At the scene: Analyze devices faster and get results

Sometimes red flags pop up pointing to a need for change, and that’s exactly what happened in the Pasco County, Fla., Sheriff’s Office a few years ago.

Narcotics and vice officers executed a knock-and-talk at a home, and when the suspect wouldn’t allow them in, they secured a warrant and returned hours later. When officers finally gained entry, they confirmed it was a grow house.

But the red flag that popped up had nothing to do with drugs. It had to do with the fact that in the hours between law enforcement’s first and second visits the suspect left the pot plants intact but destroyed every piece of digital evidence.

“It was the push we needed to put an in-house digital evidence lab together,” says Det. Sebastiano Pepenella, who now performs digital examinations in the county’s two-man digital forensics lab.

Police in Marble Falls, Tex., experienced a similar awakening when officers confiscated a hard drive from a suspected child pornographer, then waited two years for the state lab to finish processing the forensic evidence. They finally made an arrest, but during that two-year lag time the suspected pornographer had been working as a school bus driver.

“This story shows that if you can get to the evidence more quickly, you can at least take the bad elements out of the picture until you can convict them,” says Suresh Sundarababu, Dell global solutions manager.

According to Det. Michael Fazio of the Bloomington, Ill., Police Department’s cybercrime unit, many departments don’t think their inability to process digital evidence is an issue, until it becomes one in an actual case. But it is a growing concern, he says, pointing out that “about 80 percent of everything a suspect deals with touches something digital. And if that person is touching something digital, he or she is leaving evidence behind.”

The reality is that as more criminals rely on computers and digital devices to commit crimes, law enforcement increasingly needs computers to fight back. Recognizing the explosive growth in digital evidence, the FBI proclaimed in 1999 that it would set up regional computer forensics labs (RCFLs) across the country to handle law enforcement’s digital forensics needs. Today forensic examiners in these labs effectively extract and analyze data from digital sources, such as computers, jump drives and phones, but demand for these services is high and turnaround incredibly slow.

“There’s been an opinion for many years now that only the experts can handle digital media,” says Tom Eskridge, partner at High Tech Crime Institute Group, a Florida company devoted to providing high-tech computer training to law enforcement. “But by sending every piece of evidence to a state RCFL, the evidence sits there for an average of 13 months before it gets examined. It’s like sending every person who comes to an emergency room into the operating room for surgery.”

Digital triage provides a light at the end of the tunnel for this winding and rocky road of digital evidence. “The tools needed to retrieve data from devices are not as expensive as they once were,” Eskridge says. “And in the case of cell phones, especially, about 70 percent of the time data can be retrieved from them by someone with minimal training.”

Digital triage

The concept of digital triage is simple: Police rely on a procedural method to prioritize which digital devices require in-depth forensic analysis and must be sent to a state lab, and which ones can be analyzed at the department via a simplified triage scan.

Eskridge likens the concept to what law enforcement currently uses with fingerprints. Years ago, when Eskridge worked as an officer in Compton, Calif., he never collected a fingerprint in 11 years; a crime scene investigator did that. Today line officers can collect their own fingerprints at the scene, unless the fingerprint lies on a surface, like paper, and requires fuming back at the lab. “If only special cops could fingerprint a crime scene imagine how backed up a crime scene investigator would be,” he says.

Advances in digital forensics technology have made it possible for an officer with minimal training to retrieve digital evidence and utilize it for investigative purposes. Today, officers can gain intelligence data off a device in hours instead of waiting weeks, months or years for the lab to get to it, according to Eskridge.

The first step in the triage process, no matter if it’s a PC, a laptop or a cell phone, is to isolate the device, or in other words take it off the network. That might mean unplugging the modem, disabling the wireless or blocking access to the cell phone network. “This prevents suspects from going online and wiping out their phones or computers wirelessly,” says Eskridge. “Then no one is going to recover data from it because the data is gone.”

Depending on the details of the case, officers can then decide to forensically examine digital evidence at the crime scene, at the department forensics lab, or send it out to the state lab for processing.

When the Pasco County Sheriff’s Office originally designed its lab, officials focused on bringing all evidence in to the department lab. Soon they realized they also needed to forensically analyze digital devices on-scene. “We once had an investigation where we had close to 60 computers at the scene, but according to the warrant, none of the computers could leave the business,” Pepenella says. “We had to process them at the scene, and because of the equipment we had, we were able to do it.”

While Pasco County performs most processing back at its home base, when cases warrant immediate analysis they do it in the field. “Ultimately though we prefer to bring everything back to the lab because we can process it in a more controlled environment,” he adds.

Sometimes there is simply no choice but to send the digital device to a lab, according to Pepenella. He explains that at times officers cannot bypass a cell phone or computer password because a JTAG has been used to block access. “These devices have to be sent out because a forensics examiner must take them apart to recover data,” he explains.

The primary advantage of digital triage is improved access to forensic evidence. “Ninety percent of the digital media recovered is never looked at because it’s no longer needed by the time the lab gets to it,” Eskridge says.

Consider this example: Authorities confiscate a computer in a fraud case and send it to the state RCFL. In the 13 months it takes for state officials to examine that computer, the suspect may have already pleaded guilty to two charges of fraud and been sentenced to 90 days in the county jail and two years of probation. Eskridge explains, “If I’m a bad guy, I’ll plead guilty right away, knowing that if I let the case drag on and authorities actually look at my computer, I’ll be facing 100 counts of fraud and state prison. In this example, when the lab finally gets to that computer a year later, the detective tells them the case was already plead out, and state officials never look at the hard drive. Now imagine that same case if they had looked at that drive immediately.”

Triaging cell phones in particular can have an immediate impact. “Cell phones are much easier to triage than a computer,” he says. “We have what we call the 85 percent rule. Eighty-five percent of the cell phones you come across could be lawfully searched when officers seized the phone. Officers could get the exact same data in five minutes that they would have received two weeks to a month later from the crime lab.”

The result is faster turnaround. Pasco County’s official turnaround is 30 days for cell phones and six months for computers. “But realistically we’re looking at about a month for computers and a week for cell phones,” Pepenella says. “And sometimes, depending on the case, we process them right away.”

Faster turnaround boosts law enforcement’s crime solving capabilities. “We had one case where detectives had an accusation that involved sexual battery, and with the information [the investigator] got off the cell phone, he was able to conclude his case in a matter of hours,” Pepenella recalls.

A department that wants a full-blown computer forensics lab, one that can handle 95 percent of all digital investigations, requires the following technology:

  • Write blockers. The UltraKit III from Digital Intelligence, for example, houses a complete set of write blockers that allow investigators to capture a forensically sound image of a hard drive or storage device. The hard drive duplicator, Data Copy King (DCK) from SalvationDATA, also can be used for this purpose.
  • Specialized digital forensics software, such as Guidance Software’s EnCase Forensic or AccessData’s Forensic Toolkit (FTK).
  • Software designed to analyze phones and other portable devices. Susteen’s SecureView for Forensics, Micro Systemation’s XRY, Paraben Corporation’s P2 Commander, and Cellebrite’s UFED Ultimate all perform forensic analysis of today’s cell phones, including smart phones.
  • A powerful forensics computer. Forensic Computers Inc., HTCI and Digital Intelligence will custom-build computers to meet a department’s digital analysis needs. “This is not a computer that can be purchased at Best Buy,” Fazio explains. “It won’t have the power to run digital forensics software.”
  • A forensics laptop, such as a rugged laptop from Dell, to perform digital forensic analysis in the field.
  • A dedicated server to store digital evidence.

But with a $50,000+ price tag to get started and $30,000+ in annual upkeep after that, a full-blown lab may be more than the average mid-size department can afford. The good news is they can enter the digital forensics space on a smaller scale, says Eskridge. “Smaller departments can add a triage-level forensic capability that works for 70 to 80 percent of their cases,” he says. “This type of lab can be set up for about $10,000, including a cell phone solution.”

This capability would allow smaller departments to perform first-level triage, or scan devices for investigative information. In a child pornography case, detectives might employ technology such as Paraben’s P2 Commander or Dell’s Mobile Digital Forensics software to collect pictures off the computer.

Cell phones can be quickly processed with tools that rely on advanced plug-in technology to quickly search through emails, chat logs, messages, Internet files and call data. “Cell phone forensics tools fit well with the whole triage concept,” says Eskridge. “With a $2,500 tool and five minutes, they can retrieve the same information they’re going to get from a lab in three months.”

Meanwhile computers may be searched with triage tools from Guidance Software and AccessData, which have a lower price point than their more advanced software. AccessData’s AD Triage allows officers to safely view and collect data from computers at the scene, while EnCase Portable is delivered on a USB device that allows officers to quickly and easily collect digital evidence in a forensically sound manner.

Dell’s Mobile Digital Forensics solution utilizes Dell rugged laptops running SPEKTOR software from Evidence Talks to collect forensic intelligence in the field. This system also identifies and pulls data from desktop computers, laptops and portable devices. But its primary advantage is that it puts all the digital forensics tools into one “suitcase.”

“The problem with triage is that some triage devices are very specialized. Some only do phones, some lend themselves to laptops and computers, others only do GPS or satellite devices,” says Sundarababu. “The second problem with many devices is that the analysis still must be performed by a very experienced person. Dell combines all of these capabilities into a single system, and you don’t have to be a forensic expert to do the work.

“An investigator simply asks the system to look for specific types of evidence, such as emails, images, etc., and then the tool automatically scans the device for this data,” he continues. “And before, if they had 3 terabytes of data, it would take them weeks to process. This scan takes just minutes.”

Digital triage tools are meaningless however without training, says Pepenella.

Officers running digital forensics exams need a basic understanding of digital devices and the information they may house. They also require an understanding of how digital technologies store data, the file formats they use, and the operating systems they employ.

Pepenella recommends departments tap into the free classes offered by NW3C to develop a foundation for computer forensics exams. They can then obtain advanced training from places such as the Federal Law Enforcement Training Center (FLETC), the Department of Defense Cyber Crime Center (DC3), and SEARCH.

But before investing a dime in technology or training, Pepenella advises agencies to do their homework. “Reach out to someone in law enforcement who has done this for awhile,” he says. “Ask them how they store their data, how they conduct their investigations, and for their recommendations on how to streamline the process and make it better.”

And, above all, Pepenella advises departments to take action now. “Don’t wait for a red flag to pop up in your jurisdiction before you realize the need for this capability,” he says. “Law enforcement needs to embrace the digital investigation, or they are going to be left behind, while the criminals move ahead.”