By Brendan Hooke, P1 Contributor
As technology evolves at an unprecedented rate, so do the challenges facing law enforcement agencies and investigators.
The importance of digital evidence continues to increase each year and, with the growth of smart devices, internet-connected homes, cryptocurrency, cheap drones and smart cars, will only continue to rise.
Let’s take a look at some of the technology challenges and opportunities facing investigators in 2018.
Smart Phone Encryption: The Apple iOS 11 Game Changer
The perpetual cat and mouse game of smart phone encryption between Apple and law enforcement has taken a new twist.
In the past, security features on Apple phones were mostly model specific. The newest iPhone would ship with different security features and then, a few months later, vendors would release a solution that allowed investigators to bypass them.
With the release of Apple iOS 11, ALL iPhone 5s or newer devices that accept the software upgrade become infinitely more difficult for law enforcement to unlock and process.
iOS 11 requires that the phone establish trust with any connected device, including laptops running iTunes or an investigator’s forensic machine. Trust is established by entering the six-digit passcode before the phone can sync. Establishing trust is required even if the phone is unlocked.
In the event a phone running iOS 11 is unlocked and a passcode is not available, the investigator must manually review the phone. A manual examination is incredibly tedious considering the volume of data stored on most modern phones, and it will also miss deleted files, which forensic software can recover.
Prior to iOS 11, investigators could establish trust between an iPhone and a forensic computer simply by unlocking the phone. Investigators could obtain unlocked phones via ruse, consent, or careful tactical planning that prioritized the retrieval of digital evidence. Another popular but controversial method was to compel suspects, via proper legal process, to unlock the device with their fingerprint. Fingerprint unlocking worked on phones that were powered on and had been unlocked within the previous 48 hours.
In 2014, a Virginia Circuit Court ruled in Commonwealth of Virginia v. David Charles Baust that a suspect could not be compelled to provide a passcode to a cell phone, as that would be a testimonial act and would violate their 5th Amendment rights. However, the Court also ruled that the government could compel a defendant to produce a fingerprint to unlock an encrypted phone:
“The fingerprint, like a key, however, does not require the witness to divulge anything through his mental process. On the contrary, like physical characteristics that are non-testimonial and does not require Defendant to “communicate any knowledge” at all.”
It seems that the requirement to establish trust is Apple’s response to law enforcement compelling suspects to unlock their iPhones via fingerprint.
Now that unlocking and analyzing encrypted phones has become more difficult, it is a good time to discuss possible solutions.
Several vendors have developed, or are working on, solutions. Of course, they are costly, and the cost may not always be worth it depending on budgets, the type of case and the workload.
In some cases, a little old school police work on the front end can help prevent technical issues on the back end.
Forensic examiners should routinely update the investigators who submit devices on the current smartphone security landscape. Communicating with case investigators can help them guide their investigations and decision making. Emphasizing the need for a passcode can help focus a case investigator during interviews, search warrants and surveillance.
For instance, I recommend that case investigators:
- Use social engineering to identify potential passcodes. People are creatures of habit. Think about where you hide your passwords; criminals are not much different. Investigators should photograph and search computer areas for any potential passcodes.
- When legally permissible, take all devices linked to a suspect. Although an examiner may not be able to initially access a target phone, associated devices may assist in eventually unlocking the target phone. Secondary devices may have password files, or reveal a passcode for an old device that was reused across multiple devices. Additionally, the associated device may have an older iPhone backup file that could contain relevant evidence for the case. In some cases, files from synced devices can be used to unlock some locked phones.
- Focus interviews and confessions around providing passcodes. It’s no longer enough for a compliant suspect to simply unlock a device; they must provide a passcode.
- Be creative. Use ruses and surveillance to surreptitiously, but legally, obtain a suspect’s passcode.
- Consider going to the cloud. If you can’t get what you need from the phone, look for evidence on application companies’ servers.
Evolution of Forensics: The Merger of Digital Forensics, Crime Analysis and Intelligence-led Policing
Several vendors offer solutions to help investigators find the needle of evidence in the haystack of digital data.
As the amount of data stored on mobile devices has increased, reviewing digital forensic reports has become a more tedious task. Link analysis, facial recognition, and photo and video analysis products are simply amazing, but also expensive. The real value of these products is that they can aggregate data from many formats and devices to detect previously unknown relationships, important locations and patterns.
If your agency is like most police departments, the case agent reviews the digital forensic report for evidence related to their case. The report will sit in a case file and it may be entered into evidence for court. After the case, it gets filed and sits in an archive. If the case agent sees other evidence or intelligence of criminal activity in the report, they will most likely act on it; however, the case agent can’t possibly be aware of all other investigations in the agency.
If that data were entered into a central location that collated all digital evidence (enterprise-wide server), it could illustrate drug distribution networks, organized crime groups, street gangs and so much more.
The ability to analyze and derive intelligence based on digital forensics from an agency-wide solution should be a goal for forward-thinking agencies in 2018. The initial cost will be high, but embracing this next evolution of digital forensics will help efficiently deploy resources in real time by focusing efforts on top offenders, speed up investigations and help reduce those unknown unknowns.
The Internet of Things
Digital examiners need to prepare for the proliferation of the internet of things.
From smart watches to smart thermostats and internet-connected home assistants, the availability and complexity of digital evidence is increasing exponentially. Investigators need to know what can be recovered from these devices and how to extract and analyze the relevant data. While these devices provide an opportunity to gather evidence, they can also present some risks.
Smart watches can be used to communicate and destroy evidence on other devices. I have seen suspects communicate with accomplices from a locked interview room because we failed to recognize a smart watch as a communication device.
During search warrants, suspects may be listening in on investigators from many different devices. Investigators need to consider these devices when taking measures to protect operational security.
Unfortunately, 2017 saw an increase in vehicles used to commit acts of terror. How often are we collecting digital evidence from vehicles? Would information such as device sync data, GPS data and vehicle-specific data be useful in those cases? As cars become more connected to the internet and to our phones, their importance in the field of digital forensics is increasing.
I know of a few tools that are not easy to use and require a great deal of trial and error. This field seems ripe for vendor development. As self-driving cars begin to enter the market, I suspect this area of digital forensics will continue to grow in importance.
At times, the number and type of solutions available for purchase to help investigators can be overwhelming. As always, the best advice is to network with your regional colleagues and vendors. Figure out what works best for your agency by learning from the mistakes of others. Figure out what you need by identifying areas for sharing within the region. A regional approach will help reduce costs, spread out expertise and prevent redundancy, which ultimately should allow for efficient and professional digital investigations.
While advances in technology pose many problems for investigators, they also provide opportunities to gain an edge on suspects. It’s amazing how criminals continue to use smart phones to help record, plan and enact their crimes. As our lives become more integrated with the digital world, there will be a corresponding increase in evidence.
Disclaimer: Consult with your prosecutors and agency leadership before implementing any strategies discussed in the article.
About the author: Brendan Hooke is a Second Lieutenant with the Fairfax County (Va.) Police Department. He is a supervisor in the department’s Cyber and Forensics Bureau and has prior experience in investigating and supervising major crimes, organized crime and narcotics. He holds a master’s degree in high technology crime investigation from George Washington University.