[Third day ~ 1pm ET on Monday, February 7] [1:29] [National Sheriffs' Association Member:] Excuse me. Have you been attending some of those seminars? [Me:] A few, yea. [NSA Member:] Have you been recording them? [Me:] [Note: I think I instinctively mumbled 'no' here, but I did record several talks.] [NSA Member:] I've seen you record some of them and I think you recorded one on sex trafficking on Saturday. Can I ask that you delete that because of the victim that was in there? [Me:] Um, I absolutely did not record anything that victim said, I swear. [Note: This is true. I ceased recording during the entire segment when the victim spoke. But I did record the police speaking before and after about why the existence of sex trafficking demanded crackdowns on drug usage writ large.] [NSA Member:] We've also had sheriffs come up to us and complain about being recorded in seminars. So, if you have any recordings, I'd please ask you to delete them. [Me:] Okay. Yea, no problem. [Long silence as I walk back upstairs to sit and wait for PenLink talk on search warrants for Google Search and Location Tracking histories.] [24:25] [Loud shattering sound downstairs.] [51:35] [Me laughing like an idiot, I think because of a posting of an I Think You Should Leave meme.] [59:38] [Note: I am sitting in a chair with my laptop out about 10 feet from the second-from-the-bottom-floor conference rooms.] [Megan from NSA:] Hi there, I'm Megan with NSA. [Me:] Oh, hi. Nice to meet you. [Megan from NSA:] Hey, you're with? [Me:] Uh, Hodge Star, LLC. [Megan from NSA:] Okay, thanks for being here. What's next on your agenda? [Me:] Um, I haven't decided yet, but probably a conference in the next round. [Megan from NSA:] Okay, very cool. Well, thank you for coming. Nice to have you. [1:03:18] [Conference Attendee:] Is anybody sitting here? [1:12:32] [Sheriff James Quattrone [1]:] Hello there. [Me:] Hey, How are you doing? [Sheriff Quattrone:] Good, Jim Quattrone. [Me:] Jack, how are you doin'? 
[Sheriff Quattrone:] Is this yours? [Pointing to policing-related book sitting in chair next to me.] [Me:] No, it's been sitting there. And I think somebody else even put that one over there recently. [Sheriff Quattrone:] Where are you from? [Me:] Uh, kinda all over. Most recently, uh, Queens. How 'bout yourself? [Sheriff Quattrone:] Queens? Really? [Me:] How bout yourself? [Sheriff Quattrone:] I'm from Western New York. [Me:] Oh, okay. [Sheriff Quattrone:] I don't know if you're familiar with it. [Me:] No, I only moved to New York, like, a few months ago. But I lived in Silicon Valley for a long time, Texas originally. But, yea. So what part of Western New York? [Sheriff Quattrone:] Do you know Buffalo? [Me:] Uh, yea, yea, Actually I had a good friend up there that teaches up at the University of Buffalo. [Sheriff Quattrone:] So, I'm about an hour and a half southwest of Buffalo. I'm about as far west in the state as you can go. So I got Pennsylvania on the west side, Pennsylvania on the south side, Lake Erie on the north side. [Me:] How do you like it up there? [Sheriff Quattrone:] I've been there all my life. So, I can't complain. What does your friend teach? [Me:] Uh, Applied Mathematics. [Sheriff Quattrone:] Okay. I, uh, He was actually. I didn't go to Buffalo, but I went to RIT, which is in Rochester, New York. And one of my professors there teaches at the University of Buffalo. He's a retired State Trooper. He, uh... [Me:] Yea, I gave a talk up there one time. It was a pretty nice place. [Sheriff Quattrone:] You did give a talk? What did you do? [Me:] Uh, well, I was a professor for a while. I have been consulting for a while in emergency response, uh, like disaster technology stuff, like data fusion. [Sheriff Quattrone:] Did you have an exhibit down there? [Me:] No, no, I didn't unfortunately. But there were a lot of, uh, exhibits down there. I got to talk to a bunch of people. What about you? 
[1:14:39] [Sheriff Quattrone:] I'm a Sheriff in Chautauqua County [see 1]. I've been in the Sheriff's office for 35 years. [Me:] Have you enjoyed the conference so far? [Sheriff Quattrone:] Yea. Yea. Not been bad. [Me:] Have you been before? [1:14:55] [Sheriff Quattrone:] Not to this one. I've been to the one in, the summer conference. Summer conference, I think, like, our state association does the same thing. They move 'em. The summer conference is always in a different location, whereas the winter conference seems to always be in the capital. Cause what we'll do is, like tomorrow, a lot of us will go meet our Congressmen, Senators. And we do the same thing in the state. We meet in Albany in the winter. And then it's during the legislative session, in the summer we usually try to find a nice place to, where we can have a little vacation. This gets to be long days, but it's, um... [Me:] You can only listen to people talk for so long. [laughs] [Sheriff Quattrone:] That's true. That's true. I get tired. [Me:] Even with coffee. [laughs] [Sheriff Quattrone:] Especially with a lot of us. We're just used to movin' all the time. So, is this your first time coming to this? [Me:] It is, yea. I figured it would be a good, you know, excuse to learn about the more law enforcement side of public safety. And it's definitely been an enlightening experience. [1:15:56] [Sheriff Quattrone:] So how did you get into it? [Me:] I just signed up. [Sheriff Quattrone:] Okay. What is your name? [Me:] I'm Jack. [Sheriff Quattrone:] Jack. What's your last name, Jack? [Me:] Uh, Poulson. [Sheriff Quattrone:] Poulson, like P-U-L? [Me:] P-O-U-L. [Sheriff Quattrone:] Really? The reason I ask that is, so, huh, um, I had, uh, well, my dad had a friend. Gordie Poulson. [Me:] Oh, really? [My voice raising noticeably] [Sheriff Quattrone:] Um, I used to shoot trap and skeet. Now I just shoot trap. Gordie was on our skeet team. 
[Me:] Oh [my voice even higher] [Sheriff Quattrone:] I call him a friend, but he was old enough to be my grandpa. I don't know if I've heard that name much. So, CEO of? [Me:] Uh, Hodge Star Scientific Computing. [Sheriff Quattrone:] Oh, okay, oh, alright. [starts to get up] [Me:] Is it time for the next round? [Sheriff Quattrone:] Yea, well, in about five minutes. I'm gonna go get a seat. Should be a pretty good one. [Me:] What was your name again? [Sheriff Quattrone:] Jim Quattrone. [Me:] Oh, nice to meet you. [Sheriff Quattrone:] Good bye. [Walking to PenLink session. There is a lot of noise from the microphone rubbing against my clothing.] [1:20:52] [PenLink's Scott Tuma:] Last breakout session of the day. Got the two minute warning for ya. Luckily, I think I'll go for about 45 minutes today and kind of open it up for questions here at the end. [Audience Member:] It's your show. We've got plenty of time, so. [PenLink's Scott Tuma:] I'll give you a little break here though. Last session's here, so. You never know what you're gonna get kinda when you're towards the end. People are gonna start clearing out. So, I'm glad to have you guys. [1:21:21] [Audience Member:] Are you familiar with ILEETA [2]? [PenLink's Scott Tuma:] I'm sorry? [Audience Member:] ILEETA. International Law Enforcement... [Scott Tuma:] Yea. [Audience Member:] So they've got their conference every year in St. Louis. And they're all the time lookin for presenters for Saturday. Everybody's, everybody's cutting out on Friday, but they have a Saturday session. I did that one year and I'm like -- I understand why they want to do it -- but I'm not doin it anymore. It's just like, you know... [Scott Tuma:] I think, I think I heard, that this one, they took 24 and they had over 125 submit. [Audience Member:] Yea [Scott Tuma:] I would have preferred to go a little earlier. But first year to to present here, so I'm excited to be here...I'm gonna peek out the door here then get things rollin here. 
[1:22:24] [Scott Tuma:] I'm gonna give 'em about one more minute and I'll leave the door open for a couple of minutes and get some late stragglers in and go from there. [1:23:20] [Scott Tuma:] I've got 2:15, so I appreciate y'all bein on, on time here today. Um, we're gonna talk about the importance of social media search warrants today. I've had a lot of experience over the last 15 years workin' these types of investigations and, and really trying to find the value in grabbin' data from the GMails and the Apple iClouds and the social media giants that are out there. [1:23:42] [Scott Tuma:] I come from, uh, actually, Lincoln Nebraska is my home town, right in the heart of the midwest, there. So, I've got about the same weather as out here, it's actually a little bit warmer back home right now. I'm excited to get, get back to about 55 or 60. But [1:23:59] [Scott Tuma:] I work for a company called PenLink. Anybody heard of us out there?...We do a lot of, um, we do a lot of wiretapping, and originally started there, um, with the federal government. About 34 year, our 34th anniversary is coming up here in April, and we, it really started out with a local agency coming to us and saying "hey, we've got all these phone detail call records and we need to do something with these hundreds of calls", and in 1987 that's where we started. And then in 1998 we deployed our first wiretap system. And we've got those, generally, uh, scattered all over the US and all over the world. [1:24:36] [Scott Tuma:] When I came on we also developed the software called Xnet [3]. This was our first internet-based case analysis tool. Back in '06. And it was on a separate platform. And since then we've combined all of these tools and, um, developed a software solution called PLX [4]. [1:24:55] [Scott Tuma:] Now, my bosses -- the two best bosses I've ever had, said "If you've got a problem, come to me with the problem, but also bring me a solution". 
And I want to show you a lot of the concepts and ideas and things that you can get for search warrants, but I'm gonna have to sprinkle in a little bit of my solution here, also, which is PLX. [Scott Tuma:] Live and historical analysis tool to be able to look at really everything in one tool. You've got your forensics tools, you've got your phone, uh, or internet based tools. This one combines all of it into one. And I'm going to sprinkle a little bit of PLX in today and I'm gonna talk a lot about what you can get from some of the different providers. If you've got any questions, just go ahead, and -- like I said -- let's take about 45 minutes. If you've got a question in the mean time, hit me up, or I'll stay a bit extra after the end for any of those. [1:25:48] [Scott Tuma:] My name is Scott Tuma and I've been doing this for about 15 years. I was in internet banking for about ten years before this, I absolutely hated it. Love what I do today. I get to work a lot of high profile cases. [1:26:00] I deal with one in New York right now. Four targets. Two and a half terabytes of Apple iCloud data. Just kind of helping on the side on this one. Found, um, backups in those Apple iClouds, which we're gonna talk about. Ten homicide victims alone saved in these Apple iClouds. Um, things like conversations and recorded conversations in WhatsApp. Um, it was a home invasion which included the safe and the video as they're going through breaking into the residence. [1:26:34] This stuff is absolute gold, but two terabytes of data is just a boatload of data and it's very hard to go through it without a solution and a tool. That's what I'm here to kind of talk about here today. PenLink has been in business for almost 35 years and we work very heavily with the feds, but we also work heavily with many, many of the state agencies. I got a chance to go to the social at about 7 o'clock last night. 
Ran into a couple of folks that had previously used us when they worked in the federal agencies on some wiretaps. [1:27:07] But what I really want to talk about is really the struggles that folks have today. It doesn't matter how small or how large the office is. If they write a search warrant, they're overwhelmed with a lot of data. They're overwhelmed with large volumes of data. Too much data. Over say, multiple targets. There's no standardized format for any of these companies. [1:27:29] For example, Apple iCloud sends an encrypted GPG that is password protected. That's the format they give ya. Facebook will either send a zip file or a PDF file. Many of the others send zip files that have HTML or XML based data or CSVs or XLSX text files and so on and so forth. [1:27:51] We're gonna briefly talk about how a lot of time can be wasted getting location information for, say, login IP addresses. You can have that automatically resolved and really save a lot of time to be able to pinpoint that target. Towards the end I want to show you an area that we've been seeing some extremely great success on cold cases. Bringing in some Google location data that can pinpoint me basically a meter from my location as I stand here. Really cool stuff. [1:28:21] The big one here that we've been known for for years is putting this conversation back together. I'll just give you a couple of examples along the way. Being able to get that data and being able to get that in the hands of a prosecutor can be key. [1:28:34] So, as you know, cell phones versus smart phones. About 85% of Americans own one of these fancy little computers at their fingertips. So, when we're dealing with a smart phone...You know...what is a smart phone? It's basically, that device can connect me to the internet. It can do everything. It can allow me to access email, posting websites, it can allow me check my flight that I'm jumping on -- it's slightly delayed here today -- Online purchases. 
Any kind of banking, I was paying my bills just a few minutes ago. Being able to access just a plethora of videos and for me to be able to post those videos and images also. [1:29:14] You know, they also actually still make phone calls too. I rarely use that device to make phone calls now. I use it for such a wide variety of other areas. So you think about these cell phones over the years. Remember these? They started out huge, they were big and heavy and bulky and they were that big brick. And they began to get smaller and smaller and smaller and more powerful. But predominantly those cell phones make text messages and allow for phone calls. If you look at the smart phones, they started out small but they got bigger and bigger and bigger and bigger. The screens just seemed to get larger and larger. And why is that? Because of social media and the ability to watch and view movies. So they can...You can do pretty much everything a computer can do and more. [1:30:00] So you start thinking about smart phone users. Um, I started doin a little bit of research here a little while ago. I'm kind of a fact to figure guy. It's gotta be interesting to me. That one's interesting. The average person, as you see, looking at their device, almost every single one of 'ems head's buried. When I go to the airport I love to just sit back and relax and I like to put this thing away. And I like to watch people -- I don't make eye contact with hardly anybody at the airport because they're all buried in trying to figure out their device. [1:30:29] Four hours, that's an increase of over 30% over the last two years on people using their smart phones. Some of the features here: the new features for the iPhone 12 and 13 in the past couple of releases. Super fast chip. The processor's way faster. It's got a better display and the camera is second to none. A lot of good stuff you can dwell from an online case. [1:30:57] So when we look at this. 
And we look at your folks that are runnin' these cases right now. When we look at that 85 demographic -- 85% in that full demographic -- when we look down here at the 65 and older, only 61% of people at that age have smart phones. How many cases are you workin' of 65 and older. Not very many, I hope. [1:31:21] This is where your concentration is. 95-96% of the people 18 to almost 50 have one of those digital computers on person with them almost all the time. 89.5% of smart phone users are on social media. 9 out of 10 people have social media and check it on this device. It doesn't matter what it is: might be Twitter, SnapChat, Pinger, Facebook, whatever it is. This data, you can get a search warrant for any one of these companies and be able to really tell the story of your case. Make it extremely incriminating. [1:31:56] People -- I get to speak all over and it's great -- but I always have a naysayer in the audience say "Weeelll, you're not going to be able to get the Google and Facebook data for much longer. It's going to go point-to-point encryption and you're not going to be able to do it much longer." And I always call BS on it for this reason right here: Google's ad revenue in 2020 was 182 billion dollars. [1:32:20] They are taking that information for all of the different things that happen in those Google services and they're collecting and storing essentially everything. Then, when I'm here in DC and I say "Ah, yea, Where should I go eat?", "Why don't you go across the street there and go have dinner over at that restaurant, or whatever." They are constantly, constantly tracking me. [1:32:45] As I'm sitting right here -- oh, actually, we're gonna talk a little more about it -- while I'm sitting right here, this thing is basically in its kind of dormant mode. It's locked at this point. A GMail email could come down and *bing* come to this device. Google is tracking me as that is happening. 
Amongst all the other Google services that could be running on those other apps behind the scenes. They're storing and saving all of that information. And I've got some really good stuff to show you here on how you can get that from just a simple search warrant. [1:33:16] Facebook's the other one. Facebook was way above projections. They got over 115 billion dollars. I'm not a Facebook guy. But I get on Facebook to see what's the new hot thing and the new trend going on. Every time I see "oh, there's that pair of shoes that, those pair of running shoes that I was just shopping for earlier". How'd the hell did they get that? They're tracking all of this information and they're storing and saving it. [1:33:42] So, search warrant return. You can get these that are 100s, if not 100s of thousands of pages long. The largest one I've ever seen was about 340 thousand pages. An online pharmacy had their own site and you're seeing message after message after message after message in the raw data. [1:34:02] Now, if you have to do this for your job, this manual process when you have to scroll down 100s of thousands of lines, or read millions of messages, it's very tedious. SnapChat, very popular communication tool. The message is deleted in 3 to 10 seconds is what SnapChat claims. You look at a message in a search warrant and you see "Oh, yea, here's the To, here's the From, here's the Date and the Time and then here's this long Media ID. That Media ID, now, I have to manually try to figure out that string value in those thousands of videos. Which one does it even tie back to? The data is great, but the way to manually look at this stuff is really difficult. [1:34:49] And that's where the solution here is the company that I work for, the PLX tool from PenLink allows you to see a homicide investigation. Where's the body? Here's one target, where I dumped it behind the house, and then there's the visual. 
I know it's kind of a cheesy example here, but I betcha I've seen at least ten of these examples in social media where they say "here's where the body is" and then they have a picture of the body, maybe there or maybe it's buried just like that. Very strong tool to be able being able to tell the picture here and now. [1:35:21] One of my favorites now too -- as I mentioned -- the Apple iCloud warrant. These are phenomenal. If you have an Apple ID or an iCloud email, you can write for a search warrant on that account. I'll tell ya what, I've got cards up here, and if you want your folks to get ahold of me on, uh, any templates, I've got a bunch of different templates. The iCloud stuff is really important here. [1:35:46] [Scott Tuma:] The two that I really want to point out here is: (1) you get the emails, but this one here. You get all of the backups. So, on these devices they let ya have about 5 gigs of free storage. Individuals are going to pay the 2 to 5 to 10 dollars a month to store and offload all of their images. All their videos. All their documents. Everything on that device. [Audience Member:] 99 cents a month. [Scott Tuma:] That's what you're payin? [Audience Member:] That's what I'm payin. [Scott Tuma:] Yep. If you did somethin' bad, I betcha' I could find it on that backup. Yep. Good point. Right here though, we're findin' examples here of the data here for an encrypted application like WhatsApp, you can go to the, you can write a search warrant and they'll tell ya to go pound sand. They don't have the content. It never reaches and travels through their servers because of point-to-point encryption. [1:36:39] But, when I come in here -- and I do use WhatsApp to communicate with some folks down south -- the data for those conversations are all stored in a decrypted format so I can go back and read the whole conversation from start to finish. Guess what? 
When you back up -- 99 cents you're paying -- you can turn off certain applications, but a lot of people have those turned on to backup by default. [1:37:06] So we're able to see some of those WhatsApp conversations. I have about a thousand recordings from WhatsApp on that New York case that I'm currently working on right now. They're all in Spanish, so I'm okay with it, but not too good on it. So I need a little help with that. [1:37:23] But there's a boatload of other things out there. We even saw on an ICAC [5] case where a guy did a remote delete from his iPad to his other iPad device. We saw that actually, as the date and timestamp when that occurred. [1:37:37] Here's what a [sounds like: app like] iCloud warrant looks like. It's a pain in the ass. It comes down as an encrypted data file, you gotta jump down about ten hoops to get to this point. To go from folder to folder to folder on down the line to finally get into some of this stuff. We've simplified a lot of the process and we actually take the ability to decrypt the file itself so you can view this stuff much much easier. [1:38:00] Here's the value of an iCloud warrant. If you come in here and you see all the backup data within the file -- these are all JPEGs and other images -- there could be a metadata .XML, excuse me, .TXT file. If we go in and look at it, they're providing you intel. If the photo that I took and I had geolocation turned on, they're gonna give that and extract that out to ya. Date and timestamp on the image. It's hard to see here, but the timestamp is 1-4-8-6-3-blah-blah-blah-5-8. I say "What in the world is that?" They actually kick it out to you, but it's in a UNIX coded timestamp. Some goofy developer wrote this, so they didn't put it in English for us to really be able to look at it. [1:38:50] Now, a tool like PLX, though, can come through and restructure that and give you that date and the time. Same way here, we've got geolocation here. 
This location ENC area within the raw data itself, is garbage. Until you put it into a tool here, like PLX, then you're able to decipher that and be able to map it. It's gonna save you a lot of time. [1:37:17] Now, same way. I added this one in here this morning. I was talkin' to a gentleman over a drink last night. He said "You know, where I'm strugglin is with the GMail." GMail kicks out an inbox file. It's straight-up text. This is an actual image, or a reconstructed HTML. But this is all just Base-64 encoded messaging. It's garbage to me. This thing, you tell me what that is. Well, we come back through and reconstruct it and we'll prove to you that hey, it's an image, it's a video, or, in this case, that's an Uber receipt. Yep. [1:39:54] That visual saves you a lot of time and headache. If your folks are telling you, "Ah, I get GMail and it's garbage. I don't have time to look at it, it gives me this." Well, true, they are correct. But we need to be able to get you to this point to save you a lot of time. [1:40:11] These are just some of the different providers that we handle. I was talkin' to a few folks last night which use a few forensics tools to try to jam some of this stuff in. It gives them some form of intelligence but it's a little difficult for them. So you take things like a Cellebrite extract: you can load that into PLX. You can autoload your Cyber Tipline [sounds like: NICMate] information along with any of these others: AT&T and Verizon phone records, along with social media and email. In fact, we don't just load the top 10, 20 of them, we load them for over 600 different companies. So, I rarely see one come my way anymore, but that new hot social media giant that may come in: I'll get a sample of that and get that in our list for ya. [1:41:01] Now these companies change their formats constantly. Facebook drives me nuts. They change their formats for date and time and all sorts of things. 
We've got a group of developers that help in that role and can get you viewable data, typically within just a few hours. [1:41:21] Very important: So, the old file format for Facebook search warrants used to be the old PDF file. They'd have hyperlinks in that file so if the target deleted the data -- if they deleted the incriminating video -- it's gone. You would no longer be able to see that at all. They came out with a ZIP file format, here, I don't know, three years ago. You still have the option to get either one of them when you're downloading through the Facebook portal, either the PDF or the ZIP file. I tell folks always, always, always, always get the ZIP file, because you get the audio and the video files. Even if they've been pulled, they've extracted that information out and they can supply that in their output file. [1:42:04] If you've loaded that data into PLX, I hear this a lot, um, some case agent or investigator gave me a file and said "Here, load it and see what you can find." It's a homicide. It's an ICAC case. It's a home invasion. Just whatever. Go dig through it. We have dashboards at the beginning that kind of tell ya and give you an idea who the top 10 -- maybe -- contact IDs are. It's a little hard to see here, but is there any child exploitation information, or child pornography, in the dataset. And other heat maps and other ideas that give you kinda things that, maybe, can be some kind of red flags. [1:42:45] And then going into the analysis section. When you load the data you can go directly into the analysis section. Then you can go in and start to really identify and start to read and look at the information: Calls, emails, accesses. This would be where the social media messages would be. You look at the social media messages. Very small warrant for Facebook. Only 22 thousand messages approximately. You see a preview of the content call in here and you see one down here that could be a phone number. 
I could click on that and view that information at this point and really good idea of what's involved with that message. [1:43:26] Let's not do that. I tell people: eliminate the noise. You've got 20 some thousand messages. There's no way I could go through and click and click and click and click and view every single one of these. No matter how good of an investigator that person is, it's really hard to see that stuff. [1:43:43] So use the power of the filter. You can filter down by maybe say, Unified Messages, those are the Facebook Messenger messages. That's the fancy word that Facebook uses. Now we've taken 21 thousand messages down to something a little more manageable. Still, way too many for me. I'm not lazy, I just don't have the time to click through 4,300 messages. If we click another button, this will give us the conversation view. Now we've taken 21 thousand messages down to what is really 11 conversations, with the click of two buttons. If I want to go into one of these conversations, I can simply come in and click the small triangle or caret off to the side and then it would give me the sender and recipient, but more importantly it gives me this stuff. It gives me a preview of the small little smiley faces here. It looks like a phone number, a reference to a 45 here. We've got some good information. I could click on any one of those messages and dive right into the conversation now. So we're saving the investigators a ton of time, effort, frustration, and being able to let them come in here. So now, working that homicide, "where's the body?" "Where I dumped it behind the house." You have record flags here. Perp perp perp. Okay. We got an arrest. Finally took place. We've got the individual in custody right now. We have the ability now, let's say, six months, twelve months goes by. It finally goes to trial. I worked that case a year ago, and I tagged a bunch of things pertinent. 
I can simply go into the system now and click on the pertinent messages and I can bring that -- not 21,000 messages -- but the 55 perts that I deemed or tagged pertinent, 6, 9, 12 months ago. [1:45:36] I can still go back into the data and continue to look at it. But now I got this stuff, I worked on it before, and I've worked on 15 other cases in the mean time. Now I can come in, I can export the data out as HTML, as PDF, or even this spreadsheet lookin field. And I can identify whatever I want to give my attorneys. Including the images, including the videos, and everything like that. [1:46:00] This is the part where the attorneys like the conversational view at the top. It's a synopsis. The date of the first message, the date of the last message. How many of them have videos and photos. The color coding white between gray to go through the conversation and then the preview of the images. So from start to finish, now we're saving those investigators an absolute ton of time. Now, instead of working one case, they can work ten cases at one time and really use the power of the filters in here to help work the cases. [1:46:37] So, digital media is a key piece in here. You start talkin images. If your investigators are randomly going in here and lookin at images and they find one: Boom! I got guns, I got drugs, and this dude is partyin' and doin' all sort of stuff in here. That's the picture of the missing kid though. That's the one we're lookin for. [1:46:58] Okay, great. You identify that picture right now, okay. What do we see in there? I travel all the time and stay at Marriotts quite a bit and I can tell you right now, that's a Marriott. From the bed linens, to the phone, to the night stand, to the wall paper. Alright. Anybody know how many Marriotts there are in the world? I told ya, I'm a computer guy, not an investigator, so I'd be pretty lousy if I came to my boss and said "Hey, look at this". It's almost 8000 worldwide. Okay. So I have no idea where that is. 
[1:47:32] Visual's pretty good, but I don't know. Now let me throw this thing -- same example -- out at ya. You're going in, you're lookin at the same thumbnails. This is in PLX and the attachment section you identify that particular image again. You see a number up in the corner. That represents that that image was sent or received by the target eight different times. In a child exploitation or ICAC case that could be relatively, that could be a big step. Because if you're a state that hits on child pornographic distribution, you could hit that individual with eight counts of distribution, now, if they sent those out. [1:48:12] Now, how do you know where they link back to? This is the one feature -- one of the ones I'm most proud of. You highlight the image here and it will give you all the communications that will link it back to all 8 of those original emails or social media messages -- or text messages -- or whatever it came from. I can simply click on one of those messages now and go into the context of the conversation. Again, I can hit the record flags: perp, non-perp, privileged, and go that route. [1:48:44] Important thing: with these images though, you have to ask in your search warrants -- and, again, I have sample of them -- you have to ask for photos with EXIF data. Exchangeable Image File Information. This is what Facebook gives you. They don't give you the original picture. This is another one. People always love to argue with me on this one, they say "Oh yea, Facebook doesn't give you the EXIF data. They don't give you the location data. They don't give you anything. They just give you a snapshot. You can't right click on it and go into the properties." True. But if you ask for it in a warrant, they will give this to you as text. They will give you the uploaded IP address. Which, later you're gonna see could resolve back to a specific location. The date and the time. The make and model of that device, of that camera. We make an arrest. 
The person, we seize the camera at that point. Guess what, now we've got the origination of that, maybe, that child pornography. [1:49:43] The main part though is that latitude and longitude down at the bottom. And so many of these missing kid cases where we come in, we get this, you ask for the EXIF data -- again, this is just an exerpt out of the legal request. Again, I can get you this stuff, samples of those for your folks -- when we look at the image and highlight that image you can go put those into a mapping sequence and identity that's our Atlanta Marriott. Right from that information. And I'll betcha you can work that case in five minutes, if that, if you can identify that kid in the thumbnails there, would be pretty slick. [1:50:29] Now, let's solidify this case even more here, okay. Um, tell you what, we'll come back to that in just one second. Keyword searching, we've got keyword searching in here. 25 thousand messages, you are working a murder case. Let's look for the words "kill" and "murder", yea, got it. We can do keyword searching. Here's where we go a little above and beyond. Think about this. You can import in a list of key terms. I get these from ICACs all the time. You've got a thousand different ICAC terms, four hundred different slang drug terms. I want to know if any of those words are in any of these -- in this case -- 195 thousand messages. [1:51:13] You can go and import that list in. Just comes in a CSV file. If you've got it, we can help you get it in there. These ICAC terms are relevant to here. I've got another called "Four Hundred Key Drug Terms" right there I could also highlight and checkbox. Checkbox that, run the query, and see what we get. My favorite one though is the regular expression, or the pattern searching. You come to us, you can call our support group, and you can say: "Hey, you know what, I'm lookin or something unique. 
I'm lookin for VIN numbers, I'm lookin or social security numbers, bank accounts, anything that looks like a phone number maybe." Well, how about a US based phone number that's 10 digits long, that's 9 digits, this is what this combination is. Spaces, no spaces, parentheses. And all those other combinations. Let the system go out -- not look for a specific phone number -- but in these 195 thousand messages, are there any in there? [1:52:15] And we run this query, 195 thousand goes down to 23. You're the boss, or you are the boss, and you tell your folks "Hey, go find some other phones to go up on." Well, here's 23. No spaces, parentheses, dashes, and all these other combinations. With a click of a button now that's what the query brought it back to us. Now, that is gonna save an absolute ton of time. If you go fishin and tryin to find these, it's gonna be tough. And you might miss one. You might miss two. Your folks are gonna have a little bit of trouble. They're gonna hate their job too if they're goin through that many messages. [1:52:59] I got two main areas I want to talk about. One of em is really dealin with tracking and locations of individuals. You can gather -- from a subpoena -- login information, basic login information. You can even get a live feed of that same login information. A subpoena can grant you something as simple as this: a date and a time, and an IP address where that target logged in from. Okay, I was here, I jumped on the free wifi up in the room, on both my laptop and my mobile device, and I hit the free wifi. I logged into my GMail account and it tagged itat the [oh?] IP address that's located here in the block of IPs here in the hotel. [1:53:48] So they got proof that I was here, or someone logged into that GMail account several times at that location. Pretty good stuff here. Facebook does the same thing: you ask in a subpoena -- simple subpoena -- for the login information. They'll provide that to ya. 
But Facebook goes a few step furthers. They don't only give you login information, but they track IPs and dates and times of other transactional stuff. When a photo, when and where a photo was uploaded. When a credit card transaction took place on Marketplace. If you're in an area where there's a lot of stolen goods -- you're workin a lot of stolen good cases -- Facebook Marketplace is awesome. People will go in and they'll take pictures -- they'll take the picture right here -- and steal that device. And you can see that it was taken because you can see off the wall that the imagery of the picture, AND the geolocation was on that image. Then the person goes and posts it on Marketplace and tries to sell it. Or, they take the picture of the stolen goods at their house and the geolocation is provided at the house where they took the picture. It's just, I mean, you know how stupid people can be, but they kind of almost help you, beg to get caught. [1:55:11] Here's how this stuff looks again, in our tool. The first five lines would be what we get that's generated from, say, GMail or from Facebook. The additional information though, can provide you a location. In this example here, my target logged into a Facebook account using a Verizon Wireless in Puerto Rico resource. Well, alright, he or she is in Puerto Rico. We also see loggin' in, I'm goin over here to Reagan in a few minutes and if I hopped on the free WiFi over there, same example. Las Vegas McCarran airport. I'm trackin this person with a simple subpoena and the resolution done here with the PenLink tool. [1:55:58] Now the beauty of this is -- and I've seen a lot of these where we resolve these targets back to almost 72% at a Starbucks, or a coffee shop. This person's going in, using the free WiFi at a library, or at a Starbucks, or wherever. And you can see those patterns every Tuesday or Thursday. 9:30 to 10:30. They're meeting individuals there but they're still online doing their thing. 
[1:56:26] Here's that same example. We've got the picture at the Marriott. Here's the login information that we also ask for. We see that the Marriott International, the individual logged in a variety of -- 12 different times here. There's a mapping of where the individual was logged in. You've got he or she logged into the device at the hotel and we have them on an external picture that they also took at that same location. Simple subpoenas and simple search warrants here that we're writin' on this end. [1:57:03] This is my favorite one of all, right here. The precision location. Like I mentioned earlier, this little thing right here [holding up cell phone] is trackin' me wherever I go. You've heard of it -- even if it's turned off, they're still able to getcha'. I get people that *always* try to fight me on this one and say "Well, if you turn off the geolocation piece, they can't track you." Yes and no. They can't track you maybe on a WiFi signal, but they can still track you on BlueTooth and GPS and cell signals and things like that. I haven't figured out a way to turn off all five different areas so they cannot physically track. So, and I've talked to some of my smart Secret Service guys and some of those other guys too and folks in the world and I haven't gotten an answer on how you turn it all completely off. [1:57:58] This stuff is great. When you ask for location history though, it's not subpoena data. It's classified as content. You can do a live intercept on it, or you can get it as a search warrant. But it does require a judge's signature because it's classified as content. Facebook will fightcha' tooth and nail, they'll reject it, say you gotta write a warrant for it. Just a quick sample, again. I can get you the go-by's but defining location history properly is key on what they will provide you. The target checks in at any point in a time range, we need to be -- they're hittin' a GPS signal, whatever t may be -- make sure we define this correctly. 
Again, we've got go-bys with all of this stuff. I don't want to bore you with legal requests. [1:58:46] This is the one that I find extremely interesting. This thing [holds up phone] get's checked approximately 86 times a day. That's once every 11 minutes by smart phone users. Think about that. It's locked right now, I've got to come over here and I've got to either use my thumb print or facial ID or type in my six digit or whatever pin. 80 times a day, on average, that's what's happening for people. Well, guess what. When that device unlocks, it opens up a whole floodgate of more things that I can be tracked by. When it's locked in this locked state right now, there's no shootin' out GMail messages and other things. When I come in and unlock it though, there's other forms, especially on the Apple device, that says *boop* *boop* Green Light, Scott's online right now. And a whole bunch of other applications: Microsoft Teams and Zoom, and all sorts of other -- on WhatsApp and on SnapChat. That says: "Oh, I'm available." So think about that. That's a key, key piece. They're unlocking their phone or viewing that, on average, about every 11 or 12 minutes. Crazy, crazy, crazy. [2:00:02] This is what a Google location history file looks like. You write this to Google in a simple search warrant and ask for simply location history. They, here's the GMail account, in this example. Or it can be a Google ID, the date and the time, but here is the cool stuff. The latitude and longitude but they give you an actual accuracy on the data that they've supplied you. They are now producing on a GPS signal and many Google services -- it doesn't even have to be a straight-up Google app like GMail -- they could be...anybody who is a...if I was in my parents' basement codin' and creatin' an app and I can integrate into Google services, Google services are still tracking me on that device. They are getting people between 1 to 3 to 5 meters in proximity on the GPS. 
Five is stretchin' it a little bit. [2:01:05] Now, I used to love to do this, because I would get right, right within about three feet of ya and try to make ya feel uncomfortable. With COVID I'm not gonna do that right now. That's crazy. They can get me within three feet of a precise location. I cannot tell you how many cold cases I've helped work on where this is 5, 6, 7 years old and people need to put them at a hit-and-run or it was a sexual assault that took place. I need to put this target at that location. If you write this and, man, they got the device on them, you can get really lucky. And it happens a lot. I have multiple, multiple examples of puttin' target and victim in the exact same spot. Because both of them had GMail accounts. Both of 'em had Google accounts. [2:01:50] Facebook does the same thing, the only difference here is they provide you a date and time and lat and long, but they don't provide you an accuracy. They don't give you that 1 to 3 to 20 to 30 meters. So, it's still really good stuff. SnapChat now is starting to provide a geolocations file also. They can do the same thing. They can get that proximity. They are givin' me that 4.96 meters. 39.66 meters. They're giving you that accuracy on that side. [2:02:21] Now, the value that you have here within PLX is you're takin' and loading that data in and you're able to quickly map that information. And you're able to take, maybe say, a date and a time range of maybe a 15 minute window when you know victim and target were probably at that location. Again, sexual assault, homicide, a hit-and-run, whatever it may be. If you've heard the term geofence, the geofence is very similar. Except for you're making a fence around an area, you're writing a warrant, and you're saying who was in that area at that time. In my example here, I have the two datasets from both victim and target. I've isolated it down to a, a 5, 10, 30 minute window. It's kind of cool here. We can automate this. 
We see our target and we see our victim here. You can even automate this where you see the dots come into this location and you see one of the dots take off. What does that signify? She didn't make it out of there. You know right where she was at. You know the accuracy, that's right precisely the corner where we found the body. Or, I should say where you found the body. Sorry, I get wrapped up, I like to help here. [2:03:36] So, Google data. One of the last things I wanna talk about. I wanna take a five minutes and talk about live. Google. The GMail email and the login information. I used to sit on my soapbox and say "You guys gotta go get this. Go get this data." People have been gettin this data for a long time. Along with the location history. Searches are the best. I go to these big huge auditoriums with hundreds, if not thousands of people in 'em and I say "Who's doin' GMail?", "yea" everybody's got their hand up and everybody puts their hand down when I say "Who's writin' Google searches?". In your Google warrant ask for all this stuff. You're gonna get device information, you're gonna get the photos and the docs and Google Voice. All sorts of cool stuff. The Map searches could be extremely useful. After they did this, if they did a home invasion, they searched for the address in their Google Maps. The searches are cool though, here. Look at this stuff [points at screen]. I'm not kiddin' ya. Multiple homicide investigations, I've seen it: "How to dispose of a human body?", "Best place to dump a body." Swear to god, that's what they search for. It's in their Google history. They cleared their browser and their cookies and things, they think it's gone. Google's the best. Not only did you search for it, this bad guy here, "Best place to dump a body". There's the website you clicked on three seconds later: SerialKiller.com. Now this one's so good, this one is one of my favorites. Nobody asks for it. This stuff is so powerful. 
[2:05:13] I helped out -- this one's probably been about two years now -- that I was helping the local State Patrol, Nebraska State Patrol, on a case, on an ICAC case. I got this guy, they, they proceeded to get him into custody and we got the Google searches. He was searchin' for -- I'm not kiddin' ya -- "naked 12 year olds". In questioning, they printed this search history off, and they were prepared, and they tell the story and the guy goes "Ah, I fat-fingered that. I remember that. I was tryin' to search for 'naked 21'...college age, viewin that." Okay, well why. So they slid the paper across and said, "Then why did you click on a pornographic -- child pornographic website, XXXKiddiePorn.com?" That is incriminating right there. No no no, you did search for it, and, yes, you did click on the site after that. Really powerful stuff you can take back to your folks. [2:06:15] Last area here. Last couple of minutes, I just want to briefly talk about intercepts. Um, I always hear "Ah, we don't have a wiretap law in our state" and things. A lot of that is hopefully changin'. Live intercepts are way different from a phone. A phone live intercept that we've been doin' since, you know, mid '90s -- there's a lot of costs involved with those wiretaps on phones. You've got to have monitors, you've got to have monitors there minimizing and transcribing the information on the phone calls. These are great for uncovering intelligence. They're not solely in real-time. There's a small delay. Facebook, Instagram kick out the collection of the communication and they kick it out to you at law enforcement every 15 minutes, and so on down the road. Now, SnapChat says they'll do it once a week...Groups like Cal DoJ and others have really fought 'em and they're sendin it out, actually, much, much quicker. Usually about anywhere from two to four times a day they're sending an output file. 
[2:07:22] One of my good friends at Cal DoJ, he runs a bunch of gang operations, and he goes up on anywhere from about 5 to 50 social media intercepts. He used to do a ton of wires in the gang unit. He switched over and they're predominantly doing all social media. That 18 to 24 demographic, they're not usin' phones for hardly anything. They're still up on the phones, because, somethin' happens and then they do make that phone call, but rarely do they make phone calls anymore. He's a big believer in it. [2:07:51] Here's how the process works. You have to create one law enforcement based email account. I always joke, you gotta get with your IT folks and it's like pullin' teeth sometimes to get that to happen. We can help you with that area. But, Facebook and others require a .gov or .org, not a .com, email account. You gotta write your, obviously, your legal paper for the, uh, intercept to happen. I've got a ton of those that folks at Cal DoJ and others have shared with me and it's redacted, and I can get those to ya. [2:08:24] You get those too, you send those off to Facebook. Here's what happens. They start sendin you down an email every 15 minutes. Now, you gotta go in, you gotta click on the hyperlink here to download a zipfile directly from the Facebook portal, and you gotta do that every 15 minutes for the next 30 days. Now, this is how big of a pain in the ass Facebook is. They open up a portal for you for one hour. If you don't continuously enter that portal within 60 minutes, they lock you out. So, guess what? When you go home and you go to bed and you've got to catch a few hours of sleep, they just lock you out. Now, in the morning, you have to come back in, and go back through the portal, send them a message in the portal through text and say "Hey, can you unlock my account? Because you guys locked me out." That's Facebook for ya. [2:09:23] Now, we've automated this entire process. I'm proud of what we've done. 
We've listened to our customers, who said "that's horrible to be able to do". So [inaudible] into any emails, there's a PenLink service that resides locally on your agency's system within house. It goes out, and grabs the file, it basically clicks on this link automatically, and brings the evidentiary zipfile in. Anything happened in that 15 minute timespan, all of that is ingested in and stored into evidence, and a working copy goes right into the database. Which then goes over into the monitoring window for individuals to view as it's happening. Or, in any type of delay that occurs. This is what it looks like. It's in three sections. This basically tells me I can monitor, in this example, four different social media or email targets. We've got one highlighted, there's a red -- it says 30 in there -- that tells me I have 30 new messages on that target. I go into here, the conversations are all broken out for me, most current at the top, I click on this conversation, and then this gives me the information that I need to see. I can read from top to bottom and see all of the little smiley faces or images or video links along with all the other information via text. You translate, and you can put a record flag on it: perp, non-perp, privileged, now at this point. [2:10:50] Now, can't remember if I mentioned it, but the folks out in California, they said they'd -- on one of the 30 day, uh, intercepts they went up on on SnapChat and Facebook, they prevented 8 homicides in the first, I think, 20 days of that intercept. The folks were goin through, the gang individuals were, targets, were going through and sayin "Hey, go meet us at the corner of such and such. We're gonna go in guns a blazin', uh, shoot the clerk, shoot any witnesses inside the convenience store. Don't need any witnesses." 8 different occurrences they stopped that from happening in just 20 days. They ended up arresting everybody a little bit early on that gang... 
[2:11:34] Biggest thing: you get data, you get a ton of good stuff. And, like I mentioned earlier, on a phone wiretap you're gonna be payin' monitor fees, you're gonna be payin' the companies alone -- the AT&T and Verizons and so ons -- they're gonna be charging you hundreds, if not thousands of dollars to go up on, really, one wiretap on a phone. These are all free. They don't charge ya anything. Facebook, SnapChat, Instagram, TextMe, TextNow, I haven't found one that's chargin' anything right now. Now, Google does have a small fee, I think it's 60 bucks for 30 days. But I still haven't seen anybody get charged for it yet. [Audience Member:] You think Zuckerberg in Facebook is gonna start chargin since he lost all that money? [Scott Tuma:] I do not. And I get that question a lot. And that's a really good question. And I don't think it's gonna happen until somebody hits him and says "You need to start producin' it quicker than 15 minutes." Somebody comes down and says "You need to send it in real-real-time", then I think they're gonna come back and kick the expense onto you. And so, which I don't want that to happen. [2:12:43] Very rarely they -- in exigent circumstances -- I have seen it out, in a couple different areas where they were sendin down in real close to real-time. One was gettin it every two minutes: that was okay for exigent circumstances. And the other one, I believe, was getting it in, essentially, real-time. So they can produce it if you ask for it. Again, on exigent circumstances. This is my information here. I've got cards up here in front if you want. Again, if you wanna know more, if you want your folks to run through a trial system, we definitely have that all available. I can guarantee if people are strugglin with it, I would hope, 100% of the time I can make life easier for anybody workin these types of cases. 
It doesn't matter what type it is, from large to small, to any geographical location, that social media and that email data is really, really good stuff. [2:13:43] With that said, thank you guys for all being in here -- guys and gals -- but, uh, anybody got any questions on anything? [2:13:50] [Ohio Cop:] Yea, real quick. So, you're dealin with the iPhone stuff and cameras and all that. This is weird. Have you dealt with Sirius XM radio? [Scott Tuma:] I have not. [Ohio Cop:] So, stolen truck, Sheriff gets a call. There's a stolen truck in [sound like: Van Halen], Ohio, [sounds like: they say] area. The detective got a hold of someone, "What's in it?" "We've got a Sirius XM radio, NavCom, all that." So they got a hold of Sirius. And they said "Yea, we can ping it. We can put you within 1000 feet of the vehicle." [Scott Tuma:] Yep, I have heard of that. [Ohio Cop:] Well, they called me out with a drone. So I'm down where this truck's supposed to be and I'm flyin in the woods and stuff and I can't find it. Then all of a sudden the detective calls and says "They just called and said the truck's on the move." So we wound up over at the cemetery next to a freshly harvested bean field -- so it's completely flat right. And, the lady on the phone goes "Now, we've got the bean field on Google. Yea, Google Maps. The truck's in the middle of the bean field." I'm looking out through the cemetery goin, there's no truck. Is it buried? And they -- and I've heard from talkin to other agencies that, Sirius XM, they said, "You don't want to talk to those people. They have no clue what their system does." [Another Audience Member:] Yea, it's completely unreliable. [Ohio Cop:] It was like, wow. You might add that to your thing. "Whatever you do, don't go to Sirius XM." [Scott Tuma:] Well, I just want the pressure to be put on some of these companies to actually do this stuff. But some of the license plate reading recognition stuff, you can dump into here. 
So, when you're [sound like: hittin] you go over to the airport and [inaudible]...Berla is another company we have integrated with to bring in that car information with the computer stuff. I'm always lookin for ways that we can help save the day. Ah, I, It makes me not want to pay them the 15 dollars a month that I'm payin for Sirius right now after hearin that. It just depends on how much pressure is put on them if we can get them to change. Thank you very much. Safe travels, gettin back. [END] [1] https://spectrumlocalnews.com/nys/buffalo/news/2020/07/02/chautauqua-county-sheriff-levels-harsh-criticism-against-governor-cuomo-s-executive-order-on-police-reform [2] The International Law Enforcement Educators and Trainers Association (ILEETA) lists its conference as being hosted in St. Louis, as suggested by the audience member (likely a Sheriff or Chief of Police): https://www.ileeta.org/ [3] https://www.penlink.com/xnet/ [4] https://www.penlink.com/plx/ [5] Internet Crimes Against Children (ICAC): https://www.icactaskforce.org/