By testing suspect computing devices on site, law enforcement can reduce forensic wait times and protect the chain of evidence.
Many modern-day criminals, such as terrorists and child pornographers, can’t avoid leaving digital footprints on their computing devices. A new tool is helping law enforcement officers find and follow the trail, even when it is camouflaged. What’s more, it works in the field, which means investigators and first responders won’t have to wait for findings to return from backlogged forensic labs before they can get preliminary results.
The tool is Dell’s Mobile Digital Forensics hardware armed with SPEKTOR Forensic Intelligence software by Evidence Talks, a digital forensics consulting firm in the United Kingdom. Investigators or first responders can carry the equipment in a single lightweight black case. Inside lies a ruggedized Dell laptop with a touchscreen interface running SPEKTOR and some mini-hard drive “collectors” used to collect and store the data to be analyzed, along with all the accessories they might need to process computers, thumb drives, memory cards, and cell phones.
Front-line personnel seek out all the suspect’s computers and plug the collectors into them at the scene. The collectors are generally configured to seek out all user file types—such as images, movies, and documents—but investigators have the ability to configure the collectors on-site to look for specific content types more granularly if necessary.
The collectors are then plugged back into the Dell laptop, which analyzes the data using the SPEKTOR software. But the data is not downloaded to the laptop; for forensic reasons, it remains on the collector at all times. Cell phones and removable digital devices such as thumb drives are plugged directly into the Dell laptop and processed by the SPEKTOR software (again, the data is never transferred).
The entire process was designed to be forensically sound so that the evidence can be used in court. It is based on the processes Evidence Talks uses in its own ISO 9001:2000-certified forensic laboratory, says Andrew Sheldon, founder and managing director of Evidence Talks.
Before every deployment, the collectors are forensically wiped of data to ensure that evidence from a prior investigation doesn’t contaminate the new investigation. “Everything we do is logged,” says Sheldon. “We can produce a log file, which records everything from the moment the collector is cleaned to the moment the report is viewed. So we can tell whether the collector was cleaned before it was deployed or not.”
And collected data is never stored on the Dell laptop; it gets stored in its own special format on the collectors to ensure that data from one investigation doesn’t taint another.
While the solution can help in many different situations, the one crime it’s perfectly suited for is finding child pornographers, says Joe Trickey, marketing brand manager for Dell Rugged and Digital Forensics. Often child pornographers know that police will search their devices for video and photo types, so they will rename all their .jpeg files something else, such as .pdf. “So that’s where we can go back and use this tool and say, ‘I want to see every file type that has been changed from its initial state,’” says Trickey.
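The renamed-extension check described above can be illustrated by comparing each file's leading signature bytes with the extension in its name. This is an added example, not SPEKTOR's code or method; the signature table, the function names and the sample files are constructed for illustration.

```python
import os
import tempfile

# Well-known leading "magic" bytes mapped to the extensions that normally carry them.
SIGNATURES = {
    b"\xff\xd8\xff": ("jpeg", {".jpg", ".jpeg", ".jpe"}),
    b"\x89PNG\r\n\x1a\n": ("png", {".png"}),
    b"%PDF-": ("pdf", {".pdf"}),
    b"PK\x03\x04": ("zip", {".zip", ".docx", ".xlsx", ".pptx", ".odt"}),  # ZIP-based containers
}

def sniff(path):
    """Return (type, expected extensions) from the file's first bytes, or None."""
    with open(path, "rb") as fh:  # read-only: the examined file is never modified
        head = fh.read(16)
    for magic, info in SIGNATURES.items():
        if head.startswith(magic):
            return info
    return None

def find_mismatches(root):
    """List (relative path, extension, detected type) where the two disagree."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            info = sniff(full)
            ext = os.path.splitext(name)[1].lower()
            if info and ext not in info[1]:
                hits.append((os.path.relpath(full, root), ext, info[0]))
    return sorted(hits)

def demo():
    """Scan a constructed sample tree; file contents are header stubs only."""
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0" + bytes(12),  # JPEG, honest name
        "invoice.pdf": b"\xff\xd8\xff\xe1" + bytes(12),  # JPEG renamed to .pdf
        "report.docx": b"PK\x03\x04" + bytes(8),          # ZIP container, expected
        "notes.txt": b"plain text, no known signature",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return find_mismatches(root)

if __name__ == "__main__":
    for path, ext, kind in demo():
        print(f"{path}: named {ext or '(no extension)'} but content is {kind}")
```

Files with no recognized signature are not flagged either way, so a check like this narrows the review set rather than clearing a device.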
In a recent incident in Plant City, Florida, the mobile solution led a child pornographer to confess his guilt. Plant City police officers confiscated the suspect’s iPhone, connected it to the mobile solution, and the SPEKTOR software revealed incriminating evidence. The solution “resulted in an immediate hands up,” says Sheldon.
In one operation, the mobile forensics solution was used at five United Kingdom airports by the Child Exploitation Online Protection (CEOP) Agency to scan passengers’ digital devices for illicit images of children. This technology is also currently in use at ports of entry around the world. It allows border agents to more quickly examine a traveler’s digital devices.
If front-line personnel find data on a device that seems pertinent to the investigation, it is sent to the laboratory for closer inspection. “It’s meant to be that front-line look,” says Trickey, “but it should never replace what you can do within a forensically sound lab.”
Sheldon compares the mobile forensics solution to a breathalyzer, “which performs sophisticated chemistry, using some sophisticated hardware, but the user just needs to know how to configure it, deploy it, and read the result.”
In the United States, this technology might address issues that civil liberty advocates have raised regarding searches of travelers’ digital devices at ports of entry, says Sheldon. For example, The Constitution Project notes in a report it issued in May that these searches can lead to traveler delays and device confiscations, leaving innocent travelers fighting to get their devices back from Customs and Border Protection. With this equipment, border agents would no longer have to seize the computer to examine it, he says. “They can do a review within an hour and give the user back his data when it’s a negative result.”
Jim Dempsey, vice president for public policy at the Center for Democracy and Technology, says this technology could produce benefits for travelers crossing international borders by reducing the possibility their laptop could be seized and held by border agents. He is concerned, however, that it could lead police to overreach and search the suspects’ digital devices without a warrant after a lawful arrest. The courts are currently split, he said, on whether police need a warrant to search a suspect’s digital device obtained in the course of an arrest. Dempsey believes the Fourth Amendment is clear: a search warrant is necessary.