Credentials

 

Summary of Qualifications

 

Twenty-five years of law enforcement experience as a member of the Pennsylvania State Police, marked with criminal investigative and administrative success. Recognized authority, instructor and advisor on criminal activity involving the use of computers, and on the forensic examination of computers.

 

 

Professional Experience

 

Full Time Troop Computer Crime Investigator, April 2002 to present. Conduct criminal investigations involving the use of a computer. Conducted forensic examinations on computers submitted as evidence to the Pennsylvania State Police by other State Police officers, Federal agencies, and local police agencies. Conducted training classes on the techniques used to investigate computer crimes.

 

Part time Instructor – Butler County Community College, August 2006 to Present.

Developed and instruct the Digital Forensics I and Digital Forensics II curriculum core classes for the Associate Degree program, Applied Science – Computer Forensics.

 

Owner – Advanced Forensic Recovery of Electronic Data, August 2007 to Present. Owner and operator of Advanced Forensic Recovery of Electronic Data, a data recovery business specializing in Simple Data Recovery and Forensic Data Recovery.

 

Part Time Troop Computer Crime Investigator July 1999 through April 2002.  Conducted criminal investigations involving the use of a computer.  Conducted forensic examinations on computers submitted as evidence to the Pennsylvania State Police by other State Police officers, Federal agencies, and local police agencies.

 

Criminal Investigation Unit Supervisor, May 1996 through April 2002, Troop D, Butler.  Supervised the day to day activities of the Criminal Investigation Unit, reviewed reports, conducted employment evaluations, and supervised and participated in the investigations of major criminal incidents, including robbery, rapes and homicides.

 

Staff Services Unit Supervisor, November 1994 through May 1996, Troop D, Butler.  Supervised the day to day activities of the Staff Services section.  Reviewed reports, conducted employment evaluations, maintained the evidence room, and supervised the Forensics Services Unit.

 

Patrol Unit Supervisor, April 1992 through November 1994, Troop P, Towanda, Bradford County, and Troop D, Butler. Supervised the day to day activities of patrol unit members, reviewed reports, conducted employment evaluations, and served as the on-scene supervisor at a variety of traffic and criminal related incidents.

 

Patrol Unit Member, Troop F, Coudersport, Potter County, October 1986 through April 1992. Performed various patrol functions and conducted criminal and traffic related investigations.

 

 

Professional Training

 

The Pennsylvania State Police - Computer Crime Investigations - and related update training.

 

EDCAP Services - Introduction to Data Evidence Collection and Preservation.  Introduced the student to the collection and preservation of electronic data.

 

The National White Collar Crime Center, Basic Data Recovery and Analysis (Cybercop 101), 03-26-1999. 36 hours of instruction relating to the handling, recovery and analysis of computer related evidence.

 

 

 

The National White Collar Crime Center, Advanced Data Recovery and Analysis, 05-04-2001. 40 hours of instruction relating to the handling, recovery and processing of computer related evidence.  Special emphasis was given to Windows 9.x, Windows ME, with some emphasis on the Windows NTFS file system.

 

Butler County Community College, Introduction to Computer Forensics, spring 2002.  3 Credits

 

Butler County Community College, Security Systems, summer 2002. 3 Credits

 

Butler County Community College, Data Communications and Networks, spring 2003.  3 Credits

 

Butler County Community College, Microcomputer Applications, fall 2003.  3 Credits

 

AccessData Intermediate Computer Forensics, 02-20-2004. 24 hours of instruction relating to the recovery of computer related data using AccessData's Forensic Tool Kit, and other AccessData software including Password Recovery Toolkit, Registry Browser, and FTK Imager.

 

Digital Intelligence - Network Forensics Essentials, 07-16-2004.  36 hours of instruction relative to Basic Network Forensics.  The course included the installation and configuration of popular Network Operating Systems such as Windows XP, Windows 2003 Server, Netware, and Linux. From a forensic perspective, instruction was given on how to gain both file system and operating system access while still ensuring the integrity of evidence.

 

The National White Collar Crime Center - Advanced Data and Recovery Analysis - Microsoft Windows NT/2000/XP, 03-11-2005. 36 hours of instruction on the handling and recovery of computer related evidence from Windows NT / 2000 / XP operating systems.

 

International Association of Computer Investigative Specialists, Certified Electronic Evidence Collection Specialist, 04-29-2005. 16 hours of instruction on the collection and preservation of electronic evidence.

 

International Association of Computer Investigative Specialists, Forensic Computer Examiner Training Program, 05-06-2005. 80 hours of instruction on computer forensics, followed by a 1 year series of rigorous forensic examinations and reporting, culminating with a certification examination. Re-certification is required every 2 years.

 

New Horizons Computer Learning Centers, A+ Certification – Hardware, 07-07-2005

 

New Horizons Computer Learning Centers, A+ Certification – Software, 07-23-2005

 

The National White Collar Crime Center, Windows Internet Trace Evidence Cybercop 302 (INET), 01/26/2006. 32 hours of training dealing with Windows Internet trace evidence. The course revolved around obtaining and analyzing trace evidence from popular web browsers like Internet Explorer, Netscape and Firefox, as well as obtaining trace evidence from popular chat software programs such as AIM, MSN Messenger, Yahoo Chat, and others.

 

The National White Collar Crime Center, Cyber Investigation 100 (STOP) Secure Techniques for Onsite Preview, 03/21/2006.  16 hours of instruction relating to secure techniques for previewing hard drives for evidence, onsite, prior to confiscation.

 

Guidance Software EnCE Certified Examiner – Guidance Software EnCase Certified Examiner status obtained 07-18-2007.

 

Vista Forensics, 10-05-2007.  7 hours of training. This advanced AccessData class provided the knowledge and skills necessary to analyze Microsoft Windows Vista operating system artifacts and file system mechanics using Forensic Toolkit (FTK), FTK Imager, Password Recovery Toolkit (PRTK), and Registry Viewer.

 

Windows Forensics, 10-23-2007 – 10-25-2007. 21 hours of training.

This advanced AccessData training course provided the knowledge and skills necessary to conduct forensic examinations and recover artifacts from computers installed with the Windows XP, Windows 9x and Windows 2000 operating systems.

 

EnCase Advanced Computer Forensics, 05-19-2008 – 05-22-2008. 32 hours of training. Hands-on course where participants learned advanced data recovery techniques for artifacts in many of the file systems supported by EnCase. Emphasis was placed on file system artifacts. This course provided in-depth coverage of topics including:

 

· Recovery of NTFS artifacts in NT 4.0, Windows 2000, and Windows® XP

· Examination of the NTFS Registry

· Recovery of NTFS log files

· Technical issues associated with NTFS file systems

· Instruction about hardware and software RAIDs

· The principles of encrypted data recovery

· Linux and Unix file system artifacts

· Instruction on how to recover Linux partitions

· Instruction about Macintosh® file system artifacts

· Advanced NTFS data recovery techniques

 

New Horizons Computer Learning Centers, NetPlus training, February 2009. 40 hours of instruction regarding computer networking, networking components and architecture.

 

AccessData – Certified Examiner certification obtained 07-07-2009

 

 

 

AccessData MAC Forensics, 07-27-2010 – 07-29-2010. 21 hours of training.

This course provided the knowledge and skills necessary to recover and analyze forensic artifacts from the Macintosh operating system using Forensic Toolkit® (FTK), FTK Imager, and Password Recovery Toolkit® (PRTK). Participants learned GPT drive structure and sound methodology for imaging Macintosh hard drives, as well as how to obtain date and time information from Macintosh systems. In addition to working with the Macintosh operating system, participants recovered artifacts from Macintosh-associated programs such as Safari and Firefox browsers, iChat, and Apple Mail. Participants also learned how to recover artifacts from iPod and iPhone, including iPhone address book and calendar information, call history, text messages, photos, and voicemail.

 

AccessData Call Detail Records and GPS Devices, 09-10-2010.  7 hours of training in the examination of call detail records, cell phone tracking and the extraction of digital evidence from GPS devices.

 

AccessData BitPim and Cellular Phone Artifacts, 10-01-2010. 7 hours of training in the examination of cellular phones using BitPim software.

 

AccessData Internet Forensics, 01-04-2011 – 01-06-2011. 21 hours of training.  The course centered on how to conduct an effective Internet-application-based investigation. This advanced AccessData training course provided the knowledge and skills necessary to use tools to recover forensic information from Internet artifacts. Students learned where and how to locate Internet artifacts including Web Browser artifacts, artifacts from various chat programs, and artifacts from web based online social networks like Facebook, and Myspace, as well as other web based communication programs such as Skype.

 

Guidance Software – Computer Forensic II, 03-01-2011 – 03-04-2011. 32 hours of training using EnCase software to create logical evidence files; locate and recover deleted partitions and folders; conduct keyword searches and advanced searches using GREP expressions; use the Virtual File System and Physical Disk Emulator; examine system registry and compound files; export files and directories; use hash values and hash libraries to identify files; identify system artifacts like the recycle bin and user folders; prepare reports and evidence for court presentation; recover swap file, file slack and spooler file artifacts; and recover printed and faxed documents.

 

Public Safety Institute, Mercyhurst College - Cyber Terrorism Intelligence Training, 03-31-2011. 8 hours of training. Using the Internet and Internet search tools for advanced searching of information.

 

AccessData – Boot Camp, 04-05-2011 – 04-07-2011. 21 hours of computer forensic examination training using Forensic Tool Kit version 3.2.

 

AccessData – Windows 7 Forensics, 05-24-2001 - 05-26-2011. 21 hours of computer forensic training using Forensic Tool Kit, Password Recovery Toolkit, and Registry Viewer to examine and analyze system artifacts relating to the Windows 7 operating system.

 

 

EXPERT TESTIMONY

 

05-30-2007 Recognized as Expert Witness, Court of Common Pleas, Lawrence County, Pa., Judge J. Craig COX

07-10-2007 Recognized as Expert Witness, Court of Common Pleas, Lawrence County, Pa., Judge PICCONE

09-25-2007 Recognized as Expert Witness, Court of Common Pleas, Beaver County, Pa., Judge John P. DOHANICH

03-10-2009 Recognized as Expert Witness, Court of Common Pleas, Lawrence County, Pa., Judge J. Craig COX

09-22-2011 Recognized as Expert Witness, Court of Common Pleas, Butler Co., Pa., Judge Timothy McCune