The ability to collect digital evidence in the field — away from a forensic laboratory — has long been a need in corporate, private, and law enforcement investigations.
That’s only accelerated over the past decade, as more people’s mobile devices are veritable extensions of themselves — their habits, communications, interests, observations, and other data. Those pieces of data can be especially critical in the early stages of an investigation, to identify both suspects and victims and to capture evidence and actionable intelligence in real time.
However, few people can afford to part with their devices for hours, days, or even weeks while a forensic examiner processes them in a lab. And waiting until later to ask for evidence — or asking users to upload it to a police server — increases the risk that a victim or witness might forget, change their mind, and/or delete the content.
Mobile forensics “triage” tools therefore fill a gap, enabling investigators, first responders, even probation/parole officers and others to capture valuable content with users’ consent. This way, they can preserve the evidence in case it does need to go to a lab for deeper processing and/or if a statement is later recanted.
Mobile Field Tool Requirements
At first glance, evaluating a field mobile forensics tool might appear to be as simple as assessing its ease of use: its user interface and its footprint. For example, some solutions rely on a mobile device rather than a laptop (with the caveat that a smaller device is easier to lose).
Also important: the tool’s ability to capture a wide array of content — call records, messages, contacts, calendar items, browsing and download histories, search terms, WiFi connections, installed apps, user accounts, pictures, audio and video files, even some deleted data.
However, no standard exists for field tools to adhere to. ISO/IEC 17020:2012 is designed for field sampling — the process of collecting evidence, not the tools used to do it — at a location other than the one listed in the scope of accreditation.
There are deeper issues, too. Greater court scrutiny of, and news media coverage of, government access to private data mean that a field tool must be able to document user consent.
Additionally, according to Katherine Hansen, a deputy district attorney and digital evidence specialist with the Denver (Colorado) District Attorney’s Office, a “huge need to fill” is a tool’s ability to obtain limited extractions, or filter data, to certain types of content from a specified time period.
That’s because prosecutors want to ensure they respect citizens’ private data. They want proof that police won’t treat a consent search as carte blanche to “fish” for evidence or set up dragnets for suspects, but rather, that they see it with the same gravity as an affidavit for a search warrant.
That doesn’t preclude the need for full extractions in the field, so a tool that has this option can be valuable.
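The "limited extraction" Hansen describes, only certain content types from a specified time period, is easy to model in code. The following is an added example, not code from any of the tools covered in this article: it applies a consent scope (permitted types plus a date window) to a constructed set of extracted records and keeps a count of what the scope excluded, so the report can show that the search stayed within the consent given. The record field names (`type`, `ts`, `summary`) are assumptions.

```python
"""Scope-limited extraction filter (added example, not a product's code).

Models the "limited extraction" a prosecutor asks for: only certain content
types from a specified time period. Excluded items are counted by type, so
the report can document that the search did not exceed the consent given.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample of extracted records; field names are assumptions.
SAMPLE_RECORDS = [
    {"type": "sms",   "ts": "2023-05-01T09:15:00Z", "summary": "msg 1"},
    {"type": "sms",   "ts": "2023-05-03T21:40:00Z", "summary": "msg 2"},
    {"type": "call",  "ts": "2023-05-02T12:00:00Z", "summary": "call 1"},
    {"type": "photo", "ts": "2023-05-02T18:30:00Z", "summary": "img 1"},
    {"type": "sms",   "ts": "2023-04-20T08:00:00Z", "summary": "msg 0"},
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp; a trailing 'Z' is treated as UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


@dataclass(frozen=True)
class ConsentScope:
    """What the device owner agreed to: which types, within which window."""
    types: frozenset
    start: datetime
    end: datetime

    def permits(self, record):
        ts = parse_ts(record["ts"])
        return record["type"] in self.types and self.start <= ts <= self.end

    def describe(self):
        """Human-readable scope line for the consent form and the report."""
        return (f"Types: {', '.join(sorted(self.types))}; "
                f"period: {self.start.isoformat()} to {self.end.isoformat()}")


def limited_extraction(records, scope):
    """Return (included_records, excluded_counts_by_type) under the scope."""
    included = []
    excluded = {}
    for record in records:
        if scope.permits(record):
            included.append(record)
        else:
            excluded[record["type"]] = excluded.get(record["type"], 0) + 1
    return included, excluded


if __name__ == "__main__":
    scope = ConsentScope(
        types=frozenset({"sms", "call"}),
        start=datetime(2023, 5, 1, tzinfo=timezone.utc),
        end=datetime(2023, 5, 3, 23, 59, 59, tzinfo=timezone.utc),
    )
    kept, dropped = limited_extraction(SAMPLE_RECORDS, scope)
    print(scope.describe())
    print("included:", [r["summary"] for r in kept])
    print("excluded by type:", dropped)
```

The excluded counts are deliberately counts rather than content: they let the report state that out-of-scope data existed and was not collected, without the tool ever storing it.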
Evaluating a field tool is also about its end users and their needs. For example, before choosing a field tool, the Denver DA’s office conducted a survey to find out what end-user detectives and patrol officers would value most. They asked respondents to rank the following criteria:
- Consent capabilities
- Time for extraction
- Ease of use
- Level of extraction (e.g., all texts vs. texts from a certain date)
- Ease of training
The eight respondents focus on investigations involving missing or exploited children, domestic violence and sexual assault, and other cases where obtaining mobile data at a crime scene has value. To those ends, they generally rated ease of use, level of extraction, and time for extraction more highly than they did consent capabilities, portability, or ease of training.
“Consent forms are still used regardless of the device capabilities,” one respondent reflected. Another said, “The software and subsequent updates should ‘just work’. Complex training, especially with any requirement for on-going training, will make it difficult for detectives to use this software reliably.”
The survey also asked respondents how long (on average) a witness allows them to be in possession of their phone during the course of an average investigation, as well as in what kinds of situations or investigations they saw a field tool being most useful.
Respondents generally have less than two hours to collect data — or less if on scene. “Maybe longer if you can get them at the police department or DA’s office,” said one respondent. Another said, “We have had them a day or more but it would be easier to get more cooperation with a quicker turnaround.”
Other factors of concern included the amount and type of data collected (especially social media data), ease of installation and review, and evidence admissibility.
Two factors play into admissibility when it comes to a field tool: how it captures the data, and how it transmits the data.
How a tool captures the data can make a difference in how it’s authenticated. Data extraction from a mobile device is the capture of a forensic image that allows for analysis — either a limited one on scene, or a deeper one back at the lab.
This isn’t always possible, however. When a device screen is damaged, rendering data unreadable, or when an app offers encryption and the data can’t be parsed by a typical forensic tool, screenshots may be necessary. Screenshots are harder to authenticate in court, and may need to serve more as an investigative starting point. On the other hand, many tools that have a screenshot capability also offer optical character recognition (OCR) to capture text to run keyword searches against.
How the tool transmits captured data also determines how it supports admissibility, specifically with regard to chain of custody. Wi-Fi access could be important, but standard operating procedures (SOPs) should be in place to ensure users rely only on approved, secure Wi-Fi hotspots (for instance, a department-issued hotspot device) and not just any that’s local.
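Whatever the transport, chain of custody rests on being able to show that what arrived at the lab is what was captured on scene. The following is an added example, not code from any product in this article: it hashes each captured item at acquisition time, seals the resulting manifest with an HMAC so the manifest itself cannot be quietly edited, and re-verifies both the seal and every file hash after transfer. The operator, device identifier and key values are constructed placeholders; in practice the seal would be a per-device secret or a digital signature.

```python
"""Chain-of-custody manifest for field-captured evidence (added example).

Not code from any product in the article. Each captured file is hashed at
acquisition, the manifest is sealed with an HMAC, and verification after
transfer reports any altered, missing or edited item.
"""
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large media does not load into RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def _seal(body, key):
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_manifest(paths, operator, device_id, key):
    """Hash every captured file and seal the manifest (operator/device are
    assumed fields; the key stands in for a per-device secret)."""
    items = [{"file": os.path.basename(p), "sha256": sha256_file(p),
              "size": os.path.getsize(p)} for p in sorted(paths)]
    body = {"operator": operator, "device": device_id,
            "acquired": datetime.now(timezone.utc).isoformat(),
            "items": items}
    body["seal"] = _seal(body, key)
    return body


def verify_manifest(manifest, directory, key):
    """Re-check the seal and each file hash; return a list of problems
    (empty list means the evidence matches what was acquired)."""
    body = {k: v for k, v in manifest.items() if k != "seal"}
    problems = []
    if not hmac.compare_digest(_seal(body, key), manifest.get("seal", "")):
        problems.append("manifest seal mismatch")
    for item in manifest["items"]:
        path = os.path.join(directory, item["file"])
        if not os.path.exists(path):
            problems.append(f"missing: {item['file']}")
        elif sha256_file(path) != item["sha256"]:
            problems.append(f"hash mismatch: {item['file']}")
    return problems


def demo():
    """Constructed scenario: two captured files, one altered after sealing.
    Returns (problems_before_tampering, problems_after_tampering)."""
    key = b"constructed-demo-key"  # placeholder, not a real secret
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name, data in (("IMG_0001.jpg", b"\xff\xd8 constructed jpeg bytes"),
                           ("sms_export.csv", b"id,ts,body\n1,2023-05-01,hi\n")):
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(data)
            paths.append(path)
        manifest = build_manifest(paths, "Officer PLACEHOLDER",
                                  "DEVICE-ID-PLACEHOLDER", key)
        clean = verify_manifest(manifest, d, key)
        with open(paths[1], "ab") as f:       # simulate change in transit
            f.write(b"2,2023-05-02,added later\n")
        tampered = verify_manifest(manifest, d, key)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before transfer:", before or "OK")
    print("after tampering:", after)
```

The manifest, not the transport, is what a reviewer checks: if the lab recomputes the hashes and the seal and both match, the choice of hotspot or cable is a procedural question rather than an authenticity one.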
Nine tools currently support some combination of these needs.
ADF Solutions Mobile Device Investigator (MDI)
The laptop-based MDI leverages ADF Solutions’ Digital Evidence Investigator platform for advanced logical acquisitions of Android and iOS devices. This gives users basic visualization tools — timeline and gallery views, along with basic link analysis — and “prosecutor-ready” PDF, HTML, CSV or VICS format reports with acquisition speeds of up to 4GB of data per minute.
Much of MDI is oriented to child exploitation investigations, with feature sets such as image categorization and PhotoDNA. Video preview and frame extraction capabilities, as well as image classification, are also features.
Time-saving features like keyword and hash value searches that can be run concurrently with extraction are also possible, along with filters and picture categorization. Screen captures are an option with MDI, allowing users to extract text and annotate their captures.
For teams in multilingual communities, ADF’s 230-language Rosoka Entity Extraction and Language Translation Gisting is available as an add-on.
Blockchain Security SmartPhone Triage
SmartPhone Triage, a product of Taiwan-based Blockchain Security, is designed to use screen capture and recording to collect data from Android and iOS devices during law enforcement and corporate investigations.
A “smart robot feature” automates hands-free scrolling & clicking. SmartPhone Triage also claims up to 99% accurate OCR, which captures text from video as well as images, and includes a keyword filter, as well as cross-case keyword search.
Finally, SmartPhone Triage stores full or selected collected evidence, along with the hash value of a PDF report, on a blockchain.
Cellebrite Frontliner and Responder
Cellebrite has two field capture tools: Frontliner and Responder. Frontliner is the on-scene selective digital evidence capture tool, designed as a mobile application to be installed on an Android device.
Frontliner is a lighter-weight, lower-cost alternative to Responder, which can be installed on a laptop (though it provides for full physical as well as selected data extraction, along with various data filters and viewing options).
The app relies on a wireless, rather than USB, connection to acquire data, which can be password protected. Additional chain of custody features include the ability to take pictures or videos, record audio, and tag them with identifying metadata.
Frontliner’s reports can be shared in real time with other investigators or prosecutors, and/or the data can be ingested into Cellebrite Investigation Solutions for deeper analysis.
In addition, Cellebrite’s Commander tool enables supervisors to define permissions and policies at system and user levels, update the tools, manage features, audit usage, and do it all remotely.
Magnet Forensics’ SHIELD
Magnet SHIELD is a free tool designed so that frontline, non-technical personnel can capture digital evidence from consenting victims and witnesses in the field, simplify reporting, and even share that evidence. It can be downloaded and installed on any Windows 10 device, or bundled on a Microsoft Surface Go tablet.
Because it’s designed for frontline personnel, SHIELD doesn’t pull forensic artifacts — but it does include metadata associated with the target device as well as the videos and images it stores, which is crucial for admissibility. The metadata could include geolocation information.
Target devices don’t need to be mobile — any USB device or memory card, including DVR or CCTV storage, can be acquired as long as the file format is supported. If evidence can’t be directly acquired, SHIELD supports video recording.
Finally, a standardized PDF report can be automatically generated to upload to a digital evidence or records management system — or share directly with prosecutors.
MCM Solutions’ Detego Lite
The Detego suite of modular products includes Detego Lite, a tool with a small form factor that’s targeted for use by military, law enforcement, intelligence analysts, and corporate customers. It can acquire logical and deleted data from smartphones, tablets, SD and micro SD cards along with other media types — including simultaneous acquisitions.
MSAB Tablet & MSAB Raven
The MSAB Tablet relies on a touch screen user interface or detachable keyboard to extract data and view it immediately via XAMN Viewer software. Its workflow can be configured according to user ability and requirements while still maintaining chain of custody.
MSAB Raven, targeted mainly to military or intelligence field operators, compresses the mobile form factor even further — relying on an Android operating system (on smartphone, tablet, or computer) to house its collection of applications. These include extraction capabilities for mobile devices, unmanned aerial systems (UAS), and other storage media.
Raven’s MobEx app in particular allows for logical extractions via Bluetooth. Another app, Odin, enables the operator to view, search and filter the results, as well as run them against watch lists and other data repositories.
Oxygen Forensic Kit
Oxygen Forensic Kit is designed more for forensic examiners’ field use than it is for first responders. It consists of Oxygen Forensic® Extractor preinstalled on a ruggedized tablet PC, which has screen lock bypass and unlock capabilities. It extracts logical or physical mobile device images as well as importing device backups and images, allowing for keyword search during extraction. A USB dongle comes with the kit so operators can run Oxygen Forensic® Detective for lab-caliber analysis. The kit weighs only three pounds.
Paraben Mobile Field Kit (MFK3)
Paraben’s built-to-order MFK3 comprises a laptop with E3: Device Seizure (E3:DS) software preinstalled, along with an Image Analyzer add-on. It’s capable of handling logical, file system, cloud, chip dump, and physical extractions, as well as device lock bypass, from smartphones, feature phones, and GPS devices. It also supports app data processing, search and index functions, OCR, image carving, and data recovery.
Susteen DATAPILOT 10
DATAPILOT 10 runs on Windows 10 and is designed to capture logical and physical images — including some limited deleted data — not just from Android and iOS devices, but also from external media devices such as DSLR cameras, UAS, digital voice recorders, and USB drives.
It’s described as being able to capture “all text messages on Android devices in under 5 minutes,” but also that a full physical image could take up to an hour or two and may be better done in a lab using Susteen’s Secure View software.
The hardware is ruggedized but not bulky to facilitate transport. Built-in menus offer a step-by-step interface. By linking with the target device, DATAPILOT makes it possible to view each screen, even if the original device is damaged.
Its “Timeslice” feature enables the collection of data within a given timeframe, as well as only specified types of data, in an easy-to-understand format. A built-in viewer gallery allows the user to review images and play videos. It stores captured data locally or, alternatively, on networked or external storage media.