Digital Forensics Policy: Expectations and Acceptance
Written by André Champagne   

Time flies and, as we all know, things never stay the same. In 1934 the Boston Police Department started using two-way radios, the first CAD system was installed in St. Louis in 1965, AT&T enacted the 911 emergency number in 1968, computers were installed in police vehicles throughout the 1970s and 1980s, electronic fingerprint systems became widely used in the 1990s, and in recent years a flurry of technological advancements from GPS tracking to body cameras have been implemented in many agencies.

Twenty years ago digital forensics was virtually unknown, ten years ago it was barely an infant, and today it is growing faster than a weed on a warm spring day. The growth of this field has been enormous and has outpaced the ability to keep up on items like tool development, research, training, and sound policy implementation. In addition, there has been a lack of education for law enforcement management, judges, detectives, and the public on the importance of digital forensics, how it can be leveraged to solve crimes, and the limitations of this emerging science.

In order to get a deeper understanding of digital forensics and mobile forensics, we need to first understand how we define them. Most people refer to examining computers, mobile phones, and related devices as computer forensics or digital forensics. The Merriam-Webster dictionary describes “forensic” as “…relating to the use of scientific knowledge or methods…” Traditional forensic sciences include DNA, serology, fingerprint comparison, and trace evidence. Each of these traditional forensic disciplines has long been considered a “science,” and there are robust policies and procedures, training and education requirements, and accreditation standards in place for each of them. Although digital forensics and its child, mobile forensics, are starting to mature, there is still a wide gap between how practitioners, management, and agencies perceive and approach them and how they perceive and approach traditional forensics.

Now that we have briefly explored a little history we need to ask a few questions:

Is digital forensics treated like a science by you and your agency? Are there quality-control standards implemented for digital and mobile forensics? Are there policies and procedures in place that define your agency’s approach to digital forensics and are they current? Do these policies and procedures have a section specific to mobile forensics? Do you have current mobile forensic tools and are you well trained on them? Is time of the essence in your mobile forensic investigations? Is there a “best practice” that you follow when doing traditional digital forensic examinations and mobile forensic examinations?

Regardless of your role in the digital forensics chain, ponder these questions and how the answers may affect the quality of the digital forensics work product as well as the attitudes and general conception of this scientific discipline within your agency.

In the following passages we will touch upon the expectations an agency may have for their digital and mobile forensics units and ultimately what level of service an agency is willing to accept.

Expectations

A very important aspect of digital forensics is to understand the expectations set upon an agency. This is likely even more important when dealing with mobile forensics. If expectations are set too high then it will likely lead to unobtainable goals, missing evidence, human errors due to unrealistic time deadlines, and frustration for all involved.

To meet expectations, agencies also need to have well-trained staff, and they need to have access to the appropriate tools of their trade. Digital forensics is an expensive endeavor; if an agency undertakes the task of mobile forensics, then these costs are even greater. Practicing digital forensic examiners understand that no one tool is sufficient to process all items. With a long list of operating systems, file systems, custom applications, and hardware components, a single examiner typically needs several different hardware and software tools to finish a job. These tools need to be updated and upgraded over time. Examiners need to be trained and their skills refreshed over time. Having a highly qualified digital forensic examiner on staff requires a system similar to the one an agency already has in place for its sworn officers. Sworn officers are supplied with the proper equipment to do their jobs, and they are constantly trained in order to meet agency and state requirements. The commitment an agency makes to training and equipment will reflect directly on the quality of work a digital forensics unit produces, as well as on what types of devices it can process effectively.

In mobile forensics processing, it is virtually impossible to know how long it will take to acquire and analyze a particular device. There are thousands of devices, new devices coming out every month, a myriad of operating systems, many types of file systems, and identical models often have completely different configurations. An examiner might be able to get a logical acquisition from one device, a file-system acquisition from another, and a physical acquisition from yet another. A logical acquisition could take as little as a few minutes while a physical acquisition may take many hours. Some mobile devices, such as many running Windows operating systems, may yield an examiner little in terms of an acquisition, and these devices may require manual inspection and the photographing of relevant information directly from the device screen.

An acquisition is just the first hurdle to jump. Once an acquisition has been obtained, then the focus turns to examination or interpretation of the acquisition results. For some, no real examination is required and a simple report containing items like call logs and text messages can be produced and then passed on to the appropriate parties. In other instances, there may need to be additional analysis performed such as keyword searching, data carving, and database analysis, to name just a few. It is important to remember that no automated tool recovers everything, and oftentimes a skilled forensic examiner is required to ascertain if there is additional information, where it is, how to interpret it, and how it impacts the investigation.

So, is your agency expecting “drive through” forensics (a term coined by my coworker, Detective Sims), where a mobile device can be dropped off and a few minutes later it will be acquired, examined, and a report produced? For the agencies expecting such results, they will likely be very disappointed. This expectation of service is simply too high of a threshold to be realistic.

Are you ever asked to acquire a device while someone waits and then you find out the acquisition will take two hours or the acquisition keeps failing? These examples are reasons that management needs an understanding of the basic science involved in mobile forensics so they can develop sound policies. An agency should outline general expectations for mobile examinations within their official policies. These expectations do not need to be specific, but they should generally outline reasonable outcomes, time frames, and known limitations that may hinder or prevent an expected result. Sound policy that is followed and understood by all involved will help alleviate frustration and allow forensic examiners to approach their work knowing that they will not be seen as the problem when an exam requires additional time or when specific forensic artifacts are unattainable.

Expectations may also vary for examinations performed in the lab versus those performed in the field. Field staff may be limited in skills and tools; in such cases, the extent of their forensic inquiry should be limited. Unless information is needed for exigent circumstances or there is a high probability that no additional forensic analysis will be required beyond what is being performed in the field, devices should be processed in a controlled environment by forensic examiners. A move toward decentralized mobile forensics, however, is a current trend that bucks this advice and recommends more field processing.

A decentralized approach to mobile forensics, where the analysis of devices is done in the field, complicates things tremendously and can lead to unreasonable expectations. In theory, decentralized mobile forensics sounds like a potential way to address laboratory backlogs—and for some agencies, it may be something to consider. But for most, this will likely do nothing to increase efficiency and simply add to agency expenses and frustrations.

As mentioned previously, mobile devices are extremely diverse, and acquiring devices can often be problematic or take many hours. In addition, the equipment to do mobile forensics is still fairly expensive, usually requires a piece of hardware similar in size to a tablet or laptop, and requires a bag full of cables and adapters. Many law enforcement vehicles simply don’t have the room for this equipment, and many agencies have a hard time funding mobile forensics equipment for a lab environment, let alone funding multiple units to be used in the field. Any equipment used in the field is also subject to greater environmental stress (heat, cold, humidity, vibration, sunlight, water, etc.). There is no doubt that decentralized forensics is becoming more popular, but with the forensic processes and equipment currently available, it is highly unlikely that this method will be a major component for most agencies until at least several years from now.

Decentralized mobile forensics could be considered more like pure data acquisition than actual forensics. Is this really forensics if the only items needed or reviewed include items like call logs, contacts, text messages, and images? Technically, the answer to this would be Yes, if scientific knowledge or methods are used, but one could argue that it is nothing more than a simple data dump. Data acquisition in the field may be the future for mobile triage, but it will likely not be sufficient for those cases requiring deep analysis and a sound forensic approach that will hold up under the scrutiny of cross examination. The key for each agency is to understand what their expectations are for mobile forensics so they can implement the policies and procedures to meet those expectations.

Acceptance

Acceptance is the process by which agencies adapt to the results of their expectations. Once expectations are defined, then acceptance of the forensic process and work product begins. Acceptance is an ongoing process and it oftentimes will lead to modification of expectations.

An agency needs to decide whether it is willing to accept the level of training provided to its digital forensic examiners. Does it provide the examiners with the skill sets needed to meet the expectations of the agency? Do the tools provided to these examiners allow them to process devices effectively and meet agency expectations? In addition to these items, every agency must also decide if it will accept numerous other things as set forth in policy expectations. These items may include accepting time frames for completing exams, the quality of the final report, and field triage capabilities, to name just a few.

If an agency finds that something is not acceptable, then it should be immediately addressed in the policy expectations. This process of keeping policy current reflects an active commitment by management to the success of the digital forensics unit and will help maintain a positive and engaged staff.

Sound policy that defines expectations does not substitute for quality forensic practitioners and technical process. Rather, it should be considered as a complement to them and a guide that will help an agency navigate the scientific world of digital forensics and mobile forensics.


About the Author

André Champagne is currently a forensic investigator for the Wright County (Minnesota) Sheriff’s Office. He has also worked as a forensic examiner for the Illinois Attorney General’s Office High Tech Crimes Bureau, lab manager and senior forensic examiner for Flashback Data in Austin, Texas, and senior IT specialist and systems administrator at the Anoka County (Minnesota) Sheriff’s Office. In all, Champagne has more than 20 years of experience in public safety IT and forensics. He holds numerous forensic certifications (CFCE, ACE, CME, others), has served on the Minnesota HTCIA board and currently serves on the Century College Computer Forensics Advisory Board (2009-Present).
