This column is available in a weekly newsletter called IT Best Practices.
Most online crimes leave digital evidence. PCs and cell phones, for example, routinely contain evidence related to the planning, coordination, commission or witnessing of crimes.
Even a low tech crime like robbery can have digital evidence if the criminal has a cell phone in his car or pocket when he commits the crime. Time and location stamps from the phone can place the criminal at or near the scene at the approximate time it took place.
In other cases, a laptop, desktop, tablet or smart phone might have a browsing history that adds evidence to a case. For example, in the summer of 2014, a Georgia father was suspected of having deliberately left his toddler son in a hot car to suffer a horrible death. While even the child's mother proclaimed it to be a tragic accident, digital evidence from the father's computers shows extensive "deceptive behavior" on his part. Such evidence is sure to be part of the case when and if it goes to trial.
Collecting this evidence and preserving it in a way that keeps it legally admissible usually requires some level of technical expertise. A high-profile case like the one above would be assigned the best available resources. The mundane, more common cases that don't capture headlines typically don't get the attention of digital forensic experts, who already have heavy case backlogs. Instead, the local investigating officers may need to determine for themselves whether the devices could hold useful evidence.
A new tool on the market is designed to break the backlog and help investigating officers look for digital evidence on a suspect's devices. Tracks Inspector is a tool developed by the Dutch IT security firm Fox-IT to enable non-technical law enforcement professionals to conduct basic forensic analysis. Tracks Inspector can yield enough information to give a case officer additional clues to follow, and it can point the officer toward more technical digital forensic resources when necessary. The idea is to advance the basic cases so that not every case waits weeks or months for analysis by a digital forensic laboratory.
"Currently the method of dealing with digital evidence is that the agency expects an expert to look at the data. This is where we think things should change," says Hans Henseler, Managing Director of Tracks Inspector. "We think a non-technical investigator should have the first look at the data because in many cases, if he has a simple tool, the investigator will be able to look at pictures, read through emails and documents, and look at the browsing history and decide if there is something here that can help the investigation along. In some cases the investigator can even solve the case without having an expert go through all of the physical data."
Tracks Inspector automatically collects all of the files from digital devices in a forensically sound way. Data from computer hard drives, USB/CD/SD/DVD storage media, cell phones and tablets is read through a "write blocker," a device that allows the original media to be read but blocks every write to it, so that a forensic copy can be made without any change to the original files or devices. The non-technical case investigator then scours these forensic copies, never the originals, for relevant evidence.
Tracks Inspector processes the input, which can include a variety of evidence formats, and presents it back to the investigator via a web interface in an easy to understand way. Evidence is grouped by categories, such as pictures, videos, documents, and so on. The investigator can use basic filters such as keywords, file types and dates to narrow his search and drill down into specific information to see what is really there. He can add comments to the evidence to document a case, and tags to include the information in a report. All of this information can be shared with other authorized personnel assigned to the case. Once the analysis is done, the investigator's report has forensic details that are suitable for use in court.
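The two steps above, a verified forensic copy and then category, keyword and date filtering of its contents, are the core of any first-look triage. The following is an added example written for this article, not Tracks Inspector's own code or anything Fox-IT has published: it hashes files to confirm a copy matches its source, inventories a copy into categories, and filters the inventory the way the text describes. The category map, the sample case directory and its file contents and timestamps are all constructed for the example (a real tool classifies by file signature, not by file name, because suspects rename files).

```python
"""Hypothetical first-look triage of a forensic copy (example code, not Tracks Inspector)."""
import datetime
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed category map keyed by extension; constructed for this example only.
CATEGORIES = {
    ".jpg": "pictures", ".png": "pictures",
    ".mp4": "videos",
    ".pdf": "documents", ".docx": "documents", ".txt": "documents",
    ".eml": "email",
}
TEXT_CATEGORIES = {"documents", "email"}   # categories whose content is keyword-searched


def sha256_file(path, chunk=1 << 20):
    """Stream-hash a file so a multi-gigabyte image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_copy(original, copy):
    """A forensic copy is only usable if its hash matches the source it was taken from."""
    return sha256_file(original) == sha256_file(copy)


def _utc(iso):
    """Parse an ISO 8601 timestamp string as UTC (example convention)."""
    return datetime.datetime.fromisoformat(iso).replace(tzinfo=datetime.timezone.utc)


def inventory(root):
    """Walk a forensic copy and record path, category, size, mtime and hash per file."""
    root = Path(root)
    items = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        st = p.stat()
        items.append({
            "path": p.relative_to(root).as_posix(),
            "category": CATEGORIES.get(p.suffix.lower(), "other"),
            "size": st.st_size,
            "mtime": datetime.datetime.fromtimestamp(st.st_mtime, datetime.timezone.utc),
            "sha256": sha256_file(p),
        })
    return items


def search(items, root, keyword=None, category=None, since=None, until=None):
    """Filter an inventory by keyword (name and text content), category and date range."""
    kw = keyword.lower() if keyword else None
    lo = _utc(since) if since else None
    hi = _utc(until) if until else None
    hits = []
    for it in items:
        if category and it["category"] != category:
            continue
        if lo and it["mtime"] < lo:
            continue
        if hi and it["mtime"] > hi:
            continue
        if kw:
            text = it["path"].lower()
            if it["category"] in TEXT_CATEGORIES:
                text += Path(root, it["path"]).read_text(errors="replace").lower()
            if kw not in text:
                continue
        hits.append(it)
    return hits


def build_sample_case():
    """Constructed sample 'forensic copy': three small files with fixed timestamps."""
    root = Path(tempfile.mkdtemp(prefix="case-"))
    files = {
        "Documents/notes.txt": (b"Meet at the warehouse on Friday night.\n", "2014-06-20T22:15:00"),
        "Mail/inbox/msg1.eml": (b"Subject: Re: warehouse keys\n\nBring the keys.\n", "2014-06-21T08:02:00"),
        "Pictures/IMG_0001.jpg": (b"\xff\xd8\xff\xe0" + b"\x00" * 64, "2014-05-01T12:00:00"),
    }
    for rel, (data, ts) in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        t = _utc(ts).timestamp()
        os.utime(p, (t, t))
    return root


if __name__ == "__main__":
    case = build_sample_case()
    for hit in search(inventory(case), case, keyword="warehouse", since="2014-06-21"):
        print(hit["path"], hit["category"], hit["mtime"].isoformat(), hit["sha256"][:16])
```

The per-file hashes recorded by `inventory` are what lets a later expert, or a court, confirm that the items the officer tagged are the same bytes that were acquired; the write blocker itself cannot be shown in code, which is why the example verifies the copy against its source instead.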
In terms of processing evidence, Henseler makes a comparison to reading regular paper-based documents. "If an officer is doing an investigation and he is authorized to do a search and seizure, and he seizes printed documents, he is going to read those documents himself. He's not going to ask a reading expert to look at those documents because the assigned detective knows how to read. If the document is in a foreign language, he might need to go to an expert to interpret it, but he will first check out the evidence himself. This is what we're trying to bring to digital evidence as well—to allow the investigator to 'read' the evidence and attempt to solve the case without the need to call in a digital forensic expert."
Given the shortage of digital forensic experts in law enforcement today, Tracks Inspector could be a useful tool to investigate cases expeditiously and get criminal scum off the streets sooner.