Three proven tips to unleash the value of frontline digital forensics
Mobile phones are used in all types of investigations and these devices leave critical evidentiary traces. Volume crime can be solved quickly and effectively if the evidence is available immediately for interviews with suspects at the time of their arrest. However, that can’t happen if you have officers waiting weeks for a forensic report to be returned from a remote forensic laboratory staffed by specialist experts.
Many of our customers face three core challenges:
Core challenge 1: Volume of data
Growth in the use of digital technology has led to exponential growth in demand for digital forensics examinations. Many of our customers have the need to increase their mobile forensic capacity outside the digital forensic labs.
The increase in data volume and in the number of data sources submitted as evidence, such as Internet of Things (IoT) devices and cloud computing systems, has caused the digital forensics process to take longer than before. This results in backlogs and delays to investigations. These delays and backlogs impact victims, witnesses and suspects waiting for the outcome of investigations, and often for the return of their devices. They also increase the risk of delaying bringing offenders to justice.
Core challenge 2: Complexity of mobile data forensics
The diversity of devices presents a complex challenge. There are ever more types of devices, increasingly with end-to-end encryption. Digital evidence is no longer confined to a single host but is scattered amongst different physical or virtual locations such as online social networks, cloud resources, and personal network-attached storage units. For this reason, forensics experts need more time and training to completely and correctly reconstruct evidence and to be able to extract data from mobile devices outside the lab.
Core challenge 3: The digital evidence legitimacy
Privacy is a fundamental human right. For victims and witnesses to surrender their mobile phones with confidence, it is vital that they know frontline personnel are taking all reasonable technological precautions to mitigate the risks associated with personal data intrusion via mobile phone extraction.
But to meet the challenge of rising data volumes, encryption and cloud storage, law enforcement officers and other frontline personnel need to work in new ways, and it is crucial to maintain public trust and confidence while doing so.
The solution: new possibilities to improve digital forensics operations
The MSAB Ecosystem approach helps organizations unlock the full potential of mobile forensics, helping them fulfill their missions. It helps eliminate processing backlogs, improves the speed and effectiveness of investigations and provides the oversight and reporting that managers need for efficient, high-performance operations. It will ensure consistent quality of digital evidence through the use of tailored workflows that follow your organizational operating procedures, with minimal need for personnel training.
Since 2014, MSAB has, together with our customers, implemented solutions for frontline forensics, from small stand-alone implementations to nationwide centrally managed mobile forensic networks. No other company in the industry has such long and in-depth experience of organization-wide implementations.
One of the things we have learned is that there is no one solution that fits all customers. The organizational and technical premises are different from one organization to another, and the legal framework can differ from country to country or even between authorities in a single country.
The MSAB Ecosystem Solution makes it possible for each customer to tailor the solution to their specific needs and prerequisites. But in order to successfully decentralize mobile forensics in an organization, it is essential to take three aspects into consideration: people, processes and technology.
- People – Who will do the extractions? Who will need to have access to the extracted data?
Mobile forensics is often just one of the tasks for frontline forensic users. It is important to consider whether the intended users have the necessary competence, time and motivation for the new task.
There is strong operational efficiency evidence showing that putting tools into the hands of frontline personnel, enabling them to extract data locally, will speed up results and save money. This leads to faster suspect processing, increased detection rates and reduced overall costs of investigation.
Appropriate training based on the users’ existing skill level is important to increase their understanding of digital forensics. This equips users to handle the new technology as well as the technical challenges they may encounter when extracting data from mobile devices.
- Processes – The importance of a proper, well-documented process for mobile forensic examination cannot be stressed enough for the successful implementation of frontline forensics. Surprisingly often, customers lack a well-defined process or, even if they have one, it is not documented.
Workflow technology incorporated in our frontline forensic platforms (such as the MSAB Kiosk, Tablet and XRY Express) provides the means to enforce organizational processes and secure unified ways of working across the organization. Our Professional Services team helps customers to translate their standard operational procedures (SOP) into a workflow on the frontline forensic platform.
In many cases this work also means that the customer, on their own or with our assistance, refines and documents the process, which in itself provides added value for the organization.
The differentiated handling of seized devices depending on the crime and its classification is an important part of the process. Many customers classify devices in three levels.
  - Level 1 devices (petty crime, etc.) are always extracted by the frontline personnel at the local site only.
  - Level 2 devices may be escalated to regional or central laboratories in the event of the local frontline forensic officer having problems extracting the device or if a more advanced extraction method than what is available at the local site is needed.
  - Level 3 cases, devices from serious crime cases, are always directly forwarded to forensic experts.
MSAB’s workflow technology makes it possible to adapt the workflow for different user groups, different types of extractions and different types of crime cases.
- Technology – The organizational objectives as well as the economic and technical prerequisites may differ greatly for different customers. Therefore, a modular and scalable solution is essential.
The strength of the MSAB Ecosystem solution is its modularity. The customer can choose the modules and technical solutions that best meet their needs. Take the extraction platforms as an example: each of them – MSAB Office, Kiosk, Tablet and XRY Express – contains the same XRY software functionality but each platform is optimized for different users and use cases.
Scalability is another important aspect. A centralized digital forensic platform can help in organizing the handling of the digital evidence. Most of our customers begin on a small scale and grow as they go. The Kiosk and Tablet platforms allow for both local and central management.
For customers who can connect their extraction platforms in a network, XEC Director provides enormous efficiency benefits through central management whilst still allowing regional/local differences in configuration. For customers who cannot connect their extraction platforms to a network, a cloud-based management solution, or data storage, could be an alternative.
About the author:
Anna-Maija has spent her entire professional career in the IT industry. Before joining MSAB she worked with IT solutions for knowledge management and knowledge certification. During her 12 years at MSAB Anna-Maija has been responsible for many different countries and regions around the world and thereby acquired experience of the differing needs and premises of our customers.