TOPIC:  Patterns: firearms, tool marks, tire tracks, and footprints 

▪ Define forensic science and how it contributes to a case, as well as explain the CSI Effect and the scientific method.

▪Summarize the history of forensic science and contributors to the field.

▪List and describe some forensic science specialties.

▪Identify the elements of a forensic investigation, how physical evidence can be produced, and forensic analysis.

▪Describe the work and work product of a forensic scientist.

▪Describe the U.S. court system, and the key rulings on physical evidence admissibility through expert testimony.

▪List and discuss major issues in forensic science today. 67 3 Digital Forensics scyther5/iStock/Thinkstock George E. Richards, Edinboro University Learning Outcomes After reading this chapter, you should be able to ▪Understand why the need for digital forensics has grown over the past 2 decades.

▪Identify the basic components and functions of a computer.

▪Define digital forensics.

▪Compare and contrast technological crimes.

▪Explain the digital forensic investigative process.

▪Understand the steps involved in finding a career in digital forensics.

\251 2019 Bridgepoint Education, Inc. All rights reserved. Not for resale or redistribution. Section 3.1 Computer Basics Introduction Marc Benioff, founder of Salesforce, an enterprise cloud computing company, stated, “The only constant in the technology industry is change” (as cited in Israel, 2013, para. 7). This has to date been proven accurate. The growth of electronic communications and the ability to store data has been exponential. In 1965 Gordon Moore, a cofounder of Intel, postulated what has since become known as Moore’s law. Moore maintained computer processing speed would double every 24 months (Intel, n.d.). This has since been reduced to 18 months. The increased rate of processing—along with the increase in computer memory—and the micron- ization of components have revolutionized how people communicate. There are now more mobile devices than there are people. Barnes (2014) held that there are in excess of 7.2 billion mobile devices globally, and this number is increasing at 5 times the rate the population is.

The growth in both prevalence and complexity of digital devices has led to the increased use of these devices as tools in criminal acts.

Used in the perpetration of a crime, tools such as computers or smartphones may provide the digital criminal or cybercriminal an effective modus operandi which, in this context, means the method of perpetration. In heists and robberies in films, it is routine to have a “getaway” car. The processing speed with which digital devices can give commands provides digital criminals with a swift escape. In addition, digital devices provide perpetrators distance from the victim. With the advent of the Internet, theft no longer requires personal interaction. For example, phishing is a common digital crime that entails victims receiving e-mails from sup- posedly reputable companies that attempt to con the victims into revealing personal informa- tion such as passwords. Digital devices can be used by “phishers” to steal personal data from anyone anywhere whose personal information is stored on a device with Internet capability.

Digitization has provided perpetrators with a wealth of extensive and effective modi operandi.

As technology has advanced, so have the methods for investigating technological crime, although it is increasingly challenging for law enforcement to keep up with these advances.

This chapter will address those students interested in the subfields of computer security and digital forensics. However, any student interested in pursuing work in the field of criminal justice should have a grasp of the basics of investigating these devices, since they are impos – sible to avoid in today’s environment. In order to adequately lay the foundation on which to address digital crime and its investigation, we need to have a basic understanding of comput- ers and other smart devices. 3.1 Computer Basics In order to adequately discuss digital crime, it is essential that some of the basic terms asso- ciated with digital devices are explained. The first digital devices we recognized were com- puters. The earliest computers could weigh up to several tons and take up entire floors of buildings, but thanks to advancements in technology, they are now lightweight and portable, as well as more powerful. At its most basic, a computer is an electronic device that both stores and transmits data in binary code, which is a coding system expressed using series of zeros and ones. Binary commands given by the user direct device operations through the use of software that contains the binary codes. All digital devices use both hardware and software.

\251 2019 Bridgepoint Education, Inc. All rights reserved. Not for resale or redistribution. Section 3.1 Computer Basics Hardware are the parts of an information system we see. The monitor, keyboard, mouse, and motherboard are examples of a computer’s hardware. A crucial part of a device’s hardware is the hard disk drive, which is a permanent data-storage device within a computer. The hard disk drive often comes into play in forensic investigations, since it is where much of a computer’s information is stored—including, sometimes, files that the user believes have been deleted. A hard drive can be unplugged from a computer and retain all of the informa- tion that was stored on it while it was plugged in. When a hard drive is collected for evidence, an exact copy is made to be used for analysis, to avoid unintentionally changing anything on the original.

Separate from the hard drive is a computer’s RAM, or random access memory. RAM is a quickly retrievable type of computer memory that temporarily stores the information your computer immediately requires while you’re using it. Examples of RAM data would be the details of a web page you’re viewing and any user name/password you used to log in to that web page. Unlike the hard drive, when a computer is off, the RAM is empty.

Working in tandem with hardware, software is the binary instruction for specific computer processes that are implemented thorough the hardware. These are the programs a computer uses to carry out a specific task. For example, Microsoft Office is a software package that allows you to create and edit documents. Information systems are combinations of hardware and software used to collect, store, and share data. An example of this would be a geographic information system that manages and analyzes geographic data.

Another important facet of computers today is the IP address. An IP address is a string of numbers used to identify a computer so that it can access the Internet. Its function is similar to that of a return address on an envelope. Anyone who accesses the Internet does so via a third party, often a commercial Internet provider. This provider grants your computer access to the Internet based on your computer’s IP address. The IP address is attached to all online activity you complete, a fact that is very useful in digital forensic investigations. However, an analyst can’t tell who made a certain request online, only which computer the request was made on.

Up to this point, we have been discussing computers only, but digital forensics encompasses a wide range of digital devices, including • smartphones, • smart w atches, • v oice assistants, • camer as, • tablets, • e-r eaders, and • aut omobiles.

The full list is extensive and constantly expanding. Society is more dependent on technology today than at any point in human history, and the trend shows no signs of waning. Without the ability to store information, digital devices would serve little purpose to the investigator.

The rudimentary and limited memory that characterized early computer hard drives became more complex as information storage became portable and fluid. The early, malleable 5.25- inch floppy drives were replaced by 3.5-inch disks, which were supplanted by USB drives. \251 2019 Bridgepoint Education, Inc. All rights reserved. Not for resale or redistribution. Section 3.1 Computer Basics These drives, also known as thumb drives, weigh less than 1 ounce and may provide from 8 megabytes to 1 terabyte of storage capacity. USB drives capable of storing 2 terabytes of data are currently in development.

The information stored on the devices discussed above is referred to as data. There are two types of data that influence computer operations: visible data and latent data. Visible data is employed by the operating system and can be accessed by the user. For the investigator, it can describe any type of operational data such as documents, spreadsheets, databases, and audio and video files. Latent data, also known as ambient data, encompasses the informa- tion in computer storage not included in file-allocation tables. It is not easily viewed through the operating system, so most users do not know that it is there. Latent data is used in digital forensic investigations to uncover evidence and recover deleted files.

Data is not static. Karie and Venter (2015) describe data, and electronic evidence in general, as fragile. Any use of a digital device has the potential to damage or destroy data. This may be accidental or intentional. It may be as mundane an act as turning the device on or power- ing it down. Power surges, changes in temperature, or rough handling of the device may also destroy data. Because of this, analysts muse use a lot of care and caution when examining devices for evidence.

E-mail E-mail messages are messages distributed from one electronic device user to one or more recipients via a network such as the Internet or an organization’s intranet. As you have no doubt experienced, it is an almost instantaneous transaction. While many organizations host their own e-mail servers for employees, it is estimated there are over 1 billion web-based e-mail accounts for personal use (Magnet Forensics, 2014) with over 100 trillion e-mails sent each year (Global Digital Forensics, n.d.). Among the most popular of these are Gmail and Yahoo! Mail. A suspect’s e-mail is often searched for evidence of communications related to a crime. Perpetrators, especially novice ones, often believe deleting an e-mail permanently removes any record of it. This is not always the case.

Web-based e-mail is dependent on the use of a browser. Thus, e-mail evidence consists of browser artifacts within the cache, history, and cookies. The history and cookies provide the dates and locations visited by the user. The greatest source of evidence is to be found in the cache, where some e-mails read by the user are stored. The location of the cache within the operating system and browser may vary, depending on the browser used. Although evidence may be recovered from e-mail transmissions, the sheer number of e-mail accounts that may be used and the large number of e-mails sent also add to the time commitment of an investi- gator (Magnet Forensics, 2014).

Cloud Storage Cloud storage of data has also grown in use and adds another piece to the puzzle of digital forensic expertise. Cloud storage houses data across multiple servers and multiple locations.

Cloud storage is typically owned by a third-party hosting company that is responsible for the maintenance and protection of client data. Space is not bought in a cloud but is leased. Clients are seldom aware of the actual physical location of their data.

\251 2019 Bridgepoint Education, Inc. All rights reserved. Not for resale or redistribution. Section 3.1 Computer Basics Clouds pose certain challenges to forensic investigation. “There is no foolproof, universal method for extracting evidence in an admissible fashion from cloud-based applications, and, in some cases, very little evidence is available to extract” (as cited in Barbara, 2009, para. 6).

First, the ability to access data from anywhere using any device that can accept commands and be linked to the Internet poses problems for the integrity and protection of data. It is hard to verify that data stored in the cloud is secure, even when password protected, and there are opportunities for digital-facilitated crime through the corruption or theft of data.

Human error in configuring a cloud server in 2017, for instance, led to the leak of the data of 6 million Verizon users online (Larson, 2017). Intentional criminal activity can be even more dangerous.

Requirements for the storage of data and the steps required for investigators to access the information legally differ between jurisdictions. Similar to physical evidence, whether these regulations are followed during an investigation can impact whether evidence is admitted in court.

Voice Assistants A type of electronic device first released in 2015 and growing in popularity is the virtual or smart assistant, more com- monly known as the voice assistant.

Among the most popular of these are Amazon’s Alexa and Echo and Google’s Google Home. Assisting is what these devices were literally designed to do. Acti- vated, depending on device, through voice recognition, text messaging, or uploading pictures, virtual assistants help simplify the management of one’s life through quick exchanges between the user and the device. These can relay news, weather, sports scores, and music. Bank accounts may be accessed and thermostats set.

Recently, it was discovered that these too can be hacked. Through “voice squatting,” these devices may be used to eavesdrop or to open malicious apps. Another type of virtual assistant hack, DolphinAttack, utilizes commands inside ultrasound frequencies inaudible to human hearing to assume control of the device. According to researchers at the University of Virginia and the Chinese Academy of Sciences, the possibilities of this type of phishing for the manipu – lation and theft of personal information are significant. Home security codes, bank account and credit card numbers, and other personal information can be obtained with relative ease (Wycislik-Wilson, n.d.) Voice assistants are another example of how digital crime poses a challenge to forensic analysts and investigators in maintaining a currency of knowledge regarding technological advances and the necessity of doing so. Although security precautions are constantly being developed for digital devices, it has consistently shown that these can be overcome by deter – mined and talented perpetrators. Frank Duenzl/picture-alliance/dpa/AP Images Digital criminals can target virtual assistants to gain access to sensitive information, such as credit card and bank account numbers.

\251 2019 Bridgepoint Education, Inc. All rights reserved. Not for resale or redistribution. Section 3.2 What Is Digital Forensics? 3.2 What Is Digital Forensics? As you may remember from Chapter 1, Dr. Edmond Locard postulated that anytime individu- als come into contact with someone or something or enter a specific area, they will make physical contact and leave a trace (Forensics Library, n.d.). The Locard exchange principle is also applicable in the electronic or digital realm, even though the person may be thousands of miles away from the “scene.” People leave user-specific information behind when they visit a website, send an e-mail, or do any number of things on an electronic device. This information is known as a digital fingerprint, and it can often be traced back to an individual. This could be as simple as the type of font used, or it could be complicated metadata.

We noted in Chapter 1 that forensics is not a proper term for forensic science. However, it has become so ingrained in people’s minds by popular media that its use is probably inevitable now. The terms computer forensics and digital forensics are often used synonymously. This is understandable but not entirely accurate. In the 1980s computer forensics would have been an appropriate term, but due to the rise in digital devices such as smartphones that are not considered computers, digital forensics is the correct term. With mobile devices that can be carried on the user’s person and can transmit data within seconds globally, the requirements for investigations of these devices has changed along with the terminology.

Digital forensics encompasses the investigation of all manner of devices that require the manipulation of binary code to operate. There are two types of digital forensic investigations:

digitally based and digitally facilitated. A digitally based crime is one in which the com- puter is used to commit the act; for example, a phishing e-mail meant to con someone into sending his or her bank account information. Digitally facilitated crimes are those in which the digital device is the target of what are traditionally referred to as computer criminals or cybercriminals. For example, an identity thief who steals bank account information from a victim’s cell phone would be the perpetrator of a digitally facilitated crime.

Digital forensic analysts may collect evidence from a variety of mechanisms, including com- puter systems, networks, and removable media such as USB drives and external hard drives.

Even though devices may differ, digital forensic practitioners must all abide by certain legal requirements. The successful prosecution of a digital crime is dependent on the investiga- tor’s ability to collect electronic evidence in a manner that satisfies the requirements for admissibility in court (Resendez, Martinez, & Abraham, 2012). As discussed in the Chapter 2 section on the fourth amendment, the requirements for acquiring digital evidence are still evolving through litigation. The Supreme Court recently decided that a warrant is needed to place a GPS tracker on a person or a vehicle and also to gather location data from a person’s cell phone.

The hardware and software necessary for the operation of digital devices differ significantly, depending on the requirements of the device and its complexity. Consequentially, investiga- tive approaches must also be adjusted for the specifics of the device in question. In their 2018 article, Barmpatsalou, Cruz, Monteiro, and Simoes referred to several subdisciplines of digital forensics, including • comput er forensics, • audio f orensics, • cloud f orensics, \251 2019 Bridgepoint Education, Inc. All rights reserved. Not for resale or redistribution. Section 3.2 What Is Digital Forensics? • database f orensics, • netw ork forensics, • video f orensics, and • mobile f orensics.

Digital forensics then cannot be considered only an exploration of a device to see what data might be stored on it. It requires that investigators follow established protocols governed by law. These laws address specific crimes executed through the actions of those involved using a digital device in its commission. To fully understand digital forensic science, one needs to understand how the practice has evolved and is still evolving. The Development of Digital Forensic Science The application of forensic science prac- tices to criminal investigations has evolved over centuries. The practice of digital forensic investigation is a more recent step in this progression. The active prac- tice of digital crime investigations began in the late 1970s as law enforcement began to realize the possibilities comput- ers held to assist in the perpetration of crime and storage of evidence. The first efforts at electronic forensics targeted computers that were suspected to store incriminating evidence. These early cases were primarily concerned with financial fraud. The focus of electronic investiga- tions grew in complexity as devices were networked in one facility or through an organization. The introduction of the Internet as a means of data transmission was the next step in the evolution of technological understanding for analysts.

The first training programs in digital forensics were developed in the 1980s. The Associa- tion of Certified Fraud Examiners, the National Consortium for Justice Information and Statis – tics, and the High Technology Crime Investigation Association were among the organizations that designed early digital crime curricula. In 1987 AccessData, the first company to spe- cialize in digital forensics, was founded (Information Systems Audit and Control Association [ISACA], 2015).

Both government agencies and private industry recognized the need for a means to investi- gate digital crime. The FBI’s Computer Analysis and Response Team, created in 1984, was a government pioneer in computer, and then digital, crime investigations. Other countries and government entities have also formed similar units and task forces to combat digital crime.

However, some argue that without the contribution of private technological developments, effective investigations of digital crime today would be impossible. Gogolin (2010) found in a study of Michigan law enforcement that while the number of digital-related crimes had dramatically increased, the number of qualified investigators had not kept pace. Part of the Alexpoison/iStock/Thinkstock Digital forensic analysts work with a variety of devices and technology, including computers, external storage devices, mobile devices, databases, and the cloud.

\251 2019 Bridgepoint Education, Inc. All rights reserved. Not for resale or redistribution. Section 3.3 Technological Crime reason for this disparity may be the fact that an investigator who specializes in cellular tele- phone forensics may have to invest as much as $25,000 in forensic tools. This is in addition to specialized training and certifications necessary to maintain a currency of knowledge.

The Information Systems Audit and Control Association (ISACA, 2015) credits the forensic tools available today to the open source/community-driven model which makes “tool evolu- tion modular, extensible, robust, and sustainable” (p. 3). That is, innovations by the greater technological community have helped law enforcement’s digital forensic tools keep pace with the innovation of digital criminals. 3.3 Technological Crime The intended purposes of technology, regardless of how noble the aim behind the develop- ment may have been, may be thwarted for more nefarious purposes.

The perversion of technology for criminal or deviant purposes is not limited to Nazi Germany.

The original intent of the Internet was to provide a relay of networks so that during a nuclear confrontation, electronic communications used by the military would not be interrupted.

This system of networks has since served as the backbone of what we have come to know as the Internet. Those early designers and analysts could not have foreseen that their work would someday be used as a vehicle for terrorism, theft, and pornography. Case Illustration: IBM and the Nuremberg Trials In 1889 Herman Hollerith patented an electric punch-card device which could compile numerical data. The U.S. Census Bureau used his technology in the 1890 census and found that Hollerith’s device dramatically reduced the time necessary to summarize popula- tion data. Soon other countries began to lease Hollerith’s equipment, and his business grew. He eventually merged with three other corporations to form what became known as International Business Machines (IBM).

When Adolf Hitler became chancellor of Germany in 1933, the ruling Nazi Part y soon implemented policies of Jewish persecution. The challenge facing the Nazis was how to effectively identif y, track, and manage Germany’s Jewish population. A subsidiary of IBM, IBM Germany, marketed the Hollerith technology to the Third Reich and tailored the tabu- lation for the specific purpose of identif ying Germany’s some 600,000 Jews (Black, 2001).

It worked with chilling efficiency. The data collected via the use of the Hollerith device was used by the prosecution in the Nuremberg trials.

Relect On It As we have stated previously, technology is constantly changing and the crimes associated with it change as well. Using the above example regarding the Hollerith device, how might contemporary digital technology be used to identif y and target people for victimization by government? How might future technological advances be used for the same purpose?

\251 2019 Bridgepoint Education, Inc. All rights reserved. Not for resale or redistribution. Section 3.3 Technological Crime As technology has evolved, the enacting of laws addressing the criminal use of technology have sought to keep up with this ever-expanding evolution. For example, the Computer Fraud and Abuse Act of 1986 prohibits conduct that abuses or damages computer systems, particularly those that have a federal interest; these include computers that are used by or for the federal government or in commerce. In 2003, in response to the ever-growing amount of unsolicited commercial e-mail, congress passed the CAN-SPAM Act, establishing standards for the sending of commercial e-mail. Law 18 U.S.C. 1029 makes credit card (and other access device) fraud a federal crime with punishments of up to 10 years in prison. Law 18 U.S.C. 2511 prohibits the unauthorized interception, use, and disclosure of any electronic communica- tions. In 2017 President Barack Obama signed an executive order that called for the creation of a voluntary risk-based cybersecurity framework. This is another example of how the fed- eral government has recognized possible harms that may come from a cyber-based attack on public or private infrastructure (ISACA, 2015).

The specter of cyberterrorism is a growing concern for law enforcement agencies globally.

Cyberterrorism is the use of digital devices and systems to orchestrate a terrorist attack on a government or entity. The recent discovery that Russian state-sponsored hackers had infiltrated American power grids following similar interference in the 2016 U.S. presidential election has emphasized the need for greater security in digital infrastructure (Sanger, 2018).

The following sections outline a selection of the most common digital crimes.

Hacking Hacking is the use of a computer to gain unauthorized access to data in a system.

The perpetrator is known as a hacker.

Hacking can be malicious or nonmali – cious. Malicious hacking may take the form of information theft, systems sabo- tage, and vandalism. Simple intrusion, when a hacker defeats the security of a system just for the challenge, is consid – ered nonmalicious.

Hackers may employ several techniques.

Through vulnerability scanning, network computers are checked for known weak – nesses. Passwords may be cracked by dis- covering them in stored data or intercept- ing them when transmitted electronically.

Spoofing attacks utilize bogus websites that mimic legitimate sites and trick users into entering their user names and passwords.

There have been many large hacking incidents in the past 10 years, including two massive data breaches suffered by Yahoo! in 2013 and 2014, which exposed the passwords of over a billion users (Goel & Perlroth, 2016). In 2017 hackers breached credit bureau company Equifax’s customer database, exposing almost 150 million customers’ sensitive information, including Social Security numbers and addresses (Borak & Vasel, 2018). Alex Milan Tracy/Sipa via AP Images In 2017 hackers gained access to Equifax customer data. The breach of one of the three major credit bureaus exposed the personal information of nearly 150 million individuals.

\251 2019 Bridgepoint Education, Inc. All rights reserved. Not for resale or redistribution. Section 3.3 Technological Crime Identity Theft Identity theft is the stealing of personal information so that the criminal may impersonate the victim. Identity theft has been addressed at the federal level by 18 U.S.C. 1028A, known as the Identity Theft Penalty Enhancement Act. Identity theft is most commonly associ – ated with the perpetrator seeking financial gain. Access to a person’s Social Security number may allow an identity thief to open a credit line in the person’s name. Bank accounts may be accessed electronically and funds transferred to a perpetrator’s account. Children may be the victims of identity theft when their Social Security numbers are used to open credit lines.

This can be made more complex when the perpetrator uses a fake name and a real Social Security number.

Cyberbullying Advancements in technology, especially surrounding social media and cell phones, have also been credited in contributing to bullying. Traditionally, bullying required physical intimida- tion or contact. However, the Internet and cellular technology have made these requirements obsolete. Cyberbullying, which is bullying that takes place through electronic communica- tion, allows anyone with a rudimentary knowledge of digital devices, regardless of size or age, to bully another. It most often takes place via social media, texting, instant message, and e-mail. Citing a study of American teens aged 13 to 17, Osborne (2012) wrote that 46% of “heavy” cell phone users (those who send in excess of 60 text messages per day) suffer from cyberbullying on their cell phones, compared to only 23% of “normal” users. Case Illustration : United States v. Drew One of the first instances of cyberbullying that contributed to a suicide was the death of Megan Meier on October 17, 2006. Meier had a history of suicidal tendencies and had exhibited these as early as the third grade when she shared with her mother she wanted to kill herself. Because Meier was overweight and bullied throughout her elementary and middle school years, her parents enrolled her in a Catholic school where they believed the standardization of uniform and curricula would reduce her torment at the hands of other students (Pokin, 2007).

Like so many adolescents, Megan Meier and a neighbor, Sarah Drew, had an off-again, on- again friendship. When Meier ended the friendship, Drew’s mother, Lori, decided to seek revenge. Shortly after this, Meier began receiving messages on her MySpace account from a 16-year-old boy, “Josh Evans.” From his picture and the f lattering attention he paid to her, she soon became infatuated with him (Pokin, 2007). For 6 weeks, Meier and Evans used MySpace to get to know each other. According to her mother, Meier’s self-esteem grew dur- ing this time. However, Meier was devastated when Evans told her he no longer wanted to talk with her, because she was not nice to her friends. He also told her, “The world would be a better place without you” (Steinhauer, 2008). Devastated, her pain was further accentu- ated by bulletin board posts stating she was a slut. Shortly after this, she hung herself in her bedroom. Meier was 3 weeks shy of her 14th birthday (Pokin, 2007).

Josh Evans never existed. The MySpace account of Josh Evans was a bogus account created by Lori Drew to avenge her daughter for Meier ending their relationship. Sarah Drew and an (continued on next page) \251 2019 Bridgepoint Education, Inc. All rights reserved. Not for resale or redistribution. Section 3.3 Technological Crime Cyberbullying can be more harmful than regular bullying, since it can take place at all hours of the day (instead of just school or work hours) and the messages stay online permanently.

The fact that it takes place silently makes it harder for authority figures to see it taking place and take steps to help the victim. Like bullying, cyberbullying can lead to depression, anxiety, decreased performance in school, and many other negative effects (StopBullying.gov, 2017).

Cyberbullying has on occasion ended in suicide on the part of the victim when the victim has had a history of mental health issues or suicidal risk factors.

Although the interpersonal violence associated with violent crime is not present in cyber- crime, the damage caused by cyberbullying is equally real. All 50 states plus the District of Columbia have laws against bullying, and 48 of those laws explicitly include electronic bully- ing (TeenSafe, 2017).

Nonconsensual Pornography A relatively new criminal phenomenon that requires digital investigation is nonconsensual pornography, also known as revenge porn. This occurs when photographic imagery, taken in the context of an intimate sexual relationship, is released online without the knowledge of one of the participants. It is often done as a means of lashing out at the partner who ended the relationship. Revenge porn has been described by victims as feeling like rape. A Chicago woman related how, after her divorce, her ex-husband took video shot during their honey – moon of the two of them having sex and uploaded it to a website. One of these clips had in excess of a million views. She was upset by the response of law enforcement, which was not especially helpful. Upon reporting it, she was told by officers, “Next time don’t be identifiable if you choose to do something like this” (Fink & Seagall, 2016, para. 15). This issue has not Case Illustration : United States v. Drew (continued) employee of Lori Drew were also involved in sending messages from the fictitious Evans to Meier. It was their plan to draw Meier in emotionally and then abruptly end the relation- ship. They were aware of the bullying and lack of self-esteem Meier had routinely experi- enced (CBS News, 2008).

Shortly after their daughter’s death, Meier’s parents were contacted by a neighbor whose daughter had been encouraged to join in with the Drews. The girl had the password to the MySpace account, and the guilt over Meier’s suicide led her to confess her involvement to her mother. When the ambulance arrived at the Meier home the night of Meier’s suicide, Lori Drew called the girl to tell her something had happened to Meier and not to mention the MySpace account to anyone (Pokin, 2007).

Lori Drew was convicted of three misdemeanor charges of computer fraud. The jury dead- locked on the charge of conspiracy. (Steinhauer, 2008). Drew appealed the decision, and the conviction was reversed in 2009. Criminal charges were not filed against Drew, because local prosecutors stated there was no existing criminal charge they could apply to the case (Pokin, 2007).

Reflect On It Profile the possible victim and perpetrator of cyberbullying. What are their characteris- tics? Where should the digital forensic investigator look for evidence?

\251 2019 Bridgepoint Education, Inc. All rights reserved. Not for resale or redistribution. Section 3.4 The Digital Investigation Process yet been addressed by federal law. State governments have been more active in defining non- consensual pornography as criminal, with over 40 states plus the District of Columbia hav – ing statutes making nonconsensual disclosure of intimate images illegal (Cyber Civil Rights Initiative, 2018). 3.4 The Digital Investigation Process It is essential that investigators follow an established protocol for collecting and protecting digital evidence. There are a variety of specialists that may be employed in the collection of digital data. These may focus on data recovery, data conversion, cryptoanalysis, and IP inves – tigation. Digital forensic analysts may be called to the scene to process the evidence, or they may process it in a laboratory, later. This will depend on the types of devices used and how complex the investigation is considered to be.

Concern over digitally based or digitally facilitated attacks is not necessarily the jurisdiction of sworn officers. Indeed, not all digital forensic analysts and investigators are found within the law enforcement community. Private businesses may also employ or contract with digital forensic specialists to determine if employees are incorrectly storing data, sharing private information with unauthorized parties via e-mail, or at risk of social engi\ neering attacks.

Zatyko (2007) proposed a digital forensic investigation model containing eight steps and articulating a strict adherence to a precise, scientific process. The stages of Zatyko’s investi- gative model are as follows:

• Obtain sear ch authority: An investigation admissible in court is dependent on the legal authority to initiate and conduct a search and/or seizure of evidence. A search may be conducted with either the permission of the owner of the device or through a court order. Without this authority, any evidence is inadmissible. Forcing or coerc- ing someone to give a password or access to a device is not permitted.

• Document chain of cust ody: Documentation of digital evidence handling and pro- cessing must be chronologically kept to avoid possible later claims of evidence tampering. A fuller discussion of the chain of custody will be presented later in this chapter.

• Image and hash: Once e vidence is found, the investigator should duplicate and hash it to ensure the copy is valid and the integrity of evidence maintained. This is cov- ered more fully in the “Collecting Evidence, Imaging, and Hashing” section later in this chapter.

• V alidate tools: In most digital investigations, forensic tools need to be validated to ensure they are capable of contributing to the investigative process. Investigators must be able to depend on the tool’s reliability and accuracy. This topic is covered further in the “Validating Tools” section later in the chapter.

• Anal yze: Investigators are expected to assess evidence that is uncovered to ascertain if it either confirms an illegal or illicit activity or demonstrates lack of evidence for illegal or illicit activities.

• R epeat and reproduce (quality assurance): A key component of the scientific method is that experiments are able to be repeated and reproduced by the same scientists or others. This same process holds true for digital forensic investigators; additional \251 2019 Bridgepoint Education, Inc. All rights reserved. Not for resale or redistribution. Section 3.4 The Digital Investigation Process tests by other analysts should confirm their findings. This and the previous step are covered more fully in the “Utilizing the Scientific Method in Digital Forensic Investi- gations” section later in the chapter.

• R eport: The process of documentation includes both the full notes of the investiga- tion and a summary of findings by the investigator. This is what will be used in court and is the foundation of a successful prosecution. The forms should be standard- ized depending on the agency conducting the investigation, to ensure consistency.

The report should be written as soon as possible from the initial investigation notes while it is fresh in the investigator’s memory. The report should include facts only, not conjecture.

• Pr esent expert testimony: It is common for the forensic examiner to be called to tes- tify in court. The examiner may be asked questions about the evidence, how it was uncovered, and how it was protected, as well as his or her training, experience, and qualifications. For the testimony of an expert witness to be effective, the attorneys involved on both sides must have a rudimentary knowledge of the digital investiga- tion process to know what questions to ask, how to ask them, and how to coach the expert in answering the questions. The expert also has to be able to explain complex technical terms and procedures in such a manner that a jury can understand the issues involved. Documenting the Chain of Custody of Digital Evidence As discussed in Chapter 2, all the talent, work, and dedication of a digital forensic analyst means nothing if the legal requirements pertaining to the collection of evidence are not fol- lowed. A key to protecting the chain of evidence is to limit the number of people who come into contact with the evidence. Seldom is the digital forensic investigator the person who discovered that a crime occurred. The investigation usually begins with a report by a citizen, and an officer then responds.

An example of the steps followed by a first responder in a digital crime investigation follows.

1.

Joe Smith r eports to the local police that he has received harassing texts from an unknown sender.

2.

Officer Car la Hernandez takes Smith’s report and secures Smith’s cellular telephone.

This includes photographing the device, taking video of it, sketching it in the context of where it was when the incident was reported, taking notes of her interview with Smith, and beginning the chain of custody process.

3.

Officer Hernandez then det ermines if the device is on or off. She may examine it to see if the screen saver is on, lights on the device are lit, or sounds are emitted from it, and feel for heat from the power source. Most mobile devices go into power- saving mode if not used for a specified amount of time, but they are still active. If the device is on, it needs to stay on, as turning the device off could result in evidence being deleted or a password or biometric log in needing to be being reinstated.

4.

Officer Hernandez then collects the de vice (along with any necessary power cables) and obtains the device password from Smith. (Devices may now be activated by facial scans or fingerprints, which may require the device owner to change the set- tings so that law enforcement can have access to the device. If the device owner is unwilling to provide access to the device, this can cause delays, but the problem can be overcome by forensic technicians trained in bypassing access controls.) \251 2019 Bridgepoint Education, Inc. All rights reserved. Not for resale or redistribution. Section 3.4 The Digital Investigation Process 5. Officer Hernandez should k eep the device powered, unlocked, and in airplane mode (if it was on when collected) until delivered to the crime laboratory. It is impor- tant that Hernandez isolate the device from cellular or Wi-Fi networks to prevent evidence tampering. The phone should be packaged and labeled in such a manner that it is not damaged. It should also be protected from dramatic changes in temperature and moisture. If the device was backed up on a computer, Her- nandez should take the necessary steps to secure this device also.

6.

Officer H ernandez then transports the device as soon as possible to the crime laboratory, where she signs it over to an analyst/technician who begins the process of examination.

In addition to the mobile telephone used in the previous example, computers, e-readers, tab – lets, virtual assistants, and removable media are also possible sources of evidence. On occa- sion, the investigation occurs where the devices are located, in which case it is necessary to clone the device on the premises. However, it is preferable to use a laboratory, where the conditions may be controlled. With each type of device, there will be some differences in the collection of evidence. However, the key to maintaining the chain of evidence is to proceed carefully and document every step of the process. Collecting Evidence, Imaging, and Hashing An essential facet of a digital investigation is the collection and preservation of evidence. Digi – tal evidence can be easily damaged through user manipulation, by power surges, or during transport. To avoid altering the original piece of evidence, an exact copy is made through imaging and hashing. The imaging of a digital device is done through the exact copying of data stored in files, folders, or entire drives into a new file, folder, or hard drive. Then, in order to shorten the time necessary to search through the data, a process called hashing is used, in which a string of characters is transformed into a shorter format that represents the original string. It is important that an exact copy be made during the imaging phase because if the copy is off by even a small margin, the hash values will be significantly incorrect. Once the copy is created and hashed, it can be analyzed without fear of altering the evidence.

A newer avenue of evidence collection for digital forensic investigators is social media. Inves- tigators will often check to see if a suspect has a social media presence during the course of an investigation. Sometimes people post incriminating evidence on their social media pages without realizing that anyone can view it and that it can be used against them. Even when posts or photos are deleted, they can often be recovered from a suspect’s device or from other places on the Internet if they have been shared. Additionally, people often allow their social media to broadcast their location when they “check in” somewhere or tag a photo with the Rachel Leathe/Bozeman Daily Chronicle via AP A digital forensic analyst demonstrates the process of removing information from devices, such as computers or cell phones, in a way that prevents the information from being altered.

\251 2019 Bridgepoint Education, Inc. All rights reserved. Not for resale or redistribution. Section 3.4 The Digital Investigation Process location where it was taken. This information can be used by law enforcement as well. In one example, detectives were at a dead end when a suspect used his Facebook account to “check in” at a strip club, leading the police to his car in the parking lot, which provided enough evi- dence for them to arrest him when he walked out of the club (Knibbs, 2013).

Encryption Encryption of data is one of the larger problems that law enforcement faces in collecting digital evidence. As defined by the National Forensic Science Technology Center (n.d.b), encryption is the “procedure that converts plain text into symbols to prevent anyone but the intended recipient from understanding the message” (p. 15). The level of encryption of a digital device can easily stymie examination. Karie and Venter (2015) hypothesized that as encryption standards for the protection of data increase and the associated algorithms become more complex, it will become more time-intensive for investigators using cryptanalysis to uncover and reconstruct evidence. There is currently no standard approach to cryptanalysis. With- out the cooperation of the suspect in giving the investigator the encryption key, uncovering encrypted data is impossible.

Validating Tools The fourth step in Zatyko’s (2007) recommended digital crime investigation process was to validate the tools. Due to the vast amounts of data digital devices may store and the complex technical knowledge necessary to understand digital processes and programming, tools to assist investigations have been developed to speed the process of analysis and ensure the validity of evidence discovered.

Of the digital forensic tools available to investigators, some address only one aspect of an investigation while some have wider-ranging capacities. The application and use of the tool depends on (a) the type of act perpetrated and (b) the device used. Digital forensic tools are classified into the following categories.

• Disk and data captur e tools: These copy an image of the entire disk and all of the data on it to be analyzed.

• File view er tools: These are designed to view a specific file or type of file.

• File anal ysis tools: These scan and report details about examined files.

• R egistry analysis tools: These collect information about the running processes on a host.

• Int ernet analysis tools: These are designed to monitor traffic between computers and the Internet.

• E-mail anal ysis tools: These examine the content and transmission of e-mail.

• Mobile de vices analysis tools: These analyze data on mobile devices (phones, tablets, etc.), who created the data, and to whom it may have been sent.

• Mac OS anal ysis tools: These analyze devices using Apple operating systems.

• Netw ork forensic tools: These analyze network systems.

• Database f orensic tools: These examine databases for evidence (InfoSec Institute, 2018b).

Many digital forensic tools can perform a variety of functions, which means one tool can fall under several of the above categories. For example, Digital Forensics Framework is an \251 2019 Bridgepoint Education, Inc. All rights reserved. Not for resale or redistribution. Section 3.4 The Digital Investigation Process open-source piece of software that is designed to be used by professionals or the forensic lay – man. It may be employed to access remote devices, recover hidden or deleted files, and ensure the chain of custody. It can create reports as well, making it a disk and data capture tool and a file analysis tool, among other categories. Computer Aided Investigative Environment is another open-source software package that was developed to use existing forensic tools in a user-friendly manner, making it also a multipurpose tool.

X-Ways Forensics was created for digital investigators and is considered one of the more advanced tools currently available. Among other tasks, it can assist analysts with disk imag- ing and cloning, automatic detection of deleted or lost hard disk partition, and various data recovery techniques. EnCase is another tool with the ability to multitask, and it also produces a report once the analysis is completed (InfoSec Institute, 2018b).

Through multiple rounds of testing, it has been shown that these investigative tools accu- rately assess what they aim to assess. This testing is done through replicating investigations using the tool in question and using a tool that is known to work and then comparing the results. Finding a tool to be valid means that the tool is known to be accurate for the purposes of digital forensic investigation. It is important to use tools that have been validated, because this not only ensures that the investigator gathers accurate data, but also that the data holds up in court against scrutiny. If a tool has not been validated, a judge or jury may not trust that the results are accurate.

Utilizing the Scientific Method in Digital Forensic Investigations As discussed in Chapter 1, the scientific method is the cornerstone of research practices in the natural, applied, and social sciences and has many applications in forensic science. Foren- sic analysis depends on established and recognized scientific practices. However, criminal investigations are not scientific. They cannot be standardized and repeated like experiments, since every investigation is unique. What follows is a discussion of the five steps associated with the scientific method, with examples of how these might be mirrored in digital crime investigations. The first step of the scientific method is the question. This articulates what the researcher or investigator wishes to learn. For a digital forensic analyst investigating accounting fraud uncovered through a routine examination of a public computer terminal, the question would be who was involved. The second step is the hypothesis. A hypothesis is a conjecture based on information gathered during the initial investigation that may explain the phenomenon under investigation.

In 2000 U.S. Air Force captain Marty Theer was murdered in North Carolina. The question was who killed him. Upon questioning neighbors of the Theers, police discovered there was mari- tal discord between the two. This information led to the hypothesis that Marty Theer’s wife, Michelle Theer, had a hand in his murder. Police then obtained a warrant to search Michelle’s computer. Officers uncovered e-mails between her and U.S. Army staff sergeant John Diamond that revealed evidence of a sexual relationship and documentation of conspiracy to commit murder. Both Diamond and Theer are now serving life sentences for Captain Theer’s murder.

The third step is the prediction. This is the use of inductive or deductive reasoning to derive logical consequences based on the hypothesis. The BTK Killer eluded police for over 30 years until his apprehension in 2005. The killer sent the Wichita, Kansas, Police Department a floppy disk with his writings on it. In a deleted file on the disk, police uncovered the name \251 2019 Bridgepoint Education, Inc. All rights reserved. Not for resale or redistribution. Section 3.4 The Digital Investigation Process Christ Lutheran Church and determined that the file was last modified by someone named Dennis. Police found that a man named Dennis Rader was a deacon at the church. The (cor- rect) prediction made by detectives was that Dennis Rader was the BTK Killer.

Testing is the fourth component of the scientific method. In a science experiment, at this point, researchers conduct experiments to determine if the hypothesis is supported by the find – ings. In a criminal investigation, the testing stage is the collection of evidence to determine if the prediction is supported by the evidence. In 2009 James Cameron, an assistant attorney general in Maine, was indicted on 16 charges of trafficking in child pornography. Cameron, using five different aliases, uploaded pornographic images of children onto a Yahoo! photo album. The investigation began when Yahoo! analysts uncovered these pornographic images and informed the National Center for Missing and Exploited Children, which then contacted the Maine State Police. The Maine State Police’s Computer Crimes Unit traced the owner of the account and found it was Barbara Cameron, James Cameron’s wife. Cameron had used her account to store and share images. When Cameron’s computer was seized by police, evidence uncovered pornographic stills of children and the text of an Internet chat regarding sex with minors. The process of evidence collection by the Maine State Police would be the forensic equivalent of testing.

The fifth step is analysis. This occurs when researchers view the results of their experiment and interpret what these mean. In a digital forensic investigation, the investigator, who may be a law enforcement officer or one who works for a private firm, examines the evidence col- lected and comes to a determination of whether a criminal act has occurred.

Consider an example of a man accused of using his office computer to arrange the sale and shipment of narcotics. One of his coworkers reports seeing an open e-mail on the man’s com- puter in which he offered to meet and deliver drugs. Officers immediately begin an investi- gation. The man is pulled in for questioning. His office computer is seized, and his e-mails are read. Over the course of the investigation, officers discover that this man and his mother are diabetic, and that in the e-mail in question, he offered to give her some of his insulin pen needles until she could get her prescription refilled. In this case, through analyzing the evi- dence discovered in the course of the investigation, officers determined no crime had been perpetrated.

In conclusion, while digital forensics itself may not be a scientific enterprise, the scientific method is routinely employed in the course of investigations. Criminal investigations often bring in multiple different specialties from all across forensic science. Following the scientific method helps keep the process rigorous and ensure that best practices are followed in all areas of an inquiry. Think About It Consider a crime of identit y theft in which you have a suspect and have access to his or her digital devices. How would you, as a digital investigator, use the scientific method to frame your investigation?

\251 2019 Bridgepoint Education, Inc. All rights reserved. Not for resale or redistribution. Section 3.5 Digital Forensics as a Career 3.5 Digital Forensics as a Career How does one become a digital forensic analyst or investigator? First you will need to pick a specialty, since it is possible for a person to have technical training and knowledge in a few areas but not in every area. As discussed in Section 3.3, digital forensic specialties include computer forensics, audio forensics, cloud forensics, database forensics, network forensics, video forensics, and mobile forensics, among others (Barmpatsalou et al., 2018). It is com- mon for one digital investigation to require the services of several specialists in uncovering evidence.

Each area requires specialized training and education. There are some colleges and universi- ties that have degrees dedicated to digital forensics; however, university-level instruction in this field is usually delivered through specific courses and concentrations, not degree pro- grams. A degree in computer science is also desirable for those wishing to enter the field. The education obtained in computer science programs can serve as a baseline of knowledge on which to build expertise in digital forensics.

In technical fields especially, continuing education is essential for those who are considered experts. This can be demonstrated through a required number of training hours per year or through maintaining certifications that test one’s knowledge and require annual training. For instance, the International Association of Computer Investigative Specialists (n.d.) offers the Certified Forensic Computer Examiner (CFCE) certification. It is composed of two phases. The first phase is peer review. It requires prospective candidates to complete four scenario exer – cises in a mentored process. After each of these exercises, applicants are required to submit reports. During the second phase, certification, candidates complete an independent exercise and must successfully pass an examination. Those who hold the CFCE must undergo recerti – fication to maintain their credential.

The Global Information Assurance Certification (GIAC) organization offers a variety of cer- tifications pertaining to digital security and digital investigations. Among the certifications offered are the GIAC Security Essentials, with a focus on cyber defense; the GIAC Certified Forensic Examiner, which specializes in incident response and forensic investigations; and the GIAC Penetration Tester, which certifies expertise in penetration testing. As with the International Association of Computer Investigative Specialists, each certification requires testing and renewal.

As of mid-2018, the average salary for a forensic computer analyst was nearly $70,000 (Pay – Scale, 2018). Salaries vary significantly by location. As careers progress and analysts move into management positions, salaries increase significantly. The level of experience also influ- ences salary levels. In a survey of forensic analysts, it was found that 5 years of experience Think About It Are you interested in a career in digital forensics? Is there a specific specialt y you are drawn to? How would you work toward this career goal?

\251 2019 Bridgepoint Education, Inc. All rights reserved. Not for resale or redistribution. Conclusion can boost salary levels by 53% (InfoSec Institute, 2018b). Keep all of this information in mind when considering a digital forensic specialty for a career. Conclusion Digital forensics is an evolutionary progression in the practice of forensic investigations. As a discipline, it has made significant strides in the past 2 decades obtaining professional sta- tus. Under the rubric of digital forensics are several subspecializations, each requiring addi- tional training. Education and certifications requiring practitioners to possess certain levels of knowledge have been developed to ensure competence in the field.

While the type of evidence sought in digital investigations differs from evidence uncovered in traditional forensic investigations, the approaches of each mirror those of the other. Effective digital forensic investigations are dependent on employing the scientific method, an under – standing of applicable laws, and ensuring and protecting the chain of evidence. Investigators or analysts gain this knowledge from a combination of education, training, and experience.

Society has grown increasing dependent on digitization of devices and electronic communi- cations. As technological advances continue to be made, new means of criminal modi ope- randi will be developed to exploit weaknesses in their security. For this reason, the need for qualified digital forensic analysts will continue to grow.

Key Ideas • Comput er technology has grown exponentially, and digital devices are now used in all areas of life.

• Digital f orensics encompasses the investigation of all manner of devices that require the manipulation of binary code to operate. Methods for digital forensic investiga- tions have grown in complexity and continue to grow alongside the digital devices used for crime.

• Digital crimes encompass mor e than financial crime. Technology may used for per- sonal harm also.

• Stat es and the federal government have been active in creating legislation to address digital crime.

• It is essential f or digital forensic investigators to follow established protocols and use validated tools.

• Documenting the possession and pr otection of evidence through the chain of evi- dence is essential to a successful prosecution.

• Continuing education is essential f or the digital investigator. Even so, it is not pos- sible for a digital forensic investigator to have technical knowledge and training in all areas of investigations. Critical-Thinking Questions 1. Consider y ou are an expert witness. How would you explain the hard drive, RAM, and the difference between the two to a jury of nonexperts?

2.

H ow do you believe Moore’s law (that computer processing speed will double every 18 months) will influence the challenges faced by forensic investigators in the future?

\251 2019 Bridgepoint Education, Inc. All rights reserved. Not for resale or redistribution. Conclusion 3. What ar e the challenges faced by legislative bodies in creating laws that address digital crime?

4.

P eople are often conned into revealing personal information through phishing or social media scams. What are some signs you would advise people to look for in determining whether an e-mail or a communication is real or a ploy? Key Terms binary code A coding system expressed using series of zeros and ones.

CAN-SPAM Act A law that prohibits sending significant amounts of unsolicited commer- cial e-mail.

cloud storage A storage system that houses data across multiple servers and multiple locations.

Computer Fraud and Abuse Act of 1986  A law that prohibits conduct that abuses or damages computer systems.

cyberbullying The use of electronic com- munication to bully a person, typically by sending messages of an intimidating or threatening nature.

cyberterrorism  The use of digital devices and systems to orchestrate a terrorist attack on a government or entity.

digital forensics The investigation of all manner of devices tht require the manipula- tion of binary code to operate.

digitally based A crime in which an elec- tronic device is used to commit the act; for example, identity theft.

digitally facilitated A crime in which the digital device is the target of what are traditionally referred to as computer or cybercriminals.

encryption A means of preventing others from understanding a digital message by changing regular text into symbols. external hard drives A form of removable data.

hacking  The use of a computer to gain unauthorized access to data in a system.

hard disk drive A nonremovable data-stor- age device within a computer.

hardware The parts of the computer vis- ible to the user.

identity theft  The stealing of an individ- ual’s personal information to impersonate him or her digitally.

Identity Theft Penalty Enhancement Act Under this act, a defendant can be charged with knowingly using, without law- ful authority, the identification of another person.

IP address A string of numbers used to identify the computer, but not necessarily the user, used to access the Internet.

latent data The information in computer storage not included in file allocation tables and not easily viewed through the operating system.

phishing A cyberattack involving e-mails supposedly from reputable companies in order to con people into revealing personal information such as passwords.

RAM An acronym for Random Access Memory. It is a quickly retrievable type of computer memory that temporarily stores the information your computer requires immediately and for future use.

\251 2019 Bridgepoint Education, Inc. All rights reserved. Not for resale or redistribution. Conclusion revenge porn Photographic imagery, taken in the context of an intimate sexual relation- ship, that is released online without the knowledge of one of the participants.

software The binary instructions for specific computer processes that are imple- mented thorough the hardware.virtual assistants  Devices designed to sim- plify the management of one’s life through quick exchanges between the user and the device.

visible data  Data that is employed by the operating system and can be accessed by the user.

Web Resources Become a Forensics Expert ht tps://w w w.cyberdegrees.org/jobs/computer-forensics Cyber Degrees developed this web page as an overview of digital forensic careers. It pro- vides a partial list of colleges/universities that offer digital forensics–related programs.

Computer Forensics ht tps://w w w.us-cert.gov/sites/default/files/publications/forensics.pdf This website was created by US-CERT and serves as an overview of the computer forensic process. The section titled “Why Is Computer Forensics Important?” does an excellent job of outlining how computer (digital) forensics is essential in the protection of information systems.

Computer Forensics Examiner Job Outlook & Salary Info ht tps://w w w.forensicscolleges.com/careers/computer-forensics-examiner This website details the job outlook for computer (digital) forensic investigators. What prospective investigators in this field will find is that projected growth is promising and salaries are well above average.

Digital Forensics—Davin Teo—TEDxHongKongSalon https://youtu.be/Pf-JnQfAEew This TED Talk on YouTube is the story of Davin Teo and how he found a career in digital forensics. While most jobs in digital forensics are not as dramatic as Teo’s career has been, it serves as an interesting perspective on how people create a career path.

\251 2019 Bridgepoint Education, Inc. All rights reserved. Not for resale or redistribution. \251 2019 Bridgepoint Education, Inc. All rights reserved. Not for resale or redistribution.