Conducting Digital Forensics in the Field

by Andrew Martin, Pre-sale Engineer Expert, Cellebrite

By now, most officers know that when they are the first responders at a suspected crime scene, digital evidence like phones and computers needs as much care as blood droplets and footprints. Phones, tablets, and computers need to be kept secure in officers’ safe hands until they can be handed over to the digital forensics experts.

But sometimes it may be necessary to engage in digital field forensics—that is, the collection and, if possible, viewing of digital evidence at the scene in order to make quick decisions about a person at risk, or about preventing future crimes. In these cases, officers may be called upon to collect evidence, using field technology that can preserve the chain of evidence while lawfully collecting actionable intelligence in accordance with local SOP and ISO requirements.

Gathering evidence in the field can also help reduce the backlogs at forensic labs that slow down analysis of evidence. If frontline officers can collect specific pieces of evidence, using lawful tools that preserve the chain of evidence, they can reduce the burden on the lab.

Keep in mind that field forensics should be practiced only by officers who have been trained in best practices and who know how to use technology for lawfully accessing and collecting digital data. Field forensics does not mean picking up a phone at a crime scene and scrolling through texts if the phone is unlocked; nor does it mean getting permission from witnesses to view text messages on their phones and then browsing through photos instead. Such “fishing trips” can cause evidence to be lost or rendered inadmissible in court, putting the entire investigation in jeopardy.

Below, we’ll explain when and how field forensics makes sense.

What tools do you need to conduct digital field forensics?

If a witness simply needs to turn over a few photos or videos, it may seem easier to simply ask them to have the evidence texted to an officer’s own phone. But this approach raises all sorts of issues, including the fact that the officer’s phone then becomes part of the chain of evidence. The evidence could also be deleted or altered while it’s on the officer’s phone, which means it would not be admissible in court.

In the same way, taking photos of a witness’s or suspect’s phone screen—showing text messages or images, for example—is not a secure way to capture evidence. A photo of the screen would not include data such as the date and time the original image or text was recorded, which means it has little value as evidence.

If officers need to obtain specific pieces of data from witnesses, it’s better to use apps that safely capture the evidence and upload it to third-party servers. Witnesses can scan a QR code that allows specific files to be sent wirelessly to the officer’s device while being kept forensically sound. 

Another point in favor of using an evidence-collecting app is that frontline officers don’t need to take possession of devices. This is an important benefit when working to gain trust with witnesses, who might balk at being told they have to give up their phones for days or even weeks for the evidence to be collected. It’s far easier to obtain witness consent when the process of sharing digital evidence only takes a few minutes.

If frontline officers believe they need more than a few specific pieces of evidence, they may have access to portable devices that can extract a fuller range of data, including information from applications, where the vast majority of communication data is held on modern devices. These devices can also use selective-extraction techniques to obtain only the data that is relevant or that the subject has consented to provide.

Why conduct digital field forensics?

The nature of the crime may dictate the urgency of collecting data in the field instead of bringing devices back to the forensics lab. If a person has been kidnapped or someone’s life is in danger, for example, accessing digital evidence may be time-sensitive.

However, if a device is damaged or locked, it’s best to bring it as quickly as possible to skilled digital forensics investigators. They should have the knowledge and technology available to bypass locked devices, or extract data from damaged devices.

There are other situations where on-the-spot digital evidence collection can help preserve public safety. One European law enforcement agency we’re familiar with regularly engages in digital field forensics when conducting follow-up visits with registered sex offenders. The officers, who are additionally trained as basic forensic examiners, can bring technology to quickly examine digital devices—which the sex offenders must consent to.

In one recent case, examiners used a field solution device to examine a registered sex offender’s phone and discovered images of a child. Using another tool within the evidence-gathering process for indecent images of children, the examiner found indecent images of children hidden on the man’s home computer. At this point, the man was arrested for new crimes.

Is documentation important for field forensics?

As the old saying goes, “If it’s not written down, it hasn’t occurred.” So yes, frontline officers need to manage data properly to secure the chain of evidence, documenting exactly what they’ve done with devices or evidence as soon as they are collected.

If the device or evidence in question needs to go to the lab, the chain of custody must be auditable from the initial capture through to delivery to the lab. The lab needs to understand what has happened to that device, what state and condition it was in when the officer was presented with it, and what state and condition it was in on receipt at the lab. If officers extract data from a device and create a preliminary report about what they discover, that report should also be passed along to the lab.

Co-author Andy Martin has served 20 years in the public sector across Her Majesty’s Armed Forces and within Lancashire Constabulary with roles such as Emergency response, CT-LSO, Counter Terrorism, Borders Policing, and digital forensics across the North West, UK. Andy joined Cellebrite in 2019 and works with customers to better understand their needs and requirements while providing assistance and guidance to align current and future capability needs.

Forensic's monthly column, Digital Intelligence in the 21st Century, is authored by Heather Mahalik, Senior Director of Digital Intelligence at Cellebrite. With over 18 years of experience in digital forensics, Mahalik has been an expert of choice for many law enforcement and intelligence agencies. She has worked high profile cases from child exploitation to Osama Bin Laden’s digital media. Check back monthly for more digital intelligence as Mahalik takes on managing and sharing data, testing and validation, highly encrypted phones and more.

 
