Drowning in Digital Data, Law Enforcement Moves to Team-Based Forensic Technology and Processes to Speed Up Investigations
WHITE PAPER
Forensic collection and analysis of digital data from
suspects’ computers is essential in just about every
law enforcement investigation today. Mobile phones,
tablets, laptops, desktops and networks store
information that can prove if a suspect was at a certain
location when a crime occurred, what Internet sites
they recently visited and a treasure trove of additional
information to determine charges and case strategy.
Emails, files, chat logs, video, images, data from gaming
stations and even smart home devices like Amazon
Echo® help law enforcement unlock key evidence.i One
estimate shows up to 90 percent of all crimes have
an electronic component to them. In 75 percent of
these crimes, electronic evidence from computers and
mobile devices is critical in resolving the crime.
To handle this flood of digital evidence, law
enforcement agencies have been building up their
digital forensic expertise, technology and processes
to bring criminals to justice using digital evidence.
Certainly, large federal law enforcement agencies
have massive expertise and sophisticated digital
investigative capabilities. State Attorney General
Offices have also forged cybercrime and computer
investigative offices, as have major U.S. cities. Smaller
police departments and rural sheriff offices that lack
these resources engage local, regional and state digital
investigative resources to perform forensic acquisition
and analysis of digital evidence for local crimes.
Similarly, many federal agencies rely on federal crime
labs for analysis support.
Still, forensic teams at all levels of law enforcement
are overwhelmed by the exploding demand for
their services. A 2015 Rand report shows that law
enforcement forensic teams are challenged with “the
considerable quantity of evidence analyzed by examiners
and challenges in obtaining the necessary support, in
terms of both funding and staffing.”ii
With skyrocketing digital data and insufficient resources,
law enforcement digital labs are looking for ways to
improve efficiency and team collaboration and to reduce
troubling backlogs to speed the path to justice. This paper explores
the complexities and challenges facing law enforcement
in managing digital evidence as it makes its way through
digital forensics and investigative workflows. We will
discuss new approaches, emerging technology solutions
and best practices for law enforcement professionals as
they transform their capabilities to leverage digital data to
bring criminals to justice.
Drowning in Complex Digital Data

Digital data creation and storage have mushroomed and
there’s no end in sight. With over 4 billion cell phone users
in the world in 2017, iii there is no doubt that criminals
carry around the breadcrumbs of their nefarious activity
on their mobile phones. Investigators must carefully
examine gigabytes or terabytes of data collected from
phones, laptops and computers. Digital examiners must
be able to interrogate anything from emails and files to
social media, texts, chat logs, video, audio and images,
and overcome encryption and passwords that block their
access to data.
Examiners also face a multitude of operating systems
(Windows®, iOS®, Android™), along with miniaturized form
factors, motherboards, memory chips and other hardware
from which they painstakingly attempt to extract data.
CCTV footage and video with proprietary codecs present
analytical problems for examiners too. Deleted information
hiding in unallocated space or slack is a primary target
for examiners. To deal with all of the data volume and
variety, law enforcement forensic teams require digital
forensic technology that includes forensic data acquisition
capabilities, file signature analysis, hex viewers, Internet
browsing visibility, file fragment reconstructions and data
recovery, to name a few key capabilities.
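The file signature analysis and fragment recovery named in the paragraph above, shown as an added example rather than code from the white paper or from any AccessData product: a small magic-byte table, a check that a file's content agrees with the type its extension claims, and a scan of a constructed "unallocated space" buffer for buried headers, which is the first step of carving. The signature table, file names and byte strings are all constructed for the example.

```python
"""File signature (magic byte) triage and header scanning over raw bytes."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed table of well-known file signatures: type -> magic bytes at offset 0.
# Real examiner tables are far larger; this is enough to show the technique.
SIGNATURES: Dict[str, bytes] = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",  # also the container format of docx/xlsx/pptx
}

# Extensions that legitimately carry a signature other than their own name.
EXTENSION_ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip"}


@dataclass
class SignatureResult:
    name: str
    claimed: Optional[str]   # type implied by the extension
    actual: Optional[str]    # type implied by the leading bytes
    mismatch: bool           # content recognised and it disagrees with the extension


def identify_type(data: bytes) -> Optional[str]:
    """Return the type whose magic bytes begin `data`, or None if unrecognised."""
    for ftype, magic in SIGNATURES.items():
        if data.startswith(magic):
            return ftype
    return None


def claimed_type(name: str) -> Optional[str]:
    """Type a file claims through its extension, normalised via the alias table."""
    if "." not in name:
        return None
    ext = name.rsplit(".", 1)[1].lower()
    ext = EXTENSION_ALIASES.get(ext, ext)
    return ext if ext in SIGNATURES else None


def check_file(name: str, data: bytes) -> SignatureResult:
    """Flag a file whose content disagrees with its extension (e.g. a JPEG renamed .txt)."""
    claimed = claimed_type(name)
    actual = identify_type(data)
    # Unrecognised content proves nothing, so only recognised content can be a mismatch.
    return SignatureResult(name, claimed, actual, actual is not None and claimed != actual)


def triage(files: Dict[str, bytes]) -> List[str]:
    """Names of the files whose extension disagrees with their content."""
    return [name for name, data in files.items() if check_file(name, data).mismatch]


def find_headers(blob: bytes) -> List[Tuple[int, str]]:
    """Scan a raw blob (e.g. unallocated space) for known headers at any offset.

    Locating a header is the first step of carving; reassembling the fragment that
    follows it needs format-specific logic that this example does not include.
    """
    hits = []
    for ftype, magic in SIGNATURES.items():
        pos = blob.find(magic)
        while pos != -1:
            hits.append((pos, ftype))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)


# Constructed sample files: headers plus padding, not real documents or images.
SAMPLE_FILES: Dict[str, bytes] = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "notes.txt": b"\xff\xd8\xff\xe1" + b"\x00" * 16,   # a JPEG hiding behind a .txt name
    "report.docx": b"PK\x03\x04" + b"\x00" * 16,
    "readme.md": b"plain text here",
}

# Constructed "unallocated space": filler bytes with two JPEG headers and one PDF header buried in it.
UNALLOCATED = (b"\x00" * 100 + b"\xff\xd8\xff\xe0" + b"\x11" * 50
               + b"%PDF-1.4" + b"\x22" * 30 + b"\xff\xd8\xff\xe1")

if __name__ == "__main__":
    for result in (check_file(n, d) for n, d in SAMPLE_FILES.items()):
        print(result)
    print("headers in unallocated space:", find_headers(UNALLOCATED))
```

The extension check deliberately treats unknown content as "no finding" rather than as a mismatch: a renamed JPEG is worth an examiner's attention, a text file the table simply does not know is not.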
Don’t Send Your Digital Examiner on a Wild-Goose Chase

With the massive data volumes on computers,
investigators and prosecutors must learn to be very
specific in their requests to forensic examiners. When
a detective’s instruction is “just get me everything,” an
examiner is likely to go into spasms. Given the gigabytes or
even terabytes of data on computers and devices, these
overly broad requests delay analysis, requiring examiners
to root around completely irrelevant information. Teams
can get what they want faster and have less extraneous
data to comb through on their end if they give examiners
more specific requests.
A recent Police Chief article included these observations
and examples of the type of instruction specificity needed
for a child pornography forensic examination:
“Just a few of the pertinent issues are how many images
are enough to prove the allegation, whether it is relevant
that images were sorted or viewed, if it is important when
the images were acquired and in what manner, and if it
matters whether images were distributed to others and to
whom. It is counterproductive for an examiner to spend
days examining terabytes of data to locate every unlawful
image when a smaller number of images might prove the
case. It is even more important for the examiner to know
the appearance of a likely molestation victim so that an
attempt can be made to identify similar images.”
To execute specific instructions and to remain within the
confines of the warrant, law enforcement will want to equip
examiners with a forensic platform that empowers them to
filter out unwanted and irrelevant information quickly, to
zero in on the most compelling evidence.
The Backlog Morass

In a groundbreaking study, the Rand Corporation found
that the overarching problem facing law enforcement
digital evidence investigations is the lack of forensic staff
and resources to handle the exploding digital forensics
need. Many computer investigation departments have
a huge backlog of investigations because their staffing
is woefully low and they lack budget to keep up with
efficiency-boosting technology. For better or worse,
competing with funding demands for more police on the
streets, for example, makes it hard to get city councils
to fund forensic staffing and technology requests. As
astounding as it sounds, some departments have 18, 12
or 6-month backlogs of digital evidence awaiting forensic
analysis in pending cases. Such lengthy delays can mean
leads go stale, witnesses’ memories fade and criminals go
unapprehended.
Ending the One-Examiner, One-Machine Limitation

Growing caseloads, backlogs and limited staffing resources
challenge forensic labs to nimbly manage multiple cases
and shift team resources as priorities change. Shifting
examiners assigned to a project is no easy matter
in environments where examiners work in silos on
unconnected workstations. All the case data is on that one
computer, accessible only by the one examiner assigned
to that case. But what if a “drop everything” case comes
along, requiring that examiner with special expertise to
shift to an urgent matter? His current cases will lie fallow,
unless another examiner can efficiently step in to continue
progress. Migrating data from one machine to the new
examiner’s machine is cumbersome and time consuming.
In a one-machine, one-examiner environment, sharing “hot
evidence” across the team is also painfully slow because it’s
locked from view in one machine.
Leading crime labs have moved away from the one-
examiner, one-machine model to a team-based approach
where all case data is centrally stored and accessible by
the team based on credentials. Administrators can easily
shift projects to get the right resource on the right project
at the right time. Managers can turn on and off examiner
access rights to case data in the central database, allowing
examiners to easily shift on or off cases as priorities and
specialized skill needs change. The technology also gives
forensic lab managers the ability to better manage their
teams from a centralized console with dashboards and
access to case data, ending the time-consuming need to
log on to individual examiner’s machines to monitor cases.
Processing Speed Gives Investigators an Earlier Look

Imagine how frustrating it is for detectives and
investigators to wait to see their case data because their
forensic group has a huge backlog. Whether it’s digital
evidence the investigators need to make further arrests
or prepare their case with the prosecutor for a grand
jury or preliminary hearing, delays cause problems. Every
minute that ticks by could mean criminals are covering
their tracks or witnesses leaving the area. A lack of
processing speed hamstrings many digital labs intent on
getting their investigative team evidence they need to
move forward.
Yet, a major processing breakthrough exists for digital
forensic teams. Improved forensic technology offers
distributed processing that harnesses multiple processing
engines to power through large data volumes. Data from
multiple cases can be processed simultaneously, rather
than one by one with the limited processing power of a
single workstation. This processing power and speed is a
key driver of leading crime labs reducing their backlogs—
getting initial data to investigators in a matter of weeks
rather than many months.
Armed with distributed processing, examiners can rapidly
process the data and share it with investigators much
earlier. With their nuanced understanding of the case,
the investigators’ early look at the data can help focus the
forensic analysis on areas most likely to generate relevant
evidence to help the case. For example, investigators or
detectives combing through initial emails, call logs or GPS
information might find additional accomplices or witnesses
they weren’t aware of prior to seeing them mentioned
in this data. The best teams build ongoing examiner-
investigator “early case assessment” meetings into their
processes to keep the entire team focused on relevancy
and what is needed for arrests and eventual prosecution.
This avoids spending needless time conducting forensics
on data unlikely to bear fruit for the case.
Flexible Technology Sharing Key to Early Collaboration

Faster data processing is not the only technical key to
smarter, faster investigations. Once the data is ready for
investigators to look at, they need technology that lets
them explore it. Sending
them batches of data to scroll through, or worse, print,
is both risky and inefficient.
Leading law enforcement organizations are using forensic
platforms that enable administrators to give investigators
limited rights to the forensic platform to review data. The
forensic platform administrator can give investigators
secure, role-based access at the case and data level via
a web portal. This highly secure, flexible credentialing
gives investigators visibility into their data early on, but
cordons them off from other cases, any classified data
and manages any risks that would jeopardize data integrity
and chain of custody. The forensic team controls all
access rights.
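The case-level, role-based credentialing described above, as an added illustration that is not the white paper's or the vendor's code: a central store in which each user holds a role per case, investigators may view and search but may not export or see restricted items, only an administrator grants or revokes access, every decision (allowed or denied) is written to an audit log, and each item's acquisition hash is re-verified before it is served so a silently altered item is never shown as evidence. Roles, user names, case numbers and evidence contents are constructed for the example.

```python
"""Case-scoped, role-based access to evidence with an audit trail and integrity check."""

import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Constructed role model: investigators view and search, examiners also analyse and
# export, and only an administrator grants or revokes access.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "investigator": {"view", "search"},
    "examiner": {"view", "search", "analyze", "export"},
    "admin": {"view", "search", "analyze", "export", "manage_access"},
}


@dataclass
class EvidenceItem:
    item_id: str
    case_id: str
    content: bytes
    restricted: bool = False          # sealed or classified material
    sha256: str = field(init=False)   # recorded once, at acquisition

    def __post_init__(self) -> None:
        self.sha256 = hashlib.sha256(self.content).hexdigest()

    def verify_integrity(self) -> bool:
        """True if the bytes still hash to the value recorded at acquisition."""
        return hashlib.sha256(self.content).hexdigest() == self.sha256


class CaseStore:
    """Central store; every decision, allowed or denied, is written to the audit log."""

    def __init__(self, admin_user: str) -> None:
        self.items: Dict[str, EvidenceItem] = {}
        # (user, case_id) -> role; case_id "*" means the grant covers every case.
        self.grants: Dict[Tuple[str, str], str] = {(admin_user, "*"): "admin"}
        self.audit: List[dict] = []

    def _log(self, user, action, case_id, item_id, allowed, reason) -> None:
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                           "action": action, "case": case_id, "item": item_id,
                           "allowed": allowed, "reason": reason})

    def role_for(self, user: str, case_id: str) -> Optional[str]:
        return self.grants.get((user, case_id)) or self.grants.get((user, "*"))

    def _is_admin(self, user: str, case_id: str) -> bool:
        role = self.role_for(user, case_id)
        return role is not None and "manage_access" in ROLE_PERMISSIONS[role]

    def grant(self, admin: str, user: str, case_id: str, role: str) -> bool:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        ok = self._is_admin(admin, case_id)
        if ok:
            self.grants[(user, case_id)] = role
        self._log(admin, "grant", case_id, None, ok, f"{user} -> {role}" if ok else "not an administrator")
        return ok

    def revoke(self, admin: str, user: str, case_id: str) -> bool:
        ok = self._is_admin(admin, case_id) and self.grants.pop((user, case_id), None) is not None
        self._log(admin, "revoke", case_id, None, ok, f"{user} removed" if ok else "refused or no grant")
        return ok

    def access(self, user: str, action: str, item_id: str) -> Optional[EvidenceItem]:
        """Return the item if `user` may perform `action` on it, else None (and log why)."""
        item = self.items.get(item_id)
        if item is None:
            self._log(user, action, None, item_id, False, "no such item")
            return None
        role = self.role_for(user, item.case_id)
        # The first failing check becomes the logged reason, so the audit trail explains refusals.
        denial = None
        if role is None:
            denial = "no grant on this case"
        elif action not in ROLE_PERMISSIONS[role]:
            denial = f"{role} lacks {action}"
        elif item.restricted and role == "investigator":
            denial = "restricted item"
        elif not item.verify_integrity():
            denial = "integrity check failed"
        self._log(user, action, item.case_id, item_id, denial is None, denial or role)
        return None if denial else item


def demo() -> CaseStore:
    """Constructed scenario: two cases, one examiner on both, one detective on one."""
    store = CaseStore("labadmin")
    for item in (EvidenceItem("0412-email", "2017-0412", b"constructed email export"),
                 EvidenceItem("0412-sealed", "2017-0412", b"constructed sealed material", restricted=True),
                 EvidenceItem("0431-phone", "2017-0431", b"constructed phone extraction")):
        store.items[item.item_id] = item
    store.grant("labadmin", "ex.ortiz", "2017-0412", "examiner")
    store.grant("labadmin", "ex.ortiz", "2017-0431", "examiner")
    store.grant("labadmin", "det.lee", "2017-0412", "investigator")
    return store
```

Shifting an examiner between cases is a grant and a revoke against the central store rather than a data migration between workstations, and because the integrity check runs on every access, the audit log doubles as a chain-of-custody record for who saw which item, when, and whether it was still intact.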
The forensics team can hide advanced analysis tools in
the platform to unclutter the investigators’ screens when
they give them access, making the platform easier for
investigators to learn and use. These emerging platforms
let investigators take advantage of key word or date
searches to zero in on key facts, and use email analytics
to quickly see communication patterns by the suspect,
accomplices and victims. Investigators familiar with case
nuances can use technology to speed up review of images
or pictures in a thumbnail panel, efficiently moving through
quantities of images.
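The keyword and date searches and the communication-pattern view mentioned above, as an added example that is not the platform's own code: the date window stands in for the period a warrant authorizes, keyword matching runs over subject and body, and pair counts show who exchanged mail with whom and how often. The mailbox, addresses, dates and message text are constructed.

```python
"""Keyword and date-window filtering of an email set, with who-talks-to-whom counts."""

from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Email:
    sent: date
    sender: str
    recipient: str
    subject: str
    body: str


def search(emails: Iterable[Email], keywords: Iterable[str],
           start: Optional[date] = None, end: Optional[date] = None) -> List[Email]:
    """Emails dated within [start, end] whose subject or body mention any keyword.

    Matching is case-insensitive; with no keywords the date window alone decides,
    which is how a review is kept inside the period a warrant covers.
    """
    kws = [k.lower() for k in keywords]
    hits = []
    for e in emails:
        if (start is not None and e.sent < start) or (end is not None and e.sent > end):
            continue
        text = f"{e.subject}\n{e.body}".lower()
        if not kws or any(k in text for k in kws):
            hits.append(e)
    return hits


def communication_pairs(emails: Iterable[Email]) -> List[Tuple[Tuple[str, str], int]]:
    """Undirected message counts per address pair, most active pair first."""
    counts: Counter = Counter()
    for e in emails:
        counts[tuple(sorted((e.sender, e.recipient)))] += 1
    return counts.most_common()


def contacts_of(emails: Iterable[Email], address: str) -> Dict[str, int]:
    """Everyone `address` exchanged mail with, counting both directions together."""
    out: Counter = Counter()
    for e in emails:
        if e.sender == address:
            out[e.recipient] += 1
        elif e.recipient == address:
            out[e.sender] += 1
    return dict(out)


# Constructed mailbox; addresses, dates and text are invented for the example.
MAILBOX: List[Email] = [
    Email(date(2017, 3, 1), "alex@example.com", "bo@example.com", "meeting", "see you at the storage unit on friday"),
    Email(date(2017, 3, 2), "bo@example.com", "alex@example.com", "re: meeting", "ok, bring the key"),
    Email(date(2017, 3, 5), "alex@example.com", "cam@example.com", "invoice", "attached invoice for march"),
    Email(date(2017, 3, 9), "dee@example.com", "alex@example.com", "storage", "the storage unit lease is renewed"),
    Email(date(2017, 3, 15), "alex@example.com", "bo@example.com", "plans", "friday is fine"),
    Email(date(2017, 4, 2), "bo@example.com", "alex@example.com", "hello", "how are you"),
]

if __name__ == "__main__":
    for e in search(MAILBOX, ["storage"], start=date(2017, 3, 1), end=date(2017, 3, 31)):
        print(e.sent, e.sender, "->", e.recipient, "|", e.subject)
    print(communication_pairs(MAILBOX))
```

The pair counts are undirected on purpose: for a first look at who the suspect dealt with, the volume of traffic between two addresses matters more than which side wrote first.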
In addition, the technology supports local law
enforcement’s remote viewing of data when they partner
with state or federal crime labs on forensic analysis.
Bringing local law enforcement in earlier promotes faster
case progress and critical early decision making on
evidence to support charges and additional warrants.
Conclusion

Cybercrime, fraudulent schemes, child pornography and other criminal behavior are not going away anytime soon. In the digital age, data volumes and complexity in criminal cases will overwhelm law enforcement unless they find a new way—fast. New team-based approaches and high-speed data processing forensic platforms are starting to make a dent in these big problems facing government crime labs. Capabilities to do deep forensic analysis on mobile phone and computer data to uncover hidden evidence crucial for successful prosecutions are table stakes for today’s labs. Yet many law enforcement digital labs remain plagued with massive backlogs, complex data challenges and barriers to effective team management and collaboration.

Law enforcement agencies can’t afford to wait any longer

They must invest in new approaches to break the stranglehold on their efficiency in today’s digital environment. When considering technology and process improvement investments, law enforcement leaders will want to look for:
• Technology to assign and manage a team approach needed for large scale, complex cases
• Faster, distributed processing to power through reams of digital data, and get investigators an earlier look at data
• Ability to centralize all case data for effective teaming
• Secure, flexible credentialing that allows examiners to safely give investigators the ability to search and review key data for collaboration
• Solutions to handle the data complexity of thousands of data types, applications, systems and devices you face
• Examiner reports that are more digestible for investigators and prosecutors, with graphical timelines, bookmarking and notes, and that are easy to customize for different audiences

Learn more here about how the AccessData® team-based approach, high-speed processing and advanced forensic analysis platform can take your team to a new level of efficiency to support your pursuit of justice. The stakes are too high to wallow in solvable problems any longer.

i. Amy B. Wang, “Can Alexa help solve a murder? Police think so — but Amazon won’t give up her data,” Washington Post, December 28, 2016.
ii. Digital Evidence and the U.S. Criminal Justice System: Identifying Technology and Other Needs to More Effectively Acquire and Utilize Digital Evidence, Rand Corporation and the National Institute of Justice, 2015.
iii. Number of mobile phone users worldwide from 2013 to 2019 (in billions), Statista.
iv. Charles L. Cohen, First Sergeant, Indiana State Police, “Growing Challenge of Computer Forensics,” The Police Chief, August 2016.
v. Rand, ibid.

Whether it’s for investigation, litigation or compliance, AccessData® offers you powerful solutions that put the power of forensics in your hands. For 30 years, AccessData has worked with more than 130,000 customers in industries from government to legal, from corporations to international business, to understand and focus on your unique collection-to-analysis needs. The result? Products that empower faster results, better insights, and more connectivity. For more information, visit accessdata.com

Visit us online: www.accessdata.com
Global Headquarters: +1 801 377 5410, 588 West 300 South, Lindon, Utah
North American Sales: +1 800 574 5199, Fax: +1 801 765 [email protected]
International Sales: +44 20 7010 [email protected]

©2017 AccessData Group, Inc. All Rights Reserved. AccessData is a registered trademark owned by AccessData in the United States and other jurisdictions and may not be used without prior written permission. All other marks and brands may be claimed as property of their respective owners. 012017