ROD AMMON: Welcome to this edition of the IAAI’s CFITrainer.Net podcast. Before we begin, the fire investigation community around the world lost a great friend in the past month or so, Sandy Burnett. I knew Sandy for almost 20 years, and he was always there for me and the people that I work with, a great spirit with a huge mind, a caring soul, and a smile always while we were together. The man had no throttle when it came to giving to the fire investigation community. He donated unlimited time to doing the right thing to help those in need while never making you feel like you were asking too much. Thanks, Sandy. All of us will miss you.

Today, we’re looking at two topics on the technology and forensics cutting edge that are going to be explored in much greater detail at IAAI 2018 ITC. Today, we’re going to get a taste of those two topics and give you an opportunity to register for 2018 ITC. Our first topic preview is how internet-connected homes are affecting fire investigations. Here to talk with us about smart homes and the implications for the fire investigator is one of the presenters of this class at 2018 ITC, Michael Custer of Kilgore Engineering, Incorporated. Welcome to the podcast, Michael.

MICHAEL CUSTER: Thank you for having me.

ROD AMMON: So give us some examples of how homes and businesses and vehicles are becoming smart. What types of devices are we talking about, and what do they do?

MICHAEL CUSTER: Well, it’s very broad in terms of when you consider both vehicles, homes, businesses, but what we’re seeing in all of those is how communication is affecting them. In homes and residences, commercial structures, we’re seeing internet-connected devices that are being used to control lighting systems, heating systems, and even industrial processes. And then in smart cars, you’re also seeing the effects of sensors and communications, the ability to make decisions on their own.

ROD AMMON: There’s a lot of – boy, it seems like you can control almost anything from your phone now.

MICHAEL CUSTER: Yes, it seems that way.

ROD AMMON: So how are these devices creating challenges for fire investigators?

MICHAEL CUSTER: Well, in homes in particular and businesses, one of the concerns that we always had in fire investigation is making sure that we have all potential parties involved in the investigation, and a lot of times we’re able to do that by narrowing the focus of the investigation to a particular area, an area of origin. And when we do that, we use a number of techniques to get to that point, but after we get there, we’re able to say we have these different parties who have interest in this. It maybe installers or manufacturers or others who have equipment there or who have touched equipment there, and we can rule to that area, and we get them involved and we go through the process. But when you have these internet-connected devices, you now have the opportunity where decision logic or decisions are being made maybe at a different part of the facility or even on the cloud where algorithms, smart technology is making decisions based on sensor information and switches and actually could be triggering devices that are in your area of origin. So it may be a situation where we have to expand our focus and get more companies involved during the investigation than would typically be if you just had a system that was completely local.

ROD AMMON: So a lot of new potential ignition sources to examine.

MICHAEL CUSTER: Well, it could be some of the same ignition sources, but the control for those ignition sources may be remote. It may not be local, so for instance, if someone has a light that’s a traditional light, and if you were to come to the conclusion that because the light turned on, a loss occurred, if it’s a typical light, the only way the light turns on if someone flips the switch. But when everybody has internet-connected devices, now the light can come on because of a number of reasons. Maybe someone locally triggered the switch via a phone or maybe there’s a process that’s on a remote server that triggers the switch to turn it on. So you have to start to expand your thought process and take it beyond, well, it had to be something here local that controlled this or caused an event to occur.

ROD AMMON: So how do you deal with that when you’re coming up with sort of a framework for a new hypothesis?

MICHAEL CUSTER: Right. One of your concerns obviously, and this is why we wanted to have the class, is first to just educate people that there is a potential that this could exist. And then after you are in a scenario where you believe that this does exist where there could be an external control, then you’re going to have to halt your examination at that point and make a determination if it’s going to be important to have additional parties there. And that’s just going to be a group effort where you’re working with attorneys. You’re working with engineers, the fire investigators. Everyone is going to collectively decide who that party is and work through that process, much the same way we do when we have a physical item and we’re trying to determine who the manufacturer is.

ROD AMMON: Collectively rings a bell, so it makes me think about data collection and how that’s useful for the timeline and key events. Can you speak to that a little bit?

MICHAEL CUSTER: Oh absolutely, and that’s a great point, too. One of the benefits that we get from these systems is it’s very similar to an alarm system where an alarm system is remotely monitored, and we’re able to go and extract logs from either the alarm company or potentially the tenant or business owner who may have information even there locally on the system. And we can begin to grab, say, an alarm time, a reporting time, other information that comes from the system, so we’re able to collect data from those systems. Well, these internet-connected devices could give us that same opportunity where we now have additional information that we can gain about the events that occurred before a loss. If you assume it’s a fire, you could go back potentially working with the company who provides these cloud-based services and see when a switch came on or when it turned off or when a receptacle was energized or de-energized. And those are potential information sources that we didn’t have before.

ROD AMMON: Interesting. So I’m thinking that probably leads to some new legal challenges when you’re examining these devices and obtaining the data.

MICHAEL CUSTER: Oh yeah, absolutely. And I think it’s going to be a challenge because one of the issues obviously is going to be getting access to that information, and I don’t think that that really, at this point, has been fleshed out exactly how that’s going to take place. And then another issue that’s going to come up is that this data, even if you could gain access to the raw data, it may be proprietary or even encrypted, and so then there’s going to be another step of trying to get to data that you can actually use.

ROD AMMON: I’m imagining that you’ve already had several situations where this is – where you’ve been involved, and that’s part of why you’re doing this class. Can you give us a little bit of a tease about what the framework of the ITC class is going to be like, what people are going to walk away with?

MICHAEL CUSTER: I hope that they’re able to take away a respect for the complexity of these systems and an understanding that, if they find themselves in an investigation and they believe that, let’s say, an Internet of Things device is involved in their area of origin, that they need to step back and make some considerations before they move forward. As far as the class goes, I hope it’s exciting. We have a new presentation platform that we’re going to use that’s actually an Internet of Things device, so as we progress through our platform and give the presentation, there is actually a – it’s a cognitive service that listens to what we do during the presentation and actually directs the presentation. So slides will move forward. Videos will start. We have the ability for lights to come on and different things as we go through the presentation, and it’s all these internet-connected back-end sources that are listening to what we’re saying. And through the internet in real time, making decisions about what should happen next in the presentation. And the reason we’re doing that is really just to show the power of these services and why we’re going to see more and more of this as we move forward in both homes, industry, and commercial.

ROD AMMON: Sounds like a fun and experiential way to have a class, a real nice twist.

MICHAEL CUSTER: Well, I hope so. One of the issues is obviously ours is a four-hour session, so we want to be able to keep people’s attention, keep them interested in what’s happening, and hopefully give them some really good information along the way, and that’s just on the Internet of Things. We’re also going to talk about smart cars, electric cars, and renewable energy sources, too.

ROD AMMON: So as we wrap up, I had one thought. How do you keep up with change?

MICHAEL CUSTER: Well, one of the things that I do in addition to the forensic work is I also have a background in electronics and computer software, and so in the process of developing the idea for providing this presentation to IAAI, I’ve done a substantial amount of work on back-end systems for internet-connected devices, and in fact, have developed the presentation platform that we’re going to use. So I think one of the best ways to stay up with things is to agree to teach about it, and that really forces you to dive into it and to stay current with what’s happening with the technology.

ROD AMMON: That’s an excellent answer. I hadn’t thought about teaching to keep up with things, but it’s obviously common sense, and it’s pretty exciting that you’re going to be able to bring that kind of depth to ITC. You’re going to be doing the presentation also with Ron Kilgore.

MICHAEL CUSTER: Right. Ron Kilgore is going to be co-presenting this, and that’s exciting because Ron brings just a tremendous amount of experience in fire-related investigations. Kilgore Engineering has about 30 years of experience, and Ron’s been there the whole time, and is very respected in the industry. And I’m excited to have him come along and provide his insight for this class.

ROD AMMON: Well, it sounds like it’s going to be a real forward-looking session, and it sounds like an exciting atmosphere as well as you teach people to take on these new challenges stemming from technology. All right, we’ll look forward to seeing you at ITC 2018.

MICHAEL CUSTER: All right, well, thank you so much for the call and the opportunity just to discuss this.

ROD AMMON: Thanks very much.

MICHAEL CUSTER: All right, have a good day.

ROD AMMON: Now, let’s look a little more closely at the data-gathering aspect of those electronic and internet-connected devices. 2018 ITC offers a class on recovery data from fire-damaged electronics. Retired Special Agent Tully Kessler will be teaching that class. He was a member of ATF’s digital investigations branch for 15 years, and he’s a certified forensic computer examiner, specializing in data recovery from fire and explosion-damaged electronics. Mr. Kessler, welcome to the podcast, and I have to say thank you very much for taking the time after putting in a full day down there at ATF NCETR (The National Center for Explosives Training and Research)

TULLY KESSLER: Well, thank you, sir. I appreciate the opportunity to visit with you.

ROD AMMON: So I think sometimes – I’ve been around – we’ve been working with fire investigators for over a decade now, and I think a lot of times we get focused on physical evidence: burn patterns, fingerprints, tool marks. And sometimes maybe we don’t put enough weight on electronic evidence and how it’s growing to be more important every day. What type – why can this type of evidence be very fruitful for the fire investigation?

TULLY KESSLER: Well, there’s multiple ways it can be. One of the ways I got involved in this was working with the NRT and the ATF CFIs, and many times they would bring me the closed-circuit television DVRs that had been in a major business or whatever scene they were working, or maybe one from across the street, but mostly the burned up ones. And that’s how I kind of got started in the specialty field is recovering the video to be able to show them the progression of the fire or sometimes even who set the fire.

ROD AMMON: So what other types of evidence – what types of devices and data are we talking about?

TULLY KESSLER: For the class, I will be talking mainly about computer hard drives, the types of drives, but we will also get into cell phones and iPads and that type of data storage. The class is going to be more about how to talk to a digital examiner or a data-recovery company so that you’re both speaking the same language.

ROD AMMON: I think it’s an excellent point. I was chuckling to myself about the videos when you first started talking because we started out really as more of a video production facility, and I remember getting some of those videos and how horrible they would be. And not only would people say, clean them up, but they would ask you to zoom in at the same time.

TULLY KESSLER: We still get that.

ROD AMMON: I bet you do. So I want to get a little bit into that relationship with digital experts, but can you give some examples or maybe an example or two of some data that can be recovered that might surprise people?

TULLY KESSLER: Well, some of this is a little older case. I was asked to rebuild two different phones from fire scenes off of a homicide victim in the fire scene, and at that time, we didn’t have the chip-off technology and the ISP technology and everything they have now, and the only way to do it was to tear the phone apart, clean the circuitry up, do any repairs, if possible, and put it in a new body and start it up. That has come a long way since then, so I’ve done those types of cases. I have literally found—and it was after I retired—a case where we had video of the owner setting his own fire. I don’t think you can get much better than that.

ROD AMMON: Yeah, and I’m sure that will be an interesting case to discuss when people get to ITC. Let’s talk a little bit about that relationship with digital experts. What kind of things should people expect when they go to the class?

TULLY KESSLER: Well, what got me started thinking about this as an idea for a class was I would get cases from fire investigators where they had already paid, say, a data-recovery service or somebody else to recover video specifically from the CCTV DVRs. And they’d get something back from them, and it doesn’t play, and it was an issue of communication more than a lack of capability on the data-recovery company or possibly the examiner. It was they weren’t speaking the same language. They said, here’s a hard drive. Repair it, and give me all the videos off of it, and so the data-recovery company repaired the hard drive, did a head swap, and then, because you don’t know what you don’t know, they carved the hard drive for video files using headers and footers and got back a bunch of gobbledy-gook to the investigator. And the reason is, is the foreign-made and mainly the Chinese made DVRs don’t use regular video files like you do on Windows computers and off your iPhone and all of that. So you have to have a little more in-depth knowledge to be able to recover that data.

ROD AMMON: That’s an excellent point. So in other words, if somebody had a bunch of .movs on their phone or something else, but they went over to a DVR, it may not even look like a video file.

TULLY KESSLER: In fact, there are no files on the CCTV DVRs. There is on the foreign manufactured. There are some DVRs that use .mov files or whatever, but these foreign ones, the little single-box, fairly cheap ones, there’s no file structure in it.

ROD AMMON: Wow.

TULLY KESSLER: It’s a Linux operating system. Each company has their own engineers that create it, and it’s a database-type setup, and there’s no – there’s literally no files to be seen, and it’s – you’re reverse engineering the work they’ve done.

ROD AMMON: So the moral of the story there is if you don’t know what you’re asking for or how to ask for it, you may end up in trouble, so you’re going to be teaching some of that in the class.

TULLY KESSLER: Yes, and you’ve spent a lot of money and obtained nothing.

ROD AMMON: That would be painful, not to mention the evidence could be damaged.

TULLY KESSLER: Correct.

ROD AMMON: What else would you like to let people know about what they can learn when they take your class?

TULLY KESSLER: We’re going to visit about some of the frailties of the different types of storage medium and how to – especially for the CFIs, what they need to be storing their photos and videos that they take at scenes on so that they don’t have issues because that’s another job that I do frequently for different investigators is their card in their camera – all of a sudden, everything is gone, and they don’t have it backed up anywhere else or they’re storing all of their pictures on these little cards, and they’re not meant for permanent storage. So we’re going to talk about what people can do to long-term store safely their files.

ROD AMMON: I think it’s – what you’re discussing related to backup and how we deal with our own data or in the case of investigators, how they’re dealing with their data is an important issue because I think it’s sort of funny. All of us talk about how important it is to back up. I think most of us also need a good direction on how to actually do it and how to take into consideration not only getting a good backup on a regular basis, but my guess is the evidence chain that you need to maintain.

TULLY KESSLER: Yes, and talking about the evidence chain, that that’s another area that I’m going to talk about. There’s companies out there that do data recovery and can recover your files and stuff, and they’re very good at what they do, and some of them will say, and I’m not dogging any particular company here, but some of them – oh yeah, we can do it to meet court standards. Well, there’s some questions as an investigator that you need to ask them, and if you don’t know the right way to ask them, they may not actually meet the standards needed to get the files that they recover into court. And they may do some – they may cause enough issues that there’s spoliation problems, so we’re going to talk about that and how the investigator will know that, okay, these people know, they’re going to follow the procedures that’s going to keep this evidence good so that we can use it later if it gets to court. Also, going to talk about you’ve just recovered electronics in a fire scene. What’s the next step?

What – I get a lot of cases in where it’s been sitting on a shelf for a year, sometimes two, three years, and it was wet when they sealed it in that plastic bag. That causes major issues. Sometimes we get lucky. Sometimes we don’t. So we’re going to talk about how to package, how to store. If you have to ship it somewhere, what’s the best way to package and ship? I get things all kinds of ways. Slap three computers in a box, no packaging, no bubble wrap, no nothing, and box it up and ship it, and they’re surprised when it gets here and there’s nothing I can do with it because UPS beat the crap out of the box getting it to me.

ROD AMMON: I can imagine that can be very frustrating. It’s interesting; just the one or two things that you mentioned seem like enough reason to scare me to want to be there because I think so often I hear that there are a limited number of cases where you actually go to court, but when you do, if you’re not ready with that evidence and things aren’t all prepped and handled properly, a lot of work could go by the wayside.

TULLY KESSLER: Yes, and for some of us, we had to learn that the hard way a long time ago. For me, it seems any time I’ve ever taken a shortcut on a case of any kind, that’s the one that’s going to go to trial. And if you’re not willing to step up and say, yeah, I screwed up and this is what I did, then it’s not only just losing the case but possibly losing a career. So there’s no need to take those shortcuts. Yeah, it takes a little bit more time, but do it right the first time, and you don’t have to back up and try to fix it.

ROD AMMON: And best-case scenario, go to your class and go to other classes where you’re going to learn the proper way to handle your photography, handle your electronic data, and be able to recover it from scenes. Thanks very much for your time, Tully.

TULLY KESSLER: Hey, thank you.

ROD AMMON: We hope this quick look has given you just a few more reasons to register for IAAI 2018 ITC, which will take place May 20 through the 25th, 2018 in Frisco, Texas. Now is the time to register. You’ll have time to make your travel plans or get the department approvals you need. Visit iaaiitc.com for more details on the classes offered and register today. Again, that’s www.iaaiitc.com for more details. That concludes this podcast. Stay safe, and we’ll see you next time on CFITrainer.Net. For the IAAI and CFITtrainer.Net, I’m Rod Ammon.