This year’s nomination for Case of the Year, from a colleague of winner Det. Eric Pahlberg of the Sacramento County Sheriff’s Department, noted that investigation of child pornography suspect Benjamin Kendrick could have ended at any point with simply the “low hanging fruit” found on the suspect’s hard drive.
However, Pahlberg argues that case circumstances demanded he go further – that it’s possible to balance preview with in-depth investigation, and that a tight network of investigators followed the case through to its successful conclusion.
HTCIA: You could’ve said “good enough” at several points in your investigation, and would not have found crucial evidence if you had. What motivated you to keep digging?
EP: The circumstances of the case motivated me. There were interesting problems to be solved, and once I realized I could identify an abused child who was in danger, it was important to follow through to rescue her.
In most cases, your goal as an investigator is to determine that a crime occurred, prevent further damage or loss, document the circumstances of the crime, and to show the suspect committed the crime. When the suspect has an explanation, you want to fully investigate to either prove his story is true, or to prove it is not true, whichever way the evidence leads.
This was a serious crime when it started with the investigation of distributing child pornography. Because the forensic evidence showed there was another suspect in Brazil and a child who was in imminent danger, I had to follow up on leads until I could not think of anything else to follow.
Fortunately, this is the age of social networking, and the Internet reaches across countries and continents. The suspect in Brazil posted enough information and images of herself online to locate her in Brazil. Because we work on a task force, I had access to an FBI Special Agent that was working in Brazil. The investigation was forwarded through the Special Agent to the Federal Police and Prosecutor in Brazil. The suspects network globally, and so can we.
HTCIA: Digital triage is a big topic because of the sheer amount of evidence on suspect hard drives. When should investigators stop at triage, and when should they dig more? Should they ever worry about missing a Kendrick?
EP: I have been in trials where I have prepared a forensic examination report that filled binders, and had only a few pages introduced as evidence in court. A lot of time and effort was wasted because it was not needed.
But, if I had not done the work, and did not prepare a thorough report, the questions would have come up about what I did not find and why. I try to err on the side of examining too much, rather than too little.
In my reports and while testifying, I talk about what I observed and what I searched for. I also explain what I did not examine and why. I will always admit that among the huge volume of data that is stored on modern hard drives, there may be evidence that I did not observe or did not recognize.
Triaging is important, particularly when there are multiple computers and multiple hard drives to process. In the real world, an investigator cannot look at every file stored on every hard drive and every device. Triaging is how the investigator can focus on the devices that may have been used by the suspects and are likely to contain the evidence, or just identify the owner of a stolen device without spending time examining everything on the device.
The investigator should be very careful to search for, and document any exculpatory evidence, but especially with a case like check fraud, there may be a point of diminishing return in finding every possible shred of evidence on a hard drive.
I think an experienced investigator can evaluate the physical and digital evidence that has already been found, look at the circumstances of the case, and strike a balance between a quick preview and a full examination. In most cases, the original evidence will still be available if the circumstances change and a further examination needs to be done.
HTCIA: How long have you been investigating Internet crimes against children? What brought you to it?
EP: I am very new to investigating Internet Crimes Against Children. I am assigned to a task force that has an ICAC component, so I have assisted over the years with search warrants and computer forensic examinations. For more than a decade, I have been primarily assigned to investigate identity theft crimes.
I recently had the opportunity to cross train with some Internet based tools and techniques, and that led me to work on some child porn cases. But no matter what the crime, we mostly use the same basic tools; surveillance, search warrants, computer forensics, witness interviews, etc., coupled with a lot of report writing.
HTCIA: How long have you been an HTCIA member? What’s your favorite aspect about the organization?
EP: I am a bit lazy about maintaining memberships in professional organizations. I have been an HTCIA member off and on since around 2001. I was at the HTCIA conference in Long Beach when the World Trade Center and the Pentagon were attacked. There were some reports of possible cyber attacks that day also.
Those incidents turned out to be unrelated, but it did not seem at all unrelated at the time. The attendees and instructors were all trying to arrange to get back to their agencies without flying. I remember thinking that even though the attack was in cities on the other side of the continent, there were a lot of HTCIA members at that conference who were critical to the response in the following days and weeks.
HTCIA: Anything else you would like us to mention?
EP: If there is one thing I have learned from each assignment in my career, it is the importance of working with a good team. Starting with good partners in the jail and on patrol, to working at the Sacramento Valley Hi Tech Crimes Task Force, I know that many of my successes have been the result of working with great partners. This case was just one example.
Our Task Force has members that each bring unique experiences, skills, and tools to the team. The Kendrick investigation would not have been as smooth without the cooperation we have with the various partners on the Task Force.
When I needed to stop Kendrick as he was fleeing on the highway, we had a CHP partner who could make that happen. When I needed a background check run on the co-defendant, I had a partner with connections to NCMEC. When I was ready for the investigation to continue to Brazil, I had an FBI partner who could make that connection. When I needed to find residences and conduct interviews in Ione, I had an Amador County SO partner to help.
I see the membership with HTCIA in a similar way. The connections we make with other HTCIA members allows us to learn from each other’s experience, find experts for specific problems, and just learn what are the latest issues in the field.