As the growth in data outstrips the capacity to manually process it, Marc Lees explains why automating digital forensics will increase public confidence in policing.
Twelve years ago, the forensic data explosion was just beginning. However, there were few tools available to law enforcement agencies to recover digital information vital to investigations, such as social media messages, online chats and webmail.
At that time, an officer in the High-Tech Crime Unit at the Waterloo Regional Police Service (WRPS) in Canada, seconded due to undergoing cancer treatment, set about finding a way to collect evidence from computers and mobile devices, especially messages in social networking sites like Facebook.
Using his degree in programming and skills acquired before becoming an officer, Jad Saliba wrote his own scripts based on developing an understanding of file systems and where to look for data.
The software he created – Internet Evidence Finder – proved so successful that there was huge demand for it from other law enforcement agencies.
In 2011, Mr Saliba left the WRPS and together with Adam Belsher, then vice-president at Research in Motion, the maker of the Blackberry phone, he established Magnet Forensics, what is now a global technology company present in 92 countries around the world and helping police forces in the UK resolve today’s digital forensics challenges.
Internet Evidence Finder was revolutionary at the time and, as it saw rapid growth, Magnet focused on being the best at finding data, reliable at recovering it and trusted to recover the most.
Continued expansion meant it also had to provide experts and cops easy methods to report on it.
In 2013, detectives investigating the pressure cooker bombs left close to the finish line of the Boston marathon turned to Magnet Forensics to help uncover the offenders. The company was also asked to locate evidence from the Signal messaging app, used by the terrorists in the 2015 Paris atrocity and mass shooting at the Bataclan theatre.
Terrorism and a huge volume of child abuse investigations all over the world are driving many developments in the software. The challenge now, however, is very different. The exponential growth in devices, applications and storage mean law enforcement agencies still need to recover the data and search it, but the value of software is in surfacing meaningful insights from it.
In the same way Mr Saliba used his knowledge of policing in Canada to understand what was needed by forensic specialists and investigators, Marc Lees is using his background in intelligence and forensics technology in a UK police force to spearhead the way law enforcement agencies around the world are able to collect, understand and present digital information.
Mr Lees, Magnet Forensic’s Director of Digital Evidence Solutions, says not very long ago, digital forensics was the domain of smaller, specialist departments with more time to investigate each case. This is still needed, but those departments, people and processes have been overtaken by societal changes and the police need to respond by developing people, process and technology suited to the current challenge and not the model from ten years ago.
As the world has woken to scale and role of digital data in police operations, from missing persons to volume and major crime investigations, it has become a significant factor in organisational competence.
But, despite the huge controversies and damage to forces’ reputation from well publicised failings in the disclosure of digital evidence, Mr Lees is upbeat about where UK forces stand on progress to meet the challenges they face.
UK policing has recognised the problems earlier than most and has done a very good job in getting on top of them, Mr Lees believes, through a range of force-wide, regional and national initiatives and projects.
Financial support is being given to national developments alongside individuals grasping the nettle locally and working with suppliers to resolve major challenges.
However, wherever in the world law enforcement is transforming its digital forensics, the stakeholders – from chief officers and IT departments to forensic examiners and end user investigators – need to support changes. Such buy-in is important as developments usually require improvements in infrastructure, processes and technology.
The amount of data involved in digital forensics and its continued growth is widely publicised. In response, organisations could grow their digital forensics departments, but the reality is they will never have enough staff to cope with rising demand simply by adding people using the same processes, Mr Lees suggests.
Typical of today’s digital forensics world is the requirement to examine 50,000 chat messages in multiple languages on a number of devices, even online. This means finding a different way to extract, analyse and understand the data is needed.
Two years ago, Magnet Forensics added the ability for UK customers to recover and analyse data from the Cloud, in conjunction with data obtained from physical devices, into its main recovery solution – Magnet AXIOM.
And Apple and Facebook warrant returns can also be processed and parsed through AXIOM, the typical hundreds of pages of results can be dealt with faster and in a more cohesive way.
But still highly technical, well-trained staff are involved in repetitive, simple processing tasks for the huge number of devices seized. And many are reliant on using basic programmes like spreadsheets to report the findings.
To enable the transformation needed, Mr Lees recommends two significant developments in technology available:
By using an engine that frees up these valuable members of the workforce, data can be processed 24/7 in combination with a range of suppliers’ products.
And tools are now available that allow detectives to understand what information and evidence is available and produce reports that assist the investigation and criminal proceedings, whether this is search tools such as date filters, keywords, a timeline and Connections view, or artificial intelligence to conduct major analysis.
A third significant development is around the corner for UK law enforcement. Magnet Forensics has developed a simple solution, SHIELD, to capture a single or fleeting video or message on a victim or witness’s device, without having to seize it or download everything it contains.
For example, when a witness to an assault has filmed the attack on their phone, an officer will ask them to email the file or the device is taken away and placed into the evidential chain. Sometimes officers will even take a picture of the evidence on their own personal smartphones and then struggle to know what to do with it.
SHIELD has a built-in consent form, the evidence capture can be done together with the device owner and reports can be easily printed out. Compared with triage tools, the software is much faster and prevents officers having that awkward conversation with a valuable witness over downloading everything on a phone or taking the device away.
Magnet Forensics expects the product will lead to greater confidence in policing as well as reduce the backlog of devices waiting for examination.
As criminals seek to evade justice, encryption is increasingly being used to hide illegal activity and evidence. However, in February this year, Magnet Forensics announced a commercial and technology partnership with Grayshift, a company that developed the ability to crack the most recent attempts by Apple to make its iOS system impenetrable.
This exclusive partnership allows law enforcement agencies around the world to purchase GrayKey – the industry-leading iOS acquisition solution that labs of any size can use to keep their investigations in-house – directly from Magnet Forensics.
Mr Lees says Magnet Forensics has not changed its focus since it created its first product – using modern technology to help investigators solve the case they are working on.
“Whenever we hear that the software has been used to convict a criminal, we are motivated to keep innovating and ensure the tools we provide to experts and investigators allows them to do their job and keep the public safe.”
Comment