On a cold December morning in Deschutes County, Oregon, multiple units from the sheriff’s office packed up their gear, loaded into their vehicles and drove to what looked like a typical home in a suburban neighborhood. Yet inside, investigators say someone had been sharing child sexual abuse material with their office in what’s known as a peer-to-peer investigation.

Unique from other Internet Crimes Against Children (ICAC) investigations, the suspect had no forewarning that the illegal images they were accused of sharing, had been flagged. The account they were using was still in operation. “These [Internet Crimes Against Children investigations] are inherently dangerous,” said Lt. James McLaughlin of the DSCO. “These individuals often know that they’re looking at 10, 15 even 20 or more years in prison for these crimes. There’s a lot for them to lose.” Multiple units participated in the search, allowing for safe entry into the home. Once inside, each unit was able to focus on the information they needed to obtain. In all, nearly 40 devices, include cellphones and laptops were taken from the home by investigators.

Detective Sergeant Thomas ‘Lili’ Lilienthal, is a 17-year veteran in law enforcement and now leads the county’s Digital Forensics and Internet Crimes Against Children (ICAC) unit. He says it takes a special person to investigate these types of crimes, “the reason we do it is because we have to keep these kids safe.” This particular case remains under investigation as the DSCO is actively reviewing 160 terabytes of data related to the arrest.

An Unexpected Career Path

This image has an empty alt attribute; its file name is Image-3.png

Det. Sgt. Lilienthal is a self-defined ‘tech geek.’ He thought his love of technology would land him in the corporate IT world, but he’s spent nearly two decades in law enforcement. It’s a career that began in high school while he was working at the Best Buy Geek Squad. In 2005, a computer brought into his Geek Squad office was found to contain child sexual abuse material (CSAM), and his team alerted local police. A digital forensics detective took over the case and “that’s when I learned cops can be geeks too,” Det. Sgt. Lilienthal said. He realized he could use his passion for technology to serve his community and shifted his career focus to using his technology skills in law enforcement, specifically digital forensics. 

Det. Sgt. Lilienthal has been with DCSO for seven years and is proud how his agency supports its digital forensics unit. Every examiner in the county is a full-time examiner and can focus solely on digital forensics.  

The office works closely with other agencies within the county including the Bend Police Department, the Redmond Police Department, Oregon State Police and several federal agencies. Det. Sgt. Lilienthal said the collaboration ensures examiners are all under one roof to provide peer review and mentorship. It’s also a great way to share resources. “By joining forces with other agencies in Deschutes County, we are able to share the financial burden of tools and licensing, as well as ensuring that no examiner is getting overworked and burned out,” he said.  

The partnership between agencies allows the county to have a well-rounded lab. With its advanced digital forensics capabilities, DCSO handled more than 500 devices – more than 100 TB of data — (imaged, extracted, cloned or previewed) in the first half of 2024. 

Working with Digital Evidence  

As a digital forensics lab with more than 7,800 square miles in its jurisdiction, some investigations happen far from the lab, making it challenging to quickly collect evidence and provide actionable intelligence. This is where mobile forensics solutions like Cellebrite Premium, UFED, Digital Collector and Inspector (now part of Cellebrite Inseyets) have changed the way they operate.  “We can now have everything packed in a “bug-out” kit and handle everything on the scene to not only conduct advanced extractions but immediately provide data to assist in the investigation,” Det. Sgt. Lilienthal said.   

With the DCSO working with other agencies in one lab, having digital forensic solutions is crucial to ensure work isn’t duplicated and nothing gets missed. As Det. Sgt. Lilienthal explained, “These solutions provide ways for investigators to access information about their cases and share reports created by the examiners. A web-based solution, especially with examiners and investigators operating under different agencies and networks, ensures they can share information even if they aren’t physically together.”  Having different solutions and knowing their weaknesses and strengths also helps in prioritizing devices. For instance, if an investigator is only interested in data from Facebook Messenger, running the device through aLEAPP or iLEAPP can quickly push those messages out. This ensures that major crimes with fewer leads get more machine and examiner time, preventing a backlog.  

Streamlining Processes with Automation  

The DCSO has a standardized way of managing digital evidence and reports. They create a mirrored storage with one folder for digital evidence and one for reports to prevent confusion. “Automating the folder structure with Python scripting is pretty easy, and there are classes to build the necessary knowledge base such as the Iron Python class offered by Cellebrite,” Det. Sgt. Lilienthal said.   

He added, “This makes case collaboration simpler and helps me as a supervisor handle District Attorney and Defense inquiries into the evidence and discovery of said evidence.”  

Having several solutions to assist in automating data analysis is also vital, as it’s impossible to analyze every single piece of data on a device while a backlog is building up. With powerful enough digital forensics computers, examiners can ensure the appropriate use of machine time to simultaneously parse the data in multiple tools.   

Succeeding in Digital Transformation 

When asked about the steps agency managers should take to transform their organizations digitally, Det. Sgt. Lilienthal emphasized four steps.   

  1. Network: The first step is to network and learn from others in the field, as Det. Sgt. Lilienthal emphasized, “Digital forensics CANNOT operate on an island. You don’t know what you’re missing or doing wrong if you’ve never encountered it.” He encourages examiners to be proactive and reach out to their Regional Computer Forensics Lab hosted by the FBI, find out who their U.S. Secret Service representative is to get into classes at NCFI (National Computer Forensics Institute) and finally, reach out to their state’s Department of Justice Internet Crimes Against Children (ICAC) division.    
  2. Budget: The second step is to normalize spending on digital forensics, which Det. Sgt. Lilienthal said is no different from spending on solutions for the physical world of police work. He added that agencies should, “Get quotes from multiple vendors, identify training plans and lean heavily on NCFI if budget is going to be a big issue. As a base of your budget, you should have a line item for equipment, training and annual tools costs.” He also noted that as NCFI uses a “lottery” system, agencies shouldn’t fully rely on it as a source for equipment and training. 
  3. Be Invested: To get support from colleagues and heads, agency managers must put in the extra work to get their digital forensics unit up and running. “As with any specialized unit, you’ll likely be called at all hours of the day and be leaned on as the expert. The frontloading of investment and providing training for your staff will pay in dividends as digital forensics becomes normal for your agency,” Det. Sgt. Lilienthal elaborated. Managers must also support their staff and advocate for digital transformation if they expect their staff to get behind them.
  4. Repeat: Finally, Det. Sgt. Lilienthal emphasized that this is a cyclical process: “Continue to network and expand your scope, and solutions to your problems will come. Being reliable for your agency gets more buy-in, which increases the budget, which increases your capabilities, which shows your investment, and the cycle repeats.”  

Public-Private Partnerships  

As law enforcement agencies only have so much time, ability and understanding to access data from devices, digital forensics solutions from private companies are vital.  “Partnerships with private companies who can focus on the digital forensics methods are required to ensure we can get the data needed and prosecute a case appropriately,” he said.  

By committing to optimizing its digital forensics workflows and collaborating with other agencies, the Deschutes County Sheriff’s Office demonstrates how agencies can succeed in digital transformation and why they shouldn’t ignore digital evidence. 

While digital data, DNA and fingerprints can provide facts that make up the puzzle pieces to solve a case, Det. Sgt. Lilienthal added, “There is so much more data in digital evidence that digital forensics can glean location, information, communication, research and health information. Combining these fact-based investigative means creates a rock-solid investigation for prosecution.”