Models in Collaborative and Distributed Digital Investigation In the World of Ubiquitous Computing and Communication Systems

Michael Losavio, Deborah Keeling and Michael Lemon

Abstract Ubiquitous computing and communication systems produce ubiquitous electronic evidence of use in many disciplines. For law enforcement, the use of digital evidence has expanded beyond electronic child exploitation materials into other traditional areas of criminal justice, including homicide, robbery and narcotics trafficking. This expanded utility is also available to any information community in need of historical data. But the growth in the distribution and volume of this information and its storage media create challenges for collection and the validation of reliability. Several ad hoc and distributed models for investigative process may assist both law enforcement and the curation and archival communities. We examine and discuss the data from these models and the future of distributing digital forensic expertise for broad use.

Authors Michael Losavio teaches on computer engineering and criminal justice issues at the University of Louisville and has taught in Egypt and Mexico. His J.D. is from Louisiana State University.

Dr. Deborah Keeling received her Ph.D. from Purdue University in sociology and is chair of the Department of Justice Administration of the University. Her research interests are in democratic policing in Europe and Asia and electronic crime.

Michael Lemon is a detective for the Bowling Green (Ky) Police Department and a M.S. student in digital forensics at the University of Central Florida.

1. Introduction

Ubiquitous computing permeates the world. The number of cell phones exceeds the U.S. population.1 With the proliferation of digital technology comes a commensurate growth in transactional and content-related electronic information. This creates unprecedented opportunities for the collection of electronic evidence.2 Criminologist James Allen Fox of Northeastern University attributes, in part, the 2011 decline in violent crimes in the United States to improvements in digital investigation and electronic surveillance.3 Issues of digital investigation are not confined to criminal justice. One survey of divorce attorneys of the American Academy of Matrimonial Lawyers found that two-thirds of members used the social networking site as a primary source of digital evidence for divorce proceedings; the strong majority noted an increase in the use of such evidence over the past several years.4 And this extends far beyond criminal investigations into civil forensics, data analytics and, indeed, the ways needed to preserve and validate the memory of the world for future generations. Duranti,5 Endicott-Popovsky and others have explored the application of digital forensics to the “born-digital” world as a crucial domain for preserving truth in an electronic world. Kirschenbaum, Ovenden and Redwine have systematically addressed the relationship of digital forensics and born-digital data for cultural heritage.6 Digital forensic systems could solve key issues facing archivists with electronic information, such as data recovery and discovery, authentication and accessioning. Yet there are shared challenges across all of these disciplines for the effective use of digital forensics in a world of ubiquitous computing. The responses of the law enforcement community may aid all disciplines in meeting them.

1 Kang, Cecilia, “Number of cellphones exceeds U.S. population: CTIA trade group,” Washington Post Tech Blog, October 11, 2011, http://www.washingtonpost.com/blogs/post-tech/post/number-of-cell-phones-exceeds-us- population-ctia-trade-group/2011/10/11/gIQARNcEcL_blog.html (accessed December 20, 2011)
2 It also presents an unprecedented means of automated surveillance of citizens, an issue of civil liberties and authoritarian oppression of greater and greater importance.

Law enforcement digital forensics needs have grown with the ubiquity of electronic evidence associated with all types of criminal investigations. Many investigators now look for digital evidence in any case. Whether through training, conversations with other investigators or television, use of digital evidence is becoming more and more common in police work. Officers now seek digital evidence as they would surveillance videos, fingerprints and DNA. One fetal abduction/murder investigation shows the value of digital forensics to any investigation.7 The female suspect presented to the local emergency room with a newborn child. When she was examined, the ER staff noticed the infant had organs attached that should still be in the mother if the mother were still alive. This led to an investigation of what actually occurred. The examination of the suspect’s computer and cell phone found a scheme to acquire an infant. Evidence from the computer showed contacts with several pregnant females on social media sites and searches of the Internet for how to do a home delivery of a baby. She claimed to help single mothers during their pregnancy. One person seemed to have more contact with the suspect than others; this person and the suspect talked about meeting on the day of the suspect’s “delivery.” The suspect’s cell phone contained the digital trail from that point. Text messages between the pregnant female and the suspect showed her planning to pick up the female and take her shopping for baby clothes. After the planned time to meet, the texting goes quiet for two hours. The suspect then texts her husband pictures of her new baby which she “delivered” in her vehicle.

3 Barrett, Devlin, “Crime Down Across Nation,” Wall Street Journal (Online) [New York, N.Y.] 20 Dec 2011
4 Margaret M. DiBianca, Ethical Risks Arising from Lawyers’ Use of (and Refusal to Use) Social Media, 12 Del. L. Rev. 179, 183 (2011) (citing Am. Acad. of Matrimonial Lawyers, Big Surge in Social Networking Evidence Says Survey of Nation’s Top Divorce Lawyers, (Feb. 10, 2010)).
5 Duranti, Luciana, “From Digital Diplomatics to Digital Records Forensics”, Archivaria 68 (Fall): 39-66 (2009); Duranti, Luciana and Endicott-Popovsky, “Digital Records Forensics: A New Science and Academic Program for Forensics Readiness,” 5 Journal of Digital Forensics, Security and Law 2 (2010)
6 Matthew G. Kirschenbaum, Richard Ovenden, Gabriela Redwine (research assistance from Rachel Donahue), Digital Forensics and Born-Digital Content in Cultural Heritage Collections, Council on Library and Information Resources, December 2010, http://www.clir.org/pubs/abstract/reports/pub149 (accessed July 23, 2012)
7 Barrouquere, Brett, “Kentucky woman sentenced for death of expectant mom,” Associated Press, http://www.kentucky.com/2012/03/02/2091640/kentucky-woman-sentenced-for-death.html (accessed August 24, 2012)

Eventually she confessed and showed where she had immobilized the victim, bound her and removed the baby from the victim’s abdomen. The digital evidence identified the victim, confirmed that the suspect was not pregnant, located the victim and showed premeditation. This case demonstrates how digital evidence can be interwoven into the fabric of most types of criminal investigation.

But the time, funding or access needed for a thorough digital forensics examination are concerns in all cases, whether for law enforcement or civil authorities. A two-tier technical problem continues to create backlogs in examinations despite the ever-increasing power of forensic computers. Without a solution to these problems, forensic examinations will face continuing challenges as to resources. First, the increase in the average size of hard drives in the typical digital case is outpacing the speed and processing power of the forensic computers.8 What was considered an extra-large hard drive a few years ago now comes standard on most computers, but the power of computer processors and their ability to examine more data in less time has failed to grow at a similar rate. Any benefit a new forensic computer gives the examiner in its ability to process more data at a faster rate may be lost to new, larger hard drives that take longer to process. The second issue has been the proliferation and ubiquity of mobile devices. A few years ago a typical case contained one computer and, perhaps, some type of external media. Now the average adult has more than one type of electronic device; a typical case contains multiple items such as a laptop computer, cell phone, tablet computer and related media. Each cell phone may potentially be broken down into three pieces of evidence: the cellular device, a SIM card and an SD card. Each item can contain data and must be examined separately. A cellular device overall could have up to 64 GB of data stored locally and 32 GB stored on the external media; the cell device examination alone may address 100 GB of information.

Various models of collaborative and distributed digital investigation have been discussed and implemented for addressing this growth in ubiquitous electronic evidence. One example is the Regional Computer Forensic Laboratory (RCFL) program of the United States Federal Bureau of Investigation (FBI), involving regional collaborations of the FBI with state, regional and local law enforcement to provide centralized, highly trained digital forensic services. The laboratories are designed to provide centralized access to expertise and services in digital forensics. Yet as the demand for digital forensic services has grown, so has the need to develop and expand such expertise to local agencies. The Internet Crimes Against Children (ICAC) program9 and the Secret Service National Computer Forensic Institute program10 for local law enforcement are other models for distributing digital investigative expertise to local law enforcement agencies for their home implementation. Two RCFLs have experimented with hybrid models that provide distributed digital forensics expertise and tools to local law enforcement agencies supported with the high-level expertise of the RCFL:

1. The FBI’s Kentucky Regional Computer Forensics Laboratory11 and the University of Louisville have implemented and are monitoring a distributed digital forensics mini-lab project linked to the state RCFL and using a triage model to allocate resources to cases;

8 Beebe, Nicole Lang, and Jan Guynes Clark (2005) "Dealing with Terabyte Datasets in Digital Investigations," Research Advances in Digital Forensics, M. Pollitt and S. Shenoi (eds.), Springer, Norwell.
9 FVTC Internet Crimes Against Children Training and Technical Assistance Program, http://www.icactraining.org/ (accessed August 25, 2012)
10 National Computer Forensic Institute, Class Schedule, http://www.ncfi.usss.gov (accessed August 25, 2012)
11 http://www.krcfl.org/ (accessed August 25, 2012)

2. The FBI’s Kansas City Heart of America Regional Computer Forensics Laboratory, working with forensics software vendor Susteen,12 has implemented a “Virtual Cell Phone Kiosk” program13 that provides local law enforcement statewide access to a shared pool of cell phone forensic software licenses for device analysis.

These initiatives have developed in an environment of financial stress on law enforcement. Both criminal justice and civil litigators use various ad hoc means within the rules of evidence and the rules of criminal procedure and civil procedure to exploit digital evidence. Some of these methods have led to disturbing results, such as in the Julie Amero prosecution by the State of Connecticut,14 but may also be found to have sufficient indicia of reliability.15 Review of all these within the context of an evidence regime can help better measure the key issues of reliability and direct the appropriate use of resources. This is true whether for the evidence regime of the United States, Korea or international tribunals.16

2. The Evidentiary Continuum

2.1 Evidence across a continuum and foundations for reliability

Rules of evidence serve a gatekeeper function to assure a floor of reliability. After that, it is left to a finder of fact, whether judge or jury, to assign a particular weight to the evidence and, considering all the evidence together, make factual conclusions to a legally required level of certainty. Digital evidence must meet those requirements of “weight” and probable certainty, though it is important to distinguish the levels of certainty needed for different parts of the justice process. The reasonable suspicion and probable cause requirements for, respectively, an investigative stop and a search/arrest warrant are at the low end of the probability scales. As Carrier has noted, digital evidence may initially be used at that lower probability to obtain a search warrant that itself secures the evidence needed to prove guilt to a higher level of certainty.17 For criminal prosecutions in the United States, that higher level is defined as “beyond a reasonable doubt;” for civil actions it is defined as “more likely than not.” The requirements to establish that basic floor of reliability vary with certain types of evidence. Three categories of particular interest to digital investigations are lay evidence, technical evidence and scientific evidence. These are important distinctions, as each requires a higher level of validation, and digital evidence may be found in each of these categories. Use requirements for this type of evidence may vary with jurisdiction.18

12 http://www.mobileforensics.com/ (accessed August 25, 2012)
13 See www.harcfl.org/Downloads/Documents/harcfl_virtual_cpik_flyer.pdf (accessed August 25, 2012)
14 Cringely, Robert X., “The Julie Amero Case: A Dangerous Farce,” Infoworld, December 2, 2008, http://www.pcworld.com/businesscenter/article/154768/the_julie_amero_case_a_dangerous_farce.html (accessed August 23, 2012)
15 United States v. Ganier, 468 F.3d 920 (6th Cir. 2006)
16 Browne, M., Williamson, C., Barkacs, L., The Perspectival Nature of Expert Testimony in the United States, England, Korea, and , 18 Conn. J. Int'l L. 55 (Fall, 2002); U.N. Doc. IT/32/Rev.7, Part 6, Section 3, Rules of Evidence, Rule 89, (1996), International Criminal Tribunal for the former Yugoslavia, Rules of Procedure and Evidence, entered into force 14 March 1994, amendments adopted 8 January 1996.
17 Carrier, Brian, File System Forensic Analysis, Addison Wesley 2005
18 Imwinkelried, E. P., Giannelli, P., Scientific Evidence, (2007) 4th Ed., pg 2, fn 1, Matthew Bender and Co., San Francisco, California

This distinction as to digital evidence was first enunciated by one federal court of appeals in the financial prosecution United States v. Ganier.19 The Court observed that “…the categorization of computer-related testimony is a relatively new question,” and found that a digital forensic examiner’s analysis and conclusions from Windows Registry data required special knowledge of computers and forensic software “well beyond that of the average layperson.” This testimony was of “scientific, technical or other specialized knowledge,” not lay witness evidence, and required compliance with the relevant rules of evidence and procedure to assure those conclusions were reliable. Digital forensic examinations that require the application of special knowledge to draw factual conclusions fall within this domain. When challenged, the witness must be able to establish the reliability per FRE 702. What sometimes is conflated is that expertise with particular forensic tools may be used to locate evidence, but the fact of the evidence itself is not a conclusion based on that special knowledge. That testimony, such as to the presence of digital contraband, is lay fact witness testimony. The expert evidence may lie elsewhere, such as in an analysis of Registry data leading to the conclusion that the digital contraband or digital evidence was created at a particular time or date via a particular mechanism. It is important to separate issues relating to technical systems that find evidence from technical systems that produce conclusions that themselves are evidence and must meet the standards of FRE 702. Further, technical expert evidence and scientific expert evidence may be separate domains that also become conflated. These distinctions may be seen in comparing digital forensics as generally practiced and computational forensics, where computing systems are used to derive factual conclusions in a variety of areas.

Digital forensics systems generally serve to find evidence, acting as pointers to that which is presented to the forum. Computational forensic systems, such as information retrieval or data mining tools, may similarly point to the actual evidence. But they may also derive conclusions, such as to chemical or genetic composition, where the conclusions are the evidence.

Lastly, rules of procedure, or how a forensic inquiry proceeds in a court of law, differ in civil actions from criminal prosecutions and differ from one jurisdiction to the next. Criminal prosecutions place a greater burden on the prosecution in that it must establish the entirety of its case on its own. Civil actions permit the parties access to each other so as to ease the burden of proving the facts at issue; they also permit greater sanctions where one party fails to cooperate in the fact-finding process. For digital investigations, parties in civil proceedings may, in effect, be able to require the opposing party to help establish facts at issue relating to digital evidence or face sanctions for not doing so. But in criminal matters, the prosecution must usually carry that burden in its entirety.

3. Review of Distributed Models

3.1 U.S. F.B.I. Regional Computer Forensic Laboratory (RCFL)

The Regional Computer Forensic Laboratory (RCFL) program of the United States Federal Bureau of Investigation (FBI) promotes regional collaborations of the FBI with state, regional and local law enforcement to provide centralized, highly-trained digital forensic services. The federal government provides funding for the regional facilities and training for staff; in turn, state and local agencies staff the laboratories. The facilities meet classified standards and are equipped with digital forensic systems vetted by the FBI. Staff are trained to FBI standards for the examinations of devices. In turn, the RCFLs accept cases from their service area agencies for analysis in both federal and state prosecutions. The RCFLs also offer examination facilities, particularly cell phone kiosks, for local officers to use as they bring devices to the labs and examine the devices themselves.

19 United States v. Ganier, 468 F.3d 920 (6th Cir. 2006)

3.2 Internet Crimes Against Children (ICAC) program

The Internet Crimes Against Children (ICAC) program20 distributes digital investigative expertise through specialized training and support for state task force development. It is a national collaboration of 61 task forces representing over 2,000 federal, state and local agencies. The focus is on cyber enticement and child pornography cases and is a response to the growth in children and teenagers using the Internet. The Office of Juvenile Justice and Delinquency Prevention asserts that, since 1998, ICAC has supported investigative training for more than 338,000 officers in the U.S. and 17 countries and its Task Forces have been involved in the arrest of more than 30,000 individuals.

3.3 U.S. Secret Service

The Secret Service training and equipment program for local law enforcement is coordinated through its National Computer Forensics Institute.21 The NCFI provides classrooms, a mock court, a computer forensic laboratory and other facilities for training state and local law enforcement from across the United States. Its programs range from several days to several weeks in length and its topics from basic computer evidence collection to network intrusion response. Travel, lodging, per diem and training expenses are all paid by the NCFI, making its programs available even to police departments in financially-challenged jurisdictions. After the training, law enforcement officers are given the equipment, software, toolkits and manuals for conducting computer and electronic forensic examinations. The NCFI program also includes prosecutors and judges in its training program, creating a broad, coherent expertise on computer forensic and digital evidence issues within the system of criminal justice in the U.S. These programs have served key roles in distributing expertise and, with the FBI program and ICAC Task Forces, offering central support for ongoing activity.

4. New Collaborative and Distributed Models

4.1 Kentucky Regional Computer Forensics Laboratory - University of Louisville Digital Mini-Lab Project

The University of Louisville has implemented and monitors a distributed digital forensics mini-lab project linked to the Kentucky RCFL and using a triage model to allocate resources to cases. This project established and supports digital forensics “triage” stations around Kentucky as part of a larger effort by the Kentucky Regional Computer Forensics Laboratory (KRCFL) and the University of Louisville to make computer forensics more easily available to law enforcement in Kentucky, with no law enforcement agency in the state more than 90 minutes from a facility. While the triage sites or “mini-labs” collaborate with the Kentucky Regional Computer Forensics Lab, they are not organizationally linked with the RCFL program of the FBI and are funded through a grant from the U.S. Department of Justice, COPS Technology Program. Participating agencies include the Bowling Green, Kentucky Police Department, the Owensboro, Kentucky Police Department, the Paducah, Kentucky Police Department, all in western Kentucky, and the Ashland, Kentucky Police Department and the Kentucky State Police, Frankfort, Kentucky, through its posts in Hazard, Kentucky (Hazard Post 13), Pikeville, Kentucky (Pikeville Post 9), , Kentucky (London Post 11) and Morehead, Kentucky (Morehead Post 8), all in eastern Kentucky. These agencies agreed to collaborate to expand the capacity for handling electronic evidence in order to enhance public safety in the Commonwealth of Kentucky. Each participating agency or agency division provides:

1. A secure space with utilities for the location, operation and use of the hardware/software systems;
2. A detailed employee, sworn or unsworn, to be trained and use the systems;
3. Information on other employees to be trained in these forensic techniques; and
4. Availability to accept some cases from other jurisdictions in their use of digital evidence.

20 Internet Crimes Against Children Program, Office of Juvenile Justice and Delinquency Programs, U.S. Department of Justice, http://www.ojjdp.gov/programs/progsummary.asp?pi=3 (accessed December 20, 2011); FVTC Internet Crimes Against Children Training and Technical Assistance Program, http://www.icactraining.org/ (accessed December 20, 2011)
21 United States Secret Service, National Computer Forensics Institute, http://www.ncfi.usss.gov/ (accessed December 20, 2011)

The University of Louisville and KRCFL provide:

1. A digital forensics examination system of computer hardware;
2. A digital forensics suite of examination software (AccessData’s FTK and MPE suites);
3. A connection to the DCAP network linking each facility to the KRCFL in Louisville;
4. Training on these systems and software; and
5. Ongoing support from the KRCFL staff.

This project is built around a triage model for computer/digital device examinations, with standard examinations being handled locally and highly-technical problems being handled by the KRCFL.

4.2 Operational Protocols for the Minilab Model

The KRCFL minilab model requires adherence to a set of rules, the protocols of the participating agencies, to build a collaborative network covering the entire state. Those are:

Protocol 1 – relating to a secure space with utilities for the location, operation and use of the hardware/software systems

The equipment, software, documentation and any evidence are maintained in a secure, locked space with utilities for the location, operation and use of the hardware/software systems; this is provided by the Examining Agency at its own expense. Individuals not trained in forensic examination shall not use the machines, although they may observe operations and use of the machines under the supervision of a trained examiner. The equipment and software may not be used for any purposes other than the forensic examination of evidence.

Protocol 2 – relating to detailed employees, sworn or unsworn, to be trained and use the systems

The examining agency may use any employee of the department, sworn or unsworn, to conduct computer forensic examinations once that employee has undergone the basic training for such examinations, including FTK training. It will not allow untrained employees to use the equipment for any purpose and will not allow trained employees to use the equipment for any purpose unrelated to official law enforcement purposes.

Protocol 3 – relating to availability and acceptance of and reports on cases, including those from other jurisdictions in support of law enforcement’s use of digital evidence

Examinations of evidence from case agents of the examining agency shall be processed according to the investigative and reporting procedures of the examining agency, subject to the data collection requirements of UOL that the examining agency quarterly provide, among other information, copies of log sheets, Form A (the Service Request Form) and Form B (the Preliminary Examination results form), for its cases where examinations for electronic evidence were conducted by the examining agency using equipment, training or other resources provided under this project. The examining agency, at its discretion, will accept digital evidence for examination from agencies in its own and other jurisdictions subject to the availability of resources and compliance of the submitting agency with these protocols and the requirements of the examining agency. Examinations of evidence from case agents of other submitting agencies shall be conducted as follows:

4.2.1 Contact prior to submission

Prior to presenting evidence for examination, a submitting agency will contact the examining agency and schedule a date and time for an examination of the evidence to be done in the presence of the submitting agency’s case agent.

4.2.2 Submission

All items submitted for evidentiary examination must be accompanied by a completed Service Request Form that includes information and documentation of:

a. Documentation of legal authority to search
b. Submitting agency information
c. Services requested
d. Incident/Suspected Criminal Activity
e. Items to be searched

4.2.3 Acceptance procedures

Upon completion of the submission requirements, acceptance of the case for examination by the examining agency and scheduling of a review appointment, the submitting agency’s case agent will transport the evidence items to the receiving agency for review. The case agent will keep the items in his or her custody during the examination, unless the examining agency, at its discretion, determines otherwise in order to conduct the examination. Each accepted case is logged on a sheet detailing: submitting agency, submitting case agent, item, time, date, receiving examiner, summary of exam results and time/date of release of the item to the case agent.


4.2.4 Examination

The examiner will conduct the examination in the presence of the case agent unless otherwise noted. Upon completion of the examination the examiner will complete the Preliminary Examination form, Form B, and provide it to the case agent, with a copy for the examiner’s file and a copy to be reported to UOL. That report shall detail:

a. Person/agency submitting evidence
b. Process for preserving evidence
c. Process for examining evidence
d. Results of examination
e. Verification by and of examiner
f. Disposition of the evidence.

Where another agency has submitted evidence for examination, the receiving department may require the custodian of the submitting agency to be present during the examination and to receive back the evidence upon completion of the examination. The submitting agency is responsible for submitting suspected contraband to the National Center for Missing & Exploited Children's Child Victim Identification Program (CVIP).

4.2.5 Special Circumstances

Where it appears the examination may require deposit of the evidence with the examining agency, that agency decides at its discretion whether or not to accept custody of that evidence and shall comply with standard procedures for the preservation of the chain of custody and evidentiary integrity of that evidence. The examining agency may choose to make a mirror-image, bit copy of the submitted evidence, with custody remaining with the submitting agency, and conduct its examination on the bit copy. The submitting agency should acknowledge that the examining agency has no obligation to retain the bit copy and that it remains the submitting agency’s responsibility to preserve its evidence. Where the examining agency finds additional issues relating to the evidence it may refer the submitting agency to the KRCFL or KSP for further examination.
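The bit-copy arrangement above only preserves evidentiary integrity if the copy is shown to match the original and that match is recorded with the case. The following is an added Python illustration of that check, not code from the paper or the KRCFL project: it images a constructed sample "device" to a working copy, hashes the original before and after imaging and the copy itself, and writes the result into a log record using the 4.2.3 log-sheet and Form B fields. The agency, agent, examiner and timestamp values are constructed placeholders.

```python
"""Added illustration: image submitted evidence to a working bit copy, verify
the copy by hashing, and record the fields the KRCFL log sheet and Form B
name (submitting agency, case agent, item, receiving examiner, preservation
process, verification, results, release). All agency, agent and timestamp
values below are constructed placeholders, not real case data."""
import hashlib
import io
from datetime import datetime, timezone

CHUNK = 1 << 16  # 64 KiB per read so large images are hashed as a stream

# Constructed stand-in for a seized device's contents (not real evidence).
SAMPLE_DEVICE = b"constructed sample evidence image; not real data\n" * 4096


def stream_hash(stream, algorithm="sha256"):
    """Hash a seekable binary stream from its start; returns the hex digest."""
    stream.seek(0)
    digest = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        digest.update(chunk)
    return digest.hexdigest()


def hash_bytes(data, algorithm="sha256"):
    """Convenience wrapper: hash an in-memory byte string the same way."""
    return stream_hash(io.BytesIO(data), algorithm)


def bit_copy(source, destination):
    """Copy every byte of source into destination; returns bytes written."""
    source.seek(0)
    destination.seek(0)
    written = 0
    for chunk in iter(lambda: source.read(CHUNK), b""):
        destination.write(chunk)
        written += len(chunk)
    destination.truncate(written)
    return written


def acquire_and_verify(source, destination):
    """Make the bit copy and check it three ways: hash of the original before
    imaging, hash of the copy, and hash of the original after imaging (the
    last shows the submitting agency's evidence was not altered)."""
    before = stream_hash(source)
    size = bit_copy(source, destination)
    copy_hash = stream_hash(destination)
    after = stream_hash(source)
    return {
        "bytes": size,
        "original_sha256_before": before,
        "copy_sha256": copy_hash,
        "original_sha256_after": after,
        "copy_verified": before == copy_hash,
        "original_unchanged": before == after,
    }


def log_sheet_entry(submitting_agency, case_agent, item, examiner,
                    verification, summary, received, released):
    """Case log record using the protocol's fields (section 4.2.3) plus the
    preservation/verification detail Form B asks for (section 4.2.4)."""
    return {
        "submitting_agency": submitting_agency,
        "submitting_case_agent": case_agent,
        "item": item,
        "received": received.isoformat(),
        "receiving_examiner": examiner,
        "preservation_process": "bit copy examined; original retained by "
                                "submitting agency",
        "verification": verification,
        "summary_of_exam_results": summary,
        "released_to_case_agent": released.isoformat(),
    }


def run_demo():
    """Image the constructed sample, build the log entry, then alter one byte
    of the working copy and show that re-hashing against the logged value
    catches the change."""
    source = io.BytesIO(SAMPLE_DEVICE)
    working_copy = io.BytesIO()
    result = acquire_and_verify(source, working_copy)
    received = datetime(2012, 2, 1, 9, 0, tzinfo=timezone.utc)  # constructed
    entry = log_sheet_entry(
        "Example County Sheriff's Office (constructed)", "Det. A. Example",
        "cell phone with SIM and SD card (constructed)", "Examiner B. Example",
        result, "preliminary examination complete", received,
        received.replace(hour=11))
    # Simulate a later change to the working copy: flip one byte and re-hash.
    flipped = working_copy.getvalue()[100] ^ 0xFF
    working_copy.seek(100)
    working_copy.write(bytes([flipped]))
    recheck = stream_hash(working_copy)
    return {
        "entry": entry,
        "verified": result["copy_verified"] and result["original_unchanged"],
        "tamper_detected": recheck != entry["verification"]["copy_sha256"],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```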

4.3 Results

The data below show the use of the mini-lab tools by the different agencies, with additional information such as the numbers of computers and cell phones examined, time periods and types of devices.

4.3.1 Agency A

Agency A did not have digital forensics capabilities prior to the project but provided the most complete data on the implementation of the project; their data indicated, inter alia, the expanding usefulness of cell phones as evidence sources in more and more traditional areas of law enforcement. The data are set out in Table 1, below.

Table 1

Month (September 2011 - July 2012) | # Computers | # Cell phones (SIMs included) | Other (note 22)
-----------------------------------|-------------|-------------------------------|----------------
September                          |             | 6                             |
October                            | 5           | 18                            | 1 (note 23)
November                           |             | 5                             |
December                           |             | 7                             |
January                            |             | 2                             | 1
February                           | 3           | 13                            | 7
March                              | 2           | 10                            | 3
April                              |             | 9                             | 4
May                                | 1           | 4                             | 3
June                               | 2 (note 24) | 9                             | 2
July                               | 1           | 5                             | 2
Totals                             | 14          | 88                            | 22

Agency A reported individual examination request forms that detailed requests relating to investigations of murder, robbery, rape, unlawful imprisonment, assault, narcotics trafficking, child pornography and child sexual exploitation. The majority of the September 2011 cases (three of five) were related to child pornography/exploitation. By contrast, the majority of the June 2012 cases (four of five) dealt with other kinds of cases, including homicide, rape and robbery. This indicates the shift towards use of digital forensics as an investigative tool across the criminal justice spectrum. The number of devices examined in relation to each investigation ranged from one to 12, and the devices ranged from computers and cell phones to GPS systems. Half of the investigative examinations in the first quarter of 2012 were of multiple devices. Cell phone examinations included SIM card examination. Multiple agencies used the services of Agency A, including the federal Bureau of Alcohol, Tobacco and Firearms (ATF) and the Kentucky State Police.

4.3.2 Agency B

Agency B had a pre-existing digital forensics program which incorporated the new tools into their operations. The reported data are set out in Table 2:

22 MicroSD cards are counted as separate devices although they were primarily found associated with cell phones in these examinations
23 TomTom GPS 1EX00
24 Includes a tablet computer

Table 2

Types of Devices Examined                            | Numbers examined in time period 1/1 - 6/13/2012 | 2011 | 2010
-----------------------------------------------------|-------------------------------------------------|------|-----
Computer/HDD                                         | 35                                              | 56   | 70
Cell phones/SIM cards                                | 86                                              | 67   | 62
Other (usb drive, CD/DVD, SD cards, diskettes, GPS)  | 28                                              | 210  | 189

Internal v. External Agency Examinations
Internal examinations                    | 77
External examinations for other agencies | 49

This data further supports the trend away from general computers as sources of digital evidence to mobile devices such as cell phones. Agency B also performed a significant percentage of its examinations for other law enforcement agencies in the area. Although case type data was not available for this agency, it did handle the digital forensic examination for the fetal abduction/homicide case discussed above.

4.3.3 Agency C Agency C had a pre-existing digital forensics program that absorbed the new equipment and training within that framework. Agency C also has an ongoing schools program for discussing online safety issues with school children. With the new systems the agency examined approximately 48 devices in 15 to 20 different cases. The ratio of computers to mobile devices examined was about 1:1, but the agency noted the trend was strongly towards more mobile devices than computers. While the majority of cases continued to be child pornography, examinations were also done relating to drug trafficking, counterfeiting, forgery and a car bombing.

4.3.4 Agency D Agency D had no prior digital forensics operations but used the training and equipment to begin these examinations as well as make the examination systems available to other local law enforcement agencies in their region. Despite schedule conflicts that developed,25 it was able to submit usage information for the collaborating sheriff’s office in the county:26

25 The police officer assigned to the project was activated for military duty.
26 Report of Cheryl Purdy, instructor in IT and Computer Forensics at Owensboro Community and Technical College, special deputy with the Daviess County Sheriff’s Office and on loan to Owensboro Police Department one day per week for the purpose of digital forensics examinations.

Case Number   Agency                                    Case Type           Date     Media Examined
2012-9107     Daviess County Sheriff’s Office           Child Pornography   2/2012   Motorola Atrix
2012-9107     Daviess County Sheriff’s Office           Child Pornography   2/2012   Samsung Galaxy
2012-9107     Daviess County Sheriff’s Office           Child Pornography   2/2012   HTC
2012-9107     Daviess County Sheriff’s Office           Child Pornography   2/2012   HTC
09-64661      Owensboro Police Department (Practice)    Child Pornography   5/2012   Toshiba Satellite A205; Western Digital WD5000BEVT 500 GB
12-050743     Owensboro Police Department               Child Pornography   6/2012   Custom built PC; Western Digital WD3200AAKS-00L9A0 320 GB

4.3.5 Agencies E, F, G & H Four agency offices were not able to implement the program. In one the officer trained on the systems retired. In another, the trained officer was transferred to a central office digital forensics unit. In all four offices it appeared the trained officers were needed to continue regular policing duties and did not have full opportunities to provide digital forensic services. Plans are underway to reallocate these resources as needed for supporting digital forensics programs.

4.4 The Data Trends in Digital Investigations The most significant trends seen in the data are:

1. Significant growth in the number of cell phone examinations, while
2. the number of general-purpose computer examinations remains stagnant or declines;
3. The number of devices examined in relation to a single investigation varies but appears to be increasing;
4. Digital forensics is being used for more and more types of criminal investigation as devices are found at crime scenes and collected by investigating officers; the reported data of Agency A show digital forensics used in murder, robbery, rape, assault and narcotics trafficking investigations as well as those for child pornography and child sexual exploitation.

4.5 Administrative Issues In general, those agencies that have been the most productive under this program are those in which there existed:

1. Adequate manpower resources to reallocate assignments to move field officers into the digital forensics lab part- or full-time;
2. Officers interested in developing the appropriate skills and qualifications to conduct exams, despite the challenging material; and
3. A willingness to promote services with proximate agencies and take on evidentiary examinations from outside their agency.

4.6 Heart of America/Kansas City Regional Computer Forensics Laboratory Virtual Cell Phone Kiosk Project The HARCFL Virtual Cell Phone Kiosk Project is a collaboration with Susteen, Inc., the vendor of the Secure View cell phone forensics examination system. It responds to the explosive growth in cell and smartphone use in relation to crime by pushing analysis tools out to more local police departments. The system consists of the Secure View software package, a phone cable kit, an online license validation process (a virtual “dongle”) and an online training program for sworn law enforcement officers; the local department must have its own computer for the use of the system. It is designed for straightforward use by all law enforcement, with the evidence retained on the local machine. Secure View 3, the forensics suite currently used, provides for data acquisition, analysis and reporting relating to cell phone examinations. It offers keyword searching and transactional timeline, frequency and linkage visualization for phone, text and web activity on the device.27

4.6.1 Operational Protocols for the Virtual Cell Phone Kiosk Project The Virtual Cell Phone Kiosk is available only to sworn law enforcement officers. It may be used for all examinations of legally seized or possessed cell phones relating to crime except for child pornography; child pornography examinations must be done either by the HARCFL or at its laboratory cell phone kiosk. An eligible agency applies online with Susteen,28 giving information about the individual and agency applying. This is forwarded to HARCFL for review and approval. Once approved, Susteen creates an account for that user and forwards the log-in information. The user logs on to download and install the Secure View forensic software on the local machine to be used for examinations. The agency has the option of purchasing a regular or extended set of cell phone cables to connect the device under examination to the examining machine; it may also choose to purchase those cables from other vendors. Online training in the use of the system is conducted twice weekly for about two hours each session. HARCFL supports several licenses for Secure View. To conduct an examination, the user logs on to the project site. If a license is available, the system validates the use of the local machine and software for that examination session. This, in effect, allows easy sharing of the forensic tools without each local law enforcement agency having to purchase a license. For federal fiscal year 2011, the first year of operation, 69 agencies had signed up and acquired the Secure View tool, using it for 914 data acquisitions or attempts.29 This may be compared to the 1,610 logged events at the pre-existing cell phone forensic kiosk physically located at the RCFL. The virtual tool removed the need to travel to the RCFL with the commensurate loss of officer time. For the first six months of FY 2012, under a revised and narrowed set of definitions, the system logged 442 complete cell phone acquisitions; this did not count use of the software for analysis nor attempted acquisitions that were not successful.30

27 Secure View 3 Case Management-Analytics: http://www.mobileforensics.com/svProbe (accessed July 9, 2012)
28 Registration site for HARCFL – Susteen Online Cell Phone Kiosk Program: http://secureview.us/SV3_HARCFL/ (accessed July 9, 2012)
29 FY 2011 Annual Report, Regional Computer Forensics Laboratory Program, Federal Bureau of Investigation, U.S. Department of Justice, pp 24 - 25
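The shared-license arrangement described above (a fixed number of lab-held licenses, an approved account, a session validated against the local examination machine) is the part of the kiosk design with security consequences: a license that is not tied to a machine or a session can be copied or held indefinitely, starving other agencies. The following is an added example written for this page, not Susteen's or HARCFL's code, and nothing here is known about how Secure View actually implements its online validation. It models the described flow as a small pool of session leases: only reviewed accounts may check out, a lease is bound to user and machine by an HMAC token, a lease expires if not released, and checkout is refused when every license is in use. Account names, machine identifiers, the lease length and the token format are all assumptions.

```python
"""Toy model of a shared ("virtual dongle") license pool for a forensic tool.

Added example, not vendor or laboratory code.  Assumptions: account and
machine names are illustrative; a lease lasts one assumed exam session; the
session token is nonce:HMAC-SHA256(user|machine|nonce) under a server secret.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Lease:
    user: str
    machine_id: str
    expires_at: float
    token: str


@dataclass
class LicensePool:
    capacity: int                      # concurrent licenses the lab pays for
    approved_users: set[str]           # accounts that passed review (assumed allowlist)
    lease_seconds: float = 4 * 3600.0  # assumed length of one examination session
    _secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    _leases: dict[str, Lease] = field(default_factory=dict)  # keyed by token

    def _expire(self, now: float) -> None:
        """Drop leases whose session window closed, freeing their license."""
        for tok in [t for t, l in self._leases.items() if l.expires_at <= now]:
            del self._leases[tok]

    def in_use(self, now: float) -> int:
        self._expire(now)
        return len(self._leases)

    def _mac(self, user: str, machine_id: str, nonce: str) -> str:
        msg = f"{user}|{machine_id}|{nonce}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def checkout(self, user: str, machine_id: str, now: float) -> str | None:
        """Grant a session token, or None if unapproved or no license is free."""
        if user not in self.approved_users:
            return None
        self._expire(now)
        if len(self._leases) >= self.capacity:
            return None
        # Token is bound to user and machine so it is useless if copied elsewhere.
        nonce = secrets.token_hex(8)
        token = nonce + ":" + self._mac(user, machine_id, nonce)
        self._leases[token] = Lease(user, machine_id, now + self.lease_seconds, token)
        return token

    def validate(self, token: str, user: str, machine_id: str, now: float) -> bool:
        """Server-side check before each acquisition: live lease, matching user and machine."""
        self._expire(now)
        lease = self._leases.get(token)
        if lease is None:
            return False
        nonce, _, mac = token.partition(":")
        mac_ok = hmac.compare_digest(mac, self._mac(user, machine_id, nonce))
        return mac_ok and lease.user == user and lease.machine_id == machine_id

    def release(self, token: str) -> None:
        self._leases.pop(token, None)


def demo() -> dict:
    """Walk the pool through approval, exhaustion, token copying, release and expiry."""
    pool = LicensePool(capacity=2, approved_users={"det.a@pd1", "det.b@pd2"})
    t0 = 1_000_000.0
    tok_a = pool.checkout("det.a@pd1", "PD1-LAB-01", t0)
    tok_b = pool.checkout("det.b@pd2", "PD2-DESK-07", t0)
    unapproved = pool.checkout("clerk@pd3", "PD3-X", t0)          # never reviewed
    pool.approved_users.add("det.c@pd3")
    when_full = pool.checkout("det.c@pd3", "PD3-X", t0 + 60)      # both licenses busy
    moved = pool.validate(tok_a, "det.a@pd1", "OTHER-MACHINE", t0 + 60)  # token copied
    genuine = pool.validate(tok_a, "det.a@pd1", "PD1-LAB-01", t0 + 60)
    pool.release(tok_b)
    after_release = pool.checkout("det.c@pd3", "PD3-X", t0 + 120)
    late = t0 + pool.lease_seconds + 1
    expired = pool.validate(tok_a, "det.a@pd1", "PD1-LAB-01", late)
    return {
        "granted_a": tok_a is not None,
        "granted_b": tok_b is not None,
        "unapproved_refused": unapproved is None,
        "refused_when_full": when_full is None,
        "moved_token_refused": not moved,
        "genuine_ok": genuine,
        "granted_after_release": after_release is not None,
        "expired_refused": not expired,
        "in_use_after_expiry": pool.in_use(late),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the model is where the checks live: approval, capacity and binding are all enforced by the pool (the server side), so a local machine holding a copied token or an agency that never applied gains nothing, and a session left open eventually returns its license to the pool.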

4.6.2 Data and Data Trends in Digital Investigations with the Virtual Cell Phone Kiosk Log data for the most recent period of June 5, 2012 through July 4, 2012 show significant use of this system by local departments. Although data entry was inconsistent, the following estimates on system use for that one-month period are:

• Total successful exam logins – 210
• # agencies using system – 40
• # different mobile devices – 74
• # different manufacturers – 12

The most frequently found systems were Apple, HTC, Motorola and Samsung devices, usually cell phones, although iPads and Galaxy tablets were also examined. Chinese ZTE cell phones were also examined. The law enforcement agencies using the tool included municipal, county, state and federal law enforcement, including the Office of the State Fire Marshal, Lincoln University Police Department and the Kansas Department of Wildlife and Parks. The total count of devices was 249 for the period, although this number must be further verified. Some data entry could repeat listings for identical types of devices, such that there may have been repeated entries for the same device; other acquisitions did not list the devices at all, indicating a possible undercount. Identifiable crimes were entered for 23% (48 out of 210) of the examinations. The types of crimes associated with these examinations were:

• Homicide
• Aggravated rape
• Aggravated assault
• Narcotics offenses

The most frequent cell phone examinations were related to drug offenses, followed by sex offenses, homicide and assault. The system has been adopted by the Missouri Internet Crimes Against Children Task Force to provide these services to Missouri law enforcement officers.31 These data confirm the need for cell phone examination capacity and the expansion of the use of digital forensics to all types of criminal investigation, including those by officers of the State Fire Marshal and Wildlife and Parks. They also indicate potential growth in the need for examination capabilities for tablet computers. The quick adoption of this tool by local law enforcement indicates it has addressed an unmet need.

30 HARCFL presentation on system operations
31 Missouri Internet Crimes Against Children Task Force Online Mobile Phone Kiosk Program: http://www.secureview.us/MOICAC/SV3_MOICAC_LandingPage.html (accessed July 9, 2012)

5. The Future of Distributed Models and Conclusion The data collected from the tests of the two distributed models show the growth in the use of digital forensics in more and different types of criminal investigations. Given the costs of forensic tools and the economic pressures on local governments, these distributed models offer immediate aid. The scope and depth of investigation may not be as great as with fully equipped and staffed digital forensics laboratories, but a basic level of essential service is provided. This suggests the benefits of a continuous services model for addressing digital investigations. Continuous layers of expertise and services for analysing digital evidence can effectively and efficiently expand law enforcement capabilities. It begins with basic police investigative skills in digital evidence and links them seamlessly through to digital forensic expertise and computer science analysis. In this global model there is more than a simple distribution of expertise. Rather, with the distribution of continuous levels of skill in identifying and collecting digital evidence there is also a collaborative association of all the agencies within this continuum. As a participating distributed agent finds issues beyond her training, she may immediately consult peers or expert assistance at the RCFL or FBI/Quantico/DHS level. The system of justice is a highly collaborative and distributed system that relies on both local and national efforts. Digital crimes involving electronic evidence are no different. To successfully provide for public safety in this era of ubiquitous computing and communication we must define and implement systems for all forms of misconduct. This requires the normalization of digital investigation for all levels of law enforcement and the preparation of the system of justice for properly processing that information. It is the only way to assure public safety while protecting the civil liberties inherent in a culture built on the free and open exchange of ideas.