Digital forensics research often depends on casework: specific problems with a device, operating system, app, or artifact that a forensic examiner needs to solve.
That isn’t always the case, though. Sometimes the problem has a broader scope, or the examiner doesn’t have the time or resources to dive deep. That’s especially true in smaller law enforcement agencies, where a forensic examiner may not even have a full-time position. In larger agencies, which often assist smaller ones, data volumes and caseloads can stymie research efforts.
Enter academic institutions — universities and colleges:
- Campuses and their satellites can offer lab space and funding that might fill an important resource gap in a region.
- Students studying digital forensics can devote more time and attention to especially challenging technology that can confound casework.
- Trained in science, these academic researchers can bring more scientific rigor to their digital forensic research.
- Testing protocols can lend structure to fairly volatile digital environments and frame how data is interpreted.
- Because academic research is designed to be shared, it’s much more open and transparent than the proprietary research done at for-profit services labs, for whom the results are a competitive advantage.
- At the same time, though, academic research can end up in commercial tools.
Ultimately, academic research can help to solve cases and, when results are published and new tools developed, contribute to the broader investigative and scientific communities.
Still, challenges persist:
- Academic research has to be useful to investigators on a practical level, so that they can apply the methodology in their own work. That requires fairly transparent communication between investigators and researchers, so researchers can understand what’s required and investigators understand what’s possible.
- The case data being examined is deeply personal. Sometimes, it’s contraband — only sworn law enforcement officers can examine it.
- Other evidence may not be available to work with until after it becomes public record as a result of trial.
- Time can also be a factor. Homicide, missing-person, or victim-rescue situations might demand a solution faster than researchers can provide it.
So, who’s collaborating, and how are they making it work?
What collaboration can look like
In the United States, some universities run digital forensics labs that are used jointly by law enforcement and researchers toward solving research problems.
For example, DeSales University hosts the David M. Petzold digital forensics laboratory of Lehigh County (Pennsylvania). “DeSales basically donates classroom space to the county, and the county has put their digital forensics lab in our academic building,” said Joseph Walsh, director of the Master’s of Criminal Justice program and an Assistant Professor of Computer Science and Criminal Justice at DeSales University, in a 2019 podcast episode at Forensic Focus. “It’s a really nice partnership for us to be able to help out the county, and the county actually allows our students to serve as interns in the lab.”
At Marshall University, the digital forensics lab is likewise a partnership with the West Virginia State Police, which was an original goal of establishing the lab. Josh Brunty, an associate professor at Marshall University, said in a 2020 Forensic Focus podcast that the lab was built using federal grant money and staffed with both Marshall and WVSP employees. Today, additional partnerships with federal agencies have given students even more opportunities.
Some of the examples Brunty pointed to include award-winning smartwatch forensics research, which included the development of an open source tool; decryption of messages sent or received through encrypted messaging apps; and dark web research.
“[Our research is] not something that four or five years from now, it’s going to finally trickle down to digital forensics,” said Brunty. “It’s something that we want to get into the hands of analysts and [law enforcement] agencies, so they can use it right out of the gate.”
In the United Kingdom, some government agencies facilitate the relationship between law enforcement agencies and academia. The Defence Science and Technology Lab (Dstl), for example, funds research projects and suggests potential novel project ideas for graduate and post-graduate students.
It’s an outgrowth, said Dstl forensic analyst Holly Duns, of Dstl’s mandate to provide expert scientific and technical support — including research, evaluation and advice — to defense, Home Office, police force, and other government departments’ operations.
Because the Dstl lab isn’t directly involved with casework, she added, analysts can focus on technical problems versus case outcomes. “There is no specific device, software or operating system that we work with,” she said. “Each of our work packages have been very diverse and have included drones, Bitcoin, smart homes, Google Fuchsia, car infotainment systems and our most recent project has been on MAC randomisation.”
While Dstl isn’t directly engaged with collaboration between law enforcement and academia, its Digital Crime Scene (DCS) team’s Extra-Mural Research (EMR) “enables us to encourage academics and companies to be more involved with [digital forensics] problems and strengthens our ability to deliver impactful science and technology research,” Duns explained.
To that end, she said, Dstl contracts “a significant proportion of our research… to academia, small and medium enterprises and industry.”
In a similar vein, the Netherlands Forensic Institute (NFI), an independent entity, cooperates on its Hansken “digital forensics as a service” project with university-based researchers. “[They] don’t do case investigations, but they develop technology and methods and tools,” explained Harm van Beek, a senior digital forensic scientist at NFI. “So their goal is to use the platform as a means for getting their results to work in practice” — and to share the knowledge they glean from this research.
Developing future investigators and their managers
In his 2019 podcast with Forensic Focus, Graeme Horsman, a lecturer at the United Kingdom’s Teesside University, pointed out: “… digital forensics is a massive field, and those studying at undergraduate level can only cover so much of that field.”
More advanced research requires more advanced researchers, he went on, describing Teesside’s postgraduate study program. As students work through aspects of computer science and forensics, as well as principles from the legal and intelligence fields, programming, data science, and other fields, what they learn informs what they’re able to bring to their lab work.
At the same time, said Brunty, it’s important to balance foundational science with practical skills the students can use as soon as they graduate. “So you not only get a more well rounded student, but you get a more realistic student that goes into this field thinking, okay, this is the foundation that I was taught on. This is [how] I can be of value to this laboratory.”
Along with the programming, writing, and mathematics fundamentals taught at the university level, hands-on learning comes from open source and commercial software. Brunty cautioned that educators need to keep up with that, too — no small feat in an industry where the landscape looks “totally different than it was in 2005” — “but it produces better students in the long run,” he said.
That’s experience that Walsh said is especially helpful when they go on the job hunt. “I think it’s a really great opportunity for them because they get to walk into a job interview saying that they have this previous experience and they’ve gotten to use the tools,” he said.
Of course, growing towards a job role relies, at least in part, on expert faculty. For students to be able to demonstrate employability when they graduate, said Brunty, professors’ own practical experience — “a model that I can keep feeding myself as I continue to teach” — has to guide them.
The value lies not just in what students and practitioners encounter currently, but also in providing a foundation for what they might encounter in the future. “How does that training teach them to adapt to that newest mobile phone update that locks them out of that device?” Brunty asked by way of example.
Academic rigor, practical solutions
Academic research is known for being, well, academic — projects that look at a problem in a new way, but may not mean much for people solving the problem in the “real world.”
At the Master’s level, Horsman said, “There’s opportunities to engage with that practical experience, both in industry and on the university campus with practical research projects that have real-world applicability, where they’re undertaking research and activities that can directly harvest results that can be applied to local and national police forces.”
With digital forensics, though, technology — both what’s used in the commission of crimes, and what’s used to solve them — is advancing far too rapidly for research not to have some practical value.
That’s because digital forensics labs themselves struggle to keep up. “Where we do share some problems with academia,” said Duns, “establishing and completing research on the more immediate problems facing LE can be challenging to balance due to the nature of the work.”
Academic research, then, tends to focus on longer-tail problems, while labs like Dstl’s break down large-scale problems — such as data volumes, encryption, and emerging or not well understood technology — into smaller, manageable chunks. This way, the team can share solutions in a more timely manner.
“Because of the rate of change in technology, [Dstl] aim to work rapidly on a project for a number of months and then distribute our findings rather than pursue a topic to a complete solution,” Duns explained.
She continued: “We also have to be aware that every unit has different capabilities and often our efforts are aimed at supporting the smaller units or more niche areas which may not have easy access to R&D support.”
To that end, as Horsman put it, academic solutions could be “a product, a knowledge, a procedure… a benefit in the sense of improving processes, or just… something that hasn’t been developed before. Or even… add to a process that’s already in place, but… maybe give it a little bit more of additional functionality, or validates existing work, for example.”
At the NFI, for example, Hansken researchers are collaborating with academic researchers in Norway to apply artificial intelligence techniques in an explainable manner for evaluating evidence. “Hopefully [this will end] up in the platform as a module that can be applied in multiple cases,” said van Beek.
Another facet of practical support can come from law enforcement requirements. At Dstl, for example, Duns pointed out that support for U.K. labs needs to account for their efforts to adhere to ISO 17025 for casework. As a result, Dstl’s support includes both “validation of methods and more recently… development of ground truth datasets that can be used as part of the validation process,” she said.
On the other hand, much of Dstl’s work involves what Duns called “novel” challenges in which methods are discovered — and not yet validated or accredited. “[A]s part of our datasets work it is the intention to provide the support so that [the methods] can in the future be formally validated,” she explained.
Part of that support, she said, involves “evaluating our research… to understand the potential for data modification in accordance with the necessary [Association of Chief Police Officers] guidelines.” That way, when methods are released to agency labs, appropriately trained practitioners can verify the techniques “to provide confidence in the results of any casework examination,” said Duns.
Blending disciplines and perspectives
Academic research can also explore practical challenges in new ways — such as the opportunity to blend forensic disciplines. “I think it’s becoming more multifaceted in the sense of, there’ll be a digital presence, there might be a biological presence,” Horsman said. “And how do we handle those? What do we do with them? How do we process the information in the right order? Who gets the first go at what?”
Likewise the use of chemistry. “We partnered up with VTO Labs out of Colorado to look at their damaged devices,” said Brunty. “We looked at what type of cleaning agents would be best for those damaged devices coming out of water, fuels and oils. What is the protocol for that cleaning?”
“Softer” sciences like psychology are in play, as well. At Teesside, said Horsman, the team’s crime scene scientist has considered how electronic devices at crime scenes might indicate usage behavior, which in turn could inform collection practices. For example, investigators might choose to focus on the heavily used gaming consoles rather than the box of old mobile devices gathering dust in a closet.
At DeSales, Walsh said one new program is a homeland security concentration around counter-terrorism investigations in digital forensics. “So that particular focus would kind of marry together the digital forensics courses, as well as courses that are taught by our terrorism experts, and give students an idea of how they would look for evidence of terrorist activity on computers and other electronic devices.”
The blend of perspectives isn’t only valuable on a practical, lab-based level. It can also be valuable when it comes to the courtroom. That’s because science and law don’t always mesh, as Brunty, who serves as executive secretary of the digital evidence subcommittee of NIST’s Organization of Scientific Area Committees (OSAC), pointed out.
“You have judges and attorneys and officers, and folks in the court that interpret things completely different than scientists and analysts and folks working in DFIR,” he observed.
At the same time, he added, “…most of our evidence, whether it be a civil or criminal court, is going to go into a court of law. And we have to abide by those standards that the court has set, through rules of evidence and prior case, but we also want to keep this a science….
“Because science is ever changing. We’re still in that infancy where we’re trying to establish legitimacy, but at the same time, we want to have a field that’s willing and able to change, but stay in the rails that the court wants us to stay.”
The tension between science and law creates the need for what Brunty called “evolving standards and best practices, that align with ebbs and flows that we’re seeing in the court.” Part of that, of course, is providing students with the scientific foundation they need to provide effective expert services — including testimony.
For example, said Horsman, a practitioner’s ability to help a non-technical stakeholder visualize thousands of pieces of data is “a valuable skill [that is] starting to go hand-in-hand with some of the more core digital forensics skills that you would typically associate with this area of study.”
Making collaboration happen
Relationships are at the core of good collaborations. “We work directly with law enforcement (LE) representatives from across the country who provide us with a priority work load and areas they believe require further research,” said Duns.
That’s especially important as Dstl doesn’t involve itself in casework. “We meet with our user group quarterly to gain a better insight into the areas in which they require more research,” she said, “and to get their perspective on what may have the potential to become an issue in the future.”
Research results are shared with the entire community of law enforcement digital forensics units in the U.K. and beyond. “[T]he end goal is to produce a single source of awareness for [law enforcement] by providing a relatively high-level forensic briefing on a particular topic,” said Duns.
These briefings can take the form of a quarterly bulletin, conference presentations, and/or close-contact stakeholder discussions. “There is a multiplying effect of having a central team working on a topic and pushing information out to 50+ LE entities,” Duns added. “Although the work is only initially provided to those on our mailing list, our research is often forwarded onto other areas within policing and government.”
In turn, she said, these publications can result in independent requests for assistance, often from various boards within the U.K.’s National Police Chiefs Council (NPCC). “LEAs can contact us at any time to discuss any of the work we have done and receive a more detailed explanation of our findings,” said Duns. “Specific queries or problems are addressed on an individual basis where support and advice is provided where appropriate.”
Ultimately, ingraining academic research more deeply into law enforcement processes isn’t just about the technical solutions themselves, but also about cultural change. The more forensic professionals with graduate and postgraduate degrees, the more support — especially at managerial or command levels — for continued research and development.