Digital Forensics: Training Best Practices for Officers, Investigators


*Editor's note: This is the last Digital Intelligence in the 21st Century column for 2021, but Heather will continue to write these interesting and informative editorials every month in 2022.

Digital training is vital for investigators and other law enforcement officers. It strengthens their ability to locate and collect evidence that brings criminals to justice and keeps citizens safe, while encouraging officers to move up the career ladder. Unfortunately, when budgets are tight, training tends to be the first thing to go. Training is seen as an intangible – whereas police cars and bulletproof vests are tangible.

In a world where just about every suspect and witness has a digital device, however, cutting digital training eliminates an investment in people – and therefore, a force’s future. Too many law enforcement agencies today worry about retaining talent, and ongoing training is critical for job satisfaction. As officers and investigators either move up in rank or move to different units, training for that unit becomes absolutely essential. And it’s that specialized training that builds motivation and piques officers’ interest.

Now that we’ve given our stump speech in favor of training, let’s share our ideas for creating effective training for investigators on digital evidence collection and forensics.

Digital Training Starts in the Academy

Almost everyone carries a cell phone, which means that almost every single crime scene leaves behind some kind of digital footprint. This is why digital training should always start at the academy level: proper collection of the devices that carry evidence is crucial.

In our conversations with law enforcement agencies, we’ve discovered that many states’ police academies are teaching digital forensics skills. Even if new recruits aren’t angling to become experts in digital evidence processing, they need to know the basics, such as placing cell phones in Faraday bags to isolate them from network access, keeping them powered on, and avoiding the temptation to try to figure out passwords.

Academy training is valuable because it helps us preserve the chain of evidence, but there’s another reason. The new officers coming into police academies are, for the most part, digital natives who recognize the value of the data collected by their devices. This generation knows precisely what kinds of data can be captured – not just the obvious texts and app messages, but map searches and turn-by-turn directions. Law enforcement agencies should seize on this knowledge: We have a prime opportunity now to take advantage of officers’ awareness of the importance of correctly handling digital evidence.

Forensic Tool Basics Go a Long Way

As officers transition to investigator positions and forensic tasks, they’ll go beyond the basics in terms of training – for example, learning how to navigate around hardware and software tools that are used to collect, share, and analyze digital evidence. It’s important for budding investigators to understand core forensic principles before they get their hands on the technology.

The good news is that with these core forensics skills under their belts, investigators can apply this knowledge to many technology solutions. Many agencies and digital forensics labs use a mix of vendor products, so you’ll want to ensure that trainees understand the logic behind forensics processes before you let them loose on new systems.

How to Explain Investigations in Court

At some point, investigators will get their first experience testifying in court about their digital forensics findings. For this experience, investigators need coaching about how to deliver their analysis in a clear and simple manner.

The most crucial skill is the ability to create relatable examples for a jury, since jurors won’t have the deep technical knowledge that the investigator has. However, the example has to be accurate enough so that it will hold up under an opposing expert’s scrutiny.

A good strategy is to speak about the jurors’ own devices. For example, an investigator could talk about how text messages can be deleted, yet still leave behind logs or records that allow investigators to read those same messages. The investigator might say, “When you delete a message on the phone in your own pocket, you swipe left and tap ‘delete’ – but what’s really happening on the back end is that only a pointer is removed.” (The investigator might also note that the comparison isn’t meant to be a word-for-word technical explanation.)

Perhaps the most important and clear explanation that an investigator must make to the jury is the method used for seizing the device. An investigator might believe they have the most locked-down case in the world – but if that device was improperly seized and not handled correctly as physical evidence, then all that hard work gets tossed out the window.

Finding Evidence Beyond Cell Phones

For both academy trainees and more-experienced investigators, training should emphasize that there are many sources of digital evidence beyond what’s on a cell phone. Certainly, there are physical devices, but much evidence is now cloud-based. Obtaining evidence from cloud applications, such as webmail and social media companies, can be a complex process, involving subpoenas delivered to the companies housing the data. But in our conversations with law enforcement agencies, these questions are very much out there, which means officers and investigators should know the basics of lawfully obtaining warrant returns or attaining authority to acquire cloud data.

The training on the broad range of available digital evidence should also include extra guidance on what to look for at a crime scene, or at locations connected to suspects. Where, potentially, could video be found? What else is at the site besides cell phones? Or perhaps the alleged incident took place in an apartment building with controlled access, including digital locks and video that could provide valuable information.

This observed information could be added to an officer’s report to provide guidance to investigators, who could return later to seek access to the evidence. Even simple notes such as “I noticed there was a digital lock on the door,” or, “I saw there was a swipe pad to get in,” provide solid leads for the experts gathering evidence to deepen the investigation.

 
