Computer Forensics: Managing and Securing Data


co-authored by Andy Martin, Technical Account Engineer/EMEA, Cellebrite

There is seemingly no end of questions to answer and record when collecting and analyzing data from digital devices gathered in the course of criminal investigations. How have the devices been stored? Have officers had interactions with the devices? How were the devices being transported? Were they turned on or turned off? And so on.

On the long path from collecting devices and their digital data at crime scenes and from witnesses to the courtroom, where prosecutors must defend their evidence, there are many points at which the chain of evidence for data can be compromised – and many points where errors can be made. Documentation of every step – from the moment an officer acquires a device to the moment that officer no longer has it – is critical to protecting the chain of evidence that allows for the successful administration of justice. If officers and investigators fail to document each step and maintain that chain of evidence, they open themselves up to severe problems if the case goes to court.

Below, we’ll document some of the chain-of-evidence weak points, and offer suggestions for avoiding common mistakes that can impact the chain.

One important point: if your department is already managing the chain of custody successfully, the goal should be not so much to “improve it” as to “reduce it”. The fewer steps there are in the chain of evidence, the more secure that chain is. The same goes for the people involved: the fewer people who take part in the chain of evidence, the more secure the chain will be.

Another key piece of advice to go along with the need for detailed documentation: If you are uncertain about a process or a step in the chain of evidence, ask your lab. They are the specialists, and the people who have to write the SOPs (standard operating procedures) across a police force. This includes everything from which devices should come to them for analysis, to whether phones should be put in Faraday bags before transporting them to the lab.

Tactics and workflows for digital devices vary widely by manufacturer and operating system, so it is not easy to offer specific advice that applies to every device and every situation. Take BlackBerry devices, for example, which are not as common as they used to be. The basic practice for securing a BlackBerry used to be to remove the battery immediately to preserve the data on the device, and to replace the battery once the device reached the lab. The problem is that removing the battery stops the device clock: when the battery goes back in, the clock resumes from the time of removal, so the device’s timestamps no longer follow real time and the examiner no longer has a consistent time flow to rely on.

However, the suggestions below should apply on a high level to most situations involving collecting and managing devices.

On the frontlines

Frontline officers are critical in the chain of evidence process. They are usually the first ones who collect the devices from crime scenes and witnesses, so their actions can set the stage for the chain of custody. Here are some best practices for keeping that evidence intact.

Resist the urge to change the state of devices: Officers should never try to gain entry into devices on their own. The same advice applies regarding turning devices off and on. Depending on the device and operating system, such changes can alter the state of the device; turning devices on or off can also impact forensic examiners’ ability to gain access to the device.

Perform data extractions onsite to reduce steps in the chain of evidence: Frontline officers should have the tools to perform simple data extractions at crime scenes or when speaking to witnesses. Thanks to advances in the technology, officers can carefully extract only the data that is needed for the case, unlike in the past when the only choices were a simple logical extraction or a more extensive physical extraction. If the tool has selective extraction capabilities, frontline officers can choose to extract only chat app conversations, for example.

As mentioned above, it is important to train frontline officers that the lab is their “North Star,” and that they should always look to the lab for guidance.

At the lab

If digital forensic labs are the North Star for the rest of the police force, the lab’s examiners must also take on the tasks of training as well as creating SOPs. Training, SOPs, and documentation are the best defense against gaps in chains of evidence.

Asset management is critical: When law enforcement officers arrive in court to present evidence, they may be asked, “What software was used to analyze this device? What version of the software was used, and when was it installed?” Inconclusive answers can allow attorneys to raise doubts regarding the evidential process and divert attention from the actual content of the case.

No law enforcement officer wants to wonder if their evidence might be inadmissible because they have missed this basic element in the chain of custody. To avoid this scenario, labs can adopt solutions that help ensure evidentiary integrity by capturing metadata from every extraction, while also managing system usage.

Track evidence as it is shared: As labs prepare to share digital evidence with a wider audience, they need centralized tools that provide a complete audit trail to secure the chain of evidence, documenting who interacts with the evidence, when, and how.
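The two points above (recording which tool and version produced each extraction, and keeping an audit of who handled the evidence and how) come together in a tamper-evident custody log. The following is an added example, not code from the article, Forensic, or Cellebrite: every custody event for a seized phone is hashed together with the previous event’s hash, so a later edit to a recorded officer, time, tool version or image hash breaks the chain at a known position. The officers, exhibit number, tool name, version and image bytes are constructed for the example.

```python
"""Added example: a hash-chained chain-of-custody log for a seized phone.

Every event (seizure, transport, receipt, extraction) is hashed together with
the previous event's hash. Editing any recorded field later breaks the chain.
All names, exhibit IDs, tool versions and image bytes here are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the very first event


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(fields: dict) -> bytes:
    # Stable serialisation so key order and whitespace never change the hash.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


@dataclass(frozen=True)
class CustodyEvent:
    seq: int
    timestamp: str          # ISO-8601 UTC, written by the logging system
    actor: str              # who handled the exhibit
    action: str             # seized / transported / received / extracted
    exhibit_id: str
    details: Dict[str, str]
    prev_hash: str          # entry_hash of the preceding event
    entry_hash: str = ""    # hash over every other field of this event


def hash_event(ev: CustodyEvent) -> str:
    body = asdict(ev)
    body.pop("entry_hash")
    return sha256_hex(canonical(body))


class CustodyLog:
    def __init__(self) -> None:
        self.events: List[CustodyEvent] = []

    def append(self, timestamp: str, actor: str, action: str,
               exhibit_id: str, details: Dict[str, str]) -> CustodyEvent:
        prev = self.events[-1].entry_hash if self.events else GENESIS
        ev = CustodyEvent(len(self.events), timestamp, actor, action, exhibit_id, details, prev)
        ev = replace(ev, entry_hash=hash_event(ev))
        self.events.append(ev)
        return ev

    def verify(self) -> Tuple[bool, Optional[int]]:
        """(True, None) if the chain is intact, else (False, index of first bad event)."""
        prev = GENESIS
        for i, ev in enumerate(self.events):
            if ev.seq != i or ev.prev_hash != prev or hash_event(ev) != ev.entry_hash:
                return False, i
            prev = ev.entry_hash
        return True, None

    def extraction_record(self, exhibit_id: str) -> Optional[Dict[str, str]]:
        """Tool, version, install date and image hash recorded for an exhibit."""
        for ev in self.events:
            if ev.exhibit_id == exhibit_id and ev.action == "extracted":
                return ev.details
        return None


def image_matches(log: CustodyLog, exhibit_id: str, image: bytes) -> bool:
    """Does an image presented later hash to what was recorded at extraction time?"""
    rec = log.extraction_record(exhibit_id)
    return rec is not None and rec["image_sha256"] == sha256_hex(image)


def tamper(log: CustodyLog, index: int, rehash: bool = False, **changes) -> CustodyLog:
    """Copy of the log with one event edited; rehash=True also recomputes its hash."""
    copy = CustodyLog()
    copy.events = list(log.events)
    ev = replace(log.events[index], **changes)
    if rehash:
        ev = replace(ev, entry_hash=hash_event(ev))
    copy.events[index] = ev
    return copy


# Constructed sample image and custody history for exhibit EX-001 (not real data).
SAMPLE_IMAGE = b"constructed phone image bytes for the example"


def build_sample_log() -> CustodyLog:
    log = CustodyLog()
    log.append("2021-03-12T09:14:00Z", "PC 4471", "seized", "EX-001",
               {"device": "smartphone", "state": "powered on, screen locked", "faraday_bag": "yes"})
    log.append("2021-03-12T10:02:00Z", "PC 4471", "transported", "EX-001",
               {"to": "Digital Forensics Unit", "sealed_bag": "B-20391"})
    log.append("2021-03-12T11:30:00Z", "DFU examiner 02", "received", "EX-001",
               {"seal_intact": "yes"})
    log.append("2021-03-15T14:05:00Z", "DFU examiner 02", "extracted", "EX-001",
               {"tool": "example extraction tool", "tool_version": "7.4.1",
                "tool_installed": "2021-02-01", "extraction_type": "selective: chat apps",
                "image_sha256": sha256_hex(SAMPLE_IMAGE)})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify())
    print("image matches:", image_matches(log, "EX-001", SAMPLE_IMAGE))
    print("silent edit:", tamper(log, 1, actor="PC 9999").verify())              # caught at event 1
    print("edit + rehash:", tamper(log, 1, rehash=True, actor="PC 9999").verify())  # caught at event 2
```

One caveat the chain makes visible: an editor who rewrites the last event and recomputes its hash is not caught, because no later link depends on it. In practice the latest entry hash should be anchored outside the log, for example written into the signed case file or a separate audit system, so that the head of the chain itself cannot be quietly replaced.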

Forensic's monthly column, Digital Intelligence in the 21st Century, is authored by Heather Mahalik, Senior Director of Digital Intelligence at Cellebrite. With over 18 years of experience in digital forensics, Mahalik has been an expert of choice for many law enforcement and intelligence agencies. She has worked high-profile cases from child exploitation to Osama Bin Laden’s digital media. Check back the second Friday of every month for more digital intelligence as Mahalik takes on managing and sharing data, testing and validation, highly encrypted phones and more.

Co-author Andy Martin has served 20 years in the public sector across Her Majesty’s Armed Forces and within Lancashire Constabulary with roles such as Emergency response, CT-LSO, Counter Terrorism, Borders Policing, and digital forensics across the North West, UK. Martin joined Cellebrite in 2019 and works with customers to better understand their needs and requirements whilst providing assistance and guidance to align current and future capability needs.

