How to Lawfully Collect, Examine and Analyze Data from Computers

by Heather Mahalik, Senior Director of Digital Intelligence, and Ian Whiffin, Senior Digital Intelligence Expert, Cellebrite

A couple of decades ago, law enforcement officers looked for evidence that was more likely to be found in a shoebox than a hard drive—things like VHS cassettes and Polaroid photos. Today, the data that can solve a case is most often found on digital devices, including desktop and laptop computers.

But, as is the case with cell phones, even basic computers today are equipped with enough security and encryption technology to thwart basic forensic tools—for example, Apple’s T2- and M1-based laptops and desktop Macs with Secure Enclave technology. And the popularity of cloud laptops, like Google’s Chromebook, means there may not be much data stored on the device to begin with.

In addition, many new and popular ultrathin laptops have storage that is simply memory chips soldered onto the motherboard. This means the drive can’t be physically removed from the device, as was common in the past.

But in spite of these difficulties, there are successful best practices and technologies for law enforcement agencies to deploy in terms of lawfully collecting digital intelligence (DI) from desktop and laptop computers. (Digital Intelligence is the data collected and preserved from digital sources and data types [smartphones, computers, and the Cloud] and the process by which agencies collect, review, analyze, manage, and obtain insights from this data to more efficiently run their investigations.)

Best Practices for Managing Desktops and Laptops

Protect the chain of evidence at every step

This critical process starts as soon as laptops and desktops are lawfully collected under warrant. For example, investigators should take photographs of the devices in situ; they should also document the state of the devices. At the station, the computers need to be placed into secure evidence storage rooms, where nobody else can access them without the visit being logged.

When the computer comes to a forensic lab to be examined, that process should again be documented via photos to show the state of the device, and notations made about any damage. In addition, investigators must document the processes and tools used to collect, review, analyze, and manage data. Any processes that involve potential changes to data, such as booting up a computer, should also be described in detail, along with the reasons for choosing these approaches.

Decide which devices to collect—if not all of them

When officers are collecting evidence, it often makes sense to take all of the desktop and laptop computers they can find, because such devices are often shared among the occupants of a home or a commercial location. That said, devices in an attic covered with cobwebs may not have been used in years and may not be worth the time to seize and analyze. This decision may depend on the nature of the crime and the scope of the search warrant.

A good reason to take all devices that appear to be in use is that, especially in a home, devices are often shared, which means there could be relevant digital intelligence on all of them. Of course, investigators need to also prove who the devices’ users are. This could be as simple as showing the various password-protected user accounts on a computer. But what if multiple users share the same account? In this case, investigators may need to rely on patterns of use analysis to show who was using the device at any given time.

Another good reason for taking extra devices: People like to reuse passwords. If the password for an older device with weak protection can be cracked, that same password might allow investigators to easily gain access to newer, more secure devices.

Document where laptops and desktops are found

If a desktop computer is in the home’s family room, everyone in the house might have had access to it, versus a device that’s in a household member’s bedroom. This is important information to be captured during an investigation. Since defense attorneys will try to show that a given device might not have been used by their clients, investigators need to demonstrate ties between devices and suspects.

Apply different tools and approaches to different operating systems

Windows, macOS, and Linux all have different file systems and different ways of working. A tool that works well for Windows may not handle macOS equally well, if at all. Investigators can’t be sure they are acquiring all available data if they use the same tools on each.

In recent years, Macs moved from Mac OS Extended to the APFS file system. Apple also introduced the T2 Security chip—and more recently, the M1 chipset with Secure Enclave. That's not to mention FileVault and FileVault2.

These are nuances that can confuse even experienced investigators, who might assume that one successful approach on a Mac computer would work equally well on another Mac. Ideally, investigators would have a single technology tool to extract data from computers with all types of operating systems.

Leave computers on or off—just as you found them

The best practice for mobile phones at an investigation scene is to isolate them from any available networks, either with a Faraday solution, by placing them in airplane mode, or by removing the SIM card (while remaining aware of nearby Wi-Fi connections). This prevents the device from being remotely wiped or having its data deleted remotely.

There is less concern about taking this step for desktop and laptop computers since the devices don’t usually connect to cellular networks. But bear in mind that Wi-Fi connections may be active while the device is powered on. The best practice for desktops and laptops is to simply leave them as you find them from a power standpoint. If the devices are still powered on when they are retrieved, keep them powered on. If you can seize devices while they’re on and unlocked, keep them that way and get them into the hands of forensic examiners as soon as possible. If you turn them off or let them power down, you might not gain access to that device again.

On the other hand, if investigators find laptops or desktops that are powered off, leave them that way. Memory chips have a certain amount of autonomy: simply having power can cause the chip to reorganize how data is stored, in a process called Garbage Collection. From a forensic point of view, whenever the device is powered on there is a chance that the memory chip is performing Garbage Collection, even though the process is not obvious to the end user. This could result in deleted data becoming completely unrecoverable.

Choose your tools

As sources of Digital Intelligence get bigger, the solutions investigators choose become more important, since they can help quickly unearth the data that is actually needed for an investigation. For example, technology solutions can filter out system files that are not useful, or can find image files of specific content types. These features can save a good deal of time for investigators who might otherwise have to review every single image manually or sort through terabytes of “noise.”

Interpret data for others

The actual end users of Digital Intelligence are usually investigators, prosecutors, and courts. Examiners need to be sure that everyone can easily understand their findings, including judges and juries, who may have little understanding of technology.

Courts will want to know how the data ended up where it did, so examiners need to provide explanations such as, “This is a website that was visited by this person at this time,” or “This file exists because it was created or downloaded” (versus copied from a USB drive, for example).

Courts also want to know that examiners reached their determinations in the most forensically sound way possible. The court doesn't really understand the intricacies of data collection and analysis; it simply wants to know that once forensic investigators find data, they can show that the data was collected in a forensically sound manner and that the digital chain of evidence was securely protected throughout the investigation. An examiner needs to be able to say, “I did A, B, and C to lawfully collect and analyze the data, and at no point during this process was the data altered.”
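The chain-of-evidence documentation described under "Protect the chain of evidence at every step" and the examiner's closing claim that the data was never altered both rest on two verifiable records: a hash of the evidence image taken at acquisition, and a custody log that cannot be quietly edited afterwards. The following Python is an added example (not Cellebrite's code or any tool from the article) that builds such a hash-chained custody log over a constructed, in-memory stand-in for a disk image; the `sha256_stream` helper, `CustodyLog` class, officer names and log entries are all assumptions made for illustration.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # anchor hash for the first log entry

def sha256_stream(fh, chunk_size=1 << 20):
    """Hash an open evidence image (file object) in chunks, so huge images fit in memory."""
    h = hashlib.sha256()
    for block in iter(lambda: fh.read(chunk_size), b""):
        h.update(block)
    return h.hexdigest()

def _digest(entry):
    # Canonical SHA-256 over every field except the entry's own hash.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class CustodyLog:
    """Append-only chain-of-custody log; each entry commits to its predecessor."""
    def __init__(self):
        self.entries = []
    def record(self, actor, action, reason, evidence_sha256):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {"time": datetime.now(timezone.utc).isoformat(), "actor": actor,
                 "action": action, "reason": reason,
                 "evidence_sha256": evidence_sha256, "prev_hash": prev}
        entry["entry_hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self, current_evidence_sha256):
        """True only if no entry was altered and the image still matches the last recorded hash."""
        prev = GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev or _digest(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return bool(self.entries) and self.entries[-1]["evidence_sha256"] == current_evidence_sha256

def demo():
    """Constructed walk-through: seize, hash, verify, then the two failure modes."""
    image = b"CONSTRUCTED-EVIDENCE-IMAGE" * 4096          # stand-in for a disk image
    log, h = CustodyLog(), sha256_stream(io.BytesIO(image))
    log.record("Officer A", "seized laptop, photographed in situ", "search warrant", h)
    log.record("Examiner B", "kept powered on for live acquisition", "found on and unlocked", h)
    intact = log.verify(sha256_stream(io.BytesIO(image)))
    image_changed = log.verify(sha256_stream(io.BytesIO(image + b"x")))  # data altered later
    log.entries[0]["reason"] = "consent"                   # log entry edited after the fact
    return intact, image_changed, log.verify(h)            # expect (True, False, False)
```

For a real image, pass an open file (`open(path, "rb")`) to `sha256_stream`; the hash recorded at seizure is what the examiner later re-computes and reports to the court.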