Securing Data from Witness Devices


co-authored by Matt Goeckel, Technical Account Expert, Cellebrite 

Obtaining digital intelligence from the devices of witnesses requires a healthy mix of technology and diplomacy. It is critical that collection of digital data by frontline officers be authorized by agency command with clear procedures in place to ensure all data is secured and the digital chain of evidence is protected.

Experienced frontline officers see value in gaining the trust of witnesses who may have videos, pictures, or texts that can solve the case – instead of getting combative by demanding witness devices or obtaining warrants for them. (Digital Intelligence is the data collected and preserved from digital sources and data types – such as smartphones, computers, and the Cloud – and the process by which agencies collect, review, analyze, manage, and obtain insights from this data to run their investigations more efficiently.)

If officers are to gain this trust, they also need to obtain the digital evidence from these devices as rapidly as possible, while protecting witnesses’ privacy. At every stage of securing digital data from witnesses, frontline officers need speed and trust. The best practices below can help officers make the most of their initial interactions with witnesses, and ensure that data is secured to solve cases and protect citizens.

The most common mistakes and how not to make them

Before we talk about working with witnesses to obtain devices, let’s look at the most common error made by frontline officers: failing to isolate phones from their respective networks. If the witness’s phone can still accept calls and messages, there’s a chance that relevant evidence could be overwritten by the new data. Phones can be isolated from networks in several ways, such as placing a device in a Faraday bag. Several wraps of foil or an arson can can also work as alternative methods.

Another mistake, one usually made by officers with good intentions, is scrolling through messages and looking at videos and photos, in hopes of finding critical evidence right away. The problem is that not only is the phone not isolated from network access, but an officer could also inadvertently change data and time records, throwing a digital monkey wrench into potential evidence.

Enlisting cooperation from witnesses

The first step in obtaining phones depends on trust more than technology. We all need the cooperation of witnesses in cases, which means frontline officers need to be accommodating to their needs. An officer’s opening line should not be, “You’re gonna give me that cell phone whether you want to or not.”

Think about how you’d feel if someone asked you, however politely, to hand over your phone for several hours, or even a few days. It’s like asking someone to cut off an arm and hand it over. It would be perfectly normal for a witness to be hesitant about complying with such a request by law enforcement officers. And if witnesses are hostile to turning over their phone, even briefly, officers have much more work to do in terms of explaining to judges why the phone should be seized.

Once officers complete the crucial first step of securing the scene, they can begin to find witnesses, asking bystanders if they saw activity or know any of the people involved. In these conversations, officers can often find out organically if there is valuable digital evidence to secure, since witnesses may offer that they have video or text messages relating to the crime. Polite conversations can unearth evidence more quickly and easily than by barking orders at witnesses.

Technology can save time and build trust

This is where tact, trust, and technology can come together to yield great results. With field technology for collecting data in very little time, witnesses build up much more goodwill for interactions with law enforcement. In fact, with the right technology, witnesses don’t even have to physically hand over a phone: by scanning a QR code provided by an officer, the witness can provide access to the digital data that’s relevant to the case. The officer can download the data to the field device and then turn it over to forensic examiners.

Frontline officers need to reassure witnesses that if they agree to share their digital devices, their private data won’t be exposed as well. Officers can reassure witnesses that with selective extraction technology, only the digital data that’s relevant to the case will be copied. If there are just one or two text messages that pertain to the alleged crime and suspects, then forensic examiners can obtain only those messages – and nothing else. This is a helpful strategy for gaining a witness’s trust and cooperation.

What about witnesses who can’t give consent?

When a witness appears to be incapacitated—or, in the worst-case scenario, if someone at the scene is deceased—the best practice for a frontline officer securing the scene is to avoid touching anything at all, even if devices seem easily in reach in someone’s pocket or purse. The forensic examiners who’ll show up at the scene don’t want anything disturbed.

Depending on the jurisdiction, deceased people may no longer have a right to privacy, which means officers may not need to obtain consent or even a warrant before collecting data from a phone. But there are other reasons why frontline officers should not immediately seek out devices: namely the need for forensic investigators to document all interaction with the device, so that any evidence they obtain will hold up in court. The burden of proof for homicide is high; forensic examiners don’t want to risk crucial evidence being deemed faulty because it was tampered with at the scene.

The only exception would be when someone else’s life is in imminent danger, such as a kidnapped person, and officers believe that data on a device could help find that person and save a life.

Defer to the forensics experts

Frontline officers play a vital role during the first minutes and hours at a crime scene investigation. They’re usually the first ones interacting with witnesses, and taking the first steps to secure the scene and determine who may have documented the crime or interacted with potential suspects.

But the forensic examiners, who’ve been trained in digital evidence collection and who know how to document evidence so that it’s admissible in court, should always be consulted when there are questions about managing digital devices. When there are doubts about digital evidence, defer to your forensic examiners.

Forensic's monthly column, Digital Intelligence in the 21st Century, is authored by Heather Mahalik, Senior Director of Digital Intelligence at Cellebrite. With over 18 years of experience in digital forensics, Mahalik has been an expert of choice for many law enforcement and intelligence agencies. She has worked high-profile cases from child exploitation to Osama Bin Laden’s digital media. Check back the first Friday of every month for more digital intelligence as Mahalik takes on managing and sharing data, testing and validation, highly encrypted phones and more.

 
