Conducting a Digital Forensics Capability Study
By Colin May, M.S.
Local law enforcement agencies face an exponentially expanding cybercrime problem, once largely the realm of “computer geeks.” Now, nearly everyone has a smartphone, and digital evidence surfaces in virtually every type of investigation conducted by local police.
Electronic evidence often proves substantially valuable, offering information necessary to support or refute criminal charges, find accomplices, obtain criminal intelligence, and protect the public. However, digital forensics can be expensive and time-consuming and require specific technical expertise.
Given that many state computer forensics labs have significant backlogs or deal with other priorities, some local police departments should consider forming a cybercrime unit. Even if just one or two people, part- or full-time, such a team could help identify, collect, analyze, and present evidence from digital devices. Using this model can provide key benefits to agencies, including more prompt recovery of information.
Each department needs to weigh the benefits and risks based on a wide range of factors. Although some are beyond the scope this article, many core issues are discussed.
When discussing any new unit or capacity, decision makers need a framework to help them collect data, analyze options, and consider all issues. Perhaps this proves even more true while dealing with cybercrime and digital forensics due to the challenging technology and ever-evolving and pervasive nature of electronic evidence.
The framework focuses on three major factors.
- Needs assessment
- Resource assessment
- Technical assessment
Within the resource and technical components, several crosscutting topics also require consideration.
- Personnel and staffing
- Legal authority
- Policy and procedure
- Tools and technologies
- Communication and awareness
Exhibit 1 presents a visual depiction of key issues in the framework, including both resource (management) and technical matters. Because of the crosscutting implications, this framework proposes viewing them together.
A needs assessment serves as the basis for any agency commitment. It enables the organization to evaluate operational requirements and capabilities. For example, if a locality experiences a lot of major traffic collisions and has a crash reconstruction team, a digital forensics unit could help determine if drivers used their mobile device during the incident. A team also would prove useful after officers identify a hit-and-run suspect to see if the individual’s phone provides evidence, like a location.
Additionally, needs assessments can help determine the unit’s priorities. Using population and demographic information, crime-reporting figures (e.g., the FBI’s Uniform Crime Reports), and other internal statistics (e.g., types of calls for service or intelligence reporting) will help inform leadership and the team about issues faced by the community and how best to use time and resources. For instance, in a demographically older area, the unit may want to focus on preventing elder financial exploitation and teaching that population how to avoid Internet scams.
Variety of Investigations
Digital evidence collection and analysis can help significantly in virtually all types of cases faced by local law enforcement. A list of examples serves to illustrate.
|Missing or endangered persons||Fraud||Elder abuse|
|Illegal gambling||Drug trafficking||Human trafficking|
|Robbery||Organized crime||Sexual exploitation|
Executives might consider starting with a shorter initial needs assessment followed by a longer review to see if they need to make revisions after completing the resource and technical portions. This ensures enough data exists to support the need and also, perhaps, a budget request or spending justification, especially if statistical information is included.
The assessment process should include officers, analysts, investigators, civilian staff, or volunteers with strong technical experience. Because digital forensics covers such a large knowledge base and includes Internet investigations, social media evidence collection, and other topics foreign to most nontechnical employees, these personnel could help accurately shape the entire feasibility analysis.
Resource and Technical Assessments
Any police department faces limited financial and personnel resources, and smaller local law enforcement agencies may not have the time or funding for a state-of-the-art regional cybercrime lab. However, executives have other alternatives.
Of course, having a competent digital forensics capability costs time and money. The needed tools, software, training, and technology involve substantial expense. However, partnering with other organizations and using an array of creative funding mechanisms can allow agencies to share the burden and reap the rewards a team can provide.
Police departments can work together to meet mutual needs cost-effectively. For instance, agencies in the same geographic area can share funding, personnel, and expertise. This requires considerable time and commitment from each department’s chief executive, as well as senior management.
Agencies also can leverage public-private partnerships, including those with local colleges or universities. For instance, the Saint Joseph County, Indiana, Prosecutor’s Office moved its cybercrime lab from the jail building to the University of Notre Dame campus. Further, the agency hired interns (after an extensive application and background check), trained them, and swore them in as investigators. With faculty and law enforcement oversight, they work cases, process digital evidence, draft reports, and conduct investigative research.1
Joining task forces and working groups also can facilitate access to forensic services. However, this may prove difficult if they are less formal or lack protocols to help smooth the way in nonroutine or emergency circumstances.
In areas with a large armed forces presence, working with such organizations as the U.S. Army Criminal Investigation Command, Naval Criminal Investigative Service, Air Force Office of Special Investigations, Defense Criminal Investigative Service, and Coast Guard Investigative Service can be beneficial, especially if a military connection to a specific case exists.
Assistance during the start-up phase of the unit can come from partnerships. These sources enable the agency to attain necessary tools and technologies and allow selected officers to attend training and learn needed technical skills.
- Donations of computer equipment or hardware from local technology companies
- Corporate donations for training and travel to forensics conferences
- Fundraising efforts by citizens police academy alumni associations
- Grants from state or federal agencies or from grant-making foundations
- Educational institution scholarships or tuition assistance for officers taking courses related to technology or computer forensics
- Donations from local nonprofit organizations or civic clubs (e.g., Rotary, Kiwanis, Elks), chambers of commerce, or other business associations
- Asset forfeiture funds through federal equitable sharing agreements or from prosecutors’ offices
Hardware and software probably will be the most immediate up-front cost, other than personnel and training. In addition, because technology constantly changes, police departments will need to update and upgrade as these items become obsolete. However, agencies can use creative methods to gain access to hardware and software.
- Working with other agencies’ IT vendors
- Leveraging bulk buying power through negotiated government contract vehicles
- Obtaining surplus as larger agencies upgrade their own cyber capabilities
- Procuring specific tools from federal surplus equipment programs
- Asking for donations from local colleges, universities, and businesses as they cycle through computer equipment
- Acquiring scholarships or discounts for training from specific digital forensic companies
When soliciting or accepting donations from private parties, police departments must consider both the legal obligations and ethical implications. For example, New Hampshire has a state law that specifically outlines what agencies can accept and when, as well as the process local elected officials must follow to accept the item.2 Also, leaders need to consider ethical and optics issues to ensure the donation appears and is legitimate. Agency legal counsel must advise throughout the process to ensure compliance with law, policy, and ethical obligations.
“Each department needs to weigh the benefits and risks based on a wide range of factors.”
Because of the heavy emphasis on technical issues while standing up a digital forensics team, agencies must consider several issues in tandem because of their implications on both resources and management.
Personnel and Staffing
Staffing always is a critical issue for police departments. Executives face the delicate task of deciding on or finding employees with the technical ability and key skill set necessary for successful implementation of a digital forensics team.
In addition to or in lieu of their sworn full-time officers or investigators, agencies also may consider other sources of staffing, subject to successful vetting.
- Retired federal or state investigators with a computer forensics background
- Military reservists or veterans with cyber skills
- IT specialists who can be cross-trained in forensic imaging and analysis
Some departments may want to explore a reserve officer program or employ unsworn forensic specialists. In certain jurisdictions, agencies may grant “special deputy” status to trained but unpaid investigators who under state law would have limited police powers (e.g., obtaining search warrants).
Using college interns also could serve as a practical alternative, subject to meeting the training, security, oversight, and vetting requirements.
Regardless of who is on the team and how it functions, sworn officers or supervisory personnel need to properly structure, manage, and oversee the program. This includes ensuring the unit follows all state and local laws and regulations and, thus, has the legal authority to obtain search warrants and take other compulsory measures to seize and analyze digital devices.
Having legal counsel, including prosecutors, agency legal advisors, and corporate counsel, on board and working with the executive staff throughout the process proves essential. Doing so helps legitimize the team and provide the structure and lawful authorization necessary to withstand judicial scrutiny. This holds particular importance for departments with special law enforcement authorities, like university police, transit or capital police, and other limited-jurisdiction agencies.
Policy and Procedure
Enacting and enforcing effective policies and procedures also prove important to a successful team stand-up. While a detailed description of best practices is beyond the scope of this article, it is important to emphasize that the new unit must have a defensible position concerning all phases of the digital forensics process. This helps to withstand not only judicial scrutiny but also internal audits, inspections, and other types of inquiries. As with any evidence, establishing the chain of custody and using well-documented, proper procedures are critical to successful digital forensics program policy.
Police executives need a basic knowledge of the forensics process and operational functions. This will prepare leaders to make important decisions and help promote the work of the unit, as well as provide meaningful functional oversight.
There exist numerous resources that give a high-level overview.
“…partnering with other organizations and using an array of creative funding mechanisms can allow agencies to share the burden and reap the rewards a team can provide.”
Many of the listed courses focus on initial or basic training in digital forensics, but importantly, there also are ongoing and advanced curricula, especially for experienced examiners. Budgets need to include these costs.
Tools and Techniques
The tools and techniques used by examiners depend on many factors discussed in the Needs Assessment section. Police departments will employ a lot of digital forensic equipment and supplies to package, protect, and safeguard evidence. Agencies must take these costs into consideration.
Departments need to purchase software acquisition and analysis tools. Vendors offer various options and platforms; often, working with the supplier will help identify the best choices based on the agency’s needs and budget. Usually, agencies need to pay an initial license fee to acquire the software, but they also face costs related to ongoing maintenance, upgrades, and annual subscription fees.
Also, free or low-cost open-source tools can be used for digital forensic acquisition and examination. When considering providers, agencies should ask them for a full-version trial copy to test. Further, they can consult the National Institute of Standards and Technology (NIST) Computer Forensics Tool Testing website, https://www.nist.gov/programs-projects/digital-forensics, for additional information and issues to consider.
Communication and Awareness
Another component of a successful digital forensics unit rollout involves making sure people know of its existence and understand how they can help. This communication and awareness process takes two primary forms—internal (within the agency) and external (within the community or jurisdiction).
Using already-existing platforms, such as social media accounts or press releases, can prove effective. In addition, having team members conduct presentations on specific topics at roll calls or during short in-service training sessions can relay the message to department personnel that these tools are available and instruct employees on how best to use them.
Executives and managers can assist by attending these trainings and soliciting staff feedback. Not only does this benefit leaders’ learning but it also sends the message that collecting and analyzing digital evidence comprise important components of policing in the 21st century.
In addition to speaking engagements, unit members can partner with others in the agency, such as D.A.R.E. or school resource officers, to help identify opportunities to assist in communicating topics like Internet safety for children. If a community has a large elderly population, then providing resources on knowing what online fraud looks like also could be useful.
Finally, the agency may look to other resources and materials to help supplement their own. For example, the U.S. Department of Homeland Security sponsors National Cybersecurity Awareness Month in October and provides many materials on its website, https://www.dhs.gov/stopthinkconnect. Resources of local FBI or U.S. Secret Service field offices, as well as other federal agencies, also can help spread the message.
Evaluating a potential digital forensics unit within a local police department is no small task. Agencies should not do it lightly, nor should they dismiss establishing a team as impossible. This article has provided some guidelines and a framework from which departments can collect data and then make decisions as to the appropriateness and feasibility of launching a unit.
The proposal must have financial and leadership support. Also, police agencies should help educate local residents, businesses, and elected officials about cybercrime and electronic evidence and the possibilities available with a digital forensics team.
Conducting an in-depth needs assessment, reviewing the agency’s operating environment and community needs, and identifying key affected populations all can provide the supporting data to show the utility of a unit. Then, the department must find creative ways to leverage the talents needed to staff a team and ensure it has the necessary resources.
“Agencies should not…dismiss establishing a team as impossible.”
Mr. May can be reached at firstname.lastname@example.org.
1 Brendan O’Shaughnessy, “Cyber Sleuths,” University of Notre Dame Stories, accessed January 30, 2020, https://www.nd.edu/stories/cyber-sleuths/.
2 N.H. Rev Stat § 31:19 (1996).