Welcome back everyone. Today we're going to do something a little bit different. I don't usually watch police dramas because in the police dramas they usually deal with some type of digital evidence and many times they get it wrong. So today I'm going to watch the Criminal Minds series that started in 2005. I've never seen it before. I'm specifically going to focus on computers or any digital devices that they're working with. Let's just see how they do. I'm going to start with episode one, and I know that episode one aired in 2005. A lot has changed in digital forensics since 2005, so I'll try to give them a little bit of a break.

Let's take a look at this computer system. It looks kind of like Windows. I don't know, they have a folder here. I don't really know what this theme is, so it looks a little bit like a mix between Windows in some things. It kind of looks like an old Mac. I bet it's probably a theme that they've put over Linux specifically for this video. All right, so we have some sort of instant messenger and then we have a couple people here. It doesn't look like she has a lot of stuff on the desktop and nothing in the trash. So we don't really know what the operating system is. I would guess it's probably Linux, but they're probably trying to pass it off as Windows.

So this is actually more common than you would think. People post ads online and then you get into a car with somebody and then abductions happen. If you're going to test anything like this, if you're going with somebody you don't know, always make sure that somebody knows where you are and what you're doing at the time. In 2005 it might not have been that common for people to have cell phones, so it could be difficult for her to text. So at this stage the girl is missing and they've called in this profiler to take a look at the case.

"23-year-old Heather Woodland. Before she left for lunch she downloaded an email with a time delay virus attached. The killer's virus wiped her hard drive and left this on the screen."
So the killer's virus wiped the hard drive but left this on the screen. You can see that there's something in the back here, so everything actually is still up. There's a program running that I can't really make out. I mean, it looks formatted, so it could be some type of email, and then there's a program in the back, and you would assume that that's probably an email program. It's hard to say. I can't really see what the title of that is, and then there's the icons for the desktop in the back, and the system is still running.

If it wiped her hard drive, everything is still available in memory. The email, for example, still would have been available in memory, and they could just collect RAM and then get all of the data from RAM. They don't seem to. They just kind of give up on this system, even though there's definitely evidence. They could recover the email and then potentially investigate the headers and, probably back in that time, find the IP address of the suspect immediately. There's still a lot of evidence here based on this picture, but if they just shut the system down and the hard drive was wiped, it's hard to say what they would get back.
Once they shut the system down, all of this would be lost from RAM, and then depending on how the suspect formatted the hard drive, if they actually zeroed out the hard drive maybe everything's gone, but if they just reformatted or deleted files then you can recover pretty much everything. So they're giving up on this system, I think, way too early, and they could have caught the person much faster if they would have done RAM analysis, but in 2005 RAM analysis wasn't very common.

So next they got a login password and tried to log in immediately. That's just bad practice unless you have an absolute reason to be doing live data forensics. In this case maybe they suspected that the suspect had an encrypted hard drive, which in 2005 is possible, but it wasn't super likely. Really odd to log into the suspect system on the scene like that if you just find a post-it note.

"It was a false password." The false passwords actually are a thing. You can have encryption, and then if you put in a different password the entire system essentially locks up or shuts down. If you put in the right password then you can unlock the encrypted container. The false password either shuts down the entire system or unlocks a different encrypted container that looks empty or innocuous. The big indicator here is "Deadbolt Defense is active". So if you go to somebody's computer and you see Deadbolt Defense active, and then the administrator, and it only has a password to log in here, like, this whole thing is weird in the first place, but then the first thing you should be doing is looking up Deadbolt Defense and see if it actually is an encryption product. There's no way that somebody who didn't know how to deal with digital evidence should be touching this, especially if they think that something like this, this obvious, is in there.

"What's the number six at the bottom of the screen?" "Number of password attempts where the program wipes the hard drive." This is a bit silly. I don't know what the deal is, but it looks like
the police brought in their own system. We have the suspect's computer, looks like, on the left hand side, and then some sort of password cracking system on the right hand side, but they're still limited to six attempts. This is totally incorrect. So the Deadbolt software, just bypass that and focus on the data directly. So if it's a popular software, for example, just get the encrypted data and then try to use your own, basically, login software to attempt password guesses against it. We wouldn't be necessarily limited to six. We would just make a copy of the encrypted data and then work only on the encrypted data with our own program instead of the unlocking program built in Deadbolt. So that doesn't really make sense. If they made an image, a disk, a physical disk image of the suspect's hard drive, then we already have a preserved copy. So theoretically, if they used whatever their six tries are here, then we just use our copy again and then you have six more tries. So, like, this whole setup of only six tries really doesn't make sense.

Okay, so I don't know who this person is, but surrounded by computer screens with a bunch of code floating by, I bet this is their technical person, probably. And oh man, like, I mean, some of this stuff could be accurate, but let's see how this goes.

"Now if you guys see it and the FBI's office of supreme genius." "Hey, supreme genius." "Yeah, need you to work me some magic here. I got a program called Deadbolt Defense and a girl with only a couple hours to live, so what do you know?" "And you got a problem. Deadbolt's the number one password crack resistant software out there. You're gonna have to get..."

So it's the number one password crack resistant software out there. You're the FBI, you already knew this. They definitely have a module for attempting to crack it. If they already knew about it and it was popular enough to be the number one resistant software, it's definitely being tested by thousands of different companies. Not just FBI, but any other government agency would
probably be interested as well. They should have already known something and had tools developed for it, but, you know, maybe not.

"You're gonna have to get inside this guy's head to get the password." You don't have to get inside the guy's head, but the whole point of this is actually to do profiling, so I can understand why. If you can get inside the guy's head then maybe you can guess the password. It might also be possible that you just ask for the password at the very beginning. That's really what they should have done immediately: if they knew that digital evidence was part of this and they knew that it was password protected, ask what the password is, because they might be thrown off and then just give you the password, but not always. The whole six tries is kind of a setup for relying on profiling to get the password.

"Guys, little help. We're going through every one of these CDs. Scratches, wear and tear. I want to know which CD he plays the most. Let's go." That was real. Whenever CDs were a thing, going through and finding out which CDs were the most scratched were a good indicator of how much they were used, so you can kind of tell something from it. And in this case it's hard to say. One, maybe he's just trying to get the frame of mind or something.

Yeah, so this is completely unacceptable. I mean, it looks very dramatic, but even if you're in a suspect's house you would never do anything like this, because there could actually be evidence on any of these CDs. They could have written data to one of the discs, and the cops just come in and throw crap all over the floor. That's, no. This is absolutely against protocol. It looks like they've been doing something, but basically they've just been tearing things up. This is awful. That's terrible. Flipping evidence around. Yep, good job.

"I've been thinking about the CDs." So this was a thing. If he's talking about CDs and he has a safety pin, it's definitely in the CD tray. So basically that's the mechanical switch: whenever you put that
safety pin in there, the tray will pop out. "I think we may have missed the obvious." The problem with that is, if that CD was actually a data CD, then the suspect might have been running something from the CD, and as soon as they ejected it then that program might actually stop running. So ejecting CDs from a running system isn't usually what we want to do, but I guess if they're locked out in this case and that's the only way they can find the password, it makes sense. I think they got lucky because it is a music CD rather than data, but you never know until you do it, I guess.

A lot of labs still have devices that basically you stack all of the CDs up. So whenever people have these huge collections of CDs, you have to image all of them and then process all of them. So basically we stack all the CDs into this kind of tray, and then it has an arm that will come up, take one CD like a record player, and then image one CD and then move it to a different pile, and then basically image each of the CDs in the stack. And it's the only way that you could image, you know, hundreds of CDs back in the day. So I think we're much better off now with USB sticks.

"Heather's alive." "How do you know?" "Because we're watching her right now." So if this is a live stream, you have images coming through. They could probably find the IP address, the connection, right now for where this webcam is coming from. Especially in 2005 it should be relatively easy to work with the ISP to track this down. So you can get the IP address of the stream itself. It's probably not being proxied. Find the IP address, talk to the service provider, you can pretty much identify the location immediately, usually.

"The last 12 images lined up next to each other. Either you see that the light bulb hanging from the wire shifting positions." So this is actually interesting. One big, big problem is that they're still doing this from the suspect's computer, so they are still modifying data on the suspect system, which you never do
like we would just take an image. You have an active stream running. Try to find out what you can about the stream, but you wouldn't be, for example, trying to take screenshots and just doing all of that on the suspect's computer. You definitely want to be doing that on some other system that you control, and then also capturing this feed, probably to a system you control. This is insane that this is actually on the suspect's computer. And this camera is basically sending one picture at a time, so it's not actually a live stream, it's just a series of images, and then we have the light swinging. And then this type of video analysis is used all the time for trying to figure out where things are, what's happening, and just give more context about things like this.

So that was really all the digital evidence that they dealt with in this episode. Of course computers are not super interesting to look at in terms of recording, so you usually see people talking about them or flashing USB sticks or throwing CDs everywhere. That's just to try to make things a little bit more interesting, because in reality we would be seizing all of that and then imaging each of those and then analyzing the images.

Overall, I think they could have just had somebody on the work computer, either from logs, if the work system kept logs. Most likely at the victim's work there's an email server that's centralized, so even if the suspect deleted the files on her computer locally, potentially the work email server would still have copies of that email, or something in the trash, for example. So there's lots of potential digital evidence they could have gotten from the work system that would have saved them a lot of time.

They had the actual suspect system and they kept interacting with the suspect system. You don't interact with the suspect system. You either try to image it as quickly as possible, or if you absolutely have to, then do some live data analysis. But if it was already encrypted you would shut it down, you would
image it, and then you would try to break the encryption. That's basically what you'd have to do.

So overall they didn't identify most of the digital evidence that was possible, they didn't treat any of the systems as you should whenever you're dealing with the artifacts, and they just let a lot of evidence go that could have saved them a lot of time. And all of that was specifically for establishing that they can create a criminal profile. So not the worst treatment of digital devices that I've seen in a prime time drama. At least they were kind of accurate, and, you know, sometimes, especially first responders that don't know anything about computer systems, they might try to log in, lock things out, alter data on suspect devices. That actually happens. So I guess the guy's frustration whenever the police officer logged in is kind of valid and justified, because it does happen. The computer expert saying that there's nothing you can do and that that system is like the best encryption in the world, it doesn't make any sense.

So overall, pretty interesting to see. I hope my commentary on at least talking about the digital evidence was interesting. They're kind of right, but not really. It's a pretty good episode. I think I'll keep watching Criminal Minds and see what other shenanigans we can get up to. If you like this kind of commentary, be sure to like this video and then comment down below if there's any specific series you want me to watch. I've probably not seen it before and I'm happy to give my opinion about their forensic techniques. So that's it for today. I hope you liked it. Thank you very much.