The Frontline Five
Are you expecting to seize more mobile devices for forensic examination in the future? If yes, then this article should be of interest to you.
You may have heard the term “Frontline” used in digital forensics and wondered what it meant. It is a term we at MSAB coined to explain the quite complex evolution in mobile forensics. An evolution that is being deployed within some of the most advanced law enforcement agencies worldwide.
Frontline is used to encapsulate the evolutionary step of extending digital forensics beyond the traditional laboratory environment staffed by experts, to a regime where multiple tiers of differently qualified staff are involved in the process across the organization. In other words, pushing the technology out to the frontline, so that the most suitable equipment is in the most suitable locations, with the most suitable staff, in order to handle the ever-increasing volume of mobile devices that are seized for evidentiary examination.
Step 1 – IDENTIFY
If your organization is successfully examining mobile devices then, sooner or later, you will become a victim of your own success. You will eventually face a situation where there simply are not enough forensic experts available to examine all the devices being seized. Worse, you will have highly qualified staff working on simple examinations that could be performed by someone without a science degree. It is neither economically viable, nor realistic, to continue hiring ever more experts and building bigger central labs. Sooner or later there comes a tipping point at which you need to break the cycle and decentralize in order to cope with the volume.
If you recognize this situation and feel you can’t go on with the traditional centralized model anymore, what needs to happen next?
Step 2 – ENGAGE
You are going to need to convince the existing establishment that this is the right thing to do. There will invariably be some resistance. Some justified concerns will be expressed and it’s vital that you engage with all stakeholders. First on the list of concerns is usually ‘standards’ – specifically how will we ensure the same quality of work with more junior and lesser qualified staff?
The answer is a combination of both technology and communication. You must ensure that your solution supports the requirement to follow strict operational policies. MSAB Kiosks can offer a tailor-made workflow that will mandate that all users follow strict operational policies in accordance with your organizational process. This means staff can’t proceed with device extractions without meeting certain mandatory criteria and completing numerous data fields to ensure all required information is captured automatically.
Training is vitally important of course, but it is possible to qualify a user as competent with just a single day’s training. This is achievable when the Kiosk is so locked down that the user only ever makes a few key decisions and the rest of the process is turnkey. That’s why prior planning and detailed mapping of the current workflow process is mission critical. Time spent at the beginning going through the process saves a great deal of time and expense later when the technology is deployed. Which leads us naturally on to the next step.
Working with frontline solutions from MSAB gives the additional benefit of being able to generate Management Information reporting automatically through our XEC Director system. The system captures audit and performance data per user, which helps in understanding details like the frequency of crime types and device types. It also generates statistics that help in overall resource planning, allowing you to see the real-time ROI of your investments and plan for the future.
Step 3 – POLICIES
What standards will your organization adhere to in order to ensure quality assurance and the reliability of the digital forensic evidence produced via Kiosk solutions? Do you currently have a standard operating procedure or set of policies for mobile devices as to how they should be examined and by whom?
Taking time to review where you are today and what would need to change in order to adapt to Frontline, is time very well spent. The more preparation upfront the easier everything goes at rollout. There are, of course, always unexpected variables. However, engagement across the board so that all the stakeholders know the plan and can contribute, is vital to success.
A key consideration will be deciding what level of acquisition capability (logical or physical) a frontline Kiosk user should have. On the surface this sounds simple, and many organizations want frontline users to have logical-only access to keep extractions simple and relatively quick. However, in our experience, the question of examining memory cards found inside devices comes up very quickly. A logical examination of a phone is acceptable, but for a micro-SD card inside it there is little value in a logical examination alone: a physical dump of the card can also recover deleted data, which a logical extraction cannot. These are the sorts of questions that often don’t come up until users are already operational, and they are well worth settling in advance to avoid the need for later changes to policy and configuration.
Another subject that comes up a lot is documentation; how will you ensure hundreds of examiners all follow and produce evidence to the same standard in written form? Many organizations use a proforma statement and hope staff complete it in the same way. But the option now exists to mandate that users complete the contemporaneous notes in the workflow within the Kiosk itself in order to generate a document. Users can’t proceed without completing these fields and they are forced to follow the process your organization decides is best practice. At the end of the examination process there will be, alongside the XRY files, an automatically generated report document that is to the same high standard every time.
The next most common objection is the issue of networking…
Step 4 – NETWORKING
Not having a suitable network to control the ecosystem of products will result in a tremendous amount of manual labour by having to update the Kiosks remotely distributed across your organization. We have a number of early adopter customers who have deployed frontline Kiosk technology to remote locations, and trained staff to operate them, but who were still forced to manually transport data from one geographical location to another. Similarly, when the XRY software needs to be updated (think monthly at this point) someone has to physically go to each location to update the software. This is where a network connected system is invaluable. With our central management suite tool, XEC Director, connected to the network, it will do everything for you at the touch of a button.
Stakeholder engagement from the inception is important. We have been involved in projects where the IT department was not initially consulted, and the resulting problems were painfully obvious: attempting to send a 256GB iPhone dump across a police IT network doesn’t usually make for happy IT support staff. Involve them at the earliest possible stage so that bandwidth, storage capacity and data handling rules are planned for before the first Kiosk goes live.
On a more positive note, one of the beneficial consequences of the recent Covid pandemic is the fact that most organizations have accelerated their adoption of remote working. This has opened up formerly locked down security protocols. This level of increased openness is now empowering some forces to actively discuss cloud based storage of digital evidence.
Why is this important? Well simply put, if your organization is brave enough to deploy frontline technology, you will want somewhere to centrally store the data. Removing the demand for large capacity servers at HQ and going straight to the cloud is a much more cost effective and efficient way to go in the long term. Whatever storage you choose, it must still meet the evidential requirements that apply on site: encryption of data at rest and in transit, access restricted to authorized examiners, and an audit trail that preserves the chain of custody.
Finally, don’t forget the Training.
Step 5 – TRAINING
There is little to no point investing taxpayers’ money in ‘frontline’ to make you more efficient if you choose to overlook the users. Please ensure you get budget buy-in for proper training at the correct level, for all users.
Good practice dictates that users must be competent to operate the technology. Police Officers get training on how to use handcuffs, shoot a gun and use a breathalyzer. Why would your organization not want to invest in training on a more sophisticated digital forensic tool?
One of the ways in which MSAB technology can help you ensure staff remain competent is to use XEC Director as a supervisory tool that manages user access based on rules. These rules can require formal certification and monitor usage of the system over a set period of time. It’s possible to configure the XEC system to deny access rights if a user fails to perform a minimum number of extractions in the required time frame. This automatically enforces both compliance with standards and continued hands-on experience on the frontline.
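To make the rule concrete, the following is an added illustration written for this article; it is not XEC Director’s code and does not reflect how that product is implemented. It models the two conditions described above (a valid certification, and a minimum number of extractions in a rolling window) as a single access decision, and adds one assumption of its own: a user certified more recently than the window length is exempt from the usage check, so that newly trained staff are not locked out before they have had a chance to work. The user records and dates are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class AccessPolicy:
    """Supervisory rule: certification plus minimum recent usage."""
    min_extractions: int            # extractions required within the window
    window_days: int                # length of the rolling window in days
    require_certification: bool = True


@dataclass
class UserRecord:
    user_id: str
    certified_on: Optional[date]            # None = never certified
    certified_until: Optional[date]         # expiry of the certification
    extraction_dates: List[date] = field(default_factory=list)


def evaluate_access(user: UserRecord, policy: AccessPolicy, today: date) -> Tuple[bool, str]:
    """Return (allowed, reason) for a user on a given day."""
    if policy.require_certification:
        if user.certified_on is None or user.certified_until is None:
            return False, "no certification on record"
        if user.certified_until < today:
            return False, f"certification expired on {user.certified_until.isoformat()}"

    window_start = today - timedelta(days=policy.window_days)

    # Assumption (not from the article): a user certified inside the window
    # has not yet had a full window in which to accrue extractions, so the
    # usage check is skipped until the window has elapsed.
    if user.certified_on is not None and user.certified_on > window_start:
        return True, "recently certified, usage check deferred"

    # Count only extractions inside the rolling window (exclusive start,
    # inclusive today); anything older no longer counts as current practice.
    recent = [d for d in user.extraction_dates if window_start < d <= today]
    if len(recent) < policy.min_extractions:
        return False, (f"only {len(recent)} extraction(s) in the last "
                       f"{policy.window_days} days, minimum is {policy.min_extractions}")
    return True, "ok"


def demo() -> dict:
    """Run the rule over constructed sample users and return the decisions."""
    today = date(2024, 6, 1)
    policy = AccessPolicy(min_extractions=3, window_days=90)
    users = [
        # active, certified examiner: three extractions inside the window
        UserRecord("alice", date(2023, 6, 1), date(2025, 1, 1),
                   [date(2024, 3, 15), date(2024, 4, 20), date(2024, 5, 30)]),
        # certified but idle: only one extraction falls inside the window
        UserRecord("bob", date(2023, 6, 1), date(2025, 1, 1),
                   [date(2024, 1, 10), date(2024, 5, 1)]),
        # certification lapsed last month, regardless of activity
        UserRecord("carol", date(2023, 5, 1), date(2024, 5, 1),
                   [date(2024, 4, 1), date(2024, 4, 15), date(2024, 5, 20)]),
        # trained two weeks ago, no extractions yet
        UserRecord("dave", date(2024, 5, 20), date(2025, 5, 20), []),
    ]
    return {u.user_id: evaluate_access(u, policy, today) for u in users}


if __name__ == "__main__":
    for user_id, (allowed, reason) in demo().items():
        print(f"{user_id:6} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The decision function returns the reason alongside the verdict so that a denial can be logged and explained to the supervisor, which is what makes a rule like this auditable rather than merely restrictive.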
Speaking as the most experienced frontline vendor in the digital forensic space, with over 80% of all UK law enforcement frontline rollouts and over 7 years of successful operation of Kiosk & Director deployments, we are confident that following this quick guide will put you way ahead of most agencies that have previously taken this path. Benefit from their learning experiences and be sure to engage with experts who have real world experience!
MSAB has its own Professional Services Department that has a deep well of knowledge and experience in supporting operational frontline systems across a wide variety of law enforcement agencies. You can benefit from their knowledge and fast track your implementations today. Contact us for a free, no obligation initial consultation to help formulate your business plans in the Digital Forensic Frontline environment.
About the author:
Mike Dickinson has spent half his working career in military/law enforcement and the other half in the private sector supporting these services. His specialty is providing tools and technologies designed to help in the fight against crime. Mike is dedicated to helping agencies make the best use of their existing assets to improve the prevention and detection of crime through the use of digital forensic technology.