Data MiningTurning digital evidence from a liability into an assetBy Jad Saliba, Paul Beesley and Jeff AdamThe proliferation of digital devices and the data they are generating is proving to be one of the greatest challenges of modern policing. A decade ago, digital evidence was a niche component in most investigations. Today, it has become essential to almost every investigation. While digital evidence can beintegral to police agencies securing prosecutions or exonerating the innocent, it can also act as a doubleedged sword.There is simply too much digital evidence for the current complement of digital-forensics professionals in police organizations to handle. Agencies are being overwhelmed. They’re building up months-long backlogs, restricting the case types in which digital evidence can be collected, and they’re even seeing judges throw out prosecutions due to delays, as we saw in the Supreme Court of Canada’s R v. Jordan decision.Without additional technical help waiting in the wings, police agencies have put increasing pressure on their digital-forensics professionals. To keep investigations moving, many are working overtime, contributing to increased investigation costs at a time when resources are limited. Police leaders cannot commit to paying overtime costs in perpetuity. Nor can they expect to address the surge in digital evidence by hiring more professionals. They’re under extraordinary pressure just to keep their pre-existing talent in the face of competition from the private sector and a global talent shortage in the field.With cyber and cyber-enabled crime expected to continue its rise, police leaders are at an inflection point. The choices they make now will influence whether their agencies will rise to the challenge or be engulfed by it. Maintaining the current approach will inevitably lead to an erosion of the public’s trust as more and more crime associated with digital evidence goes unaddressed.Transforming EvidenceTo transform digital evidence from a liability to an asset, police agencies must treat digital investigations as an agency-wide strategic imperative. They need to use their broader workforce more effectively and employ technologies like automation, Artificial Intelligence (AI) analytics and the cloud. The goal should be to eliminate case backlogs by redistributing the more menial workload away from digital-forensics professionals, freeing them to allocate their time to tasks more in keeping with their level of expertise.Much of the bottleneck in digital-forensics labs occurs during evidence processing. Devices are recovered by officers in the field, delivered to the lab and added to an ever-growing queue. In cases like a hit-and-run, a video that was recorded only minutes before police arrive at the scene may be all that’s needed from a cooperating witness. In these instances, first responders can contribute to digital investigations and take some of the pressure off the digital-forensics lab.The Federal Bureau of Investigation (FBI) came to the same conclusion in 2016, when it said it was “imperative” for first responders to “have a working knowledge of how to survey and secure electronic evidence.” Research also suggests that the public expects police officers to respond to digital crime, regardless of the size of their agency. Rather than defer the work to a digital forensic professional – who may take hours to recover a single picture or text message at significant cost to the agency – there is an opportunity to empower first responders to recover low-risk evidence by leveraging simple evidence capture tools.Aside from the efficiencies this approach would create, it would also help build public trust. Witnesses and victims are reluctant to submit their devices to police for a day, let alone a week or a month. Informing a victim or witness that they will not need to part with their device, and that they can choose exactly what they’ll share with officers, may give them the assurances they need to support an investigation.Automating the ProcessingEven if first responders engage in low-risk evidence collection, it will not alleviate case backlogs entirely. Unlike a hit-and-run, investigations into homicide, terrorism, human trafficking or child sexual exploitation often require police to collect multiple devices with terabytes of evidence. The evidence for each device must be processed, requiring digital-forensics specialists to run multiple tools and wait around for the results – sometimes for hours at a time. When they’re not physically present during evenings, weekends and holidays, evidence processing grinds to a halt and justice is delayed.Police agencies should automate repeatable tasks related to common digital evidence and case types. Doing so would have multiple benefits, most significant among them being that agencies could keep investigations running 24 hours a day, seven days a week, 365 days per year.Once the processing burden is addressed, agencies can focus on analyzing digital evidence to help complete cases with greater speed and precision by using AI and analytics tools. These tools quickly comb through millions of data points, automatically detecting photos, videos and chat logs pertaining to child sexual exploitation, weapons and drugs. They also create timelines of events and use geo-mapping to link individual pieces of evidence together to develop a better understanding of the crime.Canadian privacy commissioners have questioned whether some AI technology providers have acted ethically and legally, particularly regarding facial recognition technology used by police agencies on open-source data. This should not deter agencies from using AI on lawfully gathered digital forensic evidence. Police leaders must ensure lawful applications are preserved. Agencies should establish internal policies on the limited use of AI applications and work with privacy advocates and their governance bodies to develop a definition of “acceptable use.” The volume of digital evidence will continue to rise, and bans on these technologies stemming from perceived misuse will ultimately be harmful to the public’s safety.While using analytical tools to review digital evidence in the digital-forensics lab can improve case closure rates, it may not be enough to address the issue at large. Agencies may simply be transferring the evidence bottleneck from the processing stage to the review stage.Digital InvestigationsInvestigators currently participating in digital investigations are doing so inefficiently and in a limited fashion. Digital evidence reports are shared with investigators at many agencies via physical storage media. In most cases, this evidence can only be accessed after investigators travel to the digital-forensics lab and wait for a workstation to become available. Making sense of the digital evidence is complicated because of the complex nature of digital-forensic tools. The work of digital-forensics professionals is also impacted as they’re required to give investigators a stepby-step explanation of all the critical evidence. This results in hours of lost productivity for the investigator, the digital-forensics specialist and, ultimately, the agency.Investigators would benefit from working with a digital evidence review platform that is purpose-built for their needs and allows them to securely access evidence from anywhere, at any time. Above all, this platform should be easy to use and require minimal training. Any investigator, regardless of technical expertise, should be able to quickly access and understand the evidence, collaborate with colleagues remotely and develop reports. The platform could be or in the cloud depending on the preference of an agency and its cloud readiness.The organizations that have already implemented elements of this strategy were rewarded with immediate results. For example, the Waterloo Regional Police Service empowered first responders to collect low-risk digital evidence in the field, resulting in 70 per cent of its officers reporting that it was easier to convince witnesses and victims to participate in investigations. Another large municipal agency based in Washington State introduced automation to its digital-forensics lab and was able to turn evidence around to investigators in under 72 hours while finding 30 per cent time savings per case. London’s Metropolitan Police recently deployed a new evidence review platform and expects it will be able to solve cases up to three times faster.The choices before police leaders are clear: they can adapt, invest and transform digital evidence into an asset in the pursuit of justice or stay the course with current procedures and see it become an even greater liability in the years ahead.Jad Saliba is the founder and chief technology officer of Magnet Forensics and a former digital investigator with Waterloo Regional Police Service.Paul Beesley is an advisor to the Canadian Police Knowledge Network and the former Chief Superintendent and executive lead of the Ontario Provincial Police Cyber Strategy.Jeff Adam is a strategic advisor with Microsoft and the former Assistant Commissioner for technical operations with the Royal Canadian Mounted Police.
READ MORE LIKE THIS
TRENDING ARTICLES
1

Why HQ Hub?

HQ Magazine has evolved with a new Digital edition. Robust and Responsive the AnswerApps edition is user friendly, easy to read, and easy to share.

2

ISN Maskwa

A new resource has been added to the emergency operations capacity in Ontario specifically to assist Indigenous leadership in leading their own response for their communities in the event of an emergency situation.

3

Indigenous Policing in Ontario Today

Indigenous Police Leaders Speak

4

The OACP at 70

The Founders, the Builders, the Innovators and the Leaders

5

The Benefits of Peacekeeping

Canadian Police Peacekeeping and Peace Operations