Winds of Change: The Power of Rapid Digital Triage
31st July 2019Kim Kingan
Kim Kingan brings nearly two decades of government policy and international strategy to team Cyan Forensics
Kim specialises in governance, compliance, and change management programmes.
In this blog, we explore why you can’t keep doing the same thing and expect different results and how investments in people, training, practices and new technologies such as rapid digital forensics triage will be crucial if police want to inspire public confidence and successfully tackle the offenders who cause the most harm.
Today, law enforcement is under pressure as never before.
- Child Sexual Exploitation and terrorist threats are rising – posing a real and serious threat to society.
- Crimes are becoming more complex – as criminals’ traverse both geographic borders and digital frontiers.
At the same time workloads are rising, budgets are shrinking, capacity is diminishing, leading many senior police officials worldwide to comment that their forces are at a “tipping point” and have an urgent need for change to deliver sustainable 21st century policing.
The increasing importance of digital evidence places new requirements on managers to ensure their teams’ skills and experience keep pace with the exponential growth and global interconnectivity of technology. The required change may benefit from:
- A “whole system” approach, where an agile and adaptive workforce has transferable skills and flexible roles to adapt to evolving threats and has access to the same tools.
- Greater clarity on the role digital forensics plays alongside broader digital investigative capabilities, as we move towards a digital Criminal Justice System.
- A standardised or national approach to those digital services required to be ‘mainstream’ (deployed to frontline investigating officers) and those services which will remain specialist.
Advancing technology gives offenders new tools to both commit crimes and conceal them (using encryption, destruction and anonymisation tools).
In the age of austerity, it is vital to understand not only the value and impact of new technologies on crime, but how quickly law enforcement can leverage technological advances to their own benefit. Key to this will be greater co-development with technology partners who have the capabilities and share policing’s values and mission.
Practices – Triage
In some investigations delays or missed deadlines can have serious consequences. Effective on scene rapid digital forensic triage lets forces gain an advantage in planning, decision-making and managing risk by:
- Identifying potential investigative targets in order to estimate their evidential value
- Prioritising those devices requiring further analysis in the lab; and
- Preserving data integrity; enabling officers to provide legally admissible evidence that could be essential in court to protect the vulnerable from harm and bring offenders to account.
THE CHALLENGES OF CHANGE
More of the same won’t work and the transformation of digital forensics will only be achieved with the collaboration of all disciplines. We are all guilty of getting stuck into a daily routine. Routines that don’t help us get the best from our people, technology and practice, but we keep doing it because it’s comfortable and may still work even when it’s under pressure. But, by repeatedly doing the same thing, we end up getting the same results.
The issue is compounded because no one solution will fit all, as different police forces have made the most of their unique organisational strengths and implemented same-but-different solutions to the existing problem.
- Agencies differ in how responsibilities and practices are distributed across their roles, including Digital Media Investigators, on-site digital forensic analysts, lab based DFUs, and (post-conviction) their public protection offender management teams.
- In some forces DMIs are advisors to investigations, in other they are trained in digital forensic live capture techniques
- In forces where digital forensics has historically been the preserve of ‘the techies’, a wide skills gap may exist between different user groups.
- Simplistically, has the rate of ‘technology enabled police’ increased in proportion to the increased rate of ‘technology enabled crime’?
- Whilst many front-line officers are “digital natives” (they are familiar with today’s technology) they often don’t fully understand the constraints and limitations of using the technology in a work environment or don’t relate to workplace technology because it is outdated.
- There is a balance to be achieved between protecting the public from harm, aiding swift and fair justice, aiding regulatory and legal compliance, and ensuring the well-being of all staff involved.
- Operational practice must deliver balanced risk management across:
- the risk that one of the 80,000 known downloaders of IIoC is incorrectly prioritised
- the risk that evidence is waiting in a backlog while a suspect is at large;
- the risk that evidence is missed through incorrect triage, or
- the risk that a known offender has learnt (the wrong thing) from their previous mistake and is now operating in an as-yet undetected way.
- The prioritisation of the above risks varies across police forces.
Cyan Forensics’ rapid digital forensics triage tools can help
Cyan Forensics’ vision is a world where there is no place that harmful digital content can be easily hidden or shared.
To achieve this, we are working together with policing to deliver technology which:
- Finds evidence in minutes, even in a suspect’s home, and quickly informs next steps
- Enables smarter decisions about what devices to seize, reducing volumes in forensic labs
- Gains rapid insights into ever-increasing volumes of data in investigations
- Is faster and more comprehensive than traditional triage approaches (by finding deleted files)
- Extends the use of existing databases into Forensic Triage (leveraging investments already made)
- Uses a secure Contraband Filter format for secure use in the field and sharing with other forces
- Supports mainstream computing devices including PCs, laptops, flash drives, external drives, and a wide range of disk types, partition types, file systems, and image formats for preview.
When used within a risk-based approach, triage reduces the number of devices seized reducing your backlog and overall workload.