Take an Investigator-led Approach to Digital Forensic Investigations
A recent article published in The Guardian highlighted 'bias' on the part of digital forensic examiners when examining seized media. In the original study, the authors found that when 53 examiners were asked to review the same piece of digital evidence, their results differed based on the contextual information they were provided at the outset. Interestingly, whilst some of the 'evidence' on which they would base their findings was easy to find (such as in emails and chats), other 'traces' were not. These required deeper analysis, such as reconstructing the history of USB device activity.
One of the things that struck me was that the 53 examiners were all provided with a very short brief of what the case was about (intellectual property theft) and what they were tasked to find (or not find), including a copy of a spreadsheet containing the details of individuals who had been 'leaked' to a competitor.
This immediately reminded me of my first weeks within the police hi-tech crime unit (or computer examination unit as it was called). I vividly remember eagerly greeting the detective bringing a couple of computers in for examination into suspected fraud. I got him to fill in our submission form - some basic details about the case, main suspects, victims, date ranges, etc. I even helped him complete the section on search terms and then signed the exhibits in before cheerily telling him that I'd get back to him in the next few weeks (this was in the days before backlogs...).
As I returned from the evidence store, I was surprised to find that same detective back in the office being 'questioned' by my Detective Sergeant. "John," as we will call him (because that was his name), an experienced detective with over 25 years on the job, was asking all sorts of questions about the case:
- Who were his associates?
- What other companies is he involved in?
- Does he have any financial troubles?
- Is he a gambler?
- Did you seize any other exhibits?
- Does he have a diary?
- How many properties does he own?
The list went on. In fact, it was over an hour before John felt that he had sufficient information to allow the detective to leave. Following the questioning, John took me aside and told me that whilst we used the paperwork to record basic information about the case, it was incumbent on us to find out as much information as possible to ensure that we were best placed to perform our subsequent examination.
My takeaway? You can never ask too many questions – in particular, those of the 'who, where, when' variety.
Has Digital Forensics Changed Since Then?
Given the rapid development in technology since those early days in digital forensics, you would think the way agencies perform reviews of digital evidence would have, well, kept up?
I recently watched a very interesting UK 'fly on the wall' TV series (Forensics: The Real CSI) that followed police as they go about their daily work (I do like a good busman's holiday), and one episode showed a digital forensic examiner tasked to recover evidence from a seized mobile phone and laptop in relation to a serious offence.
"I've been provided some case-relevant keywords," he said, "which the officer feels may be pertinent towards the case." "Murder, kill, stab, Facebook, Twitter, Instagram, Snapchat … and for those keywords I've searched for, there is potentially just under 1,500 artifacts that I'll have to start scrolling through."
“Have I been transported back to the 90s?” I thought as I watched in (partial) disbelief and was again transported back and reminded of John's sage advice all those years ago about asking lots of questions.
Whilst I understand that the show’s director was no doubt using the scenes to add suspense and tell the story in the most impactful way possible, there is no getting away from the fact that the digital forensic examiner was working with limited information about the case and with some terrible keywords.
Yes, the examiner can (and no doubt did, off camera) pick up the phone to the Officer in the Case (OIC) to ask further questions. But surely the OIC is the one who will see a document or email (that perhaps hasn't been found by keyword searching), spot a name or address within it and immediately shout "Stop! That's important!" The OIC will recognize the suspect in a holiday photograph having a beer with another suspect who they swear blind they've never met.
Focusing on the Right Evidence
How does this all tie back into the research I mentioned at the outset? The various 'traces of evidence' the examiners were tasked to find ranged from those 'hidden in plain sight' to those that required skilled forensic analysis in order to identify and interpret their meaning. If the digital forensic examiner spends most of their precious time reviewing emails and documents - in the real world - will they have the time to perform the skilled digital forensics work to build the true picture of what happened?
If the OIC is only provided with material to review based on such basic keyword analysis or a couple of paragraphs that detail a very high-level overview into the case - will the smoking gun holiday snap make it into the review set?
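To make the keyword problem concrete, here is an added example (my own illustration, not code from the original post or from Nuix) that runs the generic keyword list quoted from the TV episode and a list of case-specific terms of the kind John would have extracted from the OIC (an associate's name and initials, an address, a hire transaction, an incident date range) over a small, constructed set of extracted artifacts. Every artifact, name, address and date below is invented for the illustration; the matching is whole-word and case-insensitive, and the review set is built as "everything inside the incident window, plus anything outside it that names a person or place of interest", so that an out-of-window holiday photo naming an associate still reaches the reviewer.

```python
"""Contrast generic keyword triage with context-derived triage.

Added example, not code from the original post or from Nuix. All artifacts,
names, addresses and dates are constructed for the illustration.
"""
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Artifact:
    id: str
    kind: str   # e.g. "chat", "email", "photo", "web"
    when: date  # timestamp recovered alongside the artifact
    text: str   # message body, subject line, photo caption, page title ...


# Constructed sample of what a phone/laptop extraction might yield.
ARTIFACTS = [
    Artifact("a1", "web",   date(2021, 3, 2),  "Council to kill off bus route after cuts"),
    Artifact("a2", "chat",  date(2021, 3, 9),  "this level is impossible, stab the boss from behind lol"),
    Artifact("a3", "email", date(2021, 3, 10), "Facebook: You have 3 new notifications"),
    Artifact("a4", "chat",  date(2021, 3, 11), "meet u at 14 Alder Close tonite, bring Dave Kemp"),
    Artifact("a5", "photo", date(2020, 8, 15), "Tenerife 2020 - me and DK at the beach bar"),
    Artifact("a6", "chat",  date(2021, 3, 12), "did you see the Instagram story? murder on the dancefloor"),
    Artifact("a7", "email", date(2021, 3, 12), "Kemp, D. - invoice for van hire 11/03"),
]

# The keyword list quoted from the TV episode.
GENERIC_KEYWORDS = ["murder", "kill", "stab", "facebook", "twitter", "instagram", "snapchat"]

# Terms an OIC could supply after proper questioning (constructed for the example).
CONTEXT_KEYWORDS = ["dave kemp", "kemp", "dk", "alder close", "van hire"]
INCIDENT_WINDOW = (date(2021, 3, 8), date(2021, 3, 14))


def _compile(keywords):
    # Whole-word, case-insensitive matching so that "skill" does not hit "kill".
    return [re.compile(r"\b" + re.escape(k) + r"\b", re.IGNORECASE) for k in keywords]


def keyword_hits(artifacts, keywords):
    """Return {artifact_id: [keywords matched]} for every artifact matching at least one keyword."""
    patterns = list(zip(keywords, _compile(keywords)))
    hits = {}
    for a in artifacts:
        matched = [k for k, p in patterns if p.search(a.text)]
        if matched:
            hits[a.id] = matched
    return hits


def build_review_set(artifacts, keywords, window):
    """Artifact ids to hand to the OIC for review.

    Everything dated inside the incident window is included; outside the
    window, only keyword hits are, so an old photo that names an associate
    survives while unrelated old material is left for the examiner's deeper work.
    """
    start, end = window
    hits = keyword_hits(artifacts, keywords)
    return sorted(a.id for a in artifacts if start <= a.when <= end or a.id in hits)


if __name__ == "__main__":
    for label, kws in (("generic", GENERIC_KEYWORDS), ("context", CONTEXT_KEYWORDS)):
        print(label, "hits:", keyword_hits(ARTIFACTS, kws))
        print(label, "review set:", build_review_set(ARTIFACTS, kws, INCIDENT_WINDOW))
```

On this constructed data the generic list hits four artifacts (a news headline, a gaming chat, a notification email and a song lyric), none of which concerns the case, and leaves the holiday photo out of the review set entirely; the context-derived list hits the three artifacts that name the associate, the address or the hire, and pulls the 2020 photo into the review set despite its date. The point is not the tiny sample but the shape of the result: case context turns keywords into a filter, whereas generic terms mostly generate scrolling.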
Expert commentary in the article suggests that “Digital forensics examiners need to acknowledge that there’s a problem and take measures to ensure they’re not exposed to irrelevant, biased information. They also need to be transparent to the courts about the limitations and the weaknesses, acknowledging that different examiners may look into the same evidence and draw different conclusions.”
A spokesperson for the National Police Chiefs’ Council is quoted saying “Digital forensics is a growing and important area of policing which is becoming increasingly more prominent as the world changes ... We are always looking at how technology can add to our digital forensic capabilities and a national programme is already working on this.”
Nuix is keen to support this national programme, and I truly believe that our investigator-led approach to reviewing digital evidence using Nuix Investigate is the way to put the evidence into the hands of those who are best placed to make sense of it (the easier 'traces', as per the study). Doing so allows the digital forensic examiners to focus on the harder 'traces', such as undertaking deep-dive forensic analysis or ascertaining the provenance of relevant artifacts.
If you want to find out more, download our most recent white paper examining the UK's strategic approach to the digital forensics problem.
Please note. No digital forensic examiners were harmed in the writing of this blog - and I fully appreciate the hard work they do in helping to protect the public and bringing offenders to justice, often working under significant pressures and with limited resources and budgets.