Published by the Drug Enforcement Administration Office of Forensic Sciences Washington, D.C. 20537 The U. S. Attorney General has determined that the publication of this periodical is necessary in the transaction of the public business required by the Department of Justice. Information, instructions, and disclaimers are published in the January issues.
- INTELLIGENCE ALERT - COCAINE BRICKS SEALED IN A POLYMERIC COATING
The DEA South Central Laboratory (Dallas, Texas) recently received a submission of six bricks containing a compressed white powder, some with mushy, discolored regions, suspected cocaine. The exhibits had been secreted in the battery of a 2004 Nissan Maxima, and were seized by the U.S. Customs at the Brownsville, Texas Port of Entry. Each brick was about half the size of a typical kilogram brick of cocaine, and was imperfectly sealed in a polymeric coating (see Photo 1). The coating was very hard and had to be removed using a hammer and chisel; when broken, it shattered like glass. Underneath the polymeric coating was a rubber-like wrap, followed by black tape, plastic, and finally carbon paper. Some of the bricks had regions that were discolored and mushy, apparently as the result of leakage of battery acid through the various layers. A piece of moistened pH paper confirmed that highly acidic fumes were being emitted by the contaminated regions. Analysis of the powder (total net mass 3,061 grams) by color tests, FTIR, GC/MS, GC/IRD, and HPLC confirmed 84 percent cocaine hydrochloride. It is unknown whether this type of packaging has been previously encountered at the South Central Laboratory.
- - - - - - - - - - -
INTELLIGENCE ALERT - The DEA Northeast Laboratory (New York, New York) recently received a set of hammock ropes containing internal plastic sleeves which contained a brown powder, suspected heroin. The ropes (origin not reported) were submitted by the Homeland Security (Immigration and Customs Enforcement) JFK Airport Office, after being seized from the unclaimed shipments warehouse at the airport. The ropes were about ¼ inch in diameter, and consisted of a cloth tube enclosing a plastic sleeve (see Photos 2 - 5). Analysis of the powder (total net mass 577.2 grams) by GC/FID, GC/MS and FTIR confirmed 62 percent heroin hydrochloride. The Northeast Laboratory has previously encountered similar false hammock ropes as a heroin concealment technique.
- - - - - - - - - - -
INTELLIGENCE ALERT - SUITCASE FRAMES CONTAINING HEROIN FROM AMSTERDAM
The DEA North Central Laboratory (Chicago, Illinois) recently received two exhibits consisting of black metal and plastic suitcase frame "bars" containing a tan powder, suspected heroin (see Photo 6; note that the apparent white color of the powder in the frame parts is due to the camera flash - the powder is actually tan in color; see the residual powder on the tabletop for the true color. The long black sections are approximately 2 feet in length). The original suitcases (two) were checked luggage on a flight from Amsterdam (The Netherlands) to the Minneapolis/St. Paul Airport, and were seized by U.S. Customs and Border Protection Inspectors at the airport. Some of the powder was held within the bars with tissue and tape plugs, while other bars contained bundles of powder wrapped in tan tape (that is, the tape was wrapped directly around the powder). Analysis of the powder (total net mass 1,535 grams) by FTIR, GC/FID, and GC/MS confirmed 68 percent heroin hydrochloride with small quantities of acetaminophen, caffeine, and chloroquine.
- - - - - - - - - - -
INTELLIGENCE ALERT -
The Forensic Services Division of the Contra Costa County Office of the Sheriff Coroner (Martinez, California) recently received a small dropper bottle commercially labelled as containing a "sour liquid candy" product, suspected to actually be a solution of LSD (photo not available). The exhibit was seized by the Walnut Creek Police Department from a dealer in Walnut Creek (located about 15 miles east-northeast of Oakland). The dropper bottle was approximately 6 x 2 x 1 centimeters in size, and contained 2.4 milliliters of a green colored, flammable liquid that fluoresced under long wave UV light. Color testing with para-dimethylaminobenzaldehyde and GC/MS of a chloroform extract confirmed LSD (not quantitated). The flammable liquid was not identified. This is believed to be the first submission of a liquid LSD solution to the laboratory.
- - - - - - - - - - -
INTELLIGENCE ALERT - HEROIN SATURATED IN CARDBOARD FLOWER BOXES
On July 13, 2004, officers from the Clifton Police Department arrested two Colombian males and seized 10 kilograms of suspected South American heroin and $86,000. The officers were on routine patrol when they observed two males acting suspiciously in the rear lot of a video store. When the officers approached the suspects, they observed boxes of flowers and an open compartment in the floor of a hatchback vehicle by which the two men were standing. The officers also observed an opaque plastic bag inside the compartment; however, both suspects denied ownership. The officers requested that a drug detection canine be brought to the scene. The canine alerted to the bag. The bag contained 2 kilograms of a powdered substance that field tested positive for heroin. Officers subsequently obtained a search warrant for the residence of one of the suspects, where they discovered an additional 8 kilograms of heroin and $86,000.
During the search, officers obtained evidence to indicate that the suspect arranged to have cardboard boxes containing fresh flowers soaked in a liquid heroin solution shipped from an unidentified source in Ecuador to the John F. Kennedy International Airport in New York. The suspect retrieved the boxes at the airport and took them to his residence, where he extracted the heroin from the boxes. Both suspects were arrested and charged with possession of heroin and possession of heroin with intent to distribute. The suspect who occupied the residence where the search was conducted also was charged with maintaining a narcotics manufacturing facility. NDIC Comment: Traffickers sometimes saturate clothing or other items
with liquid heroin. Heroin is dissolved in a liquid, and clothing or
other items are then soaked in the liquid to absorb the heroin. After
the clothing or other items dry, they are transported to the United
States. Once in the United States, the clothing or other items are
again soaked in liquid, and the heroin is extracted from the liquid
through a drying process. - - - - - - - - - - - INTELLIGENCE ALERT - OVER 22,000 OPIUM POPPY PLANTS SEIZED NEAR PELLA, IOWA On July 13, 2004, the Marion County Sheriff's Office, Mid Iowa Narcotics Enforcement Task Force, and Iowa Division of Narcotics Enforcement seized approximately 22,700 opium poppy plants growing in a rural area 2 miles south of Pella. A 70 year old male as well as 39 and 52 year old females, all members of a local Hmong family, were arrested and charged with conspiracy to manufacture a Schedule I controlled substance for cultivating the opium. (The Hmong are a tribe from mountainous regions in Laos.) The opium poppies, growing between rows of vegetables, were 24 to 30 inches high with bulbs ranging from 1½ to 2 inches in diameter. Many of the bulbs had been scored with three to four cuts per bulb to let the opium seep out for subsequent collection. None of the defendants had prior drug arrests; however, they did admit that they knew that growing opium poppies was illegal. They stated that they were growing the opium poppies for medicinal purposes. NDIC Comment: Opium poppies typically are not grown in the United
States. Most opium poppies are cultivated in four foreign source areas:
Mexico, South America, Southeast Asia and Southwest Asia. The last
significant opium poppy seizure in the United States occurred in June
2003 in the Sierra National Forest in California. This seizure is the
first of its kind encountered in the Pella Marion County area, according
to the Marion County Sheriff's Office.
- - - - - - - - - - -
INTELLIGENCE ALERT - COCAINE IN AN AUTOMOBILE BATTERY IN HILL COUNTY, MONTANA
[From the NDIC Narcotics Digest Weekly 2004;3(32):3]
On July 17, 2004, a Montana Highway Patrol (MHP) trooper arrested a 46 year old male and seized 7.2 pounds of powdered cocaine from a vehicle traveling east on U.S. Highway 2 in Hill County. The trooper initially had stopped the vehicle for speeding. The driver produced a California driver's license and a vehicle registration showing that he owned the vehicle; however, since the driver spoke little English, the trooper requested the assistance of a U.S. Border Patrol (USBP) agent to serve as an interpreter. Through the USBP interpreter, the driver advised that he was traveling from California to Chicago. The driver posted bond at the scene for speeding and was released. However, [due to the use of an unusual procedure to start the vehicle,] the MHP trooper and USBP agents became suspicious and requested and received consent to search the vehicle. The search revealed a false battery with vent caps that were [modified]. A USBP agent [investigated] and recovered a white powder that field tested positive for cocaine. The Tri County Drug Task Force was notified and responded to the scene. The vehicle was impounded, and a continued search revealed that the battery case contained 7.2 pounds of cocaine and a small motorcycle battery that allowed the electrical system to function but was not powerful enough to start the vehicle. The suspect was charged with possession of a controlled substance.
NDIC Comment: Law enforcement officials in the Northwest and Midwest increasingly report the use of modified vehicle batteries to conceal illicit drugs. In November 2003 Ada County (ID) Metro Narcotics Unit authorities seized 4 pounds of methamphetamine, 0.25 pound of cocaine, and $20,000 concealed inside a modified 12 volt automobile battery.
In December 2003 Utah Highway Patrol troopers in Beaver County seized 10.5 pounds of methamphetamine, 3 pounds of which were concealed in a modified 12 volt automobile battery. - - - - - - - - - - - INTELLIGENCE ALERT - 19,000 OPIUM POPPY PLANTS SEIZED IN SAN MARTIN, CALIFORNIA On July 22, 2004 the DEA San Jose Resident Office and the Santa Clara County Sheriff’s Office seized and destroyed approximately 19,000 opium poppy plants growing near San Martin. The poppy plants were growing among other flowers on 11 acres close to U.S. Highway 101. A local florist rented the land to grow a variety of flowers, including the poppies, for his business. The florist allegedly did not know that growing opium poppies was illegal, and sold them from his flower shop in bouquets of 7 to 10 flowers. Law enforcement officials found no evidence that the poppies were being grown for illicit purposes, as there were no attempts to conceal the plants as well as no evidence that the plants had been scored. The investigation revealed that other florists in the area - also allegedly unaware that growing opium poppies was illegal - have been growing opium poppies as well. As a result of this incident, a local florists’ association was planning to send information to area florists advising them that growing opium poppies is illegal. - - - - - - - - - - Additional Information: The DEA Western Laboratory (San Francisco, California) assisted law enforcement officers from the DEA San Jose RO, the DEA San Francisco Division, and the Santa Clara County Sheriff's Office, in the seizure of the opium poppy plantation in San Martin, California. The plantation was reported by an individual who had served in the military in Afghanistan, and recognized the plants as being the same type of poppies that he observed during his service there. 
The plants were found at various stages of development and growing in five separate plots of land, interspersed among other fields of ornamental plants and flowers (see Photo 7). All plants were uprooted and destroyed except for a small sample that was submitted to the laboratory for evidentiary purposes. Analysis by TLC and GC/MS confirmed morphine and codeine (quantitation not reported).
- INTELLIGENCE ALERT - COCAINE CONCEALED IN BAND EQUIPMENT IN WEST DES MOINES, IOWA
On July 27, 2004, the Dallas County Sheriff's Office arrested a 30 year old male and seized 175 pounds of cocaine from a minivan during a routine traffic stop on Interstate 80 in West Des Moines. Dallas County Sheriff's deputies initially stopped the vehicle because [of a violation]. During routine questioning, the driver indicated that he had rented the vehicle in Las Vegas and was transporting band equipment to Chicago. The minivan contained six large speakers, a drum set, two guitars, and two amplifiers. Officers became suspicious of the driver because [of certain issues with the band equipment]. Officers then called for a drug detection canine. Officers employed the canine to inspect the exterior of the van with negative results. Officers then requested and received consent to search the vehicle. During their search, officers noticed [some suspect marks on the speakers]. They subsequently removed the speaker fronts and found 55 packages of cocaine totaling 80 kilograms. Twenty five of the packages weighed 2 kilograms each, and 30 packages weighed 1 kilogram each. The packages were not stamped or marked but were uniquely concealed in several layers of plastic wrap, inner tube material, plastic, latex, additional plastic, electrical tape, fabric softener, and possibly grease. The thoroughness of packaging and concealment by using multiple layers of various materials indicates that the transportation group responsible for the shipment is experienced in drug concealment methods. The driver was arrested and charged with possession with intent to distribute cocaine and violating the Iowa drug tax stamp law.
NDIC Comment: Interstate 80 is part of a primary drug transportation corridor that begins on I-15 in California and connects with I-80 in Salt Lake City. Interstate 80 intersects with I-25 in Des Moines, providing access to Minneapolis St.
Paul, and then continues through Chicago, providing access to Detroit via I-94 and I-75. EPIC Operation Pipeline data from 2002 and 2003 indicate that most cocaine seizures along I-80 in Iowa involved eastbound vehicles en route from southwestern states destined primarily for Chicago or Detroit. According to the Dallas County Sheriff's Office, this is one of the largest cocaine seizures in state history. - - - - - - - - - - - INTELLIGENCE ALERT -
The DEA Mid Atlantic Laboratory (Largo, Maryland) recently received 407,545 green tablets inscribed with a Volkswagen logo on one side and a score mark on the other, suspected MDMA (see Photos 8 and 9). The exhibit was seized in Amsterdam (The Netherlands) from a Venezuelan known to import Ecstasy tablets into the United States through Miami and Washington, DC. The tablets were round, approximately 7 mm in diameter and 3 mm in thickness, and weighed 131 milligrams each (total net mass approximately 53 kilograms). Color testing by the Marquis gave a black color; and further analysis by FTIR, GC, and GC/MS confirmed 52 milligrams MDMA/tablet. This was one of the largest seizures of MDMA tablets that the Mid Atlantic Laboratory has ever seen (however, Volkswagen logo tablets have been previously submitted).
- - - - - - - - - - - INTELLIGENCE BRIEF - "BLACK ROCK" (POSSIBLE "LOVE STONE") IN CHEYENNE, WYOMING
The Wyoming
State Crime Laboratory (Cheyenne, Wyoming) recently received
a small amount of a dark unknown substance (total
net mass 0.37 grams), alleged "Black Rock" from Taiwan
(see Photo 10). The material was packaged in a small plastic ear
plug bag, and came with printed instructions for using it as a
sexual aid (by topical application to male genitalia). The exhibit
was seized by the Cheyenne Police Department from a suspect during
a DWUI arrest. In bulk, the sample appeared to be black, but small
shards from the bulk sample were amber colored. Analysis by GC/MS
(crude solvent extract as well as following derivatization with
BSTFA/Trimethylchlorosilane 9:1) indicated a complex mixture containing
bufotenine as a minor (and the only controlled) component (quantitation
not performed). This was the first submission of "Black Rock" or
bufotenine (in any form) to the laboratory.
- - - - - - - - - - -
INTELLIGENCE BRIEF - ILLICIT DRUGS AND PRECURSOR CHEMICALS SEIZED
[From the NDIC Narcotics Digest Weekly 2004;3(32):2]
On July 8, 2004, U.S. Customs and Border Protection (CBP) inspectors at the Blaine port of entry (POE) seized approximately 37.8 kilograms of marijuana, 20.6 kilograms of methamphetamine, 253.8 kilograms of ephedrine, 1.14 kilograms of an unidentified substance, and $3,732, following a Vehicle and Cargo Inspection System (VACIS) scan of an inbound tractor trailer. The unidentified substance, believed to be either opium or hashish, was sent to a laboratory for further analysis. The contraband was discovered at the Pacific Highway commercial truck crossing inside a tractor trailer carrying furniture destined for San Francisco. Following a primary inspection, CBP inspectors referred the vehicle for a secondary inspection at the VACIS facility, which revealed an anomaly in the rear portion of the trailer. When the driver opened the trailer doors, the inspectors observed 11 hockey bags and 6 plastic garbage bags. Upon further examination, the inspectors determined that 10 of the hockey bags contained ephedrine and the other hockey bag contained methamphetamine; the garbage bags contained marijuana. The unidentified substance and currency were subsequently discovered during a search of the driver's compartment. The driver, an Iranian national who resides in Canada, was arrested and charged in the U.S. District Court for the Western District of Washington with possession of a listed chemical that could be used to manufacture methamphetamine, possession of methamphetamine with intent to distribute, and possession of marijuana with intent to distribute.
NDIC Comment: Previous seizures from vehicles inspected at U.S.
Canada Border POEs have involved combinations of marijuana and
ephedrine; however, it is uncommon for such seizures to also involve
methamphetamine. Although methamphetamine smuggling from Canada
into the United States is limited, reporting from CBP and ICE indicates
that the amount of Canada produced methamphetamine smuggled into
the United States is increasing. As a result, methamphetamine seizures
by CBP officials at large U.S. Canada POEs likely will increase
in the near term.
- - - - - - - - - - -
INTELLIGENCE BRIEF - NEURONTIN BEING DIVERTED AND DISTRIBUTED IN NEW HAMPSHIRE
[From the NDIC Narcotics Digest Weekly 2004;3(35):1]
On July 22, 2004, Enfield Police Department officers seized the prescription depressant Neurontin while investigating illicit OxyContin distribution in western New Hampshire. During the investigation, a 57 year old male offered undercover officers 10 samples of Neurontin in various dosage amounts while selling them OxyContin. After arresting the alleged distributor on charges of distributing and selling controlled substances, officers searched the defendant's residence and found additional quantities of OxyContin and Neurontin as well as five loaded firearms. Officers learned that the defendant had received the OxyContin and Neurontin from two pharmacists, one in Tennessee and one in Florida. Officers believe that the defendant knew the Tennessee practitioner because the defendant had lived in Tennessee before moving to New Hampshire 2 years ago. The defendant allegedly was distributing the pharmaceuticals to Enfield area youths.
NDIC Comment: Neurontin rarely is encountered as a diverted pharmaceutical; however, law enforcement reporting indicates that the drug (sometimes referred to as Vitamin G) increasingly is being abused. Neurontin is the brand name of the pharmaceutical drug gabapentin and is distributed as a capsule (100 mg, 300 mg, and 400 mg dosages), tablet (600 mg and 800 mg dosages), and liquid (5 ml). The drug is a central nervous system depressant, and its effects include feelings of apathy, decreased position sense, euphoria, and hallucinations. It is not a scheduled drug under the federal Controlled Substances Act. Neurontin has been prescribed to treat epilepsy since 1993 and was approved by the U.S. Food and Drug Administration (FDA) to treat postherpetic neuralgia (shingles) in 2002. Some state public health agencies also report that Neurontin availability has increased in some areas because of overprescribing of the drug.
- - - - - - - - - - -
INTELLIGENCE BRIEF - NORTH CAROLINA GOVERNOR SIGNS METHAMPHETAMINE
[From the NDIC Narcotics Digest Weekly 2004;3(35):2]
On August 3, 2004, the governor of North Carolina signed into law Senate Bill 1054 designed to reduce methamphetamine production and distribution. The new law increases criminal penalties for the unlawful manufacture of methamphetamine and for possession of ingredients used in methamphetamine production. The law also designates as second degree murder any death resulting from the distribution of methamphetamine. Finally, the law adds 2 years to a convicted methamphetamine manufacturer's sentence if a law enforcement officer or other emergency worker is injured in a methamphetamine laboratory seizure and increases the penalty for the presence, exposure, or endangerment of a child under 18 as a result of methamphetamine manufacturing.
NDIC Comment: Once concentrated
in the Pacific region, domestic methamphetamine production now occurs
to varying degrees in most areas of the country.
The highest levels of methamphetamine production occur in the Pacific
and Southwest regions. However, methamphetamine production in the Southeast
region is significant and increasing. The number of clandestine laboratory
responses reported by the North Carolina State Bureau of Investigation
in the first 6 months of 2004 (164) nearly equaled the number of responses
reported in all of 2003 (177). Moreover, children were affected in 64
of the 164 cases in 2004, compared to 69 in 2003. - - - - - - -
- - -
The Florida Department of Law Enforcement Daytona Beach Crime Laboratory (Daytona Beach, Florida) recently received a large shipment (total net mass 31.6 grams, not counted) of apparent 40 milligram dosage Purdue Oxycontin tablets (photo not taken). The exhibit was submitted by the Brevard County Sheriff's Office (Brevard County is located to the immediate south of Daytona Beach). Analysis of a methanolic extract of two tablets by GC/MS, however, indicated no controlled substances. Subsequent discussions with Purdue confirmed that they produce placebo Oxycontin tablets. This was the first submission of such tablets to the laboratory. - - - - - - -
- - -
MISSISSIPPI BUREAU OF NARCOTICS AGENT INJURED BY ANHYDROUS AMMONIA DURING A METHAMPHETAMINE LABORATORY SEIZURE
[From the NDIC Narcotics Digest Weekly 2004;3(35):2]
On August 3, 2004, a Mississippi Bureau of Narcotics agent was injured while responding to a clandestine methamphetamine laboratory site near D'Iberville. The laboratory was located in a residence in a mobile home community and was reported by a citizen complaining of a strong chemical odor in the area. The 33 year old resident was arrested and charged with manufacturing methamphetamine and aggravated assault on a police officer. According to the Head of Special Operations for the Bureau of Narcotics, the injured agent was enveloped in an anhydrous ammonia mist while taking a sample from a tank that was not designed for anhydrous ammonia storage. The agent had removed his breathing mask because of the high heat and humidity before attempting to take the sample. Fellow agents flushed the injured agent's eyes with water, and he was taken to a local medical center where he was treated and released.
NDIC Comment: The number of
law enforcement officers injured at methamphetamine laboratories has
increased dramatically in recent years. According to
Drug Enforcement Administration (DEA) El Paso Intelligence Center (EPIC)
National Clandestine Laboratory Seizure System (NCLSS) data, reported
injuries to law enforcement officers nationwide responding to methamphetamine
laboratory sites increased dramatically from 47 in 2000 to 123 in 2001,
127 in 2002, and 254 in 2003. Common injuries experienced by officers
often involve exposure to chemicals and combinations of chemicals used
in the methamphetamine process that are caustic to skin tissue frequently
causing serious burns and can affect the lungs, causing a series of conditions
ranging from breathing difficulties to respiratory failure. * * * * * * * * * * * * * * * * * * * * * * * * * SELECTED REFERENCES [Notes: Selected references are a compilation of recent publications of presumed interest to forensic chemists. Unless otherwise stated, all listed citations are published in English. If available, the email address for the primary author is provided as the contact information. Listed mailing address information (which is sometimes cryptic or incomplete) exactly duplicates that provided by the abstracting services. In addition, in order to prevent automated theft of email addresses off the Internet postings of Microgram Bulletin, unless otherwise requested by the corresponding author, all email addresses reported in the Bulletin have had the “@” character replaced by “ -at- ”; this will need to be converted back (by hand) before the address can be used.]
Additional References of Possible Interest:
NEW EMAIL ADDRESSES NEEDED The email addresses for the following organizations have returned rejection notices to the Microgram Editor for the past three issues of Microgram Bulletin, and will therefore be dropped from the subscription list unless a corrected email address is provided by December 1, 2004. Note that the errors include anti-spamming, mailbox full, user not found, or user unknown messages. The Editor requests your assistance in contacting these organizations, determining if they wish to remain on the Microgram subscription e-net, and if so asking them to provide a valid email address to the Editor at: microgram_editor -at- mailsnare.net [None this issue.] ---------- The following organizations (listed in the July issue) were dropped on 12/1/04: Bexar County Medical Examiner’s Office, San Antonio, Texas Carabinieri Investigazioni Scientifiche Raggruppam, 00165 Rome, Italy Louisiana State Police, North Delta Criminalistics Laboratory, West Monroe, Louisiana New Hampshire Department of Corrections, Drug Testing Laboratory, Laconia, New Hampshire Racine Health Department, Racine, Wisconsin Washington State Department of Health, Olympia, Washington * * * * * * * * * * * * * * * * * * * * * * * * * THE
DEA FY - 2005 STATE AND LOCAL The remaining FY - 2005 schedule for the DEA’s State and Local Forensic Chemists Seminar is as follows:
Note that the school is open only to forensic chemists working for law enforcement agencies, and is intended for chemists who have completed their agency’s internal training program and have also been working on the bench for at least one year. There is no tuition charge for this course. The course is held at the AmeriSuites Hotel in Sterling, Virginia (near the Washington/Dulles International Airport). A copy of the application form is reproduced on the last page of the August 2004 issue of Microgram Bulletin. Completed applications should be mailed to the Special Testing and Research Laboratory (Attention: Pam Smith or Jennifer Kerlavage) at: 22624 Dulles Summit Court, Dulles, VA 20166. For additional information, call 703/668-3337.
* * * * * * * * * * * * * * * * * * * * * * * * * 1. Title:
AAFS 57th Annual Meeting (First Posting) * * * * * * * * * * * * * * * * * * * * * * * * * EMPLOYMENT OPPORTUNITIES 1. Title:
University of Massachusetts Medical School (Second Posting)
Additional Information: Please contact Supervisor Carina Thomas at (630)
407-2096, or cthomas -at- dupageco.org * * * * * * * * * * * * * * * * * * * * * * * * *
Digital evidence examiners utilize a variety of analytical techniques. Some of the most powerful involve the comparison of the evidence with a known value or set of known values. However, the assertion by an examiner that there is or is not a match should always be caveated with an understanding of the reliability of the known value(s) used to make the comparison.

Digital evidence examiners have a variety of known-value tools available for use in most examinations. The most exacting type of known values are “standards”, followed in declining order of authority by “reference collections”, and then “controls”. Known values are used for a variety of purposes, including calibration of instrumentation, identification of data that is of potential probative value, and elimination of data that is known to not be of probative value.

Computer forensic examination software such as Encase, Forensic Tool Kit, and Ilook supports comparison analyses (matching of files or file fragments), using either external values or examiner-generated values. The matching technique may be a direct byte-for-byte comparison, or may instead use a digital data summation commonly referred to as “hashing”.

Hash Calculation

There are a number of industry-accepted hash algorithms. The two most commonly used for digital evidence comparisons are MD5 and SHA-1. The former is a method developed by Ronald L. Rivest of the Massachusetts Institute of Technology, while the latter was developed by the U.S. National Institute of Standards. Typically, a hash value is expressed as a pattern of hexadecimal information such as: “015A6BF77EC100A428617D”

Hexadecimal values (consisting of a base 16 mathematical system) are used to represent large numbers in a fixed length expression. For example, the base 10 values of 10, 256, and 4096 are represented in hexadecimal systems as “A”, “FF”, and “1000”, respectively. (Note that larger values are stored in smaller numeric representations when using the base 16 numbering system.) This is why a hash value can look deceptively simple, even though it may represent a very large amount of data.

Standards

Reference Collection

As noted above, reference collections do not always consist of material of probative value. For example, the National Institute of Standards produces the National Standard Reference Library (NSRL), a hash data set which contains hash calculations of notable files such as application software that encrypts data, hides data using steganography, or captures keystroke data. It may be important for an examiner to know if such programs exist on the evidence currently being examined.

Other types of reference collections of non-probative value consist of hash calculations of files that are part of a normal operating system, or of routine application software such as word processing, financial, e-mail communication, executable programs (.exe files), or application modules (.dll). These types of files are found in abundant quantities on all Microsoft computer systems. A typical desktop or laptop computer may have 10,000 to 50,000 of these files. Use of one or more reference collection comparisons should result in these files being identified as “safe” and therefore excludable from computationally intensive search tasks, thereby significantly reducing overall search time. The ability to search using a known file filter approach can result in 25% to 75% of all files being eliminated. For example, a recent test by DEA’s Digital Evidence Laboratory resulted in 84 percent of the Windows XP and Microsoft Office Suite files being identified using two leading computer forensic hash data sets: those from the NSRL and the National Drug Intelligence Center’s Hash Keeper set. It should be noted that the NSRL hash set (four CDs) also includes foreign language versions of the Microsoft operating system files. This feature can be very valuable in examinations of computers set up using languages other than English. Updates that include new releases or software patches (that are different, and therefore have their own unique hash values) are released quarterly.

Limitations

For negative or “safe” hash sets, a traceable media history is important to verify the hashes, and to avoid the exclusion of digital data that may be pertinent. Additionally, there is a technical issue: a negative or safe hash should be collected from the installed version as opposed to the distribution version contained on a CD or a “.CAB” installation file, because the installation process modifies some files. [Ideally, both the distribution and installed versions should be included in order to maximize the comprehensiveness of the hash set.]

Controls
The use of standards, reference collections, and controls in a digital evidence laboratory can be a complex task, but one that can result in faster examination search speeds and positive identification of digital data of potential probative value. Laboratory managers and examiners must be aware of how comparison data sets are used, understand their limitations, and lastly ensure that the data sets are properly validated. Questions or comments? e-mail: Michael.J.Phelan -at- usdoj.gov
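
The known file filter described under Reference Collection and Limitations above, sketched as an added example (it is not code from the Bulletin or from any of the tools it names). The file contents, paths and helper names are constructed for illustration; the two runs show how a "safe" set built only from distribution media misses a file that the installer modified.

```python
"""Known-file filtering against MD5 + SHA-1 hash sets (constructed sample data)."""
import hashlib
import tempfile
from pathlib import Path


def file_digests(path, chunk_size=1 << 20):
    """Return (MD5, SHA-1) as upper-case hex, reading the file in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest().upper(), sha1.hexdigest().upper()


def hash_set(blobs):
    """Build {SHA-1: MD5} from known contents; stands in for an imported hash set."""
    return {hashlib.sha1(b).hexdigest().upper(): hashlib.md5(b).hexdigest().upper()
            for b in blobs}


def triage(root, safe, notable):
    """Sort every file under root into notable / safe / conflict / unknown.

    A record is trusted only when both digests agree with the file; a SHA-1 hit
    whose MD5 differs means the known value itself is unreliable ("conflict").
    """
    result = {"notable": [], "safe": [], "conflict": [], "unknown": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        md5, sha1 = file_digests(path)
        known = notable if sha1 in notable else safe if sha1 in safe else None
        if known is None:
            bucket = "unknown"          # must still be searched by the examiner
        elif known[sha1] != md5:
            bucket = "conflict"         # do not exclude on a bad reference record
        else:
            bucket = "notable" if known is notable else "safe"
        result[bucket].append(path.relative_to(root).as_posix())
    return result


def excluded_pct(result):
    """Percentage of all files that the safe set removes from further searching."""
    total = sum(len(v) for v in result.values())
    return 100.0 * len(result["safe"]) / total if total else 0.0


def demo():
    """Triage one constructed evidence tree with two different safe sets."""
    calc = b"MZ constructed calculator binary"
    shell_dist = b"MZ constructed shell module, as shipped on the CD"
    shell_installed = shell_dist + b" [modified by the installer]"
    keylog = b"MZ constructed keystroke capture tool"
    ledger = b"constructed user document"

    safe_dist_only = hash_set([calc, shell_dist])
    safe_both = hash_set([calc, shell_dist, shell_installed])
    notable = hash_set([keylog])

    evidence = {
        "Windows/system32/calc.exe": calc,
        "Windows/system32/shell.dll": shell_installed,  # installed, not CD, version
        "Program Files/kl/capture.exe": keylog,
        "Documents/ledger.doc": ledger,
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in evidence.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return triage(root, safe_dist_only, notable), triage(root, safe_both, notable)


if __name__ == "__main__":
    for label, res in zip(("distribution hashes only", "distribution + installed"), demo()):
        print(label, res, f"{excluded_pct(res):.0f}% excluded")
```
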