Virtualizing The Digital Forensics Lab

When the spread of COVID-19 spurred businesses and governments to close their doors and require employees to work from home, questions arose for those working in the criminal justice system. Operations couldn’t end, but to what extent would they be curtailed? How could people be protected from infection and still do their jobs within the bounds of proper procedures?

To address some of these issues, the National White Collar Crime Center (NW3C) ran a number of webinars. In April, “Investigators, Examiners, and Analysts Working Remotely: Police and Prosecutor COVID-19 Challenges and Opportunities” and “COVID-19 Considerations for Collecting and Handling Digital Evidence” focused on digital forensic lab operations in particular.

Setting the stage for remote work

“There was very little time in this situation to create planned defenses for these rollouts of equipment,” said Jim Emerson, a vice president at the National White Collar Crime Center (NW3C). “We either had policy on the shelf, or we rapidly jumped into getting the job done.”

In one unnamed US-based public-sector lab,* both conditions came into play. Its stage for lab virtualization had already been set in 2018, when lab managers came up with a model for cloud implementation.

The move was a way to save money by decentralizing lab operations, as increasing volumes meant transferring digital evidence from satellites to central lab — even on USB drives — had become unwieldy. Lab personnel spent hours copying datasets over, as well as answering attorneys’ questions about how to decrypt and open files.

The overall process had become difficult to manage and could even lead to discovery issues. Transitioning some forms of digital evidence to a secure cloud deployment was the lab’s way of dealing with these issues. 

Among the initial criteria were data management, access keys, compliance, threat monitoring, and remediation. Data resilience and redundancy were important, as was the ability to set timers to delete or purge evidence once data retention requirements were exhausted.

Scalability, support, and budget factored into the decision as well. The lab pays for what it uses, including storage, processing, and even a virtual machine. Once implemented, the lab used the deployment to manage video, larger datasets, and non-contraband items to be turned over to defense for discovery.

The solution is so cost effective that it eliminates other costs associated with copying data, including the USB drives needed for every extraction. Now, lab staff simply provide attorneys with a secure link to download the data. The solution inadvertently turned out useful in the pandemic.

Coping with a state of emergency

When the state that’s home to the unnamed lab declared an emergency due to rapidly increasing COVID-19 infection rates, the lab’s team — now working from home — learned on the fly about how to manage new evidence intakes, active investigations and their existing queue, and quality control, as well as non-case routine matters such as server upgrades, hiring, and purchasing decisions.

Some of the constraints the lab found included:

  • Limited access, especially because the lab wasn’t closed outright and examiners needed to deal with evidence in transit.
  • Not enough encrypted storage and examination laptops to accommodate all staff. In certain circumstances, desktop workstations were delivered to people’s homes that could accommodate them.
  • The ability to make and measure progress so the lab would be able to prepare for an influx of post-COVID cases and not fall behind once back to work.

In other states, forensic labs limited intakes of both physical and digital evidence to minimize interaction between examiners, detectives, attorneys, and members of the public unless the case was an emergency, said Brandon Epstein, a forensic video analyst at the Middlesex County (New Jersey) Prosecutor’s Office.

Shifting between lab and home

Epstein said in the “unique space” of digital forensics, the majority of analytical work can be done remotely, which “changes the landscape and abilities” of forensic examiners. Because most forensic examiners are already equipped with laptops that they can bring into the field — whether crime scenes or satellite offices — transitioning to home offices isn’t much different from an operational standpoint.

At the aforementioned unnamed lab, however, even with a cloud deployment, transitioning the physical office to a virtual one wasn’t simply a matter of using Microsoft Teams and OneDrive, Skype or WebEx and Zoom meetings to discuss initiatives and cases. It also involved careful coordination, security, and workflow considerations.

Together the team came up with best implementation ideas, including data management and both physical and information security. Policy and standard operating procedures governed what examiners could and couldn’t do from home. They included:

  • No contraband or sensitive data of any kind allowed at home.
  • No original devices could leave the lab space. Lab personnel could take copies of certain datasets home, but only work from those backups or copies — and track everything that went home and returned.
  • Evidence had to be encrypted at all times, workstations locked, and any notes or reports strictly guarded so they wouldn’t be accessible by people in the home environment.
  • Case files and data needed to be segregated as clearly as they would be in the lab environment.
  • Digital evidence handling/transfer – no original devices leaving the lab space

On the leadership side, lab managers were required to check in to make sure people had all the resources they needed, with the support of their lab, so they could follow the policies. For example, new purchases or replacements for broken technology were still a manager’s responsibility.

Epstein’s lab had similar policies in place. Home offices needed to be secured and unshared, and if something out of the ordinary happened, it needed to be reported and documented up front.

Emerson cautioned that a distributed workforce changes an organization’s “risk profile.” “You can’t expect to add, change, even subtract technology from an enterprise without creating or changing the risk profile of that organization,” Emerson said.

The risk profile thus shifts from “bring your own device” to “bring your own network,” said Emerson. “In some cases, the technology might be from Best Buy, or directly from the ISP,” he explained. “It might be agency equipment, if the agency was prepared to push equipment out.”

Even at that, he continued, questions must be asked and answered. “Who else has access to that equipment? Is it something that is truly locked down, or something that can be shared unintentionally? Is it inadvertently possible, if we walk away from the keyboard… that something else is happening with that system that’s connected to the organizational edge? And what else is logically attached to the home network? Is the home network simple? Is it broken up into different virtual, local area networks?”

Pointing to guidance from the SANS Institute, well as the Multi-State Information Sharing and Analysis Center (MS-ISAC), Emerson offered some basic guidelines:

  • Ensuring employees harden their home networks
  • Updating router firmware and changing wifi passwords regularly
  • Configuring / updating / patching / managing software as needed
  • Using strong, unique passwords across devices
  • Limiting outside access to devices and the home network 
  • Using a virtual private network (VPN) to secure data in motion and comply with Criminal Justice Information System (CJIS) requirements

Of course, said Epstein, some work could only be done in the lab. Acquisitions and working with contraband were examples, as was the use of tools geolocated to the lab whose licensing agreements prevent their off-site use. 

With the cloud deployment at the unnamed lab, personnel didn’t have access to systems that weren’t online, or to original devices or evidence in custody. To ensure lab work still got done without unnecessarily risking examiners’ safety, the team coordinated which member would go to the lab during a targeted time frame on a given day each week. That examiner would work from a list of needs, then distribute completed materials as needed when they were done.

As evidence transitioned to the lab from the satellites, team members evaluated the new intakes in terms of hazardous conditions. They logged who delivered it, where it came from, and what condition it came in.

The protocol was similar in New Jersey, where Epstein said “hazardous conditions” could include some non-COVID health risks; for example, opioid overdose deaths. Even though limiting intakes also meant limiting the number of personnel in a lab at a given time, Epstein said that because the chemicals used to make these drugs can be toxic, examining exposed devices needed to be done with two people rather than just one, in case one person gets sick.

Maintaining chain of custody

Securing data and workspaces isn’t just important for privacy protection. In general, unexplained interruptions in the chain of custody can make it harder for the government to authenticate evidence and prove that it is what the government says it is.

The shift to remote work opened the question of whether evidence might find its way home with forensic examiners, and that, said Epstein, is the issue. The more potential sources — whether people or pets — could interact with the evidence, the higher the likelihood that the defense could claim it couldn’t be properly authenticated. 

On the other hand, because the Federal Rules of Evidence Rule 901 allows for authentication by a witness with knowledge, an examiner who kept the evidence in secure location and acknowledges that the home was suboptimal but can demonstrate what they did, how, and why to preserve the evidence, is in a better position than one who cannot.

“Did you know what you were supposed to do, and did you do it?” Epstein explained, summing up the key elements that ensure the evidence and the rights of all involved are secured:

  • Procedures that help examiners to keep evidence from being altered
  • Policy that authorized an examiner’s actions
  • Lab protocols that maintain the validity of tools and processes

The protocols in particular should stay the same even during a pandemic, Epstein continued, adding: “[You have to be able to say that you] did what you would always do and the evidence is just as valid — and damaging — as it always was.”

Policies that require original evidence to be stored at the lab, and for work to be done in a secure home location, offer one way to handle this. Examiners should plan to analyze only a working copy on their issued (not personal) laptop, said Epstein, and to minimize any changes to the extent possible.

Epstein said in his jurisdiction, original evidence adheres to normal policy, with “deviations” allowed only for working copies. In other jurisdictions, agency examiners interact with evidence through an encrypted tunnel, which provides a home user with remote access to their work computer. “[They make a] conscious effort to minimize deviation so it doesn’t tangibly affect the chain [of custody],” Epstein said.

Epstein said another consideration is how to store seized evidence temporarily prior to booking it into an evidence locker at the lab. “A custodian of evidence for any length of time needs to think about network isolation,” he said. Adequate Faraday bags, charging capabilities, even keeping the device in AFU mode prior to booking and analysis should all be a matter of policy for all agencies responsible for evidence, as should any COVID- or non-COVID-related evidence decontamination.

On the other hand, Emerson added, an insider threat — whether a disgruntled employee, or an unwitting one — could compromise this setup, especially in a “less than optimally controlled environment.” Many agencies have no way to audit home setups as they would at work, such as pulling logs, or to implement strict policies, such as access denial to USB devices. The best alternatives: monitoring and training, as difficult as they are to do with a distributed audience.

At the unnamed lab mentioned above, managers believe the only way to implement a virtual workforce is trust going both ways between managers and workers. Part of that is the creation of clear interim policy directives, as well as concrete ways of managing people’s virtual work within that policy framework. This includes prioritizing virtual work, such as what type of data people are asked to work on from home.

That has a knock-on effect on security, as well. “We want to minimize access and limit access to what is essential,” Emerson said. “So if we had a compliance policy scenario that was working quite well before this happened, we want to ensure it continues to happen — to the extent that it’s possible and/or there’s some exception to policy that’s been made knowingly [and] evaluated [for] risk.”

An underrated way for employees to manage risk is by developing routines and minimizing distractions, much like they would in the lab environment. This kind of discipline, as well as strong communication, reduces the risk of mistakes. “This is an emotional time for a number of people,” said Emerson, adding that this can lend “a great sense of urgency” to work tasks. Employees need now more than ever to slow down and become more deliberate.

Lessons with an eye towards the future

As difficult as the transition to remote work was, the team at the unnamed lab discovered some silver linings. The virtualized setup gave them more time to shift priorities, focus on investigations, and clear old cases. And, with zero commute time, they could better balance their lives, and their overall level of satisfaction rose.

Team members became smarter about prioritizing what to collect and what to analyze while working from home, which improved their efficiency. Over time, their satisfaction also improved from a sense of “ingenuity” and the knowledge that they could successfully manage such a drastic change. 

The team has since tested the proof-of-concept ability to upload reports including exportable formats from any platform: phone extractions, digital reports, and items for tagging.

Eventually the lab will also upload transcriptions and translations, making them text searchable data. For example, a human trafficking case might have audio files — voicemails — in the thousands. Reducing it all to text would render investigations and discovery more manageable.

There’s also the possibility that forensic examinations themselves could be done in the cloud. Recording and storing extractions to the deployment would enable the team to investigate in real time.

The lab director acknowledges the caveats associated with virtualizing a digital forensics lab. For one, the lab isn’t accredited because managers aren’t satisfied that it’s appropriate for the field itself. On the other hand, he added, cloud-based forensics already exists in many private-sector companies.

In the meantime, the lab maintains its own manuals for operations, quality control, and training, all of which allow for the creation of any type of directive the team needs to be flexible and handle the situation.

The pandemic may have forced unprecedented changes in work and home structures, but also presented opportunities to reexamine the way things were being done — and improve them. Within the bounds of requirements imposed by established justice requirements, labs have started to take the first steps towards practices that save time and money, optimize efficiency, and make virtualization part of labs’ normal way of doing business.

*Anonymized at the lab director’s request

Leave a Comment