by Paul Hamrick, Nuix
Executive Summary
Law enforcement investigations have long been influenced by developments in technology; after all, new technologies create new ways for criminals to profit and new sources of evidence. Law enforcement needs to keep up with the times, dealing with technological developments in areas like firearms, automobiles or more recently, digital communications.
Over recent years, many cases have been solved after analysing electronic evidence from suspects’ devices. The wealth of information people create merely by using everyday technologies is a treasure trove for investigators to determine when a crime occurred, where it happened, who was present and any number of other connections to real people and their actions.
Investigators, however, are constantly racing to keep up as new technologies emerge, which seems to happen every day. Modern tools and techniques are well-suited to the evolving nature of electronic evidence, powering efficient investigations today and helping law enforcement agencies stay adaptable to the crimes and technologies they will face tomorrow.
Knowing The Evidence
A law enforcement entry team breaches an apartment door and finds a cache of evidence that could help disrupt and dismantle the criminal organisation that it’s had under investigation for months. In a den converted into a money counting room are mobile phones, a laptop computer and a tablet … devices used to communicate with members of the organisation up and down the chain of command. In the bedroom, a smartphone left beside the bed could help identify additional suspects and co-conspirators. The contents of a handwritten ledger could help follow the money trail and connect bank accounts and assets with the targets of the investigation. And stored away in a linen closet, an old desktop computer – long since abandoned for the convenience offered by mobile devices – stands ready to disclose closely held secrets clarifying the organisation’s structure, leadership and historic operations. All in all, a good day for investigators and prosecutors handling the case.
The DNA Of Data
Scenarios like this one are familiar to law enforcement professionals around the world. Today’s criminal investigations routinely involve the discovery, collection and analysis of digital evidence in a variety of types and formats. Across a continuum of targets including theft and fraud, assaults and homicides, drug dealing, money laundering, human trafficking and terrorism, digital evidence has forever changed investigative operations. It provides unparalleled insights into the connections between victims and witnesses, as well as correlating associations between known suspects and previously unknown co-conspirators.
Gone are the days when law enforcement professionals relied solely on documentary evidence and verbal testimonies to discern the who, what, when, where and how of a competently completed investigation. Our globally connected society and the ubiquitous presence of devices increase the importance of digital evidence in investigative operations. Devices that include smartphones, tablets, laptops, fitness trackers, GPS devices and virtual assistants make it just as important for investigators to understand how to collect, analyse and interrogate digital evidence as to know how to interact with traditional human sources.
The use of fingerprints to help solve crimes represented a sea change in 19th century law enforcement. Similarly, the introduction of DNA in 20th century investigations was hailed as “the greatest forensic advancement since the advent of fingerprinting.”[1] Now, the DNA of data is proving to be the next evolutionary change in criminal investigations. Data and the tools to collect, analyse and understand it are empowering law enforcement throughout the world.
The Value Of Digital Evidence
There is no more famous case in which the collection, analysis and understanding of digital evidence played a more important role than that of the hunt for the BTK serial killer. Between 1975 and 2005, investigators worked diligently to identify the individual responsible for the deaths of 10 people in and around Wichita, Kansas.[2]
For 30 years, investigators spent untold hours running investigative leads, speaking with witnesses and mulling over the clues contained in the letters the killer sent to the police, taunting them and their investigative abilities. But on February 16, 2005, using computer forensics, investigators identified Dennis Rader as their primary suspect. Through the analysis of a floppy disk on which Rader penned a letter to the police, investigators discovered metadata that led to Rader’s arrest.
Criminals and their organisations increasingly rely on technology to empower and expand their illegal activities. Transnational crime researcher Louise Shelley observed, “Crime and corruption are no longer limited by geographic boundaries … (T)echnology has transformed the very nature of crime itself.”[3]
The internet, social media and electronic communications provide the anonymity criminals need to obfuscate their identities and nefarious activities. The devices and applications they use to share information and orchestrate their activities are the new tools of the trade … the virtual crowbar with which they open windows of opportunity and exploit the vulnerabilities of the digital world.[4]
In its 2017 annual review, Europol identified anonymity as the most significant challenge investigators face today. The criminal intelligence agency now spends most of its time attempting to combat the digitisation of organised crime. As an example, technology allows burglars to case a street of potential victims, using data gathered from a variety of online sources to understand when the neighborhood is most vulnerable and to time their attacks accordingly.[5] The data contained on the variety of devices available to criminals has become an increasingly important source of evidence for investigators and prosecutors alike. It is the rare exception where a modern investigation does not include the review of at least some volume of data contained on a digitally connected device or an online platform used by a suspect or a victim. The data may provide insight into communications between co-conspirators, help identify a witness or suspect or assist in determining the geographic location of physical evidence.
The 1994 discovery of the IBM server used by the Cali cartel proved that criminal organisations clearly understood the value of digital data.[6] The cartel’s server contained telephone records important to the cartel for identifying potential informants cooperating with the police. The cartel also used it to track bribes it paid to government officials. Operating like any other multinational enterprise, the cartel leadership was interested in tracking expenditures, understanding profit and loss, and exploiting critical value data that would prove useful to furthering its operational goals.[7]
Only 15 years later, in 2009, investigators in Boston demonstrated the value of digital evidence by using social media, emails, and IP addresses to identify the Craigslist Killer. Relying on digital evidence, officers obtained a search warrant for the suspect’s home where they found physical evidence linking the suspect to the murders. Among the evidence was a laptop computer that contained fragments of messages between the suspect and the victims.[8]
Now On Video
Video presents another electronic source law enforcement may rely on when conducting investigations. But video evidence presents its own challenges. Wall Street Journal technology reporter Jennifer Valentino-Devries observed that, while law enforcement may rely on video evidence to “spot a suspicious package in a crowded train station and correlate it to the license plates on a nearby car to find a potential suspect … Much of the information now being used by intelligence agencies and police is in difficult-to-analyse formats, such as video, speech-recordings, text and photos from social networks. The volume of this information can overwhelm the trained resources available to collect, analyse, and assess its value in compliance with chain of custody considerations.”[9]
Look no further than the Boston Marathon bombing during April 2013 to understand the value of video in criminal investigations. Footage from the cameras located around the marathon’s finish line was an essential component to the investigation of the attack that left three dead and 260 injured. With the use of technology solutions, investigators triaged video and still photography from a variety of sources to identify the Tsarnaev brothers, eventually leading to the apprehension and conviction of Dzhokhar Tsarnaev on 30 federal charges including use of a weapon of mass destruction and the death of an MIT police officer.[10]
More Things Connected
The Internet of Things (IoT) presents the next emerging opportunity for investigators to use data to enhance investigative operations. As criminologist Professor David Wall suggested, “The emergence of (IOT) has further expanded the data flow by increasing the number and variety of devices gathering information. Your smartphone, your daily stepcounter, even your car, household goods, and house itself are all generating data on your movements and decisions and communicating this data back to their motherships.”[11]
Consider the following examples:
- During October 2018, investigators used data from a murder victim’s Fitbit, as well as video from a neighbor’s video surveillance camera, to arrest a suspect, the victim’s stepfather. The video linked the suspect to the home in which the victim was killed; the Fitbit was used to estimate the victim’s time of death and to correlate the suspect’s presence at the victim’s home with measurements of the victim’s heartrate.[12]
- In a similar case, investigators used home surveillance video to identify a suspect in the investigation of the disappearance of a 20-year-old woman. After watching hours of video, the investigators identified and apprehended a suspect while using data transmitted by the victim’s Fitbit and smartphone, and information from her social media accounts to locate her body.
The Big Data Challenge
According to Statista, in 1984 only 8% of US homes had a computer. By 2015, nearly 87% of homes had one. Today, nearly 70% of all internet users maintain a presence on social media. Many social media users rely on the digital world to get their news, to maintain personal and professional relationships, and to share information, both good and bad. And we know that criminals use social media platforms to further their activities.[14]
Expanding Our Knowledge
Just eighteen years ago, only 25% of the world’s stored information was held in a digital format;[15] at the time, most data were stored on film, paper, analog magnetic tapes, and other non-digital media. Today, the exact opposite is true: nearly all the world’s stored information is digital.[16]
According to IBM, approximately 90% of all the world’s data was generated in the past two years.[17] Eric Schmidt, the former executive chairman of Alphabet, estimated that today we create as much information in 48 hours as we did from the beginning of human civilisation to the year 2003.[18] In his book Law Enforcement Information Technology: A Managerial, Operational and Practitioner Guide, Jim Chu recounts a speech delivered by Tom Steele, the former chief information officer for the Maryland State Police, at the annual meeting of the International Association of Chiefs of Police in 2000. Steele’s warning was prescient: “We are just beginning to realize the significance of what is happening. There is not one area of law enforcement that will go untouched. The very essence of how we do business has been impacted through greater communications and information sharing. Over the next 15 to 20 years, you will see the greatest redirection, reorganization and modification of policing since Sir Robert Peel and the Metropolitan Police.”
Chu also argued that, “(T)he train is leaving the station. In fact, the IT train has jumped the tracks and has taken off on the information superhighway. It is imperative that IT becomes a prime consideration in all aspects of the public safety service delivery chain … increasing the number of criminals being identified, apprehended, and convicted while decreasing administration and operating costs.”[19]
Today, most criminal investigations will include at least some data collected from a few devices used by a small number of suspects. However, investigators often encounter cases in which relevant digital evidence may come from multiple devices and many suspects. Some criminal organisations are even taking the next step and encrypting their information to prevent or delay its access by law enforcement.
In a March 2011 lecture at the Massachusetts Institute of Technology, Janet Napolitano, former Secretary of the US Department of Homeland Security, stated that the focus on big data and the acquisition of the tools necessary to understand that data is based on the need to “(d)iscern meaning and information from millions – billions – of data points. And when it comes to our security, this is one of our nation’s most pressing science and engineering challenges.”[20]
Throughout the years since September 11, 2001, the US law enforcement and intelligence communities have undertaken a variety of initiatives to help correlate clues and identify the connections between individuals, organisations, and their activities. The proliferation of online data, including the development of social media networks, has become a dynamic repository for open source information that intelligence and law enforcement analysts have at their command.
Toward Better, Technology-Enabled Investigations
Technology can be a force multiplier; it can also make it harder to conduct effective and efficient criminal investigations.
In the post-9/11 era, the use of intelligence derived from open source and sensitive data repositories is essential to law enforcement operations. It is also essential to preventing crime. But the sheer volume of data available for analysis can potentially overwhelm agencies that lack the financial and personnel resources necessary to recognise the data’s critical value as it relates to protecting public safety and preventing crime.
IBM public safety, intelligence, and counter-fraud specialist Shaun Hipgrave observed that, “According to a recently published study, (a major issue) law enforcement organizations face when combatting fraud is the sheer amount of data generated by everyday business operations. And the amount of data captured in investigations is growing significantly by the day.”[22]
Leveraging Limited Resources
Where resources are constrained, investigators and analysts need effective, cost-efficient, and easy-to-use technology to process and analyse evidence. Otherwise, as criminologists Dale Willits and Jeffrey Nowacki argued, “(P)olice departments adhering to traditional methods of crime fighting (without implementing technology-enabled investigative solutions) are unlikely to effectively track many of these offenses … Moreover, in the absence of specialized computer skills, these crimes are often more difficult to investigate even when they are reported to police.”[23]
Ideally, law enforcement agencies’ technology in support of criminal investigations should:
- Recognise a wide variety of file types and data formats
- Connect directly to the sources where the digital evidence is stored, including file shares, email servers and archives, cloud repositories, mobile devices, forensic images, and live data from running devices and databases
- Process unstructured, structured, and semi-structured data at speed and scale, and with forensic accuracy and precision
- Automatically identify duplicates and group similar items.
Technology with these features can provide essential insight into the relevant evidence, helping to identify hidden connections between people, objects, locations, and events. Moreover, deploying advanced investigations technology increases the efficiency and effectiveness of investigators and analysts.
“Today, new types of evidence are helping law enforcement and prosecutors conduct more thorough and accurate investigations. Though the evidence used years ago continues to play a valuable part in a criminal case, the improvements in science and technology are enabling police and prosecutors to solve more crimes more reliably than ever before.”[24]
Criminal Investigations, Technology, And The Journey Ahead
There is no doubt: technology will continue to advance, and criminals will continue to take advantage of technology to further their activities. In 1908, any member of the public could buy a Ford Model T, which meant criminals could use them to get away from the police;[25] however, the New York City Police Department only began using motorised vehicles for patrol in the 1920s.[26] It takes time for law enforcement to embrace technology while remaining within the guardrails of criminal procedure. The rule of law is just as important as infiltrating, disrupting, and dismantling criminal organisations.
But in the 21st century, effectively addressing the asymmetric threats energised by technology innovations means law enforcement agencies must continue to invest in technology and training. Doing so will facilitate a more effective response to investigative tasks today and allow investigators and analysts to prepare for the emerging investigative challenges of tomorrow.
Building A More Complete Investigative Picture
Individual pieces of evidence each tell a limited story when viewed separately. Nuix contextualizes these bits of information and shines a spotlight on the relationships and connections between each person, object, location, and event—known as the POLE framework—that for years investigators have needed to make for themselves.
Relationships between these four categories of evidence are a catalyst in almost every investigation. Nuix software lets investigators take a step back to understand the broader view of data sources, the patterns they create, and the stories those patterns can tell us.
It starts with understanding what kinds of evidence fall within each of the categories. These are just a few examples, broken down within the elements of the POLE framework:
- People: Suspects, victims, associates/colleagues, employers, family members
- Objects: Electronic devices (PC, mobile, USB), email addresses, social media handles, mobile numbers, tickets, weapons
- Locations: Home addresses, public buildings, landmarks, travel origins and destinations, places of employment
- Events: Transmission of data, email, physical meetings, crimes, arrests, destruction of data or property
By intuitively categorizing and visualizing data relationships between pieces of evidence, Nuix software helps investigators identify relationships across POLE elements in greater detail than ever before. This, in turn, lets them uncover the truth faster and more accurately within their investigations and quickly solve once complex, difficult, and time-consuming investigations with relative ease.
About The Author
Paul serves as an investigations subject matter expert and helps Nuix support law enforcement agencies at the federal, state, and local levels, as well as corporate security investigations across a variety of Fortune 500 companies. Paul began his federal law enforcement career in 1986 as a Special Agent with the former U.S. Customs Service, later being appointed as Deputy Assistant Commissioner in the Office of Professional Responsibility at US Customs and Border Protection, the largest law enforcement agency in the US. After a 28-year career in federal law enforcement serving in various leadership capacities in the US Department of Homeland Security, Paul served as the Senior Manager leading investigative operations at General Dynamics Information Technology. He held this role until he joined Nuix in his current capacity.
About Nuix
Nuix delivers the total data intelligence organizations need to overcome the burdens of ediscovery, investigations, risk, compliance, and security in a world overflowing with data. Our intuitive platform processes and analyzes more than 1,000 file formats to reveal the key facts and their context – at any scale, with incredible speed.
References
[1] Aaron P. Stevens, Arresting Crime: Expanding the Scope of DNA Databases in America, Texas Law Review, March 2001
[2] Benjamin H. Smith, The BTK Killer: Then and Now, Oxygen, August 16, 2018
[3] Louise Shelley, Crime and Corruption in the Digital Age, Journal of International Affairs, 1998
[4] David Décary-Hétu & Carlo Morselli, Gang Presence in Social Network Sites, International Journal of Cyber Criminology, December 2011
[5] Europol, Annual Review – An overview of Europol Activities, 2017
[6] PoliceOne, The Technology Secrets of Cocaine Inc., July 20, 2002
[7] Brian Anderson, The Cartel Supercomputer of 1994, Motherboard, September 4, 2014
[8] Dan Clarendon, “Craigslist Killer” Philip Markoff’s Last Act Was to Haunt His Ex-Fiancée, InTouch, June 17, 2018
[9] Jennifer Valentino-Devries, Software finds place in posse: Firms scramble to cash in on law-enforcement demand for data-sifting programs, Wall Street Journal, Eastern Edition, November 4, 2011
[10] Brian Ross, Boston Bombing Day 2: The Improbable Story of How Authorities Found the Bombers in the Crowd, ABC News, April 19, 2016
[11] David Wall, How Big Data Feeds Big Crime, Current History, January 2018
[12] Jason Hanna and Stella Chan, The murder suspect denies it. The victim’s Fitbit tells another story, police say, CNN, October 4, 2018
[13] Nicole Chavez, Mollie Tibbetts case mystified police until a security camera offered a key clue, CNN, August 22, 2018
[14] Statista, Percentage of households in the United States with a computer at home from 1984 to 2015
[15] Rebecca Boyle, All the Digital Data In the World Is Equivalent to One Human Brain, Popular Science, February 11, 2011
[16] Bernard Marr, How Much Data Do We Create Every Day? The Mind-Blowing Stats Everyone Should Read, Forbes, May 21, 2018
[17] Jack Loechner, 90% Of Today’s Data Created In Two Years, MediaPost, December 22, 2016
[18] MG Siegler, Eric Schmidt: Every 2 Days We Create As Much Information As We Did Up To 2003, TechCrunch, August 4, 2010
[19] Jim Chu, Law Enforcement Management Technology: A Managerial, Operational, and Practitioner Guide, 2011
[20] Peter Dizikes, ‘We need to see ahead’, MIT News, March 15, 2011
[21] Serving Dope, Bronx’s Murderous Courtland Avenue Crew Found Guilty, December 11, 2012
[22] Shaun Hipgrave, Smarter Fraud Investigations with Big Data Analytics, Network Security, December 2013
[23] Dale Willits and Jeffrey Nowacki, The Use of Specialized Cybercrime Policing Units: An Organizational Analysis, Criminal Justice Studies, 2016
[24] Kristine Hamann and Rebecca Brown, Secure in Our Convictions: Using New Evidence to Strengthen Prosecution, Chicago, 2018
[25] FBI, A Brief History: The Nation Calls, 1908-1923
[26] Timberly Dinglas, The History of NYC Police Cars, Car Part Kings, April 13, 2015