By Sean Millwaters VP EMEA Cellebrite, C
With over 30 years’ experience as a police officer, Richard Andrews, Digital Forensics Manager for the South Wales Police, has seen digital transformation evolve over half of his career. Andrews has seen first-hand how digital transformation can impact a local officer’s working day over the last 15 years. Digital intelligence has been used to save hours on investigations and to standardize processes. However, while digital transformation has helped law enforcement specialists to convict criminals through investigative tools and improved communications, the lawbreakers of today are also better equipped.
Andrews and his colleagues in digital forensics use specialist technology as a lifeline to bust criminals – however, this cannot be done overnight. To get the most out of this technology, training and skills must be kept razor sharp across the force. Digital Intelligence adds an extra dimension to investigations for South Wales Police and, most importantly, saves valuable time when bringing criminals to justice. Digital Intelligence is the data collected and preserved from digital sources and data types – such as mobile phones, computers, and the cloud – and the process by which agencies collect, review, analyse, manage and obtain insights from this data to run their investigations more efficiently.
“Back in the day, it was all paper, and everything we had to do was written down in longhand,” Andrews says. “Now we’ve got digital case management. We’re sending files from one unit to another or to the courts at the click of a button. And everyone has the Internet in their pocket.”
Mobile phones shine a light on what a person is really like
If there is an emblem for what’s changed in policing in the past 30-odd years, it’s the mobile phone. In a given year, Andrews and his 26-person forensic team will analyse thousands of devices, the vast majority of which are phones. And in every one of those phones rests the potential to uncover not just text messages and photos, but the device owner’s connections to their communities, and what they can offer to an investigation.
“When you examine somebody’s phone, it’s almost like looking into their soul,” Andrews says. “You find things on a phone that the owners wouldn’t even discuss with their own family. You can find out a lot about a person by examining their phone.”
But with the power to investigate a device comes responsibility, Andrews says, in terms of how data is lawfully collected under a warrant, how devices are handled to protect digital privacy, and how quickly they can be returned to citizens. Technology can provide both directional Digital Intelligence from devices, as well as the ability to preserve evidence according to law – all done with the goal of protecting and saving lives and accelerating justice.
The digital transformation of society has also added to the complexity of investigations. “Years ago, I knew how to establish where offenders were or how they were communicating,” Andrews recalls. “They’d frequent the same locations and street corners.” Nowadays, he says, the policing challenge is brainstorming who knows who, where suspects have been, and how such data points can be unearthed digitally.
“Even tracking phone calls is not as simple as it used to be,” Andrews explains, noting that he and his colleagues used to merely go to British Telecom (BT) to find out who called whom. “But now there’s a thousand and one different locations where a telephone call can be made. And that makes it far more difficult to establish the pattern of offending, to track and trace what they’re actually doing, and to bring the evidence to a court in a reasonable manner.”
How Digital Intelligence helps to spread the workload
Andrews’ team of examiners, along with about 12 digital media investigators, or DMIs, collectively examine about 13,000 devices a year. At this volume, clearly technology has to be put to work alongside forensic examiners and law enforcement officers.
To address this challenge, the force has created a tiered system for analysing devices and has also deployed technology that offloads some of the burden of collecting and analysing Digital Intelligence. “We have to spread the workload across the force, as opposed to leaving it on the shoulders of just 26 people,” Andrews says.
For example, the DMIs assist the forensics examiners in conducting basic digital data collection. While the DMIs do not have the expert training of the forensic examiners, they are knowledgeable about using solutions like Cellebrite Responder to provide an initial account of the data that is on the phone. The DMIs might also be assigned phones associated with less-critical investigations, freeing up time for Andrews and his forensic examiners to work on more complex cases.
In addition, Andrews says, there are plans afoot to provide the DMIs with training in using Cellebrite Touch and Cellebrite Physical Analyzer solutions, which are favoured by the forensic examiners. That way DMIs can be mobile. By using Cellebrite Touch2, “They can visit police stations and even go to victims and witnesses’ homes,” Andrews says. “They can take the phones, collect the data, and immediately give the phones back to their owners.”
In the near future, Andrews hopes to train yet another level of law enforcement officers, such as those on the front lines, to use Cellebrite Responder for low-level crimes and logical Kiosk extractions. These would be for cases where officers find a device at the crime scene, or can obtain a device from a witness.
Passwords found within digital evidence
Digital Intelligence tools played a key role in a recent case involving indecent images of children (IIOC). Officers received information that Mega, a cloud-hosting and file transfer service, was being used to distribute IIOC from a specific address, which was in the South Wales Police’s area.
After obtaining a warrant, members of the police force’s Digital Forensics & Cyber Crime Unit visited the suspect at home and recovered his Samsung phone, among other devices including USB drives and computers. Since a physical extraction wasn’t possible on the Samsung phone, officers used UFED Touch2 and Cellebrite Physical Analyzer to perform a full-system extraction. The initial system extraction showed that the Samsung phone contained artefacts of the Mega and Telegram communications and file-sharing apps, even though the apps themselves were not present.
In addition, the officers discovered that the Secure Folder feature had been activated on the phone. The suspect told officers that he did not realize that Secure Folder had been activated, and that he could not remember the password.
In the course of studying the data from the suspect’s phone as well as other devices, forensic examiners discovered passwords for different applications and accounts. They could see a pattern in the passwords: The first three letters related to the application itself, followed by a set combination of letters and numbers, such as FaC%OgTfD5G for Facebook, and DrO%OgTfD5G for Dropbox.
“This knowledge gave us the ability to work out the password for the secured folder,” Andrews explains. On opening the folder, examiners discovered the IIOC images, alongside non-IIOC images of the suspect. The case had not yet come to court as of early summer 2021, but investigators expect the suspect to plead guilty to charges of possession and distribution of Indecent Images of Children, considering the wealth of evidence.
Using innovation to keep up with criminals
While Andrews has already made significant inroads in his plan to improve the South Wales Police force’s Digital Intelligence knowledge, more challenges remain for the digital forensics unit. They must grapple with more and more encrypted devices, for example.
“We need constant upskilling and constant training in understanding encryption,” says Andrews. “How are we bypassing that encryption? How are we getting around that PIN?” By constantly developing our capability and knowledge, working closely with a myriad of partners, academia, and forensic tools such as those provided by Cellebrite.
There’s also the growing amount of data that phones and other devices can hold. “A terabyte on a phone today is not uncommon,” Andrews says. Poring over this data image by image would take too many hours of examiner time.
Fortunately, Andrews and his fellow examiners have Cellebrite Responder to help target their searches so they are more productive, since they can customise searches by specific data sets, as well as generate reports that can be shared easily. “We can target our investigation toward just one field of data, like digital movies or GPS,” Andrews says.
In keeping with the rapid pace of digital transformation in every part of life, Andrews believes he and his fellow examiners can’t get too comfortable about the knowledge they possess today: It’s all about adding to that storehouse of knowledge, and equipping the forensic unit with the tech that helps them apply this knowledge to solving more cases and protecting citizens.
“Without a strategy and a roadmap for where mobile phones are going, where computers are going, or the Internet of Things, we’ll stagnate,” Andrews says. “For the digital forensic world, we need to keep moving, seeing where the next problem is going to be, and the next device, and how we get around problems. We have to constantly move forward.”