A System Reboot for Child Pornography Detectives
Early in the morning on November 17, 2010, Steve DeBrota received an urgent call. The assistant U.S. Attorney for the Southern District in Indiana was attending a Department of Justice convention in Washington, D.C., the kind of event filled with Powerpoint slides and a blur of indistinguishable meetings. But for DeBrota, a Butler alum who had been in his job for nearly 20 years at the time, the day would stand out in his memory. The person calling from 600 miles away shared some of the most sickening details he had ever heard, in a line of work where sickening details were routine: prosecuting child pornography.
The call came from a longtime friend, Indiana State Police lieutenant Chuck Cohen, a 16-year veteran of the force in charge of the Internet Crimes Against Children Unit. Cohen was at the scene of a raid in Bloomington—specifically, the residence of 26-year-old David Bostic, a suspected child pornographer discovered online by an undercover officer. Investigators from the FBI and Brownsburg and Kokomo police departments ransacked the house, while another team analyzed the seized evidence in an RV-turned-rolling crime lab. There, they also interviewed Bostic, leaning on him to identify the victims in the images they found.
As DeBrota and Cohen talked, they realized the material uncovered in Bostic’s files—the most extreme they had seen over the last two decades—signaled a troubling turn in the already dark work they did. Detectives discovered 400 pornographic images and videos of infants as young as 2 months old. Some of the children were bound in a sadomasochistic manner. Based on intelligence the team had gathered from Bostic’s inbox in a matter of minutes, they concluded the images were just the leading edge of a much larger stock of child pornography.
Before he could launch a wider investigation into the origin of the files, DeBrota needed to secure approval from his new boss, a green U.S. attorney who had been on the job only a month: Joe Hogsett. As it turns out, Hogsett happened to be at the same conference. “We have an opportunity here,” DeBrota told him. “We can catch a group of really bad guys.”
Hogsett approved the broader investigation, which in the following months spanned nine states and four European countries, from Louisiana to London. So began Operation Bulldog, a takedown of an international child pornography ring that would have never been possible without a high-tech and unorthodox crime scene investigation technique—one that the FBI and others had panned and criticized as unreliable only years earlier—developed by an unlikely trio of cops and computer geeks from Indiana.
When DeBrota first started in the U.S. Attorney’s office in 1991, internet crimes as we know them didn’t exist yet, because the internet as we know it didn’t exist. The first computer-related case he prosecuted was later that year, “a bulletin board dial-up thing with 5,000 members,” he says. Growing up, his family owned the first IBM personal computer in Indiana. In college, he was a rare physics and political science major at Butler, a guy who felt equally at home in a law library and a computer lab.
About a decade after DeBrota worked his first crime, personal computing and use of the internet became more common. As a result, online crimes against children began to consume a lot more of his work time. And he chafed at what he saw as an anachronistic way of investigating such felons. In the 1990s, criminal justice experts and forensic examiners reasoned that digital evidence should be gathered and evaluated in the same way as physical evidence such as DNA was: in a centralized lab. But in labs run by bureaucrats, such evidence could languish for anywhere from six months to a year. Meanwhile, the victims of child pornography remained exposed to their tormentors and the communication trail among networks of offenders grew cold. “All of those leads would dry up during that time,” DeBrota says.
The solution, as many officials saw it, was to build larger and more efficient labs. DeBrota, an avid fan of spy novels, had another idea. Instead of taking evidence to a lab, what if he took a lab to the evidence? The technological equipment necessary to comb through such evidence had shrunk in size, after all.
DeBrota’s idea met resistance from the start. Few crime-fighting agencies recognized the validity of processing evidence outside a central lab. And FBI officials balked, claiming that analyzing evidence on the scene would demand too much technical expertise. Worst of all, a forensic examiner might be accused of altering files on a computer just by logging on. Defense attorneys could have a field day in court rejecting that evidence.
DeBrota, an avid fan of spy novels, had another idea. Instead of taking evidence to a lab, what if he took a lab to the evidence?
The only support DeBrota could garner was from Cohen, the Indiana State Police captain, who would eventually purchase the RV to house the equipment necessary for field triage trips. As they began using the vehicle and speaking about the new technique at criminal justice conferences, their explanations often elicited laughs. “We were getting questions about whether this was an academically sound process,” DeBrota says.
At one of those conferences, though, DeBrota and Cohen met Marc Rogers, a former beat cop from Winnipeg, Canada, who had built a reputation as an expert internet criminologist. Like DeBrota, Rogers fancied himself as something of a computer hobbyist. He had created one of the first rural internet service providers in Canada, and built custom computers for friends, racking up maybe $10,000 a year on the side while working robbery cases by day. Rogers’s supervisors at the Winnipeg Police Service caught wind of his expertise and assigned him as a detective in a nascent computer crimes division. Soon, he traded the mundane work of a beat cop for investigating child pornography and international terrorism cases. Rogers even uncovered a hacker group in Eastern Europe that was targeting a U.S. missile facility.
It was exciting work, but Rogers wanted to know what made computer criminals tick. His restless intellect led him into academia. In 2003, he landed at Purdue University, where he became a professor and head of the university’s Computer and Information Technology Department. While teaching Introduction to Computer Forensics in 2004, Rogers stumbled on a solution to one of the biggest problems with DeBrota and Cohen’s on-scene method: extracting files from a computer without altering them. Thanks to a new piece of technology called a write blocker—a palm-sized device that allowed examiners to acquire data from the machine without disrupting files—that would no longer be a problem. “It was the digital equivalent of taping off a crime scene with yellow tape, and then putting cellophane over the scene to prevent tampering,” Rogers says.
Over drinks at hotel bars on the criminal justice conference circuit, Rogers, Cohen, and DeBrota tinkered with the on-scene model of digital evidence gathering. In 2006, Rogers, with DeBrota and several other Purdue professors as co-authors, published what would become a well-received, peer-reviewed paper, “Computer Forensics Field Triage Process Model” in the esteemed Journal of Digital Forensics, Security, and Law.
“In cases such as child abductions, pedophiles, and missing or exploited persons, time is of the essence,” the authors wrote. “In these cases, investigators dealing with the suspect or crime scene need investigative leads quickly; in some cases, it is the difference between life and death for the victim(s).” The triage model, as Rogers, DeBrota, and Cohen saw it, included four basic steps: find usable evidence immediately; identify victims at acute risk; guide the investigation; and assess the offender’s danger to society.
The journal article changed attitudes internationally about their method. A decade later, the trio’s model is now used by most major law enforcement groups in the world. DeBrota alone has used it to extract hundreds of confessions and rescue thousands of children.
Back in Bloomington, child pornographer David Bostic’s computer hardware was proving to be a gold mine. As detectives analyzed the evidence on site, Cohen and DeBrota realized they were dealing with a target who could lead them to a network of other pornographers. A quick examination of Bostic’s hard drive exposed co-conspirators across the globe. It was possible, DeBrota reasoned, that his team had discovered the first organized group of nepiphiles—people attracted to infants rather than older minors—who trafficked online.
In the weeks that followed the Bloomington raid, DeBrota’s task force executed similar raids—using their field triage model and sometimes mobile labs—in states such as Pennsylvania and South Carolina. Abroad, raids rippled across the Netherlands, Sweden, Serbia, and the United Kingdom. Millions of images were recovered, and 24 members of the ring were captured. Nine people were sentenced in Indiana, including Bostic, whom a judge gave 315 years in prison.
In less than the six months it would have taken under the old model to uncover the first evidence against Bostic, DeBrota had brought down an entire criminal organization.
On February 23, 2011, only months after Operation Bulldog began, the London Metropolitan Police showed up at the residence of Domminich Shaw. There, they found diapers. Authorities questioned Shaw, who had no children, about that fact. He admitted they were part of a “fantasy” he harbored. Eventually, detectives discovered Shaw was at the center of the international child pornography ring. In less than the six months it would have taken under the old model to uncover the first evidence against Bostic, DeBrota had brought down an entire criminal organization.
DeBrota extradited Shaw, who was scheduled to be sentenced in Indianapolis shortly before this published, marking the end of Operation Bulldog. (“You have to call it something,” DeBrota says about the investigation’s title. “Bulldogs have the characteristic of being tenacious. When it was all over, I realized I had gone to Butler University, and that might have had something to do with it, too.”)
When authorities swarmed the Zionsville home of former Subway pitchman Jared Fogle last year, media images of Fogle stepping down from a mobile lab beamed the trio’s innovation around the world. Similar raids now occur on a regular basis throughout Indiana. The Indiana State Police conduct roughly one mobile lab investigation a week, and they’re considering purchasing a third lab (each costs about $100,000) to deal with the growing number of these cases.
Using the mobile labs and the investigation model he helped pioneer, DeBrota has never lost an internet crimes case or had evidence suppressed in court. Any doubts about the method seem backward now, he says. When asked at conferences to explain the thinking behind the method, the spy-novel-loving prosecutor turns to a metaphor James Bond might like. “Instead of treating a computer like a red wine, you treat it like an extra dry martini—consume it right away while it’s still cold,” says DeBrota. “In about the time it would take for a martini to go from cold to room temperature, you can get useful information in almost every case we encounter.”