Digital Forensics Artifacts
In modern society, “Mobile devices such as cell phones and smart phones have become an integral part of peoples’ daily lives, and as such, they are prone to facilitating criminal activity or otherwise being involved when crimes occur” (Casey & Turnbull, 2011, p. 1, para. 1).
Criminal investigations encompassing digital data evidence collection on mobile devices continues to be an uphill battle for law enforcement agencies, especially when evidentiary information collection pertains to potential violations of privacy protection rights of U.S. persons under the umbrella protection of the Fourth Amendment to the U.S. Constitution. Weinberger (2014) disclosed that Philadelphia Police Commissioner, Charles Ramsey claimed that, “the government has a “compelling interest” in searching the smartphones of arrested persons” (para. 5). Ramsey also indicated that law enforcement officials have to deal with the ubiquitous nature of technological advances such as those found on mobile devices—creates unprecedented challenges in evidence collections, investigative procedures, and digital forensics for modern law enforcement agencies (Weinberger, 2014, para. 6) and claimed that “a warrantless smartphone search ensures that evidence can be collected in a timely manner before a suspect has a chance to destroy it—something that he says was done in Orange County, California” (Weinberger, 2014, para. 9). According to the article written by Weinberger (2014), Commissioner Ramsey, who is also the president of the Major Cities Chiefs of Police Association, an organization that filed a friend of the court brief supporting warrantless smartphone searches, says collecting data and information from these types of mobile devices is critically important for law enforcement in this day-and-age. (para. 7)
These technological advances in mobile devices continue to present investigative challenges for law enforcement officials. Criminals will leverage these mobile technological advances and discover innovative means to conceal, delete, and/or auto-erase pre-existing evidence of ommunications, data, and information (i.e., incriminating evidence) on mobile devices.
“The information stored on and associated with mobile devices can help address the crucial questions in an investigation, revealing whom an individual has been in contact with, what they have been communicating about, and where they have been” (Casey & Turnbull, 2011, p. 1, para. 3). Ramsey further concluded that “As this technology continues to advance, it’s going to become more and more difficult for us to be able to preserve evidence of a crime” (Weinberger,2014, para. 8).
As an advocate of the warrantless smartphone searches, Commissioner Ramsey and his colleagues defended that warrantless smartphone search practice falls under the common law (i.e., search-incident-to-arrest) doctrine, which authorizes law enforcement officials to conduct legal searches and seizures of individual possessions (i.e., pockets and properties) upon the time of the individual’s arrest (Weinberger, 2014, para. 15). Ramsey also highlighted “Technology is advancing so fast that it’s difficult to keep pace, and it’s going to create some serious problems for us in the future” (Weinberger, 2014, para. 18).
In the following sub-segments, the author of this research paper will examine and discuss the various aspects of forensics challenges associated with criminal investigations and digital evidence processing.
Evidence collection and tagging
In any criminal investigation, law enforcement officials are responsible for collecting all evidence and tagging of such evidentiary items as a standard investigative practice. In today’s modern criminal investigations, the investigative process can be a challenging task, especially when criminals such as cyber terrorists, pedophiles, hackers, etc., are increasingly leveraging advanced mobile technologies to coordinate, communicate, share information and/or data; post audiovisual data on blogs, other Web 2.0 technology websites (e.g., Twitter, Facebook, Vine, and YouTube), and on the Internet. The locations for potential evidence can be anywhere in the online or virtual realm; and many are password-protected by the suspect in question. Law enforcement officials will need to obtain such passwords to enable digital evidence collection, tagging, and processing.
In the case of criminal investigations, such information and/or data could be self-incriminating evidence of a potential crime as seen in the Riley v. California case. Criminals are leveraging advanced mobile technologies to not only plan out their modus operandi, they are increasing the level of difficulty for law enforcement officials to collect relevant evidence, and preventing disclosure of such evidence in question from viewing and processing via data encryption and privacy protection rights.
Law enforcement officials must comply with department regulatory practices, laws and statues; as well as federal legislations, to include the U.S. Constitution (in particularly, the Fourth Amendment) for evidence collection, tagging, processing, chain-of-custody, etc., to ensure that all incriminating and/or excriminating evidence are admissible to the court. Law enforcement officials must also apply best business practices (i.e., in particularly, investigative processes) such as evidence tagging to ensure the integrity of the evidence collected on the suspect and/or at the crime scene are not manipulated, altered, destroyed, etc. One of the critical phases in vidence collection is tagging of evidence. Mike Byrd, a criminal scene investigator from the Miami Police Department clarified the importance of evidence tagging as “The tagging, labeling and marking of the evidence adds credibility and control to our ability to identifying the item (2015, para. 2).
In criminal crime scenes that involve the collection of digital and/or mobile devices, forensics investigators must abide by best forensics practices that relate to collection of evidence, to include digital devices such as mobile phones, tablets, phablets, etc. These collected evidence also needs to be tagged or label to establish a tracking system to assist with preservation of evidence for handling, processing, and to institute a mechanism for chain of custody—ensuring that the collected evidence are handled appropriately in accordance with federal and state laws—avoiding violations of the Fourth Amendment privacy protection issues that may arise. Byrd (2015, para. 5) stated that evidence tags should include the following information of the collected evidence: (1) general descriptions of the collected evidence; (2) case number for the investigation in question; (3) timestamp; (4) location in which the evidence was collected at the crime scene; (5) name of the evidence collection investigator or technician; (6) name of the manufacturer, brand, etc.; and (8) model and serial numbers if applicable.As described in the above findings, evidence tagging not only helps investigators to identify the specific evidence using a numbering system or alphanumeric system during the collection phase, it also facilitates the evidence processing phase so that the processed evidence and/or evidence being processed are admissible to the court without alteration, tampering, and/or
mishandling. Warrington (2013) mentioned that one crucial method to preserving and maintaining the evidence from tampering is through the use of evidence packaging during the collection phase.
Investigators and/or evidence collection technician or agent must following key points associated with evidence packaging: (1) packaging size and material selection; (2) use one package per evidence with its separate seal and label; and document each evidence collected; and (3) use evidence tape and append the signature of the evidence collect agent (Warrington, 2013, para. 1). In terms of mobile devices, Warrington (2013) recommended that “Electronic items require special attention. Cell phones can be activated and deleted from remote sites, which could destroy valuable information. Place cell phones in special bags [e.g., faraday bags and aluminum foil wraps] that block signals and protect from static electricity” (para. 7).
“Communication devices such as mobile phones, smart phones, PDAs, and pagers should be secured and prevented from receiving or transmitting data once they are identified and collected as evidence” (Hagy, 2001, p. 33). Additionally, collection agents or investigators must be aware that modern mobile devices are equipped with manufacturer and/or third-party data encryption software or applications. Hagy (2008) provided the following precautionary practice when collecting mobile devices as evidentiary items: “If data encryption is in use on a computer, data storage device, or other electronic device and it is improperly powered off during digital evidence collection, the data it contains may become inaccessible” (p. 33). Furthermore, law enforcement officials must ensure that all evidence and process throughout the collection phase are documented in detail—preventing any malpractice of evidence collection, handling, analysis, and processing of evidence that is relevant to the investigative case in question.
Chain of custody
According to Bennett (2011), chain of custody is a critical process that law enforcement officials must adhere to in order for post evidence processing to be admissible in court for criminal investigations: The goal of a forensic investigator is to obtain evidence utilizing the most acceptable methods, so the evidence will be admitted according to law in the trial. Obtaining a judge’s acceptance of evidence is commonly called admission of evidence. Evidence admissibility will require a lawful search and the strict adherence to chain of custody rules including evidence collection, evidence preservation, analysis, and reporting.
(Chain of Custody and Preservation of Evidence, para. 1)
Byrd (2015) provided an excellent explanation of the chain of custody process that investigators and or technicians must follow throughout the duration of an active criminal investigation: The chain of custody is defined as the witnessed, written record of all of the individuals who maintained unbroken control over the items of evidence. It establishes the proof that the items of evidence collected at the crime scene is the same evidence that is being presented in a court of law. (para. 3)
In general, chain of custody is a system of control and custodial management for evidence handling and processing to establish creditability and/or integrity of the evidence in question. In terms of mobile phones and/or mobile devices, “The most important step for a first-responder investigator, when arriving at the scene of a crime and identifying a mobile device for possible evidence submission, is to determine how best to preserve that device and its data” (Bennett, 2011, Chain of Custody and Preservation of Evidence, para. 6). Byrd (2015) stressed that the chain of custody process establishes four critical and pertinent components for handling and processing of all collected evidence from the crime scene: (1) tracks authorized personnel handling the evidence; (2) provides timestamps of evidence handling and/or processing; (3) describes the rationale of the evidence being processed; and (4) allows investigators and or technicians to annotate any associated changes that may have occurred that affect the physical and/or digital nature of the collected evidence since it was last checked out (para. 4). Basically, chain of custody enables law enforcement officials to keep track of the collected evidence, and to ensure that the evidence is processed accordingly without tampering, manipulation, and/or mishandling to facilitate the presentation of evidence in criminal cases to the court of law.
Forensics analysis and processing
In recent years, consumer demands for privacy via data and/or device encryption capabilities from manufacturers of diverse mobile devices have cast a dark cloud over the field of digital forensics. Some of these demands include full-disk data and/or device encryption by default on mobile devices. For example, “Android Lollipop, which introduced the first default full disk encryption for this OS [operating system on mobile devices]” (SANS DFIR, 2015, para. 9). It appears that at the time of this writing, the impact of data encryption found in mobile devices has generated alarming concerns for law enforcement officials—forcing the U.S. Government to respond through new cybersecurity policies that urge high-technology companies such as Apple, Google, Facebook, etc., to weaken data encryption capabilities, or perhaps proving a backdoor for law enforcement agencies to gain access to the encrypted mobile devices and/or applications that are developed or designed to protect the privacy of consumers. In a recent explicit letter of appeal by U.S. high-technology software- and hardware-based companies to President Obama’s administration. Two industry giants implicitly admonished the administration and emphasized that the government needs to keep their prying hands out of data and/or device encryption. They were strongly against implementation of any cybersecurity policies that will degrade the integrity of the encryption capabilities that exist on mobile devices and/or applications: “We are opposed to any policy actions or measures that would undermine encryption as an available and effective tool” (Cowan, 2015, para. 3).
The Obama administration and the FBI had previously “pushed the companies to find ways to let law enforcement bypass encryption to investigate illegal activities, including terrorism threats, but not weaken it so that criminals and computer hackers could penetrate the defenses” (Cowan, 2015, para. 4). The high-technology industry giants also fired back at the Obama administration “not to pursue any policy or proposal that would require or encourage companies to weaken these technologies, including the weakening of encryption or creating encryption ‘workarounds’” (Cowan, 2015, para. 19).
Government intervention in data encryption has raised alarming national security concerns over the protection of privacy and civil rights for mobile device consumers in recent years. It appears that identifying a balance between encryption, privacy, and forensics continues to be a challenging obstacle, especially when mobile device users continue to hit historical heights in terms of ownership and usability. “According to a recent study conducted by the Pew Research Center, as of January 2014, 90 percent of American adults owned cell phones, 58 percent owned smartphones, and a little less than half of those surveyed owned tablets” (Miller & Papathanasiou, 2008, para. 1). These are astounding numbers of American adults who own or have access to a mobile device.
Mobile devices have also necessitated major digital forensics analysis and processing for law enforcement officials due to cross platform operating systems, data encryption software and password protections associated with the mobile device—enhancing mobile security. These forensics challenges have spawned heated debates and raised difficult questions for forensics practitioners: (1) methods to gain access to data on mobile devices; (2) bypassing data and/or device encryption algorithms; and (3) post-decryption processing of application data (SANS DFIR, 2015, para. 2). According to Casey & Turnbull (2011), “Digital evidence in mobile devices can be lost completely as it is susceptible to being overwritten by new data or remote destruction commands it receives over wireless networks” (p.3, para. 1).
Generally, once the collected evidence is tagged, bagged, and delivered to the evidence processing facility; “the forensic examiner then performs extraction and analysis on the device, collecting evidence relevant to the investigation in question” (Miller & Papathanasiou, 2008, para. 6). According to Miller & Papathanasiou (2008), “many labs lack the funding, staff, or tools necessary to handle the high volume of mobile devices submitted for examination by law enforcement professionals and first responders” (para. 7). These large volumes of evidence contributed significantly to a decrease in timely processing of admissible evidence relevant to court cases. Additionally, technology and the lack of trained or skilled forensics investigators also created an added burden to the processing of digital evidence—resulting in the delay of time-sensitive processing and handling of the collected evidence—“lab limitations also contribute to delays in evidentiary extraction and analysis for investigators in need of information critical to their cases” (Miller & Papathanasiou, 2008, para. 8). Given the nature of mobile forensics processing, collection, handling, and legality constraints; it appears that these challenges that digital forensics investigators face are insurmountable. Law enforcement officials have to realize that the lack of training, technology, personnel, and facilities could severely impact evidence processing and reporting. Aside from the resource limitations that affect forensics analysis and processing of collected evidence (i.e.,mobile devices), Miller & Papathanasiou (2008) suggested an alternative solution that will conserve resources and money by utilizing decentralized forensics labs which are mobile and deployable in the field—providing real-time evidence handing, analysis, processing, and extraction of crucial information that can further assist ongoing criminal investigations.