Justifying Mobile Device Forensics

Nov. 4, 2014
An investigator’s guide to justifying mobile device forensics. The right metrics can help commanders understand what you need for your investigations.

At the International Association of Chiefs of Police Conference, one thing is clear: police chiefs and commanders have a lot competing for their attention. Priorities compete in the lecture and panel tracks, while in the expo hall, products that support those priorities compete for visibility.

Whether you’re a detective relying on digital forensics lab services, a forensic examiner providing them, or even someone spearheading an effort to begin offering them in your agency, it might be difficult to make your voice heard in justifying the technology, positions, or lab space you want. Here are a few metrics you should be tracking to help build your business case.

If you’re an investigator

Your overall goal should be to present how mobile device evidence affects your cases and how you work them. To start with, record the number of cases you work where:

  • A victim’s or suspect’s mobile device contains evidence you need to make your case, such as threatening text messages or child abuse images.
  • Mobile device evidence corroborates other evidence, such as a victim’s or eyewitness’ interview, surveillance video, an inventory of as-yet-unrecovered stolen property, your own observations, etc.
  • Mobile forensics gives you fresh leads: people you would not have considered because a victim or suspect either isn’t fully cooperating or is unable to cooperate.

When measuring these numbers, consider that mobile devices may provide additional context to your cases, beyond the actual crime. For example, while surveillance video might be enough to charge a suspect for a robbery, evidence on the mobile device could show that suspect conspiring with others to plan that robbery or a series of them, that the suspect was connected to previous robberies, or that the robbery was committed to fund or support other crimes.

Keep track of the turnaround time between the time you submit evidence and the time you get it back. How many hours, days, weeks, or months do you have to wait for that evidence from your in-house lab, or a lab out of town?

Also, if you’re regularly going out of town to submit evidence, track how much time you spend driving back and forth per case. Be sure to add this up per month, because it translates into how much time you are spending outside the office not working on cases. Use this to show the need for mobile forensics capacity in your own agency.

If you are a general assignment investigator, be sure also to track the types of cases you work where mobile device evidence is valuable. It may be useful to get as specific as recording what statutes you charged a suspect under.

Audit the number of cases per month and per year that you were able to close as a result of having mobile device evidence—as well as the cases that are outstanding because you are still waiting to obtain the evidence you need.

Finally, when you submit mobile devices, be sure to fill out digital evidence intake forms as completely as possible. Include phone makes and models, whether the device is locked or encrypted, any passwords, the wireless carrier, the presence of SD cards, and types of data you need. This will help your forensic examiners keep better metrics and, ultimately, ensure you get the level of service you need for your investigations.

If you’re a forensic examiner

The key to good metrics starts with a good standard forensic request form, and an SOP requiring all officers to fill one out for each device they submit. If completed correctly—train officers, including FTOs, on how—it will contain all of the information you need to keep good metrics. It will also set expectations for detectives and officers turning in evidence to you.

If you’re an investigator carrying a caseload of your own, in addition to supporting your agency or task force with mobile forensics exams, and your non-forensic caseload is becoming backlogged as a result, maintaining good request forms will also help you explain the problem to your supervisor.

Either way, track the types of cases you’re being asked to process mobile devices for, and whether you have to prioritize cases on a regular basis. Note which cases get priority over others, and how often.

Along similar lines, track the average number of devices that get submitted per case. A high number of felony cases, especially if it means that devices from misdemeanors aren’t being processed, could indicate a need to train additional personnel to collect at least basic mobile device evidence.

Compare the number of mobile devices—tablets, GPS devices, and e-readers count along with smartphones and other cell phones—and the number of laptop or desktop computers, digital cameras, and other forms of digital media submitted to your lab. These ratios can help prioritize budgetary outlays toward different forensic hardware and software.

Track submitted devices’ makes and models. Wireless carriers, even if they are national, encourage different device sales in each region. Tracking these trends shows which devices are most popular. Together with those makes and models, knowing the number of each that are prepaid, passcode protected, and/or encrypted can help you determine which tool(s) would be the best fit for your lab.

Record the size of each device’s memory, and average those numbers—per make, if possible—at the end of the month. Memory size can make a difference in how much time it takes to extract each device, and you should be performing multiple extractions on the same device in order to validate your work. Note how much time it takes you to perform logical, file system, and physical extractions per device, and average these times per make.

Track whether you were able to extract the entire device, versus only partial data, from the different makes and models. These numbers can help you justify tool purchases.

Following an extraction, analyzing the device takes time. Take into account false positives and negatives as well as validation and, if applicable, malware scans. Average the time it takes to analyze each device, and how long it takes to analyze all the mobile devices from each case.

Average the time it takes to create a report per device, per case. This might seem small, but if you’re trying to show that you need a new forensic tool because the one(s) you have are inefficient to use, these numbers can be important.

Measure the degree of communication you have with investigators. Compare the number and type of cases where a detective submits a device along with a request for specific data, versus asking you for “everything on the device.” (Note: this should be easier to record using good standard intake forms.)

Specific data requests can help you reduce the amount of time you are spending on forensic examinations. Make sure to record what data they request—timeline, keywords, content types, etc.—and the average amount of evidence that is relevant (whether inculpatory or exculpatory) to the case.

If you’re supporting crime or intelligence-led policing analysts as well as investigators, find out from them how easy it is to import your mobile device extraction output into their analytic tools.

Plan also to obtain feedback from prosecutors about how the evidence you’re providing enhanced the cases you’ve been working with them to support for trial. Their feedback can enhance your metrics with qualitative input.

These metrics may not be the only ones you can track, but they are a start. Without them, commanders may not be able to weigh your mobile device evidence needs among everyone else’s requirements in your agency. Explain your work in terms of quantitative as well as qualitative impact on public safety, and you should find commanders more receptive to your needs.

Further reading:

3 Questions to Ask about Mobile Device Evidence
