co-written by Adam Riley, Investigations Advisor, Cellebrite
The ultimate success metric for law enforcement agencies is how many crimes they can solve, and how quickly – that is, how soon they can put offenders behind bars. Improving these metrics demands rapid extraction and analysis of data, which often takes place days or even weeks after a crime takes place.
However, the Digital Intelligence equipment and training that can shorten the time to solve crimes is often not in the hands of the people who first show up at crime scenes. In many agencies, the flow of evidence calls for funneling all exhibits into one lab. That lab becomes essentially an evidence factory, pushing out data rapidly without applying the true art of digital forensics. The lab staff turn into button pushers.
This was the scenario we saw often in Australia’s law enforcement agencies, where data collection was highly centralized. The result was that investigators could wait days or weeks for data that could help solve crimes. For some crimes where time wasn’t of the essence, such as where the victim was already deceased, the delay might be acceptable. For urgent crimes, like crimes against children or a kidnapping case, however, those delays are damaging.
Data extraction at the scene
When technology and training are given to frontline investigators, the flow of evidence changes. An investigator in the field will extract data on a digital device that has been legally obtained from a suspect or witness. Instead of sending that entire exhibit into the lab so that the forensics experts can just push a button to extract data, the frontline officers can do the extraction, then the highly trained digital forensics staff can dig into the information.
A missing-persons investigation by Australia’s Queensland Police Service highlights the value of equipping officers with knowledge and technology. In the past, the department dealt with an overwhelming amount of digital data connected to investigations, but investigators had no way to glean insights from the information. That scenario changed when homicide investigators received training to ensure digital data is captured as soon as an investigation begins. The training was supported with products to extract and decode data, as well as devices for cloud extractions.
In part because of the emphasis on earlier collection of digital evidence, the Queensland Police Service has solved in excess of 97% of its homicide cases. The digital evidence transformation, says Detective Senior Sergeant Chris Knight, “allowed us to place our resources into precisely targeted areas and get independent corroboration that confirms our data is accurate – which gives us greater credibility in court.”
The policy of putting more resources on the front lines paid off in 2015, when a young woman was reported missing by her family. Queensland police established that she was last seen with a 19-year-old man who insisted he’d picked her up at school, drove her to another location, and left her.
To establish the facts and validate the man’s version of events, the Queensland homicide team performed a data extraction of the suspect’s phone, discovering geolocation data placing him about five kilometers south of where he told police he was at with the missing woman. Investigators used the new location data to ask local businesses and residents to share CCTV footage and search their properties for signs of the missing woman.
When investigators reviewed the CCTV footage, they were able to see the suspect – and find the missing woman’s body. Further data analysis tied the suspect even more tightly to case, such as turn-by-turn directions requested of Google Maps matching the CCTV footage.
Training and tech make the difference
The field extraction of the suspect’s digital data was what drove the investigation in the Queensland case. It gave investigators the gifts of speed and clues. They knew the suspect’s story wasn’t true, but with the rapid availability of relevant data, they were able to prove the man’s lies right away.
Investigator training was also vital in this case. The homicide investigators were able to prove the suspect’s claims were false, one lie at a time. For example, later in the investigation, the man began claiming that he had accidently choked the woman. But investigators and prosecutors pushed back with evidence that the man had searched for videos with the term, “best way to dispose of a body,” showing premeditation.
Let’s consider an alternative approach – where someone in the forensic lab, without the full context of the case, collected and analyzed the data. For example, the front-line investigators might know that an image of a red vehicle could blow the case open – but the forensic lab examiner would not know such specifics.
These silos need to be broken down, and the best way to do so is by empowering investigators with knowledge and tech to accelerate their own policing skills.
Forensic's monthly column, Digital Intelligence in the 21st Century, is authored by Heather Mahalik, Senior Director of Digital Intelligence at Cellebrite. With over 18 years of experience in digital forensics, Mahalik has been an expert of choice for many law enforcement and intelligence agencies. She has worked high profile cases from child exploitation to Osama Bin Laden’s digital media.