No walls, a cloud-based collaboration system, and a thirst for innovation have brought 23 agencies under one roof to build this amazing crime-fighting unit.

As agencies look ahead, many are transforming the way they conduct investigations to maximize Digital Intelligence (DI) as a way to protect their communities against the growing threat from criminals using digital technology to carry out illicit activities.

DI is comprised of two parts—the data collected from digital sources and data types (devices and the Cloud) and the process by which agencies analyze and obtain insights from this data to more efficiently run their investigations.

James H. Barber, the visionary behind Gulf Coast Technology Center (GCTC). Former Police Chief with the City of Mobile, he is now Public Safety Director (Credit: https://www.mobilepd.org/news)

To become “DI ready,” forward-leaning agency managers are assessing their departments’ challenges, then weighing those against the technological assets (and trained personnel) they have on hand to reveal what tools need to be incorporated into their workflows today to make their operation run more efficiently tomorrow.

One organization that’s embraced this strategy and moved it forward in a bold new way is the Gulf Coast Technology Center (GCTC). The vision for GCTC came from then-Police Chief, James H. Barber (he is now Public Safety Director) with the City of Mobile, who wanted to build a state-of-the-art intelligence unit within the city, but one that would ultimately serve the entire Gulf Coast. In 2015, Public Safety Director Barber called veteran lawman Kevin Levy, who is now Commander of the Mobile Police Department’s Cyber Division, and asked him to make his vision a reality.

Digital Forensics Lab at the Gulf Coast Technology Center (Credit: https://www.al.com/news/mobile.html)

Seeing Policing in a New Way

“What he [Director Barber] wanted to do was basically start an intelligence-driven law enforcement program that would keep our officers [and] communities safe, and really push the police department here into a whole new generation.”


Part of Director Barber’s vision was to build an unrivaled digital forensics lab staffed by highly trained professionals to service the entire Gulf Coast.

Commander Levy started by assembling the right team of people first, which was a challenge in itself. As he describes it, “We basically recruited people to come work with me in this venture within the department who had the skills and aptitude, or wanted to go to training, so that we could first modernize the program.” The challenge was finding people, “that were willing to leave what was normal, which is riding around in a police car, and come and do something that was not normal for police, which was to stand up a lab and a technology center.”

Once he was able to assemble what he describes as his core team of “amazing people” (seasoned investigators, detectives, analysts, and lab technicians), Commander Levy could start building out the technical side of the lab.

What started with one examiner serving a single agency occupying “a closet,” as Levy described their first lab, has now grown into a multi-agency facility occupying over 8,000 square feet with over 10 lab examiners.

“On any given day, we house upwards of 40 people that are participating in the program,” Commander Levy said. This includes partners that come from 27 different federal, state, and local law enforcement agencies and some military entities.

What makes GCTC unique, according to Commander Levy, is that it’s a collaborative environment in which all of the stakeholders share in the responsibility. Unlike typical agencies comprised of local officers that only serve a finite community, GCTC’s partners come from all over the country to collectively serve not just the city of Mobile, but the entire Gulf Coast region.

The GCTC model also differs greatly from the way most counties/states run their efforts. “We’ve found partners that help manage the day-to-day operations,” Commander Levy said, “so that everybody feels like they’re getting a fair shake in the direction that we go and in what cases we prioritize. There’s no paperwork, just a handshake. As long as somebody needs something as mutual assistance, we’ll do it. So it’s not just ‘What’s in the best interest for MPD?’ It’s ‘What’s in the best interest for the community and the Gulf Coast?’”


In keeping with the city’s vision and in partnership with other agencies, their funding and reporting structure is different, too. “We have not received any federal grant funding to do any of what we do. All of our partners have kicked in or chipped in in the ways that they have to have been able to do it.”

“We’re not mandated to follow anybody’s specific prescription. We’ve found the strictest guidelines and accreditation requirements that any one agency had and those are what we adopted, and typically that’s the Secret Service.

“So we try to aim to satisfy the strictest requirements whichever of our partners has so that there’s not an agency in here that is operating outside of their own agency guidelines and procedures, but then try to remain as nimble and flexible as possible so that we’re not tied down with so many regulations that we can’t function, which is typically what happens to a lot of agencies, not because of any legal law, but because their own agency developed a policy that just restricted them.”

Challenges

In order to keep cases moving, GCTC has set the bar very high by committing to a 2 ½-week turnaround period on devices. Last year, GCTC saw a little over 2,500 of those devices come through their facility. This represents a little over half of the devices for the entire region. And that number is growing.

To keep ahead of this pace, Commander Levy has equipped his team with Cellebrite Premium, which is used along with other bootloaders to handle dozens of devices in various stages of downloading at the same time. He is also a huge believer in Cellebrite Pathfinder, which is powered by AI, to help his team cut through mountains of data fast to find actionable intelligence. Utilizing a full suite of DI solutions has allowed his team to process more devices faster, which has led to actual crime reduction and case closures. Digital evidence helped remove the most prolific offenders from the street and successfully closed cases that may have previously remained open. Every crime type is accounted for separately, so singular percentage citations would reflect differently for each type of crime. However, digital evidence support has been requested in over 80% of the ongoing violent- and financial-crime investigations, versus 30% from just five years ago.

Cellebrite Pathfinder quickly assembles all of the connections between the suspect and those they have been in contact with to begin building valuable timelines in cases. (Pic: Cellebrite)

Growing the lab: Levy’s goal is to maintain the 2 ½-week turnaround time by growing the lab. Doing so isn’t just about adding headcount either, as Levy pointed out. “More people help,” he said, “but it’s really more devices, more licenses, finding out that one person could multitask on three different machines.”

The key is not letting roadblocks slow the process down. “Finding out what that one impediment is and moving that aside so that you can continue moving down these parallel paths while somebody troubleshoots the one [holdup]” is what matters, according to Commander Levy.

High-tech Devices: Commander Levy said GCTC’s biggest challenge comes from criminals using the latest high-tech devices for which his group may not yet have an updated solution. “There have been some very creative folks [from] corrections facilities who have sort of super-engineered their own devices, and that’s more of a physical challenge. But the biggest challenge right now is from some dude who walked in, bought a brand new Samsung, walked out the door, committed a crime with it, loaded all this evidence on it, and we recovered the phone an hour later.

“You know, that one’s going to take us a little bit of time because both Cellebrite products and some other tools may or may not have gotten up to being able to bypass that… in that particular device.”

That said, his team has a very high success rate in being able to lawfully collect data from 70 to 80 percent of the devices they receive.

Archiving and storage: “Keeping up with the volume of data that we have to retain for years basically, until it goes to trial, and then having somebody come back and purge what’s not needed after it has gone. That’s kind of been our biggest thing,” Commander Levy said.

“When we first started, we’d put a handful of devices on a shelf and let them spin with whatever was being loaded on them or on the box itself to go. And now, at any given time, we may have 200 to 300 devices that are, depending on which product we’re using, either connected to the Cellebrite Premium or are sitting on a shelf with some other bootloader in there spinning around.

“And so what started as a big waiting contest, now it’s sort of like an Easter Egg hunt because, with that many devices in what we call our ‘parking lot,’ on any given day, we have four, five, or six that are being lawfully accessed, or more, so we had to wait for a while, but now, pretty much every day we go in there, there’s a handful that have been accessed, or are ready to be accessed, or are accessed and on the Premium box. And that’s not counting the ones that are accessed in a relatively short period of time; you plug in, they are lawfully accessed, we go to business. These are ones that are taking longer, or we’ve had to load some sort of program on them to lawfully access them. So yeah, it’s kind of our biggest challenge.”

Managing Multiple Cases with Technology

With as many devices as they are handling and with requests rolling in from all over the Gulf Coast Region, GCTC is always running multiple investigations. What makes the way they approach investigations truly groundbreaking, however, are three things:

Triaging Cases: “We use an online, cloud-based collaboration system,” Commander Levy said, “so everything that comes in—every single phone exam, computer exam, every type of request outside of forensics that we get—it all goes into that system.” Being able to pull up cases so the entire team can prioritize the request and decide on the best people to assign to the case is a huge advantage in jumpstarting investigations.

Maximizing Analytics: The GCTC team conjoins everything in Cellebrite Pathfinder. “We don’t separate by agencies,” Commander Levy said, “so everything’s getting dumped into one master case if that makes sense. And so we’re building contact repositories [and] cross-referencing everything.”

Cellebrite Pathfinder (Pic: Cellebrite)

Collaboration: Because GCTC has so many agencies under one roof, representatives from one agency can literally lean over the cubicle to ask questions or get information from a colleague at another agency without going through a bunch of hoops. This kind of collaboration allows GCTC to move the investigative process along at warp speed.

Putting It All Together

To maximize Digital Intelligence, Commander Levy and his team take a holistic approach to digital technology, using a combination of tools that work in unison to support a complete end-to-end solution.

“The biggest asset for us is having all of these products that work together very well, specifically in the Cellebrite family, to allow us to tell the story from beginning to end,” Commander Levy said.

“People call and ask, ‘Hey, how does Premium work?’ or ‘How does Analytics work?’ or ‘Hey, you guys have a UFED for PC license. How do you like that?’ All of those [questions] are great… But really, what I tell people is, ‘You’re only seeing one piece of the puzzle.’ The product that works best for us is the [entire] suite of products that [enable us] to tell the whole story. Because if any one of those pieces doesn’t work, we miss that link in the chain.”

Like most departments, GCTC’s budget would not allow the purchase of all of the solutions they now use upfront. “We slowly had to build a case for the program, a justification to explain not only why we wanted to buy it, but why we want to spend that amount of money every year to continue… being able to tell the story.”

Commander Levy pointed to a recent case study that shows how having the right tools, trained personnel, and open dialog between agency members allowed GCTC to tell the whole story, which led from a minor crime to a major syndicate and, ultimately, to solving two homicides.

Case Study—How Two Phones Lead To A Double Homicide

About three months ago… Commander Levy’s team received a simple vehicle theft case. After a short investigation, they arrested an individual who was stealing vehicles and all-terrain vehicles.

The arresting officers uncovered two cell phones in that case—one was in the vehicle they arrested the suspect in and the other was in his pocket. This was a City of Mobile Police Department case, so they brought the two phones in.

One of the phone examiners on Commander Levy’s team happened to be from the Baldwin County Sheriff’s Office. They looked at GCTC’s collaboration cloud screen and noticed that some of the information was eerily familiar to a case they were working in Baldwin County.

The examiner asked if he could take those phones, do the exam, and run them through Analytics. When he did so, he realized that the cases he had been working in Baldwin County were potentially related. He went and got the phones from the Baldwin County case and added those two or three cell phones to the case.


What started with two phones now had about five phones in evidence, which were building toward one master conspiracy involving the same players.

Commander Levy said that the examiner then compared the contact lists in the two cases and quickly realized that these people knew each other, so he began adding some geopoints to the investigation.

Those two cases then became a talking point, according to Commander Levy. “We have regular information sharing [sessions] with our analysts [who] contact the investigators in all of these cases and ask them what they’re looking for and what it is they’re trying to accomplish. This is sort of part of that storytelling. So we don’t just blindly dump a phone, we examine phones and dump the evidence while our analysts are trying to figure out what it is that the ‘customer’ (our investigators) is looking for.

Building a solid chain of evidence starts with lawfully collecting data in a forensically sound manner to ensure data integrity and compliance is maintained. (Credit: https://www.newsbreak.com/news/)

“Once the story begins to get told, ‘Hey, we’re looking for a person that might be working for another person,’ and we realize that all of these people sort of were reporting to an unknown entity together and that they may not have known each other directly but they all have a third person in common, the case began to expand.…

“By the end of May, we had probably 15 phones that had been taken and put into this one file. So what that means is there are multiple people around.”

What started out as a car-theft ring morphed into a vehicle-theft ring and a firearms-theft ring. The firearms-theft ring then turned into a firearms-distribution ring on the street where the guns were being sold. The guns then led to two active cases of homicide.

The investigators would have never known where the guns came from had they not seized the phones from these cars that were being used by people who were stealing cars and guns.

According to Commander Levy, “All of that happened within about three weeks. The one homicide case had been open for almost a year, and it was one of our partner’s cases. The other homicide case was a local case here [in Mobile], and potentially—this part yet to be determined, they’re still working part of it—might potentially involve some occupied-dwelling shootings. Drive-by shootings where nobody was actually killed wouldn’t get filed under homicides, because nobody died, but we believe one of the suspects might potentially be related.”

Pointing to the power of placing everything in Analytics, Commander Levy summarized the case this way. “Had we not reached out to all of those investigators from all of those different agencies independently during the analytical process, we would never have been able to piece together all of the pieces of the story.


“All of the tools came together…so we’ve created an assembly line that functions the same way the story would be told, which is: Get the data, process the data, analyze the data, and communicate directly with the requester. The product that we give back [then] is not only for the investigator but also for the prosecutor [because] we’re able to explain to them how we got the evidence and what it was.”

Telling The Whole Story In Court

The storytelling process extends all the way to the courtroom as well. Instead of sending just one investigator to court as a key witness, Commander Levy is able to send a team of specialists—each of whom plays a part in helping prosecutors lay out the case.

“By spreading out the testimonial process [and] the evidentiary recovery process, from examiners to analysts to investigators, not only do we tell the story, but we also create a more solid case, where you’re having four people come in telling the same story, versus one person whose reputation may or may not be tarnished just because the defense attorney may want the jury not to like police or whatever the scenario is.”

None of the creative ways Commander Levy’s team is attacking investigations would be possible, however, without having the right players in place who are constantly upgrading their skills through training.

Training is Key

As Commander Levy sees it, utilizing DI to its fullest extent “cannot be accomplished without a complete, second-nature understanding of intelligence: how it works, what its life cycle is, and how to use it…If you work at the Center, 25% of your time, you should be in training. The other 75% of the time, you should be working cases and solving crimes.

“Anything less than that, we feel, does a disservice to the officer, because technology changes so rapidly. You have to focus on an area, even in digital forensics. It’s like medicine now, right? There are different disciplines, and you become an expert at different things, even within the field. And so we recognize that. We want people to find out what their niche is, what their comfort zone is, what their wheelhouse is, and we want to send them to as much training in that area as we can, and then cross-train them with others.

“Every person we send to a training class we expect to come back as a ‘train the trainer.’ Bring us back some nugget of value that you can share with us…. And so we debrief them after they come back from training and hope that they share it with the right applicable people here.”

Doing the Right Thing

When it comes to getting community buy-in on using digital data to solve cases, Commander Levy says it comes down to ethics and communication.

“You’ve got to keep doing the right thing,” he said. “That’s why we spend so much time training people on what the laws are that cover the devices and how we’re collecting data, so that we can always be on the right side; that we made the right decision for the right reason.”

Levy sees community outreach as the way to reinforce his positive message of policing.

Educating parents: “How to keep your kids safe on their phones” is one of the subjects his team teaches in schools so that community members see that law enforcement isn’t just out there to arrest kids. They’re actually out there to keep them safe. “Our number one job is to keep them safe,” Levy said. “And so we interact that way.”


Community interaction: “One of the very first things that we had to do was train our officers on what technology is and how it works,” Commander Levy added, “so that when they interact with the community, they understand about people’s privacy, but they also understand the value of that item potentially as evidence. [This way] they’re better equipped to explain why they’re doing things, rather than just going and taking a bunch of stuff and people are like, ‘My God, he took my phone.’ So educating the front line officer, that’s the number one thing.”

“You have to remember this…. The people that come in contact with law enforcement most of the time are usually having the worst day of their life, whether they’re the suspect, the victim, or [a witness]. And so law enforcement, every day, comes in contact with people who, for that one day, are having the worst day of their life. But an officer sees that every day, multiple times a day. And so a lot of them get complacent, and they don’t recognize that it’s all about the same story.

“We want to tell the story with the phone, but you also have to understand that person’s story. We [haven’t] walked in their shoes and [seen] what they see. Officers see outside the window of the police car, but you have to remember people are on the streets looking inside the police car from the outside, and it’s a completely different perspective. And so we want to train them [officers] digitally with our devices, but if you want trust, you have to look at what it looks like on both sides of the windshield, not just one side.

“I’ve tried other things and I’ve done other things over my lifetime, you know, just here and there, and nothing is more satisfying than helping somebody. And I know that sounds stupid, and a lot of people have lost hope on that, but it’s out there, I see it every day…

“I know we’re doing the right thing and we’re moving in the right direction. We’re not moving backwards, we’re moving forwards. And that’s what law enforcement needs right now.”