The IAAI and CFITrainer.Net present these podcasts with a focus on issues relating to fire investigation. With expertise from around the world, the International Association of Arson Investigators produces these podcasts to bring more information and electronic media to fire investigators looking for training, education and general information about fire investigation. Topics include recent technologies, issues in the news, training opportunities, changes in laws and standards and any other topic that might be of interest to a fire investigator or industry professional affected by fire. Information is presented using a combination of original stories and interviews with scientists, leaders in fire investigation from the fire service and the law enforcement community.
ROD AMMON: Welcome to this edition of the IAAI’s CFITrainer.Net podcast. Before we begin, the fire investigation community around the world lost a great friend in the past month or so, Sandy Burnett. I knew Sandy for almost 20 years, and he was always there for me and the people that I work with, a great spirit with a huge mind, a caring soul, and a smile always while we were together. The man had no throttle when it came to giving to the fire investigation community. He donated unlimited time to doing the right thing to help those in need while never making you feel like you were asking too much. Thanks, Sandy. All of us will miss you.
Today, we’re looking at two topics on the technology and forensics cutting edge that are going to be explored in much greater detail at IAAI 2018 ITC. Today, we’re going to get a taste of those two topics and give you an opportunity to register for 2018 ITC. Our first topic preview is how internet-connected homes are affecting fire investigations. Here to talk with us about smart homes and the implications for the fire investigator is one of the presenters of this class at 2018 ITC, Michael Custer of Kilgore Engineering, Incorporated. Welcome to the podcast, Michael.
MICHAEL CUSTER: Thank you for having me.
ROD AMMON: So give us some examples of how homes and businesses and vehicles are becoming smart. What types of devices are we talking about, and what do they do?
MICHAEL CUSTER: Well, it’s very broad in terms of when you consider both vehicles, homes, businesses, but what we’re seeing in all of those is how communication is affecting them. In homes and residences, commercial structures, we’re seeing internet-connected devices that are being used to control lighting systems, heating systems, and even industrial processes. And then in smart cars, you’re also seeing the effects of sensors and communications, the ability to make decisions on their own.
ROD AMMON: There’s a lot of – boy, it seems like you can control almost anything from your phone now.
MICHAEL CUSTER: Yes, it seems that way.
ROD AMMON: So how are these devices creating challenges for fire investigators?
MICHAEL CUSTER: Well, in homes in particular and businesses, one of the concerns that we always had in fire investigation is making sure that we have all potential parties involved in the investigation, and a lot of times we’re able to do that by narrowing the focus of the investigation to a particular area, an area of origin. And when we do that, we use a number of techniques to get to that point, but after we get there, we’re able to say we have these different parties who have interest in this. It maybe installers or manufacturers or others who have equipment there or who have touched equipment there, and we can rule to that area, and we get them involved and we go through the process. But when you have these internet-connected devices, you now have the opportunity where decision logic or decisions are being made maybe at a different part of the facility or even on the cloud where algorithms, smart technology is making decisions based on sensor information and switches and actually could be triggering devices that are in your area of origin. So it may be a situation where we have to expand our focus and get more companies involved during the investigation than would typically be if you just had a system that was completely local.
ROD AMMON: So a lot of new potential ignition sources to examine.
MICHAEL CUSTER: Well, it could be some of the same ignition sources, but the control for those ignition sources may be remote. It may not be local, so for instance, if someone has a light that’s a traditional light, and if you were to come to the conclusion that because the light turned on, a loss occurred, if it’s a typical light, the only way the light turns on if someone flips the switch. But when everybody has internet-connected devices, now the light can come on because of a number of reasons. Maybe someone locally triggered the switch via a phone or maybe there’s a process that’s on a remote server that triggers the switch to turn it on. So you have to start to expand your thought process and take it beyond, well, it had to be something here local that controlled this or caused an event to occur.
ROD AMMON: So how do you deal with that when you’re coming up with sort of a framework for a new hypothesis?
MICHAEL CUSTER: Right. One of your concerns obviously, and this is why we wanted to have the class, is first to just educate people that there is a potential that this could exist. And then after you are in a scenario where you believe that this does exist where there could be an external control, then you’re going to have to halt your examination at that point and make a determination if it’s going to be important to have additional parties there. And that’s just going to be a group effort where you’re working with attorneys. You’re working with engineers, the fire investigators. Everyone is going to collectively decide who that party is and work through that process, much the same way we do when we have a physical item and we’re trying to determine who the manufacturer is.
ROD AMMON: Collectively rings a bell, so it makes me think about data collection and how that’s useful for the timeline and key events. Can you speak to that a little bit?
MICHAEL CUSTER: Oh absolutely, and that’s a great point, too. One of the benefits that we get from these systems is it’s very similar to an alarm system where an alarm system is remotely monitored, and we’re able to go and extract logs from either the alarm company or potentially the tenant or business owner who may have information even there locally on the system. And we can begin to grab, say, an alarm time, a reporting time, other information that comes from the system, so we’re able to collect data from those systems. Well, these internet-connected devices could give us that same opportunity where we now have additional information that we can gain about the events that occurred before a loss. If you assume it’s a fire, you could go back potentially working with the company who provides these cloud-based services and see when a switch came on or when it turned off or when a receptacle was energized or de-energized. And those are potential information sources that we didn’t have before.
ROD AMMON: Interesting. So I’m thinking that probably leads to some new legal challenges when you’re examining these devices and obtaining the data.
MICHAEL CUSTER: Oh yeah, absolutely. And I think it’s going to be a challenge because one of the issues obviously is going to be getting access to that information, and I don’t think that that really, at this point, has been fleshed out exactly how that’s going to take place. And then another issue that’s going to come up is that this data, even if you could gain access to the raw data, it may be proprietary or even encrypted, and so then there’s going to be another step of trying to get to data that you can actually use.
ROD AMMON: I’m imagining that you’ve already had several situations where this is – where you’ve been involved, and that’s part of why you’re doing this class. Can you give us a little bit of a tease about what the framework of the ITC class is going to be like, what people are going to walk away with?
MICHAEL CUSTER: I hope that they’re able to take away a respect for the complexity of these systems and an understanding that, if they find themselves in an investigation and they believe that, let’s say, an Internet of Things device is involved in their area of origin, that they need to step back and make some considerations before they move forward. As far as the class goes, I hope it’s exciting. We have a new presentation platform that we’re going to use that’s actually an Internet of Things device, so as we progress through our platform and give the presentation, there is actually a – it’s a cognitive service that listens to what we do during the presentation and actually directs the presentation. So slides will move forward. Videos will start. We have the ability for lights to come on and different things as we go through the presentation, and it’s all these internet-connected back-end sources that are listening to what we’re saying. And through the internet in real time, making decisions about what should happen next in the presentation. And the reason we’re doing that is really just to show the power of these services and why we’re going to see more and more of this as we move forward in both homes, industry, and commercial.
ROD AMMON: Sounds like a fun and experiential way to have a class, a real nice twist.
MICHAEL CUSTER: Well, I hope so. One of the issues is obviously ours is a four-hour session, so we want to be able to keep people’s attention, keep them interested in what’s happening, and hopefully give them some really good information along the way, and that’s just on the Internet of Things. We’re also going to talk about smart cars, electric cars, and renewable energy sources, too.
ROD AMMON: So as we wrap up, I had one thought. How do you keep up with change?
MICHAEL CUSTER: Well, one of the things that I do in addition to the forensic work is I also have a background in electronics and computer software, and so in the process of developing the idea for providing this presentation to IAAI, I’ve done a substantial amount of work on back-end systems for internet-connected devices, and in fact, have developed the presentation platform that we’re going to use. So I think one of the best ways to stay up with things is to agree to teach about it, and that really forces you to dive into it and to stay current with what’s happening with the technology.
ROD AMMON: That’s an excellent answer. I hadn’t thought about teaching to keep up with things, but it’s obviously common sense, and it’s pretty exciting that you’re going to be able to bring that kind of depth to ITC. You’re going to be doing the presentation also with Ron Kilgore.
MICHAEL CUSTER: Right. Ron Kilgore is going to be co-presenting this, and that’s exciting because Ron brings just a tremendous amount of experience in fire-related investigations. Kilgore Engineering has about 30 years of experience, and Ron’s been there the whole time, and is very respected in the industry. And I’m excited to have him come along and provide his insight for this class.
ROD AMMON: Well, it sounds like it’s going to be a real forward-looking session, and it sounds like an exciting atmosphere as well as you teach people to take on these new challenges stemming from technology. All right, we’ll look forward to seeing you at ITC 2018.
MICHAEL CUSTER: All right, well, thank you so much for the call and the opportunity just to discuss this.
ROD AMMON: Thanks very much.
MICHAEL CUSTER: All right, have a good day.
ROD AMMON: Now, let’s look a little more closely at the data-gathering aspect of those electronic and internet-connected devices. 2018 ITC offers a class on recovery data from fire-damaged electronics. Retired Special Agent Tully Kessler will be teaching that class. He was a member of ATF’s digital investigations branch for 15 years, and he’s a certified forensic computer examiner, specializing in data recovery from fire and explosion-damaged electronics. Mr. Kessler, welcome to the podcast, and I have to say thank you very much for taking the time after putting in a full day down there at ATF NCETR (The National Center for Explosives Training and Research)
TULLY KESSLER: Well, thank you, sir. I appreciate the opportunity to visit with you.
ROD AMMON: So I think sometimes – I’ve been around – we’ve been working with fire investigators for over a decade now, and I think a lot of times we get focused on physical evidence: burn patterns, fingerprints, tool marks. And sometimes maybe we don’t put enough weight on electronic evidence and how it’s growing to be more important every day. What type – why can this type of evidence be very fruitful for the fire investigation?
TULLY KESSLER: Well, there’s multiple ways it can be. One of the ways I got involved in this was working with the NRT and the ATF CFIs, and many times they would bring me the closed-circuit television DVRs that had been in a major business or whatever scene they were working, or maybe one from across the street, but mostly the burned up ones. And that’s how I kind of got started in the specialty field is recovering the video to be able to show them the progression of the fire or sometimes even who set the fire.
ROD AMMON: So what other types of evidence – what types of devices and data are we talking about?
TULLY KESSLER: For the class, I will be talking mainly about computer hard drives, the types of drives, but we will also get into cell phones and iPads and that type of data storage. The class is going to be more about how to talk to a digital examiner or a data-recovery company so that you’re both speaking the same language.
ROD AMMON: I think it’s an excellent point. I was chuckling to myself about the videos when you first started talking because we started out really as more of a video production facility, and I remember getting some of those videos and how horrible they would be. And not only would people say, clean them up, but they would ask you to zoom in at the same time.
TULLY KESSLER: We still get that.
ROD AMMON: I bet you do. So I want to get a little bit into that relationship with digital experts, but can you give some examples or maybe an example or two of some data that can be recovered that might surprise people?
TULLY KESSLER: Well, some of this is a little older case. I was asked to rebuild two different phones from fire scenes off of a homicide victim in the fire scene, and at that time, we didn’t have the chip-off technology and the ISP technology and everything they have now, and the only way to do it was to tear the phone apart, clean the circuitry up, do any repairs, if possible, and put it in a new body and start it up. That has come a long way since then, so I’ve done those types of cases. I have literally found—and it was after I retired—a case where we had video of the owner setting his own fire. I don’t think you can get much better than that.
ROD AMMON: Yeah, and I’m sure that will be an interesting case to discuss when people get to ITC. Let’s talk a little bit about that relationship with digital experts. What kind of things should people expect when they go to the class?
TULLY KESSLER: Well, what got me started thinking about this as an idea for a class was I would get cases from fire investigators where they had already paid, say, a data-recovery service or somebody else to recover video specifically from the CCTV DVRs. And they’d get something back from them, and it doesn’t play, and it was an issue of communication more than a lack of capability on the data-recovery company or possibly the examiner. It was they weren’t speaking the same language. They said, here’s a hard drive. Repair it, and give me all the videos off of it, and so the data-recovery company repaired the hard drive, did a head swap, and then, because you don’t know what you don’t know, they carved the hard drive for video files using headers and footers and got back a bunch of gobbledy-gook to the investigator. And the reason is, is the foreign-made and mainly the Chinese made DVRs don’t use regular video files like you do on Windows computers and off your iPhone and all of that. So you have to have a little more in-depth knowledge to be able to recover that data.
ROD AMMON: That’s an excellent point. So in other words, if somebody had a bunch of .movs on their phone or something else, but they went over to a DVR, it may not even look like a video file.
TULLY KESSLER: In fact, there are no files on the CCTV DVRs. There is on the foreign manufactured. There are some DVRs that use .mov files or whatever, but these foreign ones, the little single-box, fairly cheap ones, there’s no file structure in it.
ROD AMMON: Wow.
TULLY KESSLER: It’s a Linux operating system. Each company has their own engineers that create it, and it’s a database-type setup, and there’s no – there’s literally no files to be seen, and it’s – you’re reverse engineering the work they’ve done.
ROD AMMON: So the moral of the story there is if you don’t know what you’re asking for or how to ask for it, you may end up in trouble, so you’re going to be teaching some of that in the class.
TULLY KESSLER: Yes, and you’ve spent a lot of money and obtained nothing.
ROD AMMON: That would be painful, not to mention the evidence could be damaged.
TULLY KESSLER: Correct.
ROD AMMON: What else would you like to let people know about what they can learn when they take your class?
TULLY KESSLER: We’re going to visit about some of the frailties of the different types of storage medium and how to – especially for the CFIs, what they need to be storing their photos and videos that they take at scenes on so that they don’t have issues because that’s another job that I do frequently for different investigators is their card in their camera – all of a sudden, everything is gone, and they don’t have it backed up anywhere else or they’re storing all of their pictures on these little cards, and they’re not meant for permanent storage. So we’re going to talk about what people can do to long-term store safely their files.
ROD AMMON: I think it’s – what you’re discussing related to backup and how we deal with our own data or in the case of investigators, how they’re dealing with their data is an important issue because I think it’s sort of funny. All of us talk about how important it is to back up. I think most of us also need a good direction on how to actually do it and how to take into consideration not only getting a good backup on a regular basis, but my guess is the evidence chain that you need to maintain.
TULLY KESSLER: Yes, and talking about the evidence chain, that that’s another area that I’m going to talk about. There’s companies out there that do data recovery and can recover your files and stuff, and they’re very good at what they do, and some of them will say, and I’m not dogging any particular company here, but some of them – oh yeah, we can do it to meet court standards. Well, there’s some questions as an investigator that you need to ask them, and if you don’t know the right way to ask them, they may not actually meet the standards needed to get the files that they recover into court. And they may do some – they may cause enough issues that there’s spoliation problems, so we’re going to talk about that and how the investigator will know that, okay, these people know, they’re going to follow the procedures that’s going to keep this evidence good so that we can use it later if it gets to court. Also, going to talk about you’ve just recovered electronics in a fire scene. What’s the next step?
What – I get a lot of cases in where it’s been sitting on a shelf for a year, sometimes two, three years, and it was wet when they sealed it in that plastic bag. That causes major issues. Sometimes we get lucky. Sometimes we don’t. So we’re going to talk about how to package, how to store. If you have to ship it somewhere, what’s the best way to package and ship? I get things all kinds of ways. Slap three computers in a box, no packaging, no bubble wrap, no nothing, and box it up and ship it, and they’re surprised when it gets here and there’s nothing I can do with it because UPS beat the crap out of the box getting it to me.
ROD AMMON: I can imagine that can be very frustrating. It’s interesting; just the one or two things that you mentioned seem like enough reason to scare me to want to be there because I think so often I hear that there are a limited number of cases where you actually go to court, but when you do, if you’re not ready with that evidence and things aren’t all prepped and handled properly, a lot of work could go by the wayside.
TULLY KESSLER: Yes, and for some of us, we had to learn that the hard way a long time ago. For me, it seems any time I’ve ever taken a shortcut on a case of any kind, that’s the one that’s going to go to trial. And if you’re not willing to step up and say, yeah, I screwed up and this is what I did, then it’s not only just losing the case but possibly losing a career. So there’s no need to take those shortcuts. Yeah, it takes a little bit more time, but do it right the first time, and you don’t have to back up and try to fix it.
ROD AMMON: And best-case scenario, go to your class and go to other classes where you’re going to learn the proper way to handle your photography, handle your electronic data, and be able to recover it from scenes. Thanks very much for your time, Tully.
TULLY KESSLER: Hey, thank you.
ROD AMMON: We hope this quick look has given you just a few more reasons to register for IAAI 2018 ITC, which will take place May 20 through the 25th, 2018 in Frisco, Texas. Now is the time to register. You’ll have time to make your travel plans or get the department approvals you need. Visit iaaiitc.com for more details on the classes offered and register today. Again, that’s www.iaaiitc.com for more details. That concludes this podcast. Stay safe, and we’ll see you next time on CFITrainer.Net. For the IAAI and CFITtrainer.Net, I’m Rod Ammon.
This program provides a primer on accreditation, certification, and certificates for fire investigation training.
A fire occurred on the night of Feb. 20, 2003, in The Station nightclub at 211 Cowesett Avenue, West Warwick, Rhode Island.
Arc Mapping, or Arc Fault Circuit Analysis, uses the electrical system to help reconstruct a scene, providing investigators with a means of determining the area of a fire’s origin.
This module introduces basic electrical concepts, including: terminology, atomic theory and electricity, Ohm’s Law, Joule’s Law, AC and DC power.
A fire occurred on the evening of June 18, 2007, in the Sofa Super Store in Charleston, SC that resulted in the deaths of nine fire fighters.
This module looks at the many ways fire investigators enter and grow in the profession through academia, the fire service, law enforcement, insurance, and engineering.
This module will present a description of the IAAI organization.
This module takes a closer look at four of the most commonly-reported accidental fire causes according to "NFPA Fact Sheet.
This program brings three highly experienced fire investigators and an attorney with experience as a prosecutor and civil litigator together for a round table discussion.
One of the legal proceedings that may require the fire investigator to testify is a deposition. Depositions are often related to civil proceedings, but more and more jurisdictions are using them in criminal cases.
Deposing attorneys employ a variety of tactics to learn about the expert witness giving testimony, to try to unsettle that witness to see how he/she handles such pressure, and to probe for weaknesses to exploit.
The program discusses the basics of digital photography for fire investigators as well as software and editing procedures for digital images intended as evidence.
This self-paced program is an introduction to discovery in civil proceedings such as fire loss claims and product defect lawsuits.
This self-paced program is an introduction to discovery in criminal proceedings.
This module covers the foundation of DNA evidence: defining, recognizing, collecting, and testing.
This program provides a practical overview of how to perform the baseline documentation tasks that occur at every scene.
This module will discuss the techniques and strategies for conducting a proper science-based fire scene investigation and effectively presenting an investigator’s findings in court as an expert witness.
This program explains the basic principles of how electric and hybrid vehicles are designed and work, including major systems and typical components.
This program presents critical safety information for how to interact with electric and hybrid vehicles.
This module presents critical electrical safety practices that every fire investigator should implement at every scene, every time.
In this program, we will look at emerging technologies that fire investigators are integrating into their daily investigative work with great success.
This self-paced program examines the fire investigator's ethical duties beyond the fire scene.
As social media has emerged as a powerful force in interpersonal communications, fire investigators are being confronted with new questions...
Should you work for a private lab as a consultant if you are on an Arson Task Force? How about accepting discounts from the local hardware store as a “thanks” for a job well done on a fire they had last year?
This module takes investigators into the forensic laboratory and shows them what happens to the different types of fire scene evidence that are typically submitted for testing.
This module teaches the foundational knowledge of explosion dynamics, which is a necessary precursor to investigating an explosion scene.
This module addresses the foundations of fire chemistry and places it within the context of fire scene investigations.
The program is designed to introduce a new Palm/Pocket PC application called CFI Calculator to users and provide examples of how it can be used by fire investigators in the field.
This module examines these concepts to help all professionals tasked with determining fire origin and cause better understand fire flow dynamics so they can apply that knowledge to both to fire investigation and to fire attack.
This module provides a road map for fire officers to integrate and navigate their fire investigation duty with all their other responsibilities and describes where to obtain specific training in fire investigation.
The evaluation of hazards and the assessment of the relative risks associated with the investigation of fires and explosions are critical factors in the management of any investigation.
This module will describe the most commonly encountered fire protection systems.
This module presents best practices in preparing for and conducting the informational interview with witnesses in the fire investigation case.
This module provides instruction on the fundamentals of residential building construction with an eye toward how building construction affects fire development.
This module provides introductory information on the Hazardous Waste Operations and Emergency Response (HAZWOPER) standard – 29 CFR 1910.120.
This module teaches first responders, including fire, police and EMS, how to make critical observations.
The program examines the importance of assessing the impact of ventilation on a fire.
This program discusses how to access insurance information, understand insurance documents, ask key questions of witnesses, and apply the information learned.
This module offers a basic introduction about how some selected major appliances operate.
This program introduces the fire investigator to the issues related to the collection, handling and use of evidence related to a fire investigation.
This program takes you inside the National Institute of Standards and Technology (NIST) archives of some of the most interesting and instructive test burns and fire model simulations they have ever conducted.
The program provides foundational background on the scope of the youth-set fire problem, the importance of rigorous fire investigation in addressing this problem, and the role of key agencies in the response to a youth-set fire.
This module provides a thorough understanding of the ways an investigation changes when a fire-related death occurs.
This self-paced program will help you understand what to expect at a fire where an LODD has occurred, what your role is, how to interact with others, and how to handle special circumstances at the scene.
This program will introduce the fire investigator to the basic methodologies use to investigate vehicle fires.
This module presents the role natural gas can play in fire ignition, fuel load, and spread; the elements of investigating a fire in a residence where natural gas is present; and the potential role the gas utility or the municipality can play an investigation.
This self-paced program covers fundamental legal aspects of investigating youth-set fires, including the juvenile justice system, legalities of interviews and interrogations, arson statutes, search and seizure, and confidentiality.
This program explains what lithium-ion batteries are, how they are constructed, where they are used, safety concerns, and how they can cause fires and explosions.
This program discusses the latest developments in expert testimony under the Daubert standard, including the MagneTek case recently decided in the United States Circuit Court of Appeals.
This module focuses on how to manage investigations that have “complicating” factors.
This module uses the Motive, Means, and Opportunity case study to demonstrate how responsibility is determined in an arson case.
This program covers the general anatomy of a motor vehicle and a description of typical components of the engine, electrical, ignition, and fuel systems.
This self-paced program is the second part of a two-part basic introduction to motor vehicle systems. This program describes the function and major components of the transmission, exhaust, brake, and accessory systems.
This module educates the investigator about NFPA 1033’s importance, its requirements, and how those requirements impact the fire investigator’s professional development.
This module reviews the major changes included in the documents including the use of color photos in NFPA 921 and additional material that supports the expanded required knowledge list in NFPA 1033 Section 1.3.7.
The program illustrates for the fire investigator, how non-traditional fire scene evidence can be helpful during an investigation.
This module introduces the postflashover topic, describes ventilation-controlled fire flow, illustrates how the damage left by a postflashover can be significantly different than if that fire was extinguished preflashover.
This module demonstrates the investigative potential of information stored on electronic devices.
This module explains the relationship between NFPA 1033 and NFPA 921
This module lays the groundwork for understanding marine fires by covering four basic concepts that the investigator must understand before investigating a marine fire.
In this module, you will learn more about how cancer develops, what occupational exposure risks to carcinogens exist at fire scenes, and how to better protect yourself against those exposures.
The use of the process of elimination in the determination of a fire cause is a topic that has generated significant discussion and controversy in the fire investigation profession.
This module teaches the basics of the electrical power generation, distribution, and transmission system.
This module presents the basics of natural gas and its uses and system components in a residence.
The basics of the scientific method are deceptively simple: observe, hypothesize, test, and conclude.
This module explains the principles of search and seizure under the Fourth Amendment, as contained in the amendment and according to subsequent case law, and applies them to typical fire scene scenarios.
This module addresses the foundations of thermometry, including the definition of temperature, the scales used to measure temperature and much more.
This program presents the results of flame experiments conducted with a candle.
This self-paced program explains to non-investigators the role of the fire investigator, what the fire investigator does, how the fire investigator is trained, what qualifications the fire investigator must meet.
This module will untangle the meanings of "undetermined," straighten out how to use the term correctly, talk about how not to use it, and describe how to properly report fires where "undetermined" is the cause or classification.
This module will advise fire investigators on how to approach the fact-finding procedures necessary and validate a hypothesis.
This module provides an overview on how structures can become vacant and eventually abandoned.
This self-paced program provides a basic framework for structuring the management of fire cases and fire investigators.
This module illustrates how wildland fires spread, explains how to interpret burn patterns unique to these types of fires.
This module presents the key elements of the initial origin and cause report and methods of clearly presenting findings in a professional manner.