By Mark Bowser, Computer Crime Specialist, National White Collar Crime Center, Fairmont, West Virginia; Ben Lewis, Computer Crime Specialist, National White Collar Crime Center, Fairmont, West Virginia; Jan Fuller, Computer Forensic Investigator, Redmond Police Department, Washington; and James Emerson, Chair, IACP Computer Crime and Digital Evidence Committee, and Senior Vice President, ICG Incorporated, Princeton, New Jersey
Name one major crime that has nothing to do with digital evidence. This is a difficult task, since digital media has entered every aspect of modern life, including the lives of criminals.
Even the most mundane activities are touched by digital media. Some of them are obvious, such as visiting an ATM or using a global positioning system (GPS) device to get directions to a destination. Others are more subtle, such as being filmed on digital cameras while walking the aisle of a local grocery store, or paying for gas through a credit card transaction. These are just a few examples of how people are exposed to, use, and are tracked with digital media.
How much does digital media affect people? Consider a typical day:
When people get up in the morning, they typically turn on their cell phones, alerting the cellular network that they are now capable of sending or receiving phone calls. They log in to their office computers, make purchases online, or use search engines to find answers to questions.
At lunch, they program their smartphones’ GPS applications to locate new restaurants. On their way back to the office, they use their phones again to look up afternoon appointments. They check their emails, and some update their statuses on social networking sites to let others know that they are looking forward to the end of the workday.
On the way home from work, they call home to ask what items are needed for dinner; all the while, their travels are being recorded from one cell phone tower to the next. At home, they settle in for their nightly rests, but only after they answer a few personal emails or watch movies downloaded from some known or unknown vendor on the Internet.
Modern society has become reliant on digital media, and police agencies are no exception. Much of law enforcement has transitioned to paperless reports. Dispatch conversations are digitally recorded, and patrol cars have laptop computers installed in them to provide officers a broader communication network.
Criminals are no different. They also are dependent on digital media, and they use the same smartphones and computers in their everyday lives as law-abiding citizens and law enforcement. Consider the following scenario:
A local law enforcement agency’s gang investigation leads investigators to obtain and execute search warrants at multiple locations for drugs and weapons. Investigators notice gaming consoles are present at both locations. The consoles are powered on, and a chat window is open showing what appear to be messages regarding the gang’s criminal activities. A gang member subsequently admits that members use the online gaming network to communicate with gang members because they feel it provides less risk of monitoring by local and state law enforcement.
Investigators from a small, local agency are immediately confronted with the following questions:
- How should these devices legally be seized and examined?
- Does the local agency have a policy for preservation of these appliances?
- Does the agency’s one trained forensic examiner have competency with game consoles?
- Does the agency’s small lab have appropriate hardware and software for forensic acquisition and examination of the game consoles?
- Is there an appropriate expert at a regional lab or a neighboring agency who can assist?
- What data will be retained or lost if the device is powered off?
- Is it appropriate to involve the manufacturer or the operator of the online game network?
- How do investigators contact a trustworthy and appropriate expert to provide a preservation letter or a subpoena regarding evidence contained on their network?
This scenario could easily involve smartphones, GPS devices, electronic book readers, tablet computers, or countless other computing appliances in addition to the industry-standard laptop or desktop computers. Each of these may require unique forensic skills and tools to legally and effectively preserve and examine evidence that is critical to a criminal prosecution, or to exigent circumstances in which life must be protected.
Many law enforcement executives may not be surprised by this scenario, as they and their agencies are immersed in the use of technology daily. In an era where resources available to public safety are diminishing, however, increasing amounts of technology and associated digital evidence must be addressed by officers at all levels. It is essential that each agency clearly understand existing capabilities and skills needed to provide police services for their jurisdictions in the information age.
In 2001, the National Institute for Justice conducted a study to assess the needs of state and local law enforcement agencies in this area and found a growing gap between need and capability. This article postulates that every law enforcement agency would benefit from local assessment of capabilities, skills, tools, and processes necessary to identify, preserve, and examine digital evidence legally and effectively. Consider, for example, the National White Collar Crime Center (NW3C) notional model (see figure 1).
Figure 1: NW3C Notional Digital Evidence Capabilities Model
People have established their social reliance on digital devices and media, and this creates challenges for law enforcement in responding to and investigating crime. How should law enforcement respond? First and foremost, it is imperative to recognize what items can—and often do—contain digital evidence.
Once officers are able to correctly recognize digital media or devices, they should then develop an understanding as to what evidence of criminal activity could be contained on the media or devices, how to protect evidence from contamination, and how to properly package and transport those items. Frontline officers should have the skills and tools necessary to conduct a preview of data on a computer system, allowing a cursory look at a victim’s or a suspect’s computer without adding or changing any data on it.
Law enforcement detectives often hear from digital evidence forensic examiners that the turnaround time for processing digital evidence could be a month, if not years, and that these specialized units are difficult and expensive to staff and maintain. What can be done?
The most efficient way to improve performance is by providing the first tier of training to frontline patrol officers (see figure 1). This training should specifically aid officers with identifying what digital media is and what could contain something of evidentiary value in a criminal or civil proceeding. It should also teach how to properly seize those items without destroying the evidence, as well as what procedures should be used to process this evidence to garner investigative information, including how to triage or preview digital media or devices.
By educating frontline officers on how to conduct an onsite preview of digital media, law enforcement executives can empower officers to determine what steps need to be taken next. Make an arrest? Obtain a search warrant and seize the digital media for further forensic examination? Clear the case because of no evidence of criminal activity? Any of these are possibilities.
The second tier to consider is a less broad group consisting of investigators or crime scene processors who already have experience or training on identifying, seizing, triaging, and previewing digital media without losing its evidentiary value.
This tier learns more intermediate skills, such as how to create a forensic image (that is, an exact duplicate of the original media containing all data, including deleted and unallocated files) and how to conduct a live image capture. Live imaging is becoming increasingly relevant with the increased use of encryption by the public. If digital media is encrypted and the device or media holding it is powered off, there is a strong likelihood that no usable data can be obtained for analysis or investigative leads.
Once a forensic image is created, the image can then be used by a third tier of personnel to conduct a complete exam and an analysis of a digital device or media for use in a court proceeding.
The third tier is the most defined group of personnel, identified by their aptitude, extensive knowledge, and desire to process digital media.
Staff members involved in this third tier need advanced training to include conducting advanced examinations and analysis of all types of digital devices and media (for example, cell phones, GPS devices, home computers, computer servers, and web-based storage and other storage devices, including game consoles). This group will be the most expensive to train, and the equipment and software needed could be cost prohibitive for an agency. There are, however, outside resources at agencies’ disposal, such as federal grants, educational institutions, and private partners.
Personnel trained in the tier one and tier two areas should reduce the case workload of the tier three examiners, which in theory will reduce the turnaround time of processing digital forensic cases.
No matter how an agency chooses to tackle digital forensics, a variety of resources are available, depending on the agency’s location. These include fusion centers, regional computer forensics laboratories, task forces, and jurisdictions with their own examiners.
The key to law enforcement’s response to digital evidence is training. There are plenty of free or low-cost training programs that offer many of the tier one, tier two, and tier three courses, including SEARCH Group, Incorporated; the International Association for Computer Information Systems; the Federal Law Enforcement Training Center; the High Technology Crime Investigation Association; and the NW3C. With the emphasis on digital evidence–related investigations, it is important that agencies develop complementary relationships with members of the prosecution staff by encouraging their participation in the development and learning experience of their personnel. When prosecutors take even a basic digital evidence class, they come away with a greater understanding of how much information must be processed for just one case.
Digital devices and media are a part of everyone’s social, professional, and personal lives. Digital evidence is just another form of evidence that can be found at the scene of any crime and can be the basis of an investigation. With the rising cost of managing a police department and the drastic reduction of primary budget sources that many agencies are experiencing, it is time to reassess local capabilities and look at a more comprehensive training model that will aid and streamline the investigation and conviction of wrongdoers without breaking a department’s budget.
The IACP recently formally established the Computer Crime and Digital Evidence (CCDE) Committee, which previously operated as an ad hoc subcommittee of the Private Sector Liaison Committee. The mission of the CCDE Committee is to “strengthen law enforcement capabilities to prevent, investigate, and prosecute information-age crimes involving digital technologies and evidence; promote expert collaboration among agencies, government, businesses, and academia; identify resource needs; advocate for enhancements and sharing; and advise association leadership and members.” James Emerson, one of the authors of this article, is chair of the IACP CCDE Committee.
Please cite as:
Mark Bowser et al., "Computer Crime and Digital Evidence: What Every Police Chief Should Know," Technology Talk, The Police Chief 78 (June 2011): 84–85.