Fighting to Uncover the Evidence
When recent Notre Dame graduate Christina Casino started as an intern in the Cyber Crimes Unit three years ago, she did not expect the stark reality she confronted in her second week on the job.
She went with the police to serve a warrant at the home of a suspected child pornographer. After the team secured the house — and made the owner put on some clothes — Casino entered to collect technological evidence: computers, phones, thumb drives and more.
“We had to wear Hazmat suits with facemasks and Vicks under our noses,” Casino said. “It was repulsive, feces everywhere, no power, no water. The smell was so bad. I was afraid there was going to be a dead animal.”
She said the unit’s director, Mitch Kajzer, called it the second-worst house he’d seen in a long career of serving criminal warrants. For a student who grew up in Stamford, Connecticut, and went to private schools, Casino said, “It was a huge eye-opener.”
“I definitely wanted to experience that because I know I’m so sheltered,” said Casino, who now works in cyber risk at Deloitte. “I think it’s better for me that I know that exists and that I experience it now. I could get a roadblock like that and be like, ‘How do I deal with this situation?’ Now I’m way more prepared to go into any part of the U.S. or the world.”
Junior intern Julia Gately echoed that theme.
“Taking college students who are only immersed in academics and bringing them into this world can be beneficial for everyone involved,” she said. “Just being able to actually see the real world impact, see who’s been arrested, who’s been freed based on the work that we've done at the unit is incredible.”
Gately is one of eight Notre Dame interns in the St. Joseph County Cyber Crimes Unit, which expanded again this year after last year’s move from the county jail to Hammes Mowbray Hall on campus. The students participate in every step of a cybercrime case: researching suspicious online activity, building suspect profiles from social media and public records, writing warrants to get information and search homes, collecting tech evidence on site, and performing digital forensics on anything that stores bits and bytes.
The experience thrusts their classroom learning into the real world. While Notre Dame is not the only university to partner with a local police department to provide hands-on digital forensics, it is the only program that swears in its undergraduate interns as law enforcement officers with actual police powers. As a result, the students get official badges — which stay in the office — and do all the unit’s investigative work, save the dangerous initial entry into a suspect’s home.
“What the community gets out of it is very high-quality workers who come into it with a lot of native knowledge,” said Kajzer. “They’re very adept with technology. There’s probably not a day that goes by that I don’t ask one of them something about a new technology.”
While the county’s Cyber Crimes Unit began in 2003, the internship started when Kajzer returned to the unit in 2015 after earning a master’s degree at Notre Dame. He was teaching at the time in Notre Dame’s Idzik Computing and Digital Technologies (CDT) program. He noticed that a student in his forensics class had been accepted as one of a few general interns in the county prosecutor’s office.
Kajzer asked the student if he was interested in working instead in cybercrimes. When that worked out, as did another intern the next semester, Kajzer went to Psychology Professor Chuck Crowell, the director of the CDT minor in the College of Arts and Letters, to formalize the relationship. Crowell secured funding from the consulting firm Deloitte to begin the program and be able to pay three interns.
“Our thought was, if we get a sophomore, they will walk out the door with three years of experience doing some really incredible things,” Crowell said. “They’ll be irresistible to employers at that point.”
“My hope is that we will have dozens of students that will help solve the crimes that are the hardest for law enforcement to solve.”
In one notable early success, the owner of a Granger tanning salon was convicted and sentenced to four years for filming nude or partially nude women during spray tans. After one victim caught him filming on her own video, a student investigator discovered two more illegal videos in a cloud account connected to the owner’s business computer, including a 17-year-old who also did not consent to being recorded.
St. Joseph County Prosecutor Ken Cotter said moving the cybercrime office to campus provides more space and resources for the students, allowing them to balance work with their studies.
“My hope is that we will have dozens of students that will help solve the crimes that are the hardest for law enforcement to solve,” Cotter said.
Last year, 22 students with a range of majors from film studies to economics applied for four open spots as the team grew to six, allowing the unit to catch up with its caseload despite an 85 percent increase. Clearing out the backlog, Kajzer said, “is really unheard of” in any police unit in an era of tight government budgets. This year’s team has eight students.
Across the country, backlogs at digital forensics labs are often six to nine months, Kajzer said, and locally that process sometimes took a year. During that time, suspected predators often remain free to do more harm while the incriminating evidence sits waiting in a lab.
At Notre Dame, the student investigators regularly process cell phones in just four hours for cases ranging from child exploitation to drug sales and even murder.
“I knew we could get through more investigations with the extra manpower, which would then open up the avenues for the second prong, which is the research part of it,” Kajzer said. “Figuring out new ways to use technology to aid investigations — that’s really exciting.”
On a Friday morning last year, the students watched a training video on the information collected by Apple watches, Fitbits and other wearable technology. Their discussion was practical if a bit morbid: whether a heart rate monitor would record a person’s time of death or simply shut off if the person wearing one died. Hard to test that.
“What we’re looking at today is pattern-of-life information,” Kajzer said. “Not just a point in time where a crime happened, but the whole pattern of what their day was, where they went and who they were with.”
In the unit’s campus office, Kajzer wears a gun and bulletproof vest but acts as much like a professor as a police officer, discussing methods and theory from the pervasiveness of technology to the limits of privacy.
Another research project involves the discovery of a little-known cache of phone data tracking location for anyone using Google Cloud. As a result, the unit used the location data to definitively exonerate a suspect who claimed he was not present at the time and location of a crime.
Cybercrime investigations generally involve a series of warrants, not just the well-known warrant needed to search a home. Following a recently closed case from start to finish can illustrate the elaborate legal process followed in these investigations.
Matt Ridenour, a 30 year-old Mishawaka man, was sentenced to 15 years in prison for possessing and creating child pornography on Nov. 14, making it possible to talk openly about the case. It began in March 2017, when Eric Tamashasky, a deputy prosecutor who also teaches courses in the CDT program, downloaded a contraband video through a peer-to-peer sharing program.
Tamashasky wrote a subpoena to Comcast to provide the account owner of the sharing computer’s IP address, which is a unique string of numbers assigned to each device connected to a computer network that uses the Internet Protocol for communication.
Many of the unit’s cases involve child exploitation, and most begin with a tip from the National Center for Missing and Exploited Children (NCMEC). When an online company such as Google or Dropbox finds that a known child porn image was downloaded using its service, the company alerts NCMEC. If the IP address geo-locates to St. Joseph County, NCMEC sends the information to the Cyber Crimes Unit at Notre Dame. Kajzer generally scans the images first to relieve the students of that burden, but only after writing a warrant to himself to allow looking at the company’s files now on his computer.
Since Tamashasky had already viewed Ridenour’s images, Kajzer assigned the case to Casino on July 5, 2017.
Armed with the name of the IP address owner, Casino used open-source intelligence techniques to build a profile of the suspect. She checked everything from social media sites and relatives to property and arrest records, taking a screen shot of any hits to copy into a detailed report that eventually ran to 37 pages. She pasted in phone numbers, birth dates, social media pictures and more.
“We know so much more about you than you even know,” Casino said. “It’s all online and public, and we take advantage of that for our investigations.”
Casino quickly identified that three people lived in the Ridenour home, and that the likely suspect was the son of the IP address owner. She could have written warrants to obtain private Facebook information or to connect his screen names to the ownership of various social media accounts, but neither was necessary in this case. Next, Kajzer drove her by the house in Mishawaka to take pictures, providing license plate numbers to check for ownership records.
Casino wrote a warrant and received a judge’s approval to search the Ridenour home on July 11, just six days after starting the case.
“It’s usually cut and dried,” said Sam Alptekin, another recent graduate. “It’s very definitive when we find incriminating evidence. It’s very rare to find a picture with an explanation.”
Casino and another intern put on their badges and bulletproof vests for the raid. They met to review the plan with other police officers and Tamashasky at a staging area, where Kajzer turned on his body cam video.
After a short drive, the students sat in the car about a block away while Kajzer and eight or nine other officers surrounded the house. The officers knocked and called and received no response, but they found that the back door was open and entered. The video shows Kajzer’s gun drawn in front while a disoriented and shirtless Ridenour walks into the kitchen. The officers scream directions and cuff him.
After the house is cleared, Casino and another intern entered with evidence kits, including rubber gloves, notepads and tech supplies. They connected to the suspect’s computer to preview evidence, which can be useful in questioning the suspect. They collected anything that stores digital information, logged it and took it back to the lab for forensic analysis.
The first step is to make a digital copy of all data that preserves the original evidence intact. The interns are trained on a forensics tool called Magnet AXIOM, which Casino used to divide the data into categories. The interns used to have to scan through hundreds or thousands of thumbnail pictures, but the program can now search, for instance, for images with more than 60 percent skin tone.
Inspecting the media section, Casino found that Ridenour had been using a screenshot program to record video chats with underage boys on an international chat site called Omegle. His laptop stored more than 300 videos of these chats involving nudity.
“That constitutes creating child pornography, so then he was taken into custody,” Casino said. “It eventually became a federal case.”
“The amount of data coming off phones these days is absurd.”
Casino traced Ridenour’s history of downloading the programs he used, plus transferring the videos to another hard drive for storage. She also wrote a warrant to Omegle to provide the IP addresses of all the computers from Ridenour’s illegal chats. She matched the times and addresses in an attempt to identify, geo-locate and inform parents about this predatory behavior.
The detailed report is crucial because cases can take years to go through the criminal court process. The students could be called to testify in court, though none have so far because most of the cases don’t go to trial.
“We do the best investigation we can and then turn it over to the second part of the criminal justice system,” Kajzer said. “We can’t control the rest, so I try not to get emotionally involved.”
Many cybercrime cases do not involve endangering children. Homicides and drug trafficking often involve phones that have been confiscated during an arrest. Some suspects provide their password, but the police can also use various password bypassing techniques if needed, plus a special bag that prevents anyone from remotely wiping the phone.
“The first phone I ever went through was a homicide phone,” Casino said. “Those are interesting. You usually have one or two phones in those situations. You can upload them together into AXIOM and filter them, so you can find if these two phones talked to each other, and you want to find these conversations only. The amount of data coming off phones these days is absurd.”
Mike Chapple, a Mendoza College of Business analytics professor who acts as the students’ internship advisor, said the experience the students get in applying their skills sets them apart in opportunities ranging from the FBI to technology firms.
“Most of our students have some kind of internship,” Chapple said. “Being able to do that within the school year and within law enforcement is what’s unique and what gives them credibility. No other students can say they are sworn law enforcement officers and have worked on active investigations.”
Junior Julia Gately said she joined the Cyber Crimes Unit because she believes that the law and legal system are a hands-on way to improve her community. The ceremony of swearing to protect the public and abide by the Constitution made a huge impact, she said.
“When they handed me the badge, I almost cried because I could see everything that I had worked for, up to that moment, just being handed to me right then and there,” she said. “I've always had so much respect for police officers and the badges that they carry and being able to carry one of my own has really given me a sense of the responsibility that I hold.”
Gately witnessed the impact her mother had teaching in Chicago public schools for more than 20 years. She said she’d like to help people by using technology to find the truth, while also changing the perception of law enforcement. Her work in the Cyber Crimes Unit is a powerful first step.
“It’s given me something bigger than myself to believe in, which is exactly what I think Notre Dame tries to instill in all of its students,” she said. “It has really given me a purpose in life which I appreciate more than anything. It's the reason I wake up in the morning.”