Making Smart Technology Decisions To Improve Case Collaboration

by Christa Miller, Magnet Forensics

An estimated 6.1 billion smartphones will be in the world by 2020, and as development of the Internet of Things—connected wearables, household appliances, vehicles, and more—continues, that number will be dwarfed by the 20.4 billion total connected devices. Understanding how these technologies work, where and how they store data, and what it all means for criminal investigations has never been more important.

Nowadays, nearly every crime involves some kind of digital evidence. As the number of connected devices and data they create increases, the numbers of staff who image, search, and analyze the evidence often remain limited. “Doing more with less” can lead to case backlogs, which can mount from months into years as digital forensics labs compete for resources with other divisions, each of which can make its own claim to public safety or corporate information security.

Unfortunately, backlogs can pose a risk to the public and law enforcement agencies, as chances for successful prosecution go down the longer an investigation takes. Not only do many jurisdictions have provisions for expedient trials, but victims and witnesses—including the original investigators and forensic examiners—can also die, move far away, forget details, or even retract their statements as time goes on and the immediacy of the crime fades. Justice remains unserved, while criminals walk free.

With the stakes so high but resource constraints unlikely to budge anytime soon, leaders need to be able to stretch their thinking to accommodate the right blend of personnel, technology, and approach to the work.

Last year’s report by the United Kingdom’s police oversight body, Her Majesty’s Inspectorate of Constabulary (HMIC), highlighted specific technical skills required to conduct digital forensic investigations. It focused on the importance of maximizing investigators’ productivity by utilizing other assets in their workflow, including technology, non-technical personnel, and non-sworn officers who have technical expertise.

How Technology Can Help

In this shifting legal and operational landscape, new ways to streamline the digital forensics process while maintaining the credibility of examinations are necessary to court proceedings, warrants, arrests, and exonerations.

As the above image from Magnet AXIOM Examine shows, thousands of pieces of potential evidence may be available, but because all represent pieces of private data, it’s unlikely that they’ll all be relevant to the case.

Technology can and should be used alongside strategies to consolidate, analyze, and process evidence from multiple devices and cloud sources—but only when it facilitates those strategies. For example, software that allows examiners to queue up multiple devices to be imaged and processed is only useful when it then allows the collected evidence to be viewed in a single case, enabling the full context of the device/account owner’s activities to be on display.

The idea of automation, while slow to catch on among forensic examiners who once resisted the idea of “push button forensics,” has become a necessity in the ongoing drive to reduce backlogs. Automation that completes examiners’ most onerous manual tasks not only saves time; it also reduces the human error associated with parsing hundreds of thousands or even millions of pieces of data.

Automation goes hand in hand with empowering investigators at all levels, giving them a way to complete standard processes—such as triage or automation—while reserving more time-consuming tasks, those requiring technical expertise, or validation at the file system level for expert forensic resources.

Done well, an automated process can be scaled or adapted to fit the unique workflows associated with different types of cases, from fraud to homicide to child exploitation and beyond. Such automation not only reduces human error; it also allows highly skilled personnel to focus on strategic interventions — as opposed to spending valuable time connecting devices and waiting for them to process. It allows the important analysis to be done by trained investigators and officers who understand the context of the data that has been recovered.

At the investigation level, technology such as machine learning can uncover patterns much more quickly than a human brain could. In this context, those patterns can uncover new leads for investigators to follow up on. In a forensic context, the predictive analysis inherent in machine learning is applied to existing data to “predict” or identify patterns of communication that might indicate child luring, drug dealing, conspiracies, or other suspicious behavior.

At the examination and case-building level, meanwhile, new tactics to identify intent can solidify cases in much less time, potentially leading to speedier resolutions. This is a deeper and more complex process than simply identifying patterns and leads; it’s the proof often needed to go to trial (or strike a plea deal), and requires not just locating evidence within a device’s file system, but also correlating it to other data.

In a forensic context, the predictive analysis inherent in machine learning such as Magnet.AI is applied to existing data to “predict” or identify patterns of communication that can uncover new leads.

Again, because of the potentially thousands or millions of pieces of evidence in a case, manually corroborating evidence can be painstaking and risk human error. Automating the process, again, allows forensic examiners to focus on the tasks, such as validation, that cannot be automated.

Both forward-thinking and traditional leaders in public and private sector organizations are responsible for making digital evidence more accessible not only to stakeholders such as attorneys, but also to the ranks of their own personnel who are responsible for preserving, collecting, examining, and maintaining it.

Developing Digital Investigators

Building an effective digital forensic examination capability has grown into much more than the old standbys of sending “the computer person” to a few training courses. Nowadays, it involves aligning skills with a department’s needs.

In some respects, this is easier than it was 25 years ago. “Digital native” officers who are comfortable with technology can, with appropriate training and legal and operational guidance, seamlessly incorporate some transactional digital evidence responsibilities into their roles.

This starts by making it easier for junior or non-technical personnel to start the process of investigation so that senior investigators can be free to focus their unique skills to analyze and report on data. Basic digital forensics training can empower officers to triage digital devices that may or may not be evidence, or to image devices whose owners are reluctant to part with them, such as victims or witnesses who do not want to lose access to their devices – even for a limited time.

That way, officers can first determine whether any evidence even exists on a device and, if so, secure it in a way that preserves the evidence for a full examination and report by the digital forensics lab. It also allows the lab and digital forensics experts to create standards and best practices for the entire agency or organization and avoid any missteps at the frontline.

This model also has the added benefit of identifying the next generation of expert forensic examiners, allowing them to develop their skills. The added benefit of training more officers on digital evidence is that no matter where they end up in the organization, they’ll have a better appreciation for digital forensics and its needs. Those who ultimately grow into a leadership role will be in a better position to make informed decisions in this regard.

The Balance of Privacy and Protection

Empowering a broader range of officers to handle digital evidence carries with it the responsibility to balance public safety with citizens’ privacy. No longer is digital evidence merely about call logs, text messages, and photos. We now include in search warrants and consent forms Facebook Messenger, Snapchat, and WhatsApp content; Uber and related geolocation information; chat data hidden within gaming apps; social media and cloud storage credentials; and more.

Time and date stamps can reconstruct entire swathes of a person’s private life, so technology must be used to help guard against overreach.

The time and date stamps associated with all this data, to say nothing of the content itself, carry with them the potential to reconstruct entire swathes of a person’s private life. While this can be valuable when the individual has been the victim of homicide, or is missing, most people still have the expectation of privacy around their comings and goings—a “mosaic” of activities that may yet shape laws, departmental policies, and standard operating procedures in the years to come.

Breaking Down Silos to Collaborate at Every Level

Beyond empowering more investigators to become a useful part of the forensic process, examiners also need to ensure that the evidence—and its relevance to the overall case—is understandable by stakeholders such as supervisors, attorneys, judges, and jurors.

Otherwise, team members are likely to find themselves isolated within organizational and technological silos, reducing investigative effectiveness as they deal with increasingly specialized workload demands on their own and attempt to communicate their findings to people who may not have the expertise to understand them.

Especially when team members have various technical skill levels, the ability to share workload, information, and expertise can make all the difference in preventing investigations from dragging on too long, or encountering obstacles such as missed evidence.

Simple, easy-to-read, searchable reports with strong visuals help examiners to communicate with even non-technical stakeholders.

Whether tools are fully interoperable or simply allow investigators to create simple, easy-to-read, searchable reports for stakeholders, the ability to have more than one set of eyes on a case—to contextualize, find patterns, or pinpoint details that only a team member with a unique viewpoint can lend—can make all the difference in a case that moves forward as a whole story, rather than stagnating as a piece or disjointed pieces of one.

Automation, skill development, and legal and procedural changes don’t work in a vacuum. Forward-leaning law enforcement agencies and their leaders know that their current operating environment is not business as usual. Digital evidence is transforming how they operate and investigate crime. Leveraging automation, empowering more personnel in agencies to handle digital evidence, and balancing the security and privacy challenge are not simple tasks. Doing so will require them to rethink policies, procedures, and, most importantly, partnerships.

Digital investigative teams are more successful when they have sought out partners with a shared value and mission, and who know how to adapt to changing challenges. Agencies that seek out innovative thinking in their partner ecosystem will be ahead of the curve in making digital evidence more accessible to one another and to all stakeholders in a case.

Christa Miller is a content marketing specialist at Magnet Forensics. As a global leader in digital investigative technology, Magnet Forensics empowers forensics professionals and investigative teams to find more evidence and uncover the truth. To learn more about Magnet Forensics, please visit
