7 Responses to Challenges in Digital Forensics

Tactics for handling the constant change and growing challenges for law enforcement in digital and mobile forensics, and seven responses that can help address them.

Lead Technical Sales Engineer for MSAB, Wil Hernandez
MSAB

It is impossible to overstate the importance of digital forensic evidence from mobile phones and other mobile devices in most criminal investigations today, now that virtually every person carries one or several mobile phones and uses multiple apps—and as a result generates tremendous amounts of digital evidence that may indicate where they’ve been, what they’ve done, who they’ve communicated with, and more. 

"Mobile forensic evidence and the technology to acquire and analyze it grow more critical every day."

As a result, in recent years, most U.S. law enforcement agencies have been increasing their investments in digital forensics—adding and training more officers for digital teams, buying additional technology and tools, and taking other steps to increase their operational effectiveness using digital evidence.

But there are significant challenges threatening forward progress in this area: 

♦ The “going dark challenge” refers to the increasing level of encryption and security built into many mobile phones today, and the resistance of phone manufacturers to cooperating with law enforcement, even when faced with court orders in many cases.

♦ The big data challenge, caused by a combination of technical advances that enable the newest mobile phones to store huge volumes of data, and changing consumer—and criminal—behavior in the way we use mobile phones and apps. This growth in data volume makes the analysis of mobile phones more time-consuming than ever, in multiple ways: time required for the extraction of each device with mobile forensic tools, time for review and analysis of the data, time for reporting that data in a form that prosecutors and others can use, and more.

♦ IT infrastructure-related challenges, such as the growing need for storage of all types of digital information, from digital forensics and also from new sources like body-worn cameras, closed circuit video, and more.

Ten years ago, investigators were likely to recover a small number of mobile phones in most investigations, such as an average of one or two devices for each suspect. Now, they may recover 5 to 10 times that many phones, based on criminals’ changing behavior. And each subsequent new device is likely to have far more storage capacity and data. The extraction, decoding and analysis processes take far more time. It’s a major dilemma—more phones, more data, more time required for analysis, more encryption blocking access, a growing backlog of devices, and a growing demand for IT storage capacity to store all this data in addition to the storage explosion driven by body camera data.

How are innovative police agencies and leaders tackling these problems? What are public safety technology vendors doing to help? What can we expect to change in the next few years, based on how rapidly things are changing in this field?

Positive options and responses

♦ New analysis methods to save time. A number of software tools used by digital investigators have added time-saving features to help speed up analytic work, for example automatic image recognition that sorts images by content, such as weapons, people, drugs, nudity, etc.

♦ Geolocation and time-based filtering. Many software tools have improved the precision of their filtering and search capabilities to help investigators focus more narrowly on specific time frames, and specific geolocations, and to pivot their searches from any data point, such as a suspect name, phone number, vehicle license, address, etc.

♦ Integration among vendors. Many software companies are collaborating so that investigators can export datasets from one tool and use that data in another tool, or are incorporating known tools such as Project VIC into their software, so that investigators can rapidly acquire and see that vital data in a mobile forensic examination.

♦ Faster extractions. It takes more time to extract data from mobile devices with more storage capacity, like today’s 256 Gigabit models. But software makers are also building in more options on the extraction profile menu to let examiners extract only selected artifact types on their first extraction, and take other steps to use a fast, triage approach initially, and then follow with a more complete, top-to-bottom extraction as a follow-up step. Another option is giving customers multiple ports so that they can extract up to three mobile phones simultaneously on one computer or peripheral device.

♦ New technology. In 2018, the start-up company Grayshift introduced its GrayKey product to enable law enforcement agencies to unlock iDevices. GrayKey users still need other mobile forensic tools to decode the extracted data.

♦ Training more people to extract and analyze mobile phones. This is a growing trend, using specialized touch screen computers with simplified, step-by-step workflows that make it possible for frontline officers to perform their own extractions and quickly view the results in the field instead of sending all devices to digital labs, where there are often long delays to get results.

♦ Centralized management of mobile forensic operations. If law enforcement agencies increase the number of people working with digital evidence, they need proper control and management to ensure the work is compliant with standards and can be defended in court. With a network of forensic stations, supervisors can track who’s doing what and where, move forensic data from point to point, set policies and control usage.

Mobile forensic evidence and the technology to acquire and analyze it grow more critical every day. By using some of these approaches, your agency can keep pace with this reality.
