An Interview with Frank Thornton, Forensic Crime Scene Investigator and Former Police Detective
As a police officer, Frank Thornton had an intuitive hunch that computers and technology would one day play an important role in criminal investigations. His “cop’s intuition” paid off when he combined his police detective experience and his interest in technology into a successful career in the ever-developing field of Computer Forensics.
Frank Thornton’s education began at the Vermont Police Academy and he gained knowledge, experience, and occupational know-how as a sworn police officer. As computers and technology became more ingrained in people’s everyday lives, Thornton realized that there was a dire need for criminal investigators to delve deep into a suspect’s digital history. He is the owner of Blackthorn Information Security, a digital forensic analysis company, and his expertise in the field has led him to give testimony on critical forensic evidence in criminal cases.
Thornton is a Certified Computer Examiner (CCE), a certification that is accredited by the International Society of Forensic Computer Examiners and considered by many in the forensics industry to be the premier certification for anyone performing digital forensics. In addition, he is a member of the New England Electronic Crimes Task Force, has been a featured speaker at such conferences as Hackers On Planet Earth (HOPE) and DefCon, and has co-authored such publications as Wireless Security: Know It All and Game Console Hacking: Xbox, PlayStation, Nintendo, Game Boy, Atari, & Sega.
Read on to find out more of how Frank Thornton came to be an expert in the field of computer forensics, where he sees the field going in the near future, and why—after decades of gaining experience—he decided to go back to school to earn his online Digital Forensics degree.
What inspired you to become a police detective and then a computer forensics specialist?
My experience with computers started as a young teen in the 1970’s. My father worked at IBM, which allowed me access to IBM mainframes. Later, volunteer firefighter and Emergency Medical Technician positions led to my being recruited by the police. Advancing through the police ranks, I became interested in forensics while working crime scenes. While investigating crimes, I quickly learned that many people lie to the police, and those that don’t lie are often influenced by their own perceptions to the point that the things they think they saw are either poorly influenced or flat-out wrong.
Evidence based on scientific fact is very impartial, and isn’t affected by memory, perceptions, or the person’s self-interests. I began to concentrate on that, and began to find I was pretty good at using those concrete facts to separate out the lies of the criminals and misperceptions of witnesses.
In turn, the police work led to working at the State of Vermont Forensic Laboratory as a Forensic Specialist, where I spent much of my time working on homicide and other major crime scene investigations. During the police and the forensic lab careers, I still kept up my skills and knowledge in the field of computers, and was learning about how they worked internally, and how they might be applied to police work and forensics. When I finally left police work, the combined knowledge gave me the needed skills to allow me to step into the field of computer forensics.
How did you come to found your computer forensics company? How do you use your experience as a police detective in the work you do now?
In the 1990’s, while working at the State of Vermont Forensic Lab, I started seeing computers being used in crimes, but very few agencies were examining them for evidence. In those days it was typically word processing documents or spreadsheets detailing drug dealing activity.
The documents, usually authored by the accused, were a rich source of evidence and that interested me intensely. I could foresee a need for computer forensic examinations becoming a standard practice for solving crimes. The laboratory’s director wasn’t interested in pursuing that area of expertise at that time, so I set out on my own. At first, I did general computer and wireless networking along with forensic cases, but in the later years I concentrated exclusively on forensics and information security. Nowadays, my workload is mainly forensics, with a limited amount of information security work on the side. Both digital forensics and information security tend to be flip sides of the same coin, so both provide me with interesting work.
My experience as a police officer and detective taught me how to investigate crimes and how criminals think. That pays dividends in figuring out where evidence is hidden on computers and smartphones, as well as in figuring out how the evidence fits into the case, and determining the importance of a particular piece of evidence.
Finally, one important skill I learned as a detective was how to testify well. Testifying properly is a very important skill, but one that’s often underrated in forensic casework. Knowing how to conduct oneself under cross-examination is particularly important. Trials are the ultimate decision about how well an examiner has done their work. If a forensic examiner can’t clearly explain his or her actions and conclusions on the witness stand, then all their work will have been in vain, no matter how good their technical processes and abilities might be.
Did you hold any past positions that have played a significant role in where you are today?
Working as a police officer and specifically as a detective taught me how to conduct investigations and how to testify. My position at a forensic laboratory taught me how to integrate scientific knowledge and principles into investigations. Both of those positions were significant in my becoming a digital forensic examiner.
Has the forensic evidence you’ve uncovered ever been used in a criminal trial? If so, how did your findings contribute to the case?
A number of my cases have been criminal cases. Since I became a specialist in digital forensics I’ve examined computers, tablets, smartphones, and cell phones in everything from child exploitation to drug conspiracies to homicide cases. I’ve testified about digital evidence that I uncovered in a bank robbery trial, at the trial of the kingpin of a multi-state drug-dealing ring, and at the court case of a key player in an international drug smuggling operation. As a result of these testimonies, I have been accepted as an expert in digital forensics in U.S. Federal Court.
Also, in a number of other cases, I haven’t been required to testify, as the defendants have entered guilty pleas, based at least in part on the evidence I’ve recovered from their smartphones and computers. I’ve had a number of prosecutors tell me that evidence I’ve uncovered was a direct influence on getting a defendant to plead guilty and avoid a trial.
As we see in the news, many companies of all types are desperately trying to safeguard their digital information from being hacked. How does the field of computer forensics contribute to preventing and prosecuting these hackers?
Computer forensics in this context usually involves two areas: First, the forensic examination of the victims’ computers will usually reveal the techniques and software used to conduct the attack. That, in turn, will usually reveal a lot of information about the attackers, their skill levels, and the means they employed to perform the attack. Depending on the circumstances, information about the nationality, political affiliation, motivations, and other pertinent evidence may also be uncovered. In many of these cases, the information uncovered is enough to show exactly who perpetrated the crime, how they did it, and to ultimately bring them to justice.
Secondly, forensic examination of the network traffic often gives information as to how the attack was performed. The knowledge gained from the forensic examinations in these cases can help safeguard the victim and other companies and their users from future attacks.
Tell us more about how the experience you gained on the police force and in computer forensics contributed to the technical editing of the book, Digital Forensics Processing and Procedures.
Much of my general experience has been seeing the tools, techniques, and procedures be developed for forensic examination of computers and digital devices, and I was able to use that knowledge in helping the authors (Andrew Jones and David Watson) keep the book technically correct.
As far as I know, the book isn’t being used as a text in forensics education, but it certainly could be! The publisher’s blurb said “This is the first digital forensics book that covers the complete lifecycle of digital evidence and the chain of custody”[i] which I think sums it up very well. Forensic science students could use it as a soup-to-nuts reference for how to handle and process evidence using international ISO standards.
Forensics is a very popular genre for both fictional and non-fictional television shows and movies. Do you feel that pop culture has a negative influence or a positive impact?
You’ve hit both sides of the situation exactly! Forensics in fiction has a big negative influence in that it greatly simplifies processes and procedures – and often does the impossible – in order to further the story. The so-called “CSI effect” is a problem for trial lawyers. Jurors often assume that forensic evidence will prove the impossible because they have seen it done on TV shows. If the jurors don’t get that kind of evidence, they sometimes think that the case is somehow lacking everything they expected.
On the other hand, the use of forensic sciences being featured in fictionalized accounts does help popularize STEM (Science, Technology, Engineering and Math) in general, and has attracted a new generation to the field of forensic science. That’s a very positive thing in my mind.
What are some of the biggest challenges in the field of forensics today?
New devices, new apps, and new versions of operating systems mean that computer forensic examiners are continually trying to keep up with those new releases. In digital forensics, “new” is literally as recent as yesterday, and “old” is anything over 2 or 3 years ago. The techniques are also evolving as the field adapts to a continuously changing landscape of digital devices. For example, TVs have evolved in the last several years and are now commonly sold with embedded apps and operating systems. The same principle applies to automobiles; they now have huge amounts of built-in digital technology. Wearable devices such as the FitBit or Samsung’s SmartWatch are other examples of new advances that present new challenges to forensic examiners. Digital forensic examiners have already looked at all of these devices for potential evidence to be used in court cases.
The following fictional scenario hasn’t happened yet to my knowledge, but it is entirely plausible. Think about how compelling the digital evidence would be to a jury hearing about this situation:
In a “whodunit” murder, the defendant claims to have been home watching TV at the time of the victim’s death. However, the TV’s logging functions show it was turned off at the time, and his car’s built-in GPS has tracked itself to a block from the scene of the crime just ten minutes before a witness heard shots being fired. Plus, the car’s entertainment system says it was connected by Bluetooth to the defendant’s smartphone during the drive, and the smartphone agrees, saying it was connected to the car for that same time period. Finally, the defendant’s smart watch says it was connected to the victim’s Wi-Fi network within the same timeframe as when the medical examiner has determined that the victim died.
All of those pieces of digital evidence didn’t exist even as little as two or three years ago, but all are actually being seen as having potential evidence in cases my peers and I have examined in the last few months. So you can see that keeping up with new devices and how they perform is critical to the field.
In addition to your long and seasoned career in forensics and law enforcement, you’re currently earning your Bachelor’s degree in Digital Forensics. What made you decide to pursue your degree?
Several times in the last decade, I’ve been approached by educational institutions to teach courses, only to have the offers withdrawn because of a lack of a degree. As a past adjunct instructor at the Vermont Police Academy, teaching appeals to me, and so I decided to get the degree while eyeing teaching in the future.
Are you completing any of your education online?
So far, all of my current education for the degree has been online. It’s been a great experience, and the flexibility of the online courses has allowed me to fit in my courses and assignments in between casework.
I highly recommend online courses for anyone who has a full-time job, but wants to go back to school. Plus, the instant availability of the courses means that a student doesn’t have to travel to a classroom on someone else’s schedule.
In your opinion, what type of student is ideal for the field of forensics?
Ideal students should possess several different attributes. First, they have to be tenacious to keep looking for clues even when the odds seem against them. Obviously, being detail oriented is a must, since finding something as small as one word or a single file timestamp within gigabytes of data can be critical to a case.
Another necessary attribute is critical thinking, since the students will have to look at when an item is significant in the circumstances of the case, and within the confines of the legal system.
What advice do you have for students pursuing forensics degrees?
First, students pursuing a forensics degree need to pay attention to the STEM courses.
I would also recommend that they understand the real-world career path that they may be required to go through in order to get to their ideal job. Internships can often give an eye-opening view as to what their job will actually be, as opposed to what the student thinks it might be.
Finally, the best advice I can recommend is to always keep learning, whether it’s about the latest details of a given smartphone’s operating system, or how automobile manufacturers are integrating networking and black boxes into the latest model cars. Knowledge stagnates very quickly in this business, and outdated knowledge means an examiner isn’t capable of doing their job very well, if at all.
Students should also keep their eyes open to other experiences and other knowledge. Sometimes, the oddest bit of knowledge brings evidence into context, and can be applied to help solve a case.