Many modern-day criminals, such as terrorists and child pornographers, can’t avoid leaving digital footprints on their computing devices. A new tool is helping law enforcement officers find and follow the trail, even when it is camouflaged. What’s more, it works in the field, which means investigators and first responders won’t have to wait for findings to return from backlogged forensic labs before they can get preliminary results.
The tool is Dell’s Mobile Digital Forensics hardware armed with SPEKTOR Forensic Intelligence software by Evidence Talks, a digital forensics consulting firm in the United Kingdom. Investigators or first responders can carry the equipment in a single lightweight black case. Inside lies a ruggedized Dell laptop with a touchscreen interface running SPEKTOR, several mini hard-drive “collectors” that capture and store the data to be analyzed, and all the accessories needed to process computers, thumb drives, memory cards, and cell phones.
Front-line personnel seek out all the suspect’s computers and plug the collectors into them at the scene. The collectors are generally configured to seek out all user file types—such as images, movies, and documents—but investigators have the ability to configure the collectors on-site to look for specific content types more granularly if necessary.
The collectors are plugged back into the Dell laptop, which analyzes the data using the SPEKTOR software. But the data is not downloaded to the laptop; for forensic reasons, it remains on the collector at all times. Cell phones and removable digital devices such as thumb drives are plugged directly into the Dell laptop and processed by the SPEKTOR software (again the data is never transferred).
The entire process was designed to be forensically sound so that the evidence can be used in court. It is based on the processes Evidence Talks uses in its own ISO 9001:2000-certified forensic laboratory, says Andrew Sheldon, founder and managing director of Evidence Talks.
Before every deployment, the collectors are forensically wiped of data to ensure that evidence from a prior investigation doesn’t contaminate the new investigation. “Everything we do is logged,” says Sheldon. “We can produce a log file, which records everything from the moment the collector is cleaned to the moment the report is viewed. So we can tell whether the collector was cleaned before it was deployed or not.”
And collected data is never stored on the Dell laptop; it gets stored in its own special format on the collectors to ensure that data from one investigation doesn’t taint another.
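The two controls described above, a log that records a collector's life cycle from wipe to report and evidence that a collector was cleaned before deployment, can be checked mechanically. The following is an added illustration, not SPEKTOR's or Evidence Talks' code; the event names, fields, collector IDs and timestamps are constructed for the example, and the hash chain is one common way to make such a log tamper-evident.

```python
import hashlib
import json

# Constructed sample event stream for two collectors, in logging order.
# Event names and fields are assumptions for illustration, not SPEKTOR's format.
SAMPLE_EVENTS = [
    {"collector": "C-01", "event": "wiped", "ts": "2011-09-01T08:00:00Z"},
    {"collector": "C-01", "event": "deployed", "ts": "2011-09-01T09:15:00Z"},
    {"collector": "C-01", "event": "collected", "ts": "2011-09-01T09:40:00Z"},
    {"collector": "C-01", "event": "report_viewed", "ts": "2011-09-01T11:05:00Z"},
    {"collector": "C-02", "event": "deployed", "ts": "2011-09-01T09:20:00Z"},
    {"collector": "C-02", "event": "collected", "ts": "2011-09-01T09:50:00Z"},
]


def build_chain(events):
    """Return log entries; each hash covers the entry's payload and the previous hash."""
    entries, prev = [], "0" * 64
    for ev in events:
        payload = json.dumps(ev, sort_keys=True)
        digest = hashlib.sha256((prev + payload).encode()).hexdigest()
        entries.append({"prev": prev, "payload": payload, "hash": digest})
        prev = digest
    return entries


def verify_chain(entries):
    """True only if no entry was edited, removed or reordered since the chain was built."""
    prev = "0" * 64
    for e in entries:
        if e["prev"] != prev:
            return False
        if hashlib.sha256((prev + e["payload"]).encode()).hexdigest() != e["hash"]:
            return False
        prev = e["hash"]
    return True


def collectors_wiped_before_deploy(entries):
    """Map each collector ID to whether a 'wiped' event precedes its first 'deployed' event."""
    wiped, result = set(), {}
    for e in entries:
        ev = json.loads(e["payload"])
        cid = ev["collector"]
        if ev["event"] == "wiped":
            wiped.add(cid)
        elif ev["event"] == "deployed" and cid not in result:
            result[cid] = cid in wiped
    return result
```

On the sample data the chain verifies, collector C-01 shows a wipe before deployment and C-02 does not, which is exactly the question Sheldon says the log must answer.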
(Excerpted from "Tracking Digital Footprints in the Field?," Security Management, September 2011.)
photo by Max Klingensmith/flickr