As loathsome as cases involving possession of child pornography are, they take on an even darker dimension and more serious legal ramifications when police are notified of a suspect who is alleged to be the actual perpetrator who is sexually exploiting a child.

Such was the case for Lieutenant Corey Davis, when in the fall of 2017, police in Glastonbury, CT received information alleging that a male suspect in their jurisdiction had images and video of a female child being sexually exploited.

Little did Lt. Davis know that the case would eventually become a federal investigation involving the Department of Homeland Security, the National Center for Missing & Exploited Children, some of America’s leading digital intelligence experts, and dozens of devices.

Lt Corey Davis
Lt. Corey Davis and his team used Analytics and AI to narrow the number of relevant devices, which enabled them to find images of child exploitation that weren’t in their standard hash sets.

Like many officers, Lt. Davis has worked his way up through the ranks, spending five years as a patrol officer before moving to the Narcotics Taskforce where he worked as an undercover officer.

After three years, he moved back to patrol duty as a supervisor before being transferred to the Investigations Division. When the sergeant in charge of the regional computer forensics lab retired, Lt. Davis was asked to take charge of the entire lab operation, eventually overseeing a staff of 17 investigators from 10 departments.

At the outset of the child exploitation investigation in Glastonbury, Lt. Davis was the Digital Forensics and Investigations Supervisor for the Connecticut Center For Digital Investigations (CDI). His job was to oversee the digital forensics for the investigation.

When it was alleged that a minor was involved, Lt. Davis immediately sought assistance from federal authorities. After obtaining a search warrant, federal agents and Lt. Davis’s own officers searched the home of 63-year-old James Ripberger. What they found was astonishing.

An online article by Alex Wood published by the Journal Inquirer quotes Prosecutor Nancy V. Gifford’s sentencing memo as saying that Glastonbury police and federal agents discovered “‘a very large collection of child pornography’ on electronic devices, including 2,231 pornographic pictures and 20 videos.’”

The Case

The Journal Inquirer article also references the sentencing memorandum filed by Ripberger’s lawyer, John D. Maxwell, which said, “Ripberger met the victim around 2010 when she was living with her father in Glastonbury … Her grandmother lived near Ripberger, and he [Ripberger] agreed to watch the girl at his house while she waited for her father to get out of work and pick her up.”

An online article by David Owens of the Hartford Courant said that, “James Ripberger, who moved to Connecticut in 1998 from Louisiana for a job, accumulated about 20 videos of child pornography, more than 17,000 images of what the government described as ‘child erotica’ and multiple images and videos of a young female whom he watched after school and who Ripberger surreptitiously recorded in various stages of undress.”

The article goes on to quote federal prosecutors who wrote in a sentencing memo, “‘The fact that children suffer the sexual abuse, and the abuse is recorded, is a horrible reality. The child’s abuse is then exacerbated by people, like the defendant, who download those images for his own disturbing gratification.’”

The Challenge

The challenge for Lt. Davis and his team was to go through all of the evidence seized from Ripberger’s home. “We had a known minor victim,” Lt. Davis recalled in an interview for this article. “Our goal was to find just data on that victim. My role was to find a way to do that efficiently.”

Lt. Davis reached out to a list of service providers asking the broader digital forensics community about potential technology vendors his department could work with for image recognition software that would identify evidence involving the victim. Lt. Davis was contacted by a representative from Cellebrite who put him in touch with the National Center for Missing & Exploited Children (NCMEC).

Founded in 1984 by John and Revé Walsh and other child advocates, NCMEC is a private, non-profit organization that serves as the national clearinghouse and resource center for information about missing and exploited children.

NCMEC’s worldwide database of missing and exploited children is an invaluable resource for investigators working child exploitation cases.

While NCMEC does not actively participate in investigations, copies of seized materials can be sent through law enforcement liaisons who can compare seized data to information in NCMEC’s database to determine whether an exploited victim has appeared in any other cases in the U.S. or internationally.

NCMEC also works with a broad array of technology vendors, including digital intelligence companies that want to provide meaningful assistance in missing and exploited children cases.  In the Glastonbury case, NCMEC’s partnership with Cellebrite allowed Lt. Davis’ team the means to work directly with Cellebrite’s digital intelligence experts.

A technical team from Cellebrite, including R&D engineers, flew to Glastonbury to assist Lt. Davis in setting up the proper digital intelligence solutions to begin sorting through the 50 devices seized from Ripberger’s home. It was eventually determined that these devices contained more than 35 TB of data. To gain a perspective on how mach data that really is, see infographic below.

The biggest job was isolating which devices had child-related matter on them and, ultimately, what data related directly to the known victim. Lt. Davis’s team had never investigated a case involving so many devices and so much data.

Manually sorting through each device and the thousands of files contained on them would have been impossible. Fortunately, digital intelligence technology including AI and advanced analytics allowed the team to begin quickly parsing the data.

The Solution

“What was important was being able to visualize [all the evidence in] the case together as one,” Lt. Davis explained. “Gathering images from each device and uploading them into a single case file, then being able to immediately pick out which devices had images we were interested in [was crucial].”

Analytics and AI was used to narrow the number of relevant devices, enabling Lt. Davis’s team to find images of child exploitation that weren’t in the standard hash sets Glastonbury PD normally uses to parse data.

As Lt. Davis explained, “It does become important to have a function that can tag images in a gallery view to add to the efficiency of the examiner and workflow. We were able to find a lot more images that we would not have identified without the technology to help us.”

Lt. Davis’s team employed Cellebrite Physical Analyzer during the investigation to search for evidence on cell phones that were seized. “For the most part we were uploading to Cellebrite Pathfinder (Formerly Analytics Enterprise) to ID the images on the drives,” Lt. Davis said. “We then utilized Griffeye to look for child exploitation images, categorize them, and generate a report that would tell a prosecutor how many illegal images were found.”

Setting Up The Technology

Here is how the digital intelligence technology was arrayed to sort through the devices:

  • Elasticsearch DB were kept on SSD and MongoDB was placed on internal spinning HD to support thumbnails. Evidence source (E01) and decode directories were placed on customers’ new Synology NAS array.

  • POV system initially had 64G Ram. This was upgraded to 256G after the first week to support the load. (IMAN was creating a very large load.)

  • Slowdowns with E01 decoding as well as IMAN were experienced due to network latencies across 1Gb network to NAS.

  • Each device was given its own case to improve IMAN performance through IMAN UI.

Following the investigation, technicians assigned to the case noted that by leveraging nudity and face filters, as well as image-face matching, they were able to find many general media events of the victim. They were also able to identify a handful of highly inappropriate images—some  were child-exploitative and a few that were Category 1 abuse.

The Outcome

The investigation, which eventually involved assistance from NCMEC, Homeland Security Investigations, the Glastonbury Police Department, and the Connecticut Center for Digital Investigations, led to the indictment of James Ripberger in December of 2017.

A press release dated December 21, 2017 from the Department of Justice, U.S. Attorney’s Office, District of Connecticut stated:

John H. Durham, United States Attorney for the District of Connecticut, today announced that a federal grand jury in Hartford returned an indictment yesterday charging JAMES RIPBERGER, 62, of Glastonbury, with one count of receipt of child pornography.

As alleged in court documents and statements made in court, on October 12, 2017, law enforcement officers conducted a search of RIPBERGER’s Glastonbury residence and seized computers and electronic storage devices.  Preliminary analysis of the seized items revealed more than 125 images and videos of child pornography.

If convicted of receipt of child pornography, RIPBERGER faces a mandatory minimum term of imprisonment of five years and a maximum term of imprisonment of 20 years.

Following his trail, James Ripberger was sentenced to 150 months (12 ½ years) in prison for receiving child pornography followed by 10 years of supervised release. A state case against him is still ongoing.

Lessons Learned

Lt. Davis’s department learned a number of valuable lessons during the investigation that may help police chiefs faced with similar challenges:

  • Tap External Resources: Reaching out through his service representatives provided Lt. Davis and his team the opportunity to partner with NCMEC and Cellebrite. This partnership provided the necessary technology and database resources that eventually led to the incriminating evidence on which the case against James Ripberger was built.

    Regardless of the size of your department, knowing how to tap into your local task force and who to contact at the beginning of an investigation for credible assistance is paramount. This is why awareness and education about available resources is so important.

  • It’s All About Efficiency: Solutions that can find child-exploitative materials immediately are critical. Investigators need the ability to quickly weed out files that are not relevant.

  • Keep Current: “It’s important for me to have technology that can find the evidence you want quickly in large data sets,” Lt. Davis said. “This was the first time we faced such a huge data base to sort through. As we do more child exploitation cases, we’re seeing bigger data sets. Users have larger hard drives. We have to keep up with our technology.”

Recommendations

Based on this case and similar investigations he’s been involved with over the years, Lt. Davis has the following recommendations for police chiefs:

  • Manage Workflow. Investigative teams need to come up with a solution to maximize their workflow so they don’t get bogged down in things that are unimportant to the case.

  • Don’t Forget Cell Phones: Digital forensics teams need to have a software suite that is capable of doing thorough examinations of cell phones. Seventy percent of the cases Lt. Davis’s team works on involve cell phones. The “2020 Annual Digital Intelligence Benchmark Report” shows an even higher percentage with 97% of cases involving smartphones as the main evidence source.

    Computers come next—investigators need the ability to analyze hard drives. Survey data shows that computers are a primary evidence source in 45% of cases.

  • Take Advantage of Data in the Cloud: Evidence stored in the Cloud is becoming more important. Benchmark Report data supports this claim with one in every two cases now requiring access to cloud-based data.

  • Invest in Training: Investigators and patrol officers need to understand the volumes of critical evidence that can be gleaned from cell phones, computers, and the Cloud. Educating investigative teams on how to gather and analyze digital evidence through proper training is critical, as is knowing which external resources, from both the public and private sector, can offer assistance. Training and education are key.

Conclusion

Digital evidence was critical in solving this case and supporting a strong sentence, but police chiefs need to consider the broader value that digital evidence can provide not just for solving fraud and child-exploitation cases, but for homicides, burglaries, robberies, narcotics investigations, and human trafficking cases.

As Lt. Davis  described, “Digital intelligence is going to lead the way now and in the future. I’m hopeful that law enforcement can better fund investigators who want to be trained in the digital investigative field.”

Investigators need better tools to sort, review, and analyze data that comes from many sources. Just as importantly, they need training to maximize the efficiencies digital technology can bring to departments to solve more cases faster.

It is critical that modern investigative teams have the ability to automatically merge large quantities of disparate mobile, cloud, computer, and telco data through artificial intelligence to identify patterns, reveal connections, and uncover leads with greater speed and accuracy.

The role that digital data plays in investigations is surging. Data shows it has grown 82% in three years. Police chiefs need to respond by improving their digital intelligence strategy.

The Glastonbury case shows how digital technology can maximize the efficiency of data collection and analysis to build a strong case. It also points to the importance of building partnerships between individual departments and the private sector that can open the door to a much broader set of resources.  

By investing today in technology and training, police chiefs can transform their agencies to deal with the criminal challenges of tomorrow and better protect the communities they serve.