical database or one large file, but rather a set of files referred to as ‘Hives.’ These files, located in the “C:\Windows\System32\config” and “C:\Users\[Username]\” directories, are updated each time a User logs onto the computer and are shown in Figures 1 and 2. Their contents are as follows:
• C:\Windows\System32\config\DEFAULT: contains the default system information which is stored in the “HKEY_USERS\.DEFAULT” Key.
• C:\Windows\System32\config\SAM: contains information about the Security Accounts Manager (SAM) service which is stored in the “HKLM\SAM” Key.
• C:\Windows\System32\config\SECURITY: contains the security information which is stored in the “HKLM\SECURITY” Key.
• C:\Windows\System32\config\SOFTWARE: contains information about the computer’s software configuration which is stored in the “HKLM\SOFTWARE” Key.
• C:\Windows\System32\config\SYSTEM: contains information about the computer’s system configuration which is stored in the “HKLM\SYSTEM” Key.
• C:\Users\[Username]\NTUSER.DAT: contains the Registry settings for an individual User account.
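Before a hive file copied from a forensic image is examined, its header can be sanity-checked. The following is an added example, not code from this column: it parses the first 512 bytes of a hive (the `regf` base block, whose field offsets are assumed from public format documentation rather than taken from the article), verifies the stored checksum, and flags a hive whose two sequence numbers differ, which means pending changes may sit in the accompanying transaction logs. The function names are hypothetical and the sample header is constructed for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Hive file name -> what it backs, as listed in the article above.
HIVE_KEYS = {
    "DEFAULT": r"HKEY_USERS\.DEFAULT",
    "SAM": r"HKLM\SAM",
    "SECURITY": r"HKLM\SECURITY",
    "SOFTWARE": r"HKLM\SOFTWARE",
    "SYSTEM": r"HKLM\SYSTEM",
    "NTUSER.DAT": "Registry settings for an individual User account",
}


def xor32(block):
    """XOR of the first 127 little-endian dwords (508 bytes) of the base block."""
    value = 0
    for (dword,) in struct.iter_unpack("<I", bytes(block[:508])):
        value ^= dword
    # A result of 0 or 0xFFFFFFFF is remapped to 1 or 0xFFFFFFFE.
    if value == 0:
        return 1
    if value == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return value


def filetime_to_utc(filetime):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_base_block(data, file_name):
    """Parse and sanity-check the header of a collected hive file."""
    if len(data) < 512:
        raise ValueError("need at least the first 512 bytes of the hive")
    if data[:4] != b"regf":
        raise ValueError("missing 'regf' signature: not a Registry hive")
    seq1, seq2, written, major, minor = struct.unpack_from("<IIQII", data, 0x04)
    root_offset, bins_size = struct.unpack_from("<II", data, 0x24)
    stored_sum = struct.unpack_from("<I", data, 0x1FC)[0]
    embedded = data[0x30:0x70].decode("utf-16-le", errors="replace")
    return {
        "backs_key": HIVE_KEYS.get(file_name.upper(), "unknown hive"),
        "embedded_name": embedded.split("\x00", 1)[0],
        "version": f"{major}.{minor}",
        "last_written": filetime_to_utc(written),
        "root_cell_offset": root_offset,
        "hive_bins_size": bins_size,
        # False means the header bytes changed after Windows wrote them.
        "checksum_ok": stored_sum == xor32(data),
        # True means the last write did not complete cleanly.
        "dirty": seq1 != seq2,
    }


def build_sample_header(name, seq1, seq2, when):
    """Build a CONSTRUCTED 512-byte header so the example runs offline."""
    block = bytearray(512)
    delta = when - FILETIME_EPOCH
    filetime = (delta.days * 86400 + delta.seconds) * 10**7
    struct.pack_into("<4sIIQII", block, 0, b"regf", seq1, seq2, filetime, 1, 5)
    struct.pack_into("<II", block, 0x24, 0x20, 0x1000)
    encoded = name.encode("utf-16-le")[:62]
    block[0x30:0x30 + len(encoded)] = encoded
    struct.pack_into("<I", block, 0x1FC, xor32(block))
    return bytes(block)


if __name__ == "__main__":
    when = datetime(2015, 6, 1, 12, 0, tzinfo=timezone.utc)
    for seqs in ((7, 7), (8, 7)):  # cleanly flushed hive, then a dirty one
        header = build_sample_header("SYSTEM", seqs[0], seqs[1], when)
        for field, value in parse_base_block(header, "SYSTEM").items():
            print(f"{field:18} {value}")
        print()
```

Run against the first 512 bytes of each hive exported from the image, never against the live files, and record the result alongside the hash of the exported file.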
John J. Barbara owns Digital Forensic Consulting, LLC, providing consulting to companies seeking digital forensic accreditation, and has been an ASCLD/LAB inspector since 1993. jjb@digforcon.com
Mostwanted Ken Mohr and Cy Henningsen
Answers to Facility Issues
To Duct or Not to Duct: Chemical Fume Hoods in Your Facility
You need to select a chemical fume hood for your facility. You are familiar with traditional chemical fume hoods, but lately you have been reading about the filtered fume hoods or something referred to as “ductless.” It gets that name “ductless” because of a filter pack located in the fume hood which takes dirty hood air and cleans it before putting it back into the lab; no ductwork to exhaust air to the exterior, thus ductless. This article discusses items and issues for consideration when choosing between a ducted and a ductless fume hood. Here are a handful of issues to consider:
1. What chemicals will be used in the hood?
• No ductless fume hood filters we’ve seen can capture every chemical. Before you can consider a ductless fume hood you will need to develop a list of chemicals to be used in the hood, and the quantity to be used. Ductless fume hood manufacturers will review this list and let you know if they have a filter appropriate to your chemical use.
• It is unlikely radioisotopes or perchloric acid would be used in a forensic facility, but if they are, a special ducted hood is needed to safely contain and vent these substances.
2. Purchase price and other cost concerns:
• The upfront purchase price of a ductless hood is more than a ducted hood: a 5 foot ductless fume hood from one of the major fume hood vendors is around $28,000 (including the first set of filters); a 5 foot ducted hood is in the neighborhood of $6,000 with no services.
• Once you factor in the needed infrastructure (ductwork, exhaust fans, mechanical systems, roof elements, etc.), the overall first cost of a ducted hood is more than it might seem from looking at the hood alone.
• Are you adding ducted hoods to an existing building? An engineer would need to evaluate the existing mechanical system to determine if the system could support the additional load. A larger mechanical system may be required to support more ducted hoods and this can have a large cost impact.
• Filter costs. For a ductless fume hood, the filter can be anywhere from a couple hundred to a thousand dollars. Each hood can have anywhere from two to six filters. Filtered hoods are engineered to capture and contain large volumes of spent chemicals in their filters, but all have to be replaced at some point. Different manufacturers offer different types of filters and these filters are going to capture or chemically bond more of some chemicals and less of others. Ductless-fume-hood manufacturers offer cost analysis, where they can look at the chemicals you plan to use in the hood and tell you how long their filters will be able to do their job before they need to be replaced.
• Operating costs. A ducted fume hood, which throws heated or cooled room air out of the building continuously, is going to have a much higher energy cost than a ductless hood, which filters and recirculates air back into the room, meaning much less air to condition, and thus lower energy bills with a filtered hood.
3. Installation time and infrastructure:
• After the purchase order has been submitted it could take 8 to 16 weeks for the ducted chemical fume hood to show up on site. During this time other work to prep the space for installation of the hood is critical, including ductwork, controls, and exhaust air-handling systems.
• Filtered hoods generally have a shorter lead time, especially if they don’t have any water or gas services. More customized units will have longer lead times. In either case, there will be less activity in prepping for a new filtered hood compared to the coordination required to install a ducted hood.
• Some ductless fume hoods are taller than most ducted hoods, and ductless units require clear space between them and the ceiling for venting. In renovating an existing facility, floor to ceiling heights need to be evaluated to determine if they are sufficient to allow for a ductless hood.
• If you are renovating, what is your existing building’s life expectancy? If you think this number is low, a ductless fume hood could be more easily relocated to a new facility, so this may be a factor in deciding which type of hood to purchase.
4. User operation and education:
• From a user point of view, once a ducted fume hood is put into place, it does its thing, and exhausts air out of the building. Most of the maintenance of the unit happens as part of managing the building’s mechanical system. Maintenance and Environmental Health and Safety staff deal with this; it happens in the background, with lab users generally not needing to know how the fume hood systems are maintained.
• A filtered fume hood requires the staff to truly become familiar with not only the use and operation but also the filtration system / filter package, and to understand the limits for safe filtration, because the air from the fume hood is filtered and put back into the occupied space.
• There also may be a question with a ductless hood as to who is responsible for purchasing and replacing the filters on the hood. Is this the user’s responsibility, or does the maintenance staff help with the replacement?
5. Facility flexibility and future use:
• One of the best features with a ducted fume hood is that whatever you put in it gets exhausted to the outside and diluted with lots of other air that is being exhausted before hitting the atmosphere. However, the ductwork is very rigid and would require maintenance staff or a contractor to adjust the height or relocate the hood to a different spot in the facility.
• One of the best features with the ductless fume hood is that there is no ductwork preventing or hindering the height adjustment of the unit or in relocating the device to a different spot in the facility.
This article has explored some of the pros and cons of ducted versus ductless fume hoods and discussed topics which help inform which type of hood to select. A ductless hood will be the right answer for one situation, and a ducted hood the correct choice for another, and we hope this article helps you make an informed decision when it comes time for you to select a chemical fume hood for your facility.
Ken Mohr is a principal and senior forensic planner with Crime Lab Design, which provides full architectural and engineering services for forensic and medical examiner facilities worldwide. kenm@crimelabdesign.com
Cy Henningsen is an Equipment Coordinator with Crime Lab Design. cyh@crimelabdesign.com
the
Safety guys
Vince McLeod
Planning for Construction: Tips for Maintaining Indoor Air Quality
Summertime is a good time to discuss indoor air quality (IAQ) as we are taxing our heating, ventilating and air-conditioning (HVAC) systems in most areas at this time of year and many facilities undergo construction or renovation projects as well. Research suggests that improving indoor air quality can increase worker productivity between one and eight percent and averages about three percent. And, if we stop to consider that the average cost for employee salaries in a typical Class A building is around $150 per square foot, better indoor air quality can save an employer around $4.50 per square foot just from improved worker productivity.1
By its nature, construction is a messy business. It does not matter whether we are constructing a new facility or renovating an old space, the issues are mostly the same. By developing and following a good construction management plan (CMP) we can control the mess and greatly reduce the impact on indoor environmental quality. Two good resources for putting together your construction management plan are the Environmental Protection Agency’s Indoor Air Quality Tools for School2 and the Sheet Metal and Air Conditioning Contractors National Association’s IAQ Guidelines for Occupied Buildings under Construction.3 These resources discuss five or six controls to implement during your construction project. We have added one or two of our own to round out a comprehensive construction management plan.
1. Develop your Construction Management Plan
Your base CMP should be written and then modified for each specific project before distributing to contractors, building occupants and employees. One main focus point should address scheduling. This is especially important if your construction or renovation project is in close proximity to occupied adjacent buildings or spaces. Refer down to source control and be sure to keep odor producing and dusty operations away from all the outside air intakes and building entrances. Construction sequencing is also important in minimizing absorption of VOCs by porous materials. This involves ensuring application of wet and odorous materials such as coatings, paints and sealants is completed before installing absorbent “sink” materials like carpets, ceiling tiles and upholstered furnishings. IAQ issues referred to as “time of use” problems should be scheduled on weekends or after normal hours, when the potentially affected facilities are closed. These include activities such as cleaning (see housekeeping below), roofing projects or floor refinishing. If your project is a renovation, refer to the pathway interruption and source control section for the value of isolating work areas from non-work areas. Containment and isolation are especially important when renovations must be done during working hours and when business operations run 24 hours a day.
2. Source Control
Controlling sources involves preventing or eliminating pollutants from entering the building. For example, do not allow vehicles, machinery or equipment to operate or idle near entries, loading docks or air intakes. This also goes for all pollution-causing activities such as roofing tar pots, painting, concrete, block or brick cutting, etc. Powered equipment produces exhaust fumes, loaded with carbon monoxide, and the others give off chemical vapors or dusts that could be pulled into the building. Carbon monoxide, as most are aware, is potentially very harmful, causing asphyxiation and even death in very high concentrations, while paint and tar fumes, usually just a nuisance, can produce headaches, nausea and dizziness if levels build up high enough. One other aspect of source control is to locate trash containers and dumpsters away from building openings. Source control is also tied to housekeeping and worker education discussed below.
3. Pathway Interruption (Ventilation and Exhaust)
Pathway interruption takes source control to the next level. When pollution-causing activities must occur inside the building we need to implement steps to isolate these dirty work areas from clean or occupied spaces. Ventilation and exhaust systems are used to control and remove pollutants produced by these activities. If the HVAC system is already installed, we can use pressure differentials to keep pollutants generated in dirty areas from getting to clean areas. This strategy often requires building temporary barriers. We can then pump more supply air to the clean area and, if needed, increase exhaust from the dirty work area, preventing pollutants from escaping to the clean sections. Depending on your climate and local weather, we may also use 100% outside air for the HVAC system, thus diluting and exhausting contaminants, provided we protect the HVAC system (more on this later). One final tactic of this control method involves using local indoor exhaust equipment. High-volume evacuation blowers combined with appropriate lengths of flex ducts are placed in the dirty area and near the contaminant source activity to capture and exhaust the pollutants directly outside.
4. HVAC Protection
During construction activities it is imperative to protect all installed air handling equipment from dust, insect, moisture and microbial contamination. If the HVAC system is operated during construction it should not be done without filters. Temporary filter media with a minimum efficiency reporting value (MERV) 5 to 8 is recommended. (MERV ratings refer to how well a filter traps particles in the air; the higher the number the better the filtering.)4 New filter media must be installed when construction is completed and before occupancy. All leaks in the ducts or air handlers must be repaired promptly. Any HVAC equipment or ductwork that becomes contaminated must be cleaned or replaced prior to system start up. If the HVAC system is designed with ducted return air (i.e., ductwork under negative pressure) then the return side should be damped off, sealed with plastic or isolated during heavy construction, demolition or pollutant generating activities.
5. Interior Finishes
New construction and renovated spaces are plagued with emissions from adhesives, paints, floor coverings, carpets and furnishings. Controlling indoor pollutants from these sources is best done using the HVAC system. Before applying finishes, the interior spaces should be properly weatherized, by ensuring that the drywall and plaster are cured and show proper moisture content. One alternative is to run the system 24 hours per day for a minimum of three days at a stable temperature and a relative humidity of 60% or less. In addition, keep the system operating 24 hours per day during the installation of all interior finishes. We strongly recommend not permitting vinyl wallpaper or other water impermeable coverings on the interior side of exterior walls. These materials tend to trap moisture and lead to mold growth and other problems. Finally, give strong preference to the use of low volatile organic compound (VOC) emitting carpets, glues, paints and other furnishings. This will reduce the amount of contaminants you have to deal with as they cure and off-gas (i.e., emit vapors as they react and/or dry).
6. Housekeeping
Perform regular (at least daily) housekeeping to prevent tracking dust and debris from construction areas to clean, non-work areas. Prior to installation, store building materials in a clean area protected from weather. Before allowing occupants to move in, perform a thorough cleaning to remove contaminants from the building. Keep in mind that some conventional cleaners can be a contaminant source. Concentrate cleaning activities on spaces to be occupied and the HVAC system. For the HVAC, ensure all coils and fans are cleaned and filters are replaced with new ones in advance of performing the final test and balance and especially before conducting baseline air quality testing (which we also strongly recommend).
Wrapping up
Putting a good construction management plan in effect can go a long way in protecting workers’ health and preventing poor indoor environmental quality. By employing the control methods identified here you have done everything possible to protect the health of the construction workers during the construction or renovation and also the building occupants for years to come.
References can be found online at www.forensicmag.com.
Vince McLeod is an American Board of Industrial Hygiene Certified Industrial Hygienist and the senior Industrial Hygienist with the University of Florida Environmental Health and Safety Division.
Who says you Can’t do that?
Dick Warrington
Impression Evidence: Admissibility and Best Practices
A good crime scene investigator collects evidence with the goal of solving the crime, and holding the person who committed the crime accountable. It doesn’t matter how great a fingerprint or shoe print is if it never gets admitted in court. During the year, Lt. Owen McDonnell of the Caddo Parish Sheriff’s Office, in Louisiana, and I show crime scene investigators a variety of ways to develop and lift impression evidence. Here, we discuss admissibility of impression evidence and best practices to make sure the evidence you find at the crime scene makes it to the courtroom.
Dick Warrington: Owen, let’s begin by reviewing the types of impression evidence that are admissible in court, so we can then learn how to collect the evidence.
Owen McDonnell: Impression evidence is any evidence that leaves behind a distinctive pattern when contact occurs, which can then be developed or captured for subsequent comparison to indicate the source of origin. The evidence can include footwear, latent prints, tool marks, bullet striations, bite marks, gouge marks in traffic investigations and others. The reliability of the source of origin determination is contingent on the quality of the impression and varies based on the specific discipline.
DW: What makes evidence admissible in court?
OM: The recovery of the evidence remains separate from testifying as to the originating source determination. Crime scene investigators (CSI) are primarily responsible for recovery of the evidence. Expert witnesses are responsible for providing testimony as to source attribution. The court must determine if the witness is qualified to testify regarding his opinion and if the science behind the determination is sound. Going into that area involves Federal Rules of Evidence Rule 702 and the Daubert hearing process.
DW: So, we’re talking about admissibility of the evidence versus admissibility of the conclusion.
OM: Yes, but for the purpose of this article, let’s stick to making sure the evidence itself is admissible. Let others fight about the expert testimony.
DW: Right. So, what types of problems can arise over admissibility of the evidence?
OM: The greatest problems arise over traceability of the evidence back to its location of recovery. How can we prove the impression evidence presented was recovered from the source the crime scene investigator claims? More impression evidence is suppressed due to incomplete documentation rather than problems with recovery techniques.
DW: How can problems with admissibility be avoided?
OM: Through the use of proper on-scene documentation like notes, photographs, or diagrams, and complete chain of custody.
DW: Let’s go into that a little more. How can CSIs ensure the traceability of impression evidence to the scene?
OM: Prior to any development, the area with the impression should be photographed using overall, mid-range and macro photographs. Mid-range photographs are critical to establishing relationships of evidence within the scene. After the original scene documentation photographs are taken, place markers or sticky notes next to the impression area to demonstrate to the jury the exact location within the scene. Take additional photographs after any enhancement techniques showing the impression in situ. Measure and record the location both in notes and reports. Also document the techniques used to recover the evidence. The chain of custody becomes critical and should be written documenting each and every transfer, no matter how brief.
DW: How do you present evidence in court?
OM: This depends on the type of evidence. The original evidence, if available, is always the best evidence. That said, photographic enlargements and photographic documentation of the location should also be part of your presentation. Electronic enlargements are of great use in educating jurors as to the interrelationships of items within the scene.
DW: What presentations are most effective in court?
OM: This again depends on the evidence. There is much to be said for the jury being able to touch and hold the original evidence, as well as competent testimony regarding the evidence discovery, documentation and collection. Increasingly, we are seeing electronic presentations, such as PowerPoint, being used to project images onto screens as visual aids. With high resolution cameras and photo capture of microscopy, we can show the jury our observations in much greater detail than ever before. This is of tremendous value as the old adage of a picture being worth a thousand words stands the test of time. You can tell a jury, but allowing them to see what you saw helps them to believe it much better than mere words.
DW: What are some potential problems to be aware of when presenting evidence in court?
OM: Don’t overstate the value of the evidence or your skills. If you omitted a step, admit it. Don’t try to cover it up. We are humans, and sometimes we make mistakes. Another tip is to check to see how an electronic presentation will look on the same or similar equipment prior to court. If you create a presentation and the image is blurry or too low a resolution to clearly present when enlarged, avoid it. In some instances, no image is better than a bad image. Trying to convince the jury you can see something when they are looking at the same image and they cannot see it, only causes them to doubt you. And if they don’t believe you about this, it may affect the credibility of your entire testimony. They may wonder, if he or she tried to fool me on that, what else is he or she not telling me?
DW: Any other tips, suggestions, etc. that we haven’t covered?
OM: CSIs have great training and are meticulous in their documentation and collection skills. We perfectly package and document each and every piece of evidence we plan to turn in. Yet, we sometimes forget to bring that same attention to detail to the evidence that stays in our labs. While we have great memories, let’s not rely on them too much. For example, CSIs often lift a stack of prints at the scene but occasionally wait until they return to the office to finish filling out the latent cards. But, what if you mislabel a print as coming from the inside of the window on a burglary when in reality it was from the outside? While it may still be the burglar’s print, the probative value is tremendously different. One proves presence outside the window, the other proves at least their hand was inside the building. Finally, take time to learn how to use your equipment and practice your collection techniques. The scene is never the best place to use a technique for the first time. Seek the help of others. The mark of knowing what you are doing is knowing when you need help.
Owen McDonnell is Lieutenant / supervisor of the Caddo Sheriff’s Office Crime Scene Investigations Division in Shreveport, LA. He provides training in crime scene, fingerprint development and comparison techniques, and workshops through IAI. He holds IAI certifications as a Senior Crime Scene Analyst, Ten Print Fingerprint Examiner and Latent Print Examiner. Lt. McDonnell holds a Master of Forensic Science Administration Degree from Oklahoma State University Center for Health Sciences.
Dick Warrington is in research and development, and also a crime scene consultant and training instructor for the Lynn Peavey Company. dwarrington@peaveycorp.com.
Forensic Magazine Trending News
Oldest Ever Homicide in 430,000 Year-Old Case
Evidence of the oldest murder case ever discovered surfaced earlier this year when scientists found two almost identical wounds caused by the same blunt instrument over the left brow of a skull that is roughly 430,000 years old.
Woman’s Body Found in Suitcase at Tokyo Train Station
In early June, workers were “surprised and horrified” at what they discovered after opening an abandoned bag at one of Tokyo’s largest train stations: the decomposing body of an elderly woman.
Sex Toy Turns National Spotlight on Civil Asset Forfeiture
One Michigan medical marijuana patient claimed that law enforcement officers “took everything” from her in a drug raid last year, including TVs and her vibrator, and is speaking out against the Michigan civil asset forfeiture law that made it possible.
Amelia Earhart’s Last Photo Shoot
Amelia Earhart smiles and walks on the wings of her plane in a 1937 film that surfaced in a private library in California in June. The iconic pilot and breakout feminist was about to attempt something that had never been done before: fly around the world.
Debbie Smith Says End of Rape-Kit Backlog is Near
The namesake of the multi-billion dollar watershed act to eliminate the rape-kit backlog spoke with Forensic Magazine in an exclusive interview you won’t find anywhere else. Smith talked about the end of the backlog, and why it’s absolutely essential to test every single kit.
Featured in DFI (Digital Forensic Investigator)
Internet Drug Kingpin Gets Life
Before being sentenced to life in prison, Ross Ulbricht, the creator of the famed online drug marketplace called the Silk Road, pleaded for leniency in a court in June. The Silk Road operation was one of the largest black markets in Internet history and reportedly generated almost $200 billion in sales.
Legal Issues with Cloud Forensics
Unfortunately many companies have entered the cloud without first checking the weather. Columnist David Wilson explains the legal issues concerning storing information on a cloud-based server and what happens when that information is needed in a court of law.
Read these articles and the rest of Forensic Magazine here: www.forensicmag.com
Advertiser Index
Faro: www.faro.com
GE Healthcare: www.gelifesciences.com/FTA
IntegenX: www.integenx.com/rapidhit
Labconco: www.labconco.com/forensics
Promega: promega.com/PowerQuantSTR
Qiagen: www.qiagen.com/24plex
Waters: www.waters.com/toxicology
ZERO MEANS ZERO WITH POWERQUANT
Confidence Comes from Clear Vision.
• Assess the integrity of your DNA sample to maximize your chances of a successful STR assay
• Achieve reliable results with more consistent auto/Y ratios
• Trust your zero quantification results–zero means zero
[Figure: four panels showing 2800M Control DNA untreated and after 50mJ, 100mJ and 300mJ UV-C exposure; Auto/Deg ratios shown in the panels: 0.87, 2.96, 6.44 and 12.66.]
2800M Control DNA (10ng/μl) was exposed to the indicated levels of UV-C energy to induce DNA degradation, then quantified using the PowerQuant™ System. The DNA was amplified using the PowerPlex® Fusion System. DNA samples with elevated auto/degradation ratios yielded only partial STR profiles. © 2015 Promega Corporation. All Rights Reserved.
Learn more: promega.com/PowerQuantSTR
PowerQuant™ System
BATTLING THE PROLIFERATION OF
IS NOT EASY. THEM CAN BE.
FORENSIC TOXICOLOGY
PHARMACEUTICAL
As new forms of “designer” drugs threaten public safety, there is an immediate need for advanced ways to classify these complex compounds. When it comes to sensitivity, reproducibility and ease-of-use, nothing outperforms Waters LC-MS based Toxicology Screening Application Solutions. To solve any drug analysis challenge that comes your way—with more confidence in your findings—see why Waters solutions are all the rage. Visit waters.com/toxicology
HEALTH SCIENCES
FOOD
ENVIRONMENTAL
CHEMICAL MATERIALS
©2015 Waters Corporation. Waters and The Science of What’s Possible are registered trademarks of Waters Corporation.