Technologically Speaking spends some time with Shane Cullen, program manager for the Forensics and Criminal Investigations Program at S&T. Like last week’s guest Patty Wolfhope, Shane understands the unquestionable value and importance of S&T’s efforts to catch criminals on the dark web and beyond. In this second installment of our two-part series on digital forensics and child exploitation, Shane discusses the role these tools play in catching the criminals who commit unthinkable acts, as well as other applications of the technologies in investigations. He also delves into the ways artificial intelligence is streamlining the process of sifting through (sometimes disturbing or voluminous) data and how this protects investigators.
Run time: 24:26
Recorded on: January 5, 2023
Host: John Verrico, Chief of Media & Community Relations
Guest: Shane Cullen, Program Manager, Forensics and Criminal Investigations
[00:00] Dave: This is Technologically Speaking, the official podcast for the Department of Homeland Security, Science & Technology Directorate, or S&T, as we call it. Join us as we meet the science and technology experts on the front lines, keeping America safe.
[00:00:15] John: Hello and welcome to today's episode of Technologically Speaking. I'm your host for today, John Verrico. Today we're going continue our conversation on digital forensics, kind of part two to a discussion we had previously with Patty Wolfhope. With me is our very special guest, Shane Cullen, who's program manager for the Forensics and Criminal Investigations Program here at S&T. Hello Shane. How are you doing today?
[00:00:40] Shane: Hey, good. Thank you and thank you for having me. Yeah, thanks for joining us. You know, Shane, you've got one of the really interesting programs here, at S&T. First of all, I wonder how do you even get into a field like digital forensics?
[00:00:54] Shane: So, I started off within Homeland Security and the Secret Service. I was on the vice-presidential detail and, did, law enforcement and then came over to DHS S&T in about the 2005 timeframe. And the focus of our group at that time was assisting our law enforcement investigators throughout Homeland Security. So, I have a military background and then worked in private industry for a while. And then as I.
[00:01:16] John: What service? I didn't realize you were a serviceman.
[00:01:18] Shane: Oh yeah, I was in the Army, as a sniper in One Hundred First Airborne Division. And then, uh, got out, went to college, and then was in private industry for a few years, and then, went into Secret Service.
[00:01:28] John: So digital forensics, how is that different and how would you describe that if you were to describe it to a bunch of high school students or to your, great Aunt Tessie.
[00:01:39] Shane: Yeah. So, our investigators within Homeland Security have a lot of different legal authorities. So, they investigate a broad range of criminal activity. I don't think the general public's aware of all the things that are involved in everything from financial crime to transnational organized crime, drug smuggling, the whole gamut of, criminal activity. And so digital forensics is not a, not a new discipline, but an emerging discipline where, criminals have evidence on everything from small scale devices like your cell phone and laptops that we seize in court ordered investigations and pull the data off of to see evidence of their crimes all the way up to, dark web websites where people are, selling illicit, materials like drugs or engaged in, production distribution of child pornography. Our investigators will look into that as well, and they use tools to collect data, organize it, and investigate it, and then bring it to court to prosecute criminals. So digital forensics is a broad discipline that encompasses a big range of activities. Well, it sounds like there's also a broad range of crimes that take place in the digital spectrum.
[00:2:47] John: Tell me some of the kinds of things that you get involved with.
[00:02:49] Shane: Sure, in Homeland Security we have the Coast Guard, which has a law enforcement, mission, the Secret Service, which does financial crime investigation. They also do traditional crime investigations. Immigration and Customs Enforcement, ICE, does a substantial amount of investigations of transnational organized crime, people getting smuggled across the border, drug crimes. Customs and Border Protection or CBP regulates trade. And that's just kind of a taste. So, we have a broad range of needs, and it spans the gamut. Like I said, everything from, seized devices in investigation all the way up to, so for example, in the, in current events, with the conflict in Ukraine, Russia is, getting sanctions and, the enforcement arm of the US government, uh, looking at regulating that trade to Russia is the CBP and ICE. They conduct investigations into those activities and make sure that everybody adheres to, the law with regard to sanctions and the selling materials that could be used for military purposes to say Russia or North Korea or Iran or other, adversarial states.
[00:03:50] John: Wow, that's something I never even thought of. When you think of kind of digital forensics and digital crimes, you think about scamming and things like that. You know, and I talked to your colleague Patty Wolfhope about some things going on in the child pornography and child exploitation realm, which are also absolutely horrifying. But you just didn't even think about the fact of talking about, kind of nation states doing trade amongst each other as being things that, that we would be looking at. So this is really interesting stuff. You mentioned the dark web. What is the dark web? How would you describe it?
[00:04:24] Shane: Yeah. In a simple way you can think of it as, you've got your spaces that are legitimate and legitimate places to conduct commerce. Then the dark web would be kind of an illegitimate place to conduct that same kind of commerce. So for example, in a child exploitation environment, that would be a website where everybody who's a member gets their own access code to, dial into that environment, to that website where they can either view illicit activity or exchange it or produce it. And the material almost doesn't matter, right? It can be child pornography, or it could be people selling or exchanging drugs or any kind of illicit activity. And that's the dark web and the simplest terms.
[00:05:07] John: Is the dark web a whole different place, or is it just a term that we've used to express people using the internet for dark purposes?
[00:05:16] Shane: Uh, it's both, right? You can have secure enclaves where people do their illicit activities and you might have legitimate websites where people are doing illicit activities, so would fit kind of definition of both. But it's very challenging for our law enforcement investigators to get into those environments and collect the evidence that they need. A sample of the challenge that we're facing, there are websites where there are 2 million members, for, child exploitation materials, right? And every individual who's exchanging and producing material on those websites is committing a felony. So as an investigator, you're getting into an environment where there's 2 million people who might be subject to a felony charge. So how do you organize that data? How do you associate the chat traffic with one individual and build a case against that individual? You're talking about enormous amounts of data that have to be organized and then analyzed and then presented in a way that can be used in a prosecution, which is enormously challenging. Think about trying to investigate 2 million people, in a dark website.
[00:06:23] John: So, what are some other types of applications other than in the child pornography world understanding that some of this stuff is law enforcement sensitive.
[00:06:32] Shane: So, for example, Secret Service does the mission of financial crimes and with the evolution of the financial markets with crypto, non-fungible tokens or NFTs blockchain, this is changing the face of financial transactions and its making. Investigation of those crimes, very difficult using legacy methods. So, our investigators are coming to us, asking for us support in, developing new tools to try and track those transactions, make sense of them, and identify how and where, illicit funds are moving in this very challenging environment where you much increased anonymity and much increased, encryption and protections for people engaged in these activities.
[00:07:18] John: With there, there's so much legitimate business in the crypto world, which I don't understand at all by the way. But there's a lot of legitimate trade going on there. How do you differentiate the legitimate stuff from the stuff that is, not so legitimate.
[00:07:31] Shane: It's very hard. So, you can think of when our investigators are doing, these investigations, they're doing a full court press, right? And they're doing the traditional means of an investigation. So, a digital investigation is probably always going to have a piece of a traditional investigation, they're going to be relying on informants who give them tips on where to go in a particular transaction, or they may be relying on other traditional means of investigations to facilitate that digital investigation. So, the two kind of blend together, and when we're asked to provide technology support, we're looking at that whole chain of activity and we're assisting our law enforcement investigators with technologies to assist them on those kind of more traditional sides of the investigation, as well as the digital side.
[00:08:19] John: So, it sounds like it's principally evidence gathering.
[00:08:23] Shane: Yeah. Evidence gathering, tracking, there's, so there's an intelligence side to law enforcement work, and then the prosecution side, so when you're building a case and putting things together. Yeah, those two things are very closely interrelated. Are there anything that, any things that you can talk about, like some successes that you can point to that shows how this kind of investigatory process really helps to solve crimes?
[00:08:48] Shane: Sure. Yes, one of the things that, DHS S&T helped facilitate the creation of a system called iVe. And what iVe did was, we had investigators coming to us asking us for help on. Pulling data off of, GPS systems and GPS systems in cars, for example. And before we helped them, they didn't have this capability. So, you might have a case where an individual would say, ah, you know, I wasn't at the murder scene. I had nothing to do with that. But you could pull that GPS data from that vehicle that was seized in a court order, pull that GPS data and say, well, your car was at the site of that, murder. And it showed you at locations where the victim was seen. and that helps them build that case and know where that suspect was, where they went. And that's an example of a tool that S&T developed and is being used in investigations at the federal, state, and local level.
[00:09:41] John: I think I remember a conversation, quite a while ago when we talked about the fact of a, vehicle going out to a crime scene and because of smart vehicles, having so much data in them, uh, nowadays, you know, they were able to tell that, there were, was passenger weight in the driver's seat as well as in the passenger seat. And when they arrived, there was weight in both seats. And then, only the driver's seat was occupied when they left the site and all that in insane, level of detail that you realize your car is tracking you on. And so, it sounds like the capabilities, that we're working on help us to decipher that information or pull that information out of electronic devices.
[00:10:19] Shane: Yeah, exactly. And vehicles are a great example of that. that capability didn't exist before. And of course, you got to stress that we're not pulling this data. Over the air or without an explicit court order. So, the scenario we're using here is, an individual is arrested, their vehicle seized under a court order, and then, subject to, that type of investigation where we pull that data off of the, the vehicle.
[00:10:43] John: So, Shane, with all of the types of capabilities that you're helping to create for investigators, what would you say to people who have concerns about their privacy?
[00:10:51] Shane: Yeah. So, the biggest thing I'd say is that the tools that we're developing are all used. with court orders, right? They are subject to review by grand juries and judges and, have to fit within an organization's legal authorities. In addition to that, there's another layer within S&T where we have, our own privacy organization that very rigorously assesses the impact of each tool that we develop. And, uh, we've had tools that we've had to back away from because our privacy folks that, they may not fit into a acceptable limit for privacy. So we've backed away from that type of research. So, there are very stringent controls that we must adhere to, to, uh, get a tool developed and deployed in the field.
[00:11:35] John: I think it's important to note too, that, you know, these tools aren't just used on Joe Public. They really are only brought to bear when there is a crime that is being investigated and that, that's a really important point to get clear to people. I think.
[00:11:49] Shane: Yeah, absolutely. These tools are not sitting in a passive mode listening in on people. That's never the case. Our investigators do not, we don't know how the manpower or the resources to do that, even if people wanted to. Right. And so,
[00:12:02] John: Or even a reason
[00:12:04] Shane: They do not engage in that kind of activity, and the tools are not designed to do that.
[00:12:07] John: I guess the need for digital forensics continues to evolve as well because, there's just, there is so much data out there. What are some other kinds of tools that you could describe, that can help us to find bad actors in the digital space?
[00:12:21] Shane: I can't talk a lot about the details of these systems, but you can think of them as programs on your, laptop or computer that'll help take in. So, when you get large volumes of data, going back to that example we're talking about with, 2 million offenders in a dark web site doing child exploitation, you’ll, you're looking at terabytes, sometimes petabytes of data.
[00:12:42] John: What's a petabyte.
[00:12:44] Shane: So that's, uh, what, uh, a thousand, terabytes. yeah. So, it's a lot of data and our investigators will, we will develop basically programs that can be loaded on to our investigator's computers that'll help them ingest all of that data and make sense of it. When that comes in, it's extremely highly disorganized. It's, you can think of it as a, just a ball of, uh, data that our investigators have to, with legacy tools they'd have to organize manually. So, you might get, hundred terabytes worth of photos, which is millions of pictures. And an individual had to individually, manually organize, look at all those pictures and see is their evidence of a crime in these million pictures on this laptop or in this environment? And then would have to pull those out and then put them in a separate file. So, a lot of law enforcement investigations are happening in that fashion. And what we're trying to do is automate that process. so, it speeds up investigations. And sometimes investigators will say, we just don't have the resources to look at a case that's going to be that complicated, and that case will go by because, uh, they don't have the resources to do it. And so, providing these tools, changes that paradigm. So now they will attack those cases and they can pull data out on timeframes that are workable for a prosecution. And another aspect is, our investigators suffer from P T S D in looking at, evidence, associated with these crimes. And automating that process protects our investigators from P T S D too, because we can create automated tools that recognize specific types of crimes and pictures, and that kind of research is ongoing as well.
[00:14:27] John: That's a really key point so that people themselves don't have to look at these images. Now, let me just ask, we're talking, automation, we're talking digital analytics. If we had to process a million photos and a human being had to look at one, how many, how long would it take a human being to look at and analyze a million photos?
[00:14:46] Shane: We've gotten some good metrics on just that kind of question, and we've talked to our investigators where they’ve characterized it as, what used to take person months of effort have been reduced down to person hours or minutes. and so, an investigator used to take a month or two months to organize the video or chat traffic or the images, and now that can be reduced down to just minutes through an automated process.
[00:15:16] John: How do you teach a computer to recognize these types of images?
[00:15:22] Shane: Yeah. So there, there's an entire training process for artificial intelligence. You have to train a computer just like a human to recognize, these images. You're getting down to pixel level formation, that associates with, certain times of crimes.
[00:15:37] John: How does this make you feel that you're able to assist our investigators in this way?
[00:15:42] Shane: Oh yeah, so I mean it's really a dream position and it's also a team effort. We've got two other federal project managers on the team who are also helping our investigators. And it’s a privileged place to be in where we can help our investigators, where they can come back and tell us, hey, this year we saved 56 kids, out of one field office with I.C.E, or, we helped, put away dangerous criminals. There are tools we've developed to our end users that have helped in very high-profile cases. the Boston Bomber, for example. Ghislaine Maxwell's apprehension, the F.B.I led that, but some of our tools assisted in that. and those are just examples of some of the high-profile cases that we've helped with.
[00:16:25] John: How do you describe this? How do you tell people what you do, when you're at a family gathering or whatever?
[00:16:33] Shane: Yeah well. It's, uh, basically, I summarized to say that we're, helping to, rescue victims and prosecute criminals. People tend to think of our law enforcement investigators, particularly in I.C.E or C.B.P, as investigating or going after, folks who are migrants who are coming across the border and enforcing immigration law. And that's a function that they have. But one of the important functions they have too, is that these populations coming across the border are very vulnerable. They are exploited by folks all up and down that chain of migration. And I know a lot of investigators within I.C.E, and C.B.P and other organizations within DHS who are very motivated to help protect these people. So, a kind of common scenario is that folks coming across the border are helped by what are called coyotes, who are people who take advantage of people coming across the border and they smuggle them across the border. They'll get them into a say a safe house that's a basement in a place like Phoenix, Arizona, or the border of Texas. And though these coyotes are getting paid by migrants, and then the coyotes will basically imprison these people and call the families and say, hey, I'm not letting them out unless you give me another $25,000 or whatever.
[00:17:45] John: There are so many, unsung stories out there, about, you know, the real mission of, uh, DHS. And our role here at S&T is to support that mission with technology, right? And we don't tell these stories quite often enough, which is why I love this podcast and the way that we've created it to help. Tell these stories and shed some light on some of the things that go on behind the scenes. So I'd like to talk a little bit more about some of those other types of, crimes that we would, get involved with.
[00:18:13] Shane: Our investigators, not only take on case work that involves financial crimes. Going back to the Secret Service example. I remember a few years ago, there's cases in Oklahoma where criminals were putting their own, credit card readers on, gas stations and, people were running their credit cards through.
[00:18:30] John: Yeah, the skimmer devices.
[00:18:32] Shane: Yes, skimmers. And, so the Secret Service was assisting state and local law enforcement in characterizing those devices and trying to track down those transactions to identify some of the criminal suspects. Our investigators are also involved in this kind of like everyday crimes as well. Our labs get casework from state and locals, frequently when state and local organizations run into roadblocks, with, because, they may not be as well funded or have as big, uh, forensics lab as some of the federal organizations do. They'll send case work up and our investigators will help in those types of cases too.
[00:19:08] John: So, the technologies that we're developing, they're not only available just to the DHS level investigators, but they’re also available for use by, law enforcement agencies at all levels.
[00:19:19] Shane: Most of the time we try and target tools that can be shared at all levels. A couple of examples would be, I mentioned the GPS device, capability iVe that's available to the state and locals as well. We have another, digital forensic investigative tool called Autopsy that was funded with S&T research money that's available State and locals as well.
[00:19:39] John: What does that one do? Could you describe that one a little bit?
[00:19:41] Shane: It offers a capability to a, what's the way to characterize this? You’ve got evidence on a seized device, a laptop or cell phone, and you need to organize that data to do that. Prosecution but it's a much lighter weight system than some others. And it's optimized to be simple and used by investigators that may not have a ton of training, right? it gives you that kind of rough order magnitude to organize data and evidence on a device, maybe not to the nth degree and, of some other capabilities, but enough to get you, some intelligence on a particular crime or even to organize it, to take it to court eventually.
[00:20:23] John: I remember that. It's like a high-level sorting system basically to say, okay, this stuff is all innocuous and this stuff is the stuff we need to look at I imagine that the challenge is even larger when we're talking about the fact that these are international crimes.
[00:20:36] Shane: Yes. absolutely. And that touches on a very important aspect of the work that we do too. We will collaborate with international investigators. A transnational organized crime doesn't respect the border. they, uh, collaborate with people, across the world. So our law enforcement investigators will also frequently be, a party to, international task forces. And the nature of that work will require specific tools that we can share with our foreign partners. So, we will also collaborate with our law enforcement investigators to make sure that the tools are tailored for the missions and the kind of partnerships that are required to investigate international crime.
[00:21:13] John: What did you really want to be when you grew up, when you were a kid? Where did you envision yourself? I feel like, uh, yeah, my career pathway peaked when I was in the hundred first Airborne Division. That was where, that's really where I wanted to be. but then you get into that position, you realize, oh, you cannot do this kind of a job forever.
[00:21:28] Shane: So, uh, you've got to move on and find a new career path at the time, Secret Service was undergoing a big hiring push and was able to get into the organization. That kind of set me on the career path to, evolving jobs within Homeland Security.
[00:21:41] John: Shane being exposed to so many types of crime that you see going on out there and how these technologies are brought to bear to try to combat that crime or to investigate those crimes. What keeps you up at night? What do you worry about the most? So we hope to keep criminals up at night with the tools that we develop that, are hopefully hunting them down and, capturing them and saving victims. But I would say that the thing that, I think motivates always in the back of our folks' minds, is that there are people out there that are being victimized that we could help.
[00:22:11] John: What do you do for fun?
[00:22:13] Shane: Oh, fun exercise. My wife and I love to go out hiking. We just got back from Las Vegas where, we do not go out there to gamble, but we go and climb the mountains that are outside the city and, get in the woods, get out in the desert, that kind of thing. And then, I'm a technologist too and I love to get educated on technology just generally.
[00:22:34] John: Is there anything else that you would want people to know about, the work that you do or about Shane Cullen? Because one of the things that we try to do in this podcast is to really let people out there understand the personalities of the people that are working behind the science here.
[00:22:51] Shane: I, I just wanted to stress that, it's really a team effort. We've got an incredible team at S&T. Alex Banks is another project manager who's on our team doing work and developing things for our end users. Dan Woods has been working on, helping out our investigators as well for quite a few years, and all these folks who are developing technologies that are transitioning to our partners in the field Patty Wolfhope, who we spoke with is really passionate about fighting child sexual exploitation. Operational frontline investigators. We're working with them every day and developing tools that are relevant to their uses and then making sure it fits their use cases and their missions. it's very much not a case where we are big brains thinking in a closet and then we, ta-da 10 years later, come out with a tool that you might use or maybe not, we want to make sure that our things are optimized for, mission use, and that's a big team effort and that's probably the thing that is most gratifying to be a part of.
[00:23:49] John: That's absolutely awesome.
[00:23:50] You've been listening to Technologically Speaking, the podcast of the Department of Homeland Security Science and Technology Directorate, and our special guest today, Shane Cullen, who's the manager of our Forensics and Criminal Investigations program here at S&T. To learn more about the Department of Homeland Security Science and Technology Directorate, visit our website or follow us on social media at DHS SciTech.