Training Your Organization to Handle Mobile Device Evidence with Confidence
Written by Christa M. Miller

While mobile forensics has become an integral investigative tool over the last few years, mobile device evidence is coming under increasing legal scrutiny as privacy continues to be a major topic. Courts are more closely examining the protocols used to gather or analyze the data, so it’s critical for investigators of all stripes to learn how to meet stringent evidentiary standards.

However, training can be difficult to justify during budget negotiations. Tradeoffs between training and equipment, as well as who to train and when to train them, must be made. Equipment outlays and new hires may take precedence. Sometimes, training gets cut altogether, which can lead to improper techniques during evidence collection.

Ideally, training prepares everyone within a potential chain of custody to handle mobile device evidence as appropriate for their responsibilities. Supervisors concerned about the cost of this extent of training must consider the cost of not training forensic examiners, who then lack the skills to perform due diligence, or first responders, who then mishandle evidentiary devices during a high-stakes investigation.

To weigh these possibilities, supervisors must determine what kind of training is needed, how much is necessary and how often, and how specialized each individual needs to be.

Determining training needs

At its most basic, training should prepare first responders to properly preserve and collect mobile device evidence, investigators to work with forensic examiners to get relevant data to build their case, and forensic examiners to perform a range of operations to support that case.

From there, additional training requirements may become apparent:

  • Should first responders be able to collect data on the device, along with the device itself?
  • Should investigators be able to perform a rudimentary enough examination to develop their own leads before the device ever goes to the forensic lab?
  • Should forensic examiners be prepared to support not just their own organization, but also others in their region?

Some organizations may require first responders and investigators to collect basic mobile device data in order to access actionable evidence or intelligence sooner than a forensic lab can turn it around. Others set up forensic labs when their own and neighboring agencies find that the nearest lab is still too far away or takes too long to return evidence. These labs often support smaller or similar-sized agencies in their county, or operate as part of a task force set up to combat certain types of crime.

Framing these requirements, recent legal decisions, including Riley v. California, 573 U.S. ___ (2014) and United States v. Winn, __ F.Supp.3d __, 2015 WL 553286 (S.D.Ill. February 09, 2015), mean that neither first responders nor investigators can expect to scroll through a device at their leisure. Search warrants are now the rule, and they must be particular.

The degree of particularity that courts are now measuring against means investigators must be prepared to show that their process did not give them access to data that was not relevant to their case, either because that data fell outside the relevant time frame or because it was not the relevant type of content.

There are undeniable benefits to enabling rapid evidence collection for improved real-time decision making, decreasing the quantity of evidence forensic experts have to deal with, and increasing the overall quality of evidence in criminal investigations. However, only good training backed up by sound policy provides the right foundation for realizing those benefits.

Training for mobile device search and seizure

At a minimum, first responders and investigators should receive training on:

  • The mobile forensics process and a first responder’s place in the chain of custody of mobile device evidence.
  • Mobile device seizure, including how to preserve physical evidence found on the device and isolate the device from the cellular network.
  • Search and seizure law, including specific legal requirements and policies at the federal, state, and local levels, and how to use good judgment to determine whether a search is necessary.
  • When and how to escalate evidence for deeper, more complex examinations that may yield vital deleted or hidden information.

However, it can be valuable to train first responders to extract limited amounts of mobile device evidence for use in investigations of motor vehicle collisions, human or narcotics trafficking, missing persons, and emergencies such as active shooters or threats of terrorism.

This is because in many cases, logical data—undeleted “low hanging fruit” or evidence of a nonfelony offense—may be enough to build a case. When it provides insights into a subject’s patterns of life, including frequent contacts and communications, it may also have immediate intelligence value.

This means that first responders and investigators can have immediate access to the actionable data they need, while at the same time maintaining its legal defensibility. It also means that forensic professionals are free to focus on more complex analytical work in more serious cases.

Since speed and accuracy are equally important in the field, courses geared for these requirements should expand upon search and seizure procedures, including logical data extraction and analysis. What kinds of data are available with a logical extraction, and how to use different types of data analytics to identify leads, should be part of the discussion. Finally, documentation and reporting processes for the scene or back at the office are important to cover.

All of these issues speak to the need to train first responders and investigators on the specific evidence collection tools they’ll be using, including Faraday bags, data extraction hardware and software, and basic analytic software. It’s ideal to certify personnel as having been trained on the equipment so that if and when they are called to testify, they can draw on their certification to lend credibility to their process.

This level of training should also help investigators collaborate more closely with lab examiners when they need to escalate evidence gathering and analysis. Aside from knowing when and how to escalate mobile device evidence, a first responder or investigator should understand how to use the extraction and analytics they performed to advise a forensic examiner on what to look for further. Time frames and content types are of particular interest, although investigators should understand the difference between particularity and being too detailed.

Finally, supervisors, prosecutors, and others who are not directly involved in evidence collection, but who supervise those who are, should attend a primer course that covers mobile forensics fundamentals. Such a course covers basic extraction and analysis capabilities, what search and seizure entails on a mobile device, and evidence handling.

Even with this level of training, investigators should not replace forensic examiners outright in serious felony cases. A forensic examiner’s objective expertise is important to reduce the risk of confirmation bias, to ensure that the appropriate techniques were used to find all possible evidence—both inculpatory and exculpatory—and to validate the process behind finding the evidence.

Because of the deeper expertise required in mobile forensic analysis, training becomes more important, and there is a greater variety of training to choose from. This level of training delves much deeper into mobile forensic processes, including file system and physical extraction, decoding, and analysis. It should cover processes like data carving, various search and filtering techniques, and validation. And, overall, it should be designed to teach examiners how to treat forensic examination as a science.

Both certification and vendor-neutral training become important at this level, focusing on the forensic process across a spectrum of examination tools. This level of training enhances an examiner’s credibility in court, especially when qualifying as an expert witness who can talk about the scientific processes they used to obtain and interpret evidence.

Often, forensic examiners start as investigators who build up their skills gradually, earning certifications, attending more training, and performing more examinations until they reach the level of proficiency necessary to support their own and other organizations, as well as testify in court. Forensic examiners may also choose to specialize in smartphone analysis, JTAG or chip-off extraction, and other device-specific challenges.

Working out the frequency and logistics of training

Generally, recertification is necessary only every two years to stay up-to-date on the latest wireless technology, forensic collection methodology, and analytic capabilities.

For first responders and investigators, it may be necessary to conduct in-service and roll-call training more frequently. These types of training can help personnel stay fresh by offering scenarios that encourage critical thinking. They can also educate personnel on new legal requirements and on any software updates to the tools they use for extractions.

If personnel are not complying with policy and standard operating guidelines, smaller, more targeted training sessions—including one-on-one attention—may help to supplement (though they should not replace) more formal training.

Again, however, budgeting for training can be a challenge. Although refresher courses are often less expensive than initial training, delivery models other than in-class can become important. Online, on-demand, as well as web-based live training can save both time and money: personnel need not travel, and if completing courses on demand, do not need to take time out of the workweek to train.

Although online training can facilitate timely contact with instructors, as well as hands-on expertise via interactive tutorials, in-class instructor-led training does have the advantage of allowing students to interact with trainers and classmates. This can offer an especially valuable opportunity to network with people from neighboring organizations.

Above all, training should maximize an organization’s return on investment. The number of personnel who confidently use mobile forensic equipment, the number of extractions performed, and the number of cases in which mobile device evidence played a key role are among the metrics that make up this return.

With this in mind, seek out training vendors who can provide flexible delivery models together with a solid foundation in forensic process. Whatever level of extraction capability your organization requires, empowering your personnel to perform it prepares your organization to handle the mounting challenges of digital crimes and evidence.

About the Author

Christa M. Miller is the former director of mobile forensics marketing at Cellebrite. She has worked for more than ten years as a journalist, specializing in digital forensics and other high-tech topics for public safety trade magazines. Miller has a B.A. in Economics from Whittemore School of Business and Economics at the University of New Hampshire, and is based in South Carolina.
