In the past, the laborious tasks associated with computer forensic investigations were undertaken by specialist high-tech crime units and contractors with years of experience in forensic investigation. However, with the recent rise in cyber crime, this approach began to fail.
Law enforcement increasingly found that these highly specialised units were being swamped with demands from local officers and detectives requiring both short-term and long-term support for urgent investigations.
A lack of technical on-scene training meant potentially crime-solving material lurking on devices was being lost or left behind. Evidence-laden computers were being “dead-boxed” – powered down and placed into a potentially long-winded evidence process.
Depending on the severity of the crime, devices could be dead-boxed for months before any action was taken. Often, these critical devices sat collecting dust, with very little being done to retrieve evidence from them.
For the frontline police investigating crime, knowledge of cyber security is important for gathering digital evidence fast. When arriving at a crime scene, speed is essential: every second a computer is left unattended, it risks losing data stored in its memory cache.
This cache could contain activity logs and internet history – a record of the activities of a potential cyber criminal in the minutes before the arrival of investigators. The data needed to convict a criminal – cyber or not – is lost after only two to five minutes of inactivity. But if an officer can get on to the machine, it can be kept alive while the volatile data is retrieved using forensic techniques.
Safeguarding the cache does not require specialist tools, but police on the scene must have the knowledge and training to do so, as well as the skills to act fast under pressure.
How UK police became forensics experts
Through highly specialised cyber forensics training, cyber crime officers are now able to confidently keep a system alive while performing volatile data captures of random access memory (RAM) and network caches. This is all done at live crime scenes and within minutes of taking possession of a device.
Officers on the scene are also now able to triage and image folders or hard drives, revealing current and historical connections from both wired and wireless devices – valuable information that could speed up the investigation.
Use of virtual private networks (VPN), torrent sites and file sharing activity may all be discovered by analysing a router, alongside the IP address, MAC address and hostnames of other suspect devices.
Taking an image of open folders and hard drives also allows officers to quickly triage and examine routine locations on devices. Officers are trained to use tools such as Forensic Toolkit (FTK), which gives them a deeper look at file systems and the ability to recover material that may not be evident to an untrained officer. All this is now performed at the scene, potentially minutes after an arrest or seizure.
This forensic training also helps officers to capture data which may be encrypted when the device is removed or turned off. When performed on location, the time it takes law enforcement to access the data is cut from months to hours.
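The on-scene volatile capture described above boils down to a fixed collection order, raw outputs saved untouched, and a hash of each artefact so it can later be shown to be unaltered. The following collector is an added example, not code from the article or any police unit; it assumes a Linux device and the usual ip/ss/ps/who utilities, and leaves RAM imaging itself to a dedicated tool such as FTK.

```python
"""Order-of-volatility live triage collector (added example, not from the article)."""
import hashlib
import json
import subprocess
import sys
from datetime import datetime, timezone
from pathlib import Path

# Most volatile first: network caches and live connections, then processes and
# sessions. Each step is (artefact name, argv); callers may substitute on-scene tools.
DEFAULT_STEPS = [
    ("arp_cache",   ["ip", "neigh"]),    # neighbour cache: IP <-> MAC of nearby devices
    ("connections", ["ss", "-tunap"]),   # live TCP/UDP sockets and owning processes
    ("routes",      ["ip", "route"]),    # current routing table (VPN tunnels show here)
    ("processes",   ["ps", "auxww"]),    # running processes with full command lines
    ("sessions",    ["who", "-a"]),      # logged-in users and login times
]

def collect(out_dir, steps=DEFAULT_STEPS, timeout=30):
    """Run each step in order, store its raw output, and return a hashed manifest."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    manifest = {"started_utc": datetime.now(timezone.utc).isoformat(), "items": []}
    for name, argv in steps:
        entry = {"name": name, "argv": argv}
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=timeout)
            data = proc.stdout + proc.stderr   # keep stderr: partial output is still evidence
            entry["returncode"] = proc.returncode
        except (OSError, subprocess.TimeoutExpired) as exc:
            data = f"collection failed: {exc}".encode()   # record the failure, do not skip it
            entry["returncode"] = None
        path = out / f"{name}.txt"
        path.write_bytes(data)
        entry["file"] = path.name
        entry["sha256"] = hashlib.sha256(data).hexdigest()
        entry["captured_utc"] = datetime.now(timezone.utc).isoformat()
        manifest["items"].append(entry)
    (out / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify(out_dir):
    """Re-hash stored artefacts against the manifest; returns names that no longer match."""
    out = Path(out_dir)
    manifest = json.loads((out / "manifest.json").read_text())
    return [i["name"] for i in manifest["items"]
            if hashlib.sha256((out / i["file"]).read_bytes()).hexdigest() != i["sha256"]]

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "triage_out"
    m = collect(target)
    print(f"{len(m['items'])} artefacts collected; integrity mismatches: {verify(target)}")
```

A failed or missing tool is recorded in the manifest rather than aborting the run, so the remaining, still-volatile artefacts are captured regardless.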
Interviewed by the BBC, detective constable Steve Mersh said: “It’s a case of learning the practical skills that we can utilise – no different to finding a gun at a crime scene that we can make safe from the public and attribute to the criminal.”
This is a significant advantage for the UK police. Investigating officers are now able to use any data captured at the time of the seizure or raid to provide support when interviewing suspects in custody. They no longer need to wait to access this information because they are able to quickly find and interpret the results themselves.
Advanced techniques such as RAM and registry captures may still require more specialist units, but local cyber crime officers are now able to use their forensic knowledge to “speak the language”, guiding their colleagues to specific areas of interest on the criminal devices.
Skills for the future
“It’s what I see as the future of policing, and although people don’t see it as the norm now, I think it most certainly will be,” said detective constable Charlie Hare.
“With the rise of cyber crime – both in the UK and globally – we will expect to see elements of this cyber forensics training filtering down to all UK law enforcement officers to become standard training regardless of role.
“We’re now also seeing increased interest in digital currency, open source intelligence and the Dark Web. While these topics are already taught, to an extent, on our courses, demand for police to possess these skills is set to increase,” he said.