Computer Forensics: Best Practices for Sharing Digital Data

Co-authored by Stephanie Kurtz, Technical Account Expert, Cellebrite

For complex cases that unfold over time and jurisdictions, sharing the data legally obtained from digital devices is often a necessity. But sharing evidence is not as simple as in the days when a folder of photos or documents could be hand-delivered to investigators. In the process of copying and sharing Digital Intelligence obtained from devices, the data could be damaged or altered unintentionally, affecting the ability to use the data to bring suspects to justice and protect citizens. (Digital Intelligence is the data collected and preserved from digital sources and data types—such as smartphones, computers, and the cloud—and the process by which agencies collect, review, analyze, manage, and obtain insights from this data to run their investigations more efficiently.)

The advice below can help law enforcement officers share data without compromising its value to a case.

The “Gold Copy,” and why it’s important

With careful documentation, handling practices, and technology that facilitates protecting the chain of evidence, law enforcement officers can assure data integrity, starting with the “Gold Copy.” That’s the term for the original version of the data that’s extracted from a digital device – a version that must stay pristine if it’s to pass muster with courts and attorneys. The “Gold Copy” needs to be carefully stored and tracked, with copies made as it is shared, so that the data remains “golden”—that is, in its original state.

Why does the “Gold Copy” need to remain in its original state? Let’s say you receive digital data from a law enforcement colleague, but you notice that some of the images aren’t complete, or they’re damaged. You ask the colleague to resend the data, and they tell you they’ve deleted the original data—leaving nothing but an incomplete file. That’s the kind of thing that can kill an investigation.

As for storage, investigators can set up special data repositories where original data can reside. Any technology that’s used to analyze or manage the data should only ever access a copy of the data—again, to keep the “Gold Copy” untouched.

Investigators or forensic examiners should never be working with the original copy of the data. There could be situations where lab examiners or others involved in the case may not be as experienced as one would like—and you don’t want them to access that copy and potentially compromise the data.

Obtaining hash values

A hash value is a series of numbers that uniquely identifies data—it’s akin to a fingerprint in that it is unique to the data to which it is attached. It’s a good idea to obtain hash values for original evidence—everything from a physical image of a computer drive to a zipped file of cell phone extraction data. With a baseline hash value, investigators can compare the data they have with the data that’s being shared with someone else—the same hash value equals the same data.

Correlating hash values helps prevent challenges to data integrity down the road, where a court might want to ensure that every part of the data was shared, and that the data wasn’t manipulated at some point.
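
One way to apply the baseline-hash comparison described above, as an added example that is not part of the original article: it records a hash for every file in the original data and checks a shared copy against that baseline, reporting files that are missing, added or altered. The choice of SHA-256, the function names and the sample files are assumptions made for this illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large disk images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root):
    """Baseline: map each file's path (relative to root) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline, received):
    """Report what differs between the baseline manifest and a received copy."""
    return {
        "missing": sorted(set(baseline) - set(received)),
        "extra": sorted(set(received) - set(baseline)),
        "altered": sorted(k for k in baseline.keys() & received.keys()
                          if baseline[k] != received[k]),
    }

def demo():
    """Constructed sample data: a tiny 'gold copy' and a damaged shared copy."""
    with tempfile.TemporaryDirectory() as tmp:
        gold, shared = Path(tmp, "gold"), Path(tmp, "shared")
        (gold / "images").mkdir(parents=True)
        (gold / "extraction.zip").write_bytes(b"constructed extraction data")
        (gold / "images" / "img001.jpg").write_bytes(b"constructed image A")
        (gold / "images" / "img002.jpg").write_bytes(b"constructed image B")
        baseline = build_manifest(gold)          # hash the original once
        shutil.copytree(gold, shared)            # the copy that gets shared
        intact = compare(baseline, build_manifest(shared))
        # Simulate damage in transit: one truncated image, one file lost.
        (shared / "images" / "img001.jpg").write_bytes(b"constructed ima")
        (shared / "images" / "img002.jpg").unlink()
        damaged = compare(baseline, build_manifest(shared))
        return intact, damaged

if __name__ == "__main__":
    for label, result in zip(("intact copy", "damaged copy"), demo()):
        print(label, result)
```

In practice the baseline manifest is stored alongside the case records and sent with each shared copy, so the recipient can run the same comparison on arrival.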

Get evidence, not spreadsheets

If you’re thinking about sharing a spreadsheet instead of actual data, think again. For an investigator on the receiving end, a spreadsheet won’t be enough to prove a case. Investigators don’t want to rely on someone else’s summary of the evidence—they need to do the examination themselves. If you’re waiting to receive such shared evidence, push back and ask for a copy of the “Gold Copy.”

Double check who’s asking for evidence, and whether they really need it

Make sure whoever’s receiving the shared data has the warrant or authority to actually look at the data. In the United States, Americans have certain privacy rights, so data cannot be freely exchanged with law enforcement outside of the U.S. unless there is clearly a need to do so.

Document who’s asking for and receiving shared evidence

Keep careful records of who’s asking for evidence and what they were given. Insist on requests in writing to better document who’s accessing the data.

It helps to be meticulous when documenting the sharing of data. For example, after investigators are finished collecting data, they should take photos of the devices, including photos of any labels that were applied to devices—preferably showing each device’s serial number or IMEI number for phones. Some cases can go on for years, and in the event of a question about where devices were stored and shared, the detailed note-taking can help drive a case forward.

Forensic's monthly column, Digital Intelligence in the 21st Century, is authored by Heather Mahalik, Senior Director of Digital Intelligence at Cellebrite. With over 18 years of experience in digital forensics, Mahalik has been an expert of choice for many law enforcement and intelligence agencies. She has worked high-profile cases from child exploitation to Osama Bin Laden’s digital media. Check back the first Friday of every month for more digital intelligence as Mahalik takes on managing and sharing data, testing and validation, highly encrypted phones and more.

 
