FOCUS The Case for Mobile Device Forensics
Start a new lab.
If you don’t already have a lab, but want to start one, it’s likely that your reasoning goes something like this: First, it takes too long for the lab to get my evidence back to me, so my cases are going stale and/or I’m losing witnesses. Second (if you have to go to a forensic lab out of town), I spend too long transporting my evidence back and forth to the lab. Or, third, I need mobile evidence or intelligence to be actionable and available as soon as I need it, to inform my decision-making in the field or interview room. If one or more of these applies to you, and you’re not already tracking the time you spend transporting or waiting, start now. Keep track of the hours, days, weeks, or even months that might be involved, and the types of cases they affect. Also note the opportunity cost of this time—the case-related work you could be doing if you weren’t in transit or waiting.
Audit the number of cases you work per month where mobile device evidence is valuable, and that you were able to close because you were able to obtain the right evidence. It may be helpful to record what statutes you charged a suspect under on these cases. However, also track the number of cases that have gone unsolved because you are still waiting. Finally, if you currently rely on a lab either within or outside of your agency, part of keeping accurate metrics is helping your forensic examiners to keep them, too. To that end, fill out digital evidence intake forms as completely as possible with phone makes and models, whether the device is locked or encrypted, any passwords, the wireless carrier, the presence of SD cards, types of data you need, and appropriate date and time ranges.
Expand an existing lab.
Completed correctly, a good standard forensic request form will contain all the information you need to keep appropriate metrics. Help commanders to craft an SOP that requires all officers to fill one out for each device they submit, and also to develop training for officers (including FTOs) on how to fill out the form most effectively. While well-completed intake forms should reduce any problems you have with officers or investigators asking for “everything on the device,” measuring form usage can help you identify who still needs training. Explain to both your and their supervisors that specific data requests can help you reduce the overall amount of time you are spending on forensic examinations, and they help you get the most important data to individual investigators closer to their preferred timetable. If you support other agencies, require those officers to fill out the same forms. Be sure to spend the time with them to help them understand how. Tip: While this can be accomplished during roll call or in-service training, it may be more effective done one-on-one, so the officer can ask questions privately.
22 LAW and ORDER I June 2015
In general, intake forms will allow you to track the types of cases you’re being asked to process mobile devices for, which cases get priority over others, and how often you have to prioritize. This is especially important when you’re an investigator carrying your own caseload. If that caseload is becoming backlogged because of your mobile forensics services, maintaining good request forms will help you explain the problem to your supervisor.
Justify forensic tools.
Tracking submitted devices’ makes and models helps you to understand which devices—smartphones, tablets, e-readers; prepaid, passcode protected, and/or encrypted—are most popular in your region. Maintain statistics not just on mobile devices, but on all types of digital media submitted to your lab.
The trends you see in these ratios over time can help you determine how much of your budget should be committed to different forensic hardware and software. So can metrics on whether you were able to extract the entire device, versus only partial data, from the different makes and models.
Average the time it takes to create a report per device, per case. This might seem small, but if you’re trying to show that you need a new forensic tool because the one(s) you have are inefficient to use, metrics on the amount of time and effort you put in can be important.
If you’re supporting crime or intelligence-led policing analysts as well as investigators, find out from them how easy it is to import your mobile device extraction output into their analytic tools, and use that to inform your research on which forensic tools integrate with which analytic tools.
Justify additional personnel.
Measuring the average number of devices submitted per case, along with the size of each device’s memory, is important. Both can make a difference in how much time it takes to extract each device, especially if you are performing multiple extractions on a single device (which you should be doing to validate your work). Record how much time it takes you to perform logical, file system, and physical extractions per device. In addition, average the time it takes to analyze each device, and how long it takes you to analyze all the mobile devices from each case. You can use this to justify one or more additional examiners to perform simultaneous extraction and analysis tasks.
However, a backlog doesn’t always mean that you need additional forensic examiners. If you are getting a lot of requests for devices from misdemeanor offenses, it may be possible to justify turning over at least basic mobile device evidence collection to field-level personnel: detectives or even patrol. Whether you are pursuing this avenue or hiring more professional examiners, be sure to include training and certification costs in your business case.
Finally, plan to obtain qualitative feedback from prosecutors about how the evidence you’re providing enhanced the cases they agreed to bring to trial. These don’t have to be high-profile cases, but should be a good assessment of all your activity across the spectrum of your investigations.
These metrics and others can all help you to build a case for starting or expanding mobile forensics support in your agency. Without them, commanders may not be able to think about your mobile device evidence needs with the same measuring stick that they use to evaluate everyone else’s requirements in your agency. Explain your requests quantitatively as well as qualitatively, offer your opinion on how it impacts public safety in your community, and you may find commanders more willing to listen.
Christa M. Miller is the Director of Forensic Marketing at Cellebrite, Inc. She may be reached at christa.miller@cellebrite.com.
Post your comments on this story by visiting www.lawandordermag.com