Digital Forensics

Digital Forensics Observations from the Field, Summer 2023

July 20, 2023

This article is a post authored by Ian Rainsborough, Regional Vice President for Public Sector Europe at Exterro.

Given my title and employer, it should be no surprise that my team and I spend our time with very interesting people, doing very interesting things in the field of digital forensics (DF) for our governments and law enforcement agencies.

Without these agencies, and those that support them, our borders would be open, our taxes would go uncollected, and the rule of law could not be enforced.

My team and I are lucky enough to hear the successes, the frustrations, the challenges, and most importantly the aspirations of those we work with across the forensics field: from front-line Officers and Investigators, through Forensic Analysts and Lab Managers, procurement and infrastructure teams, all the way to Ministers and Commissioners determining national strategies.

These teams are trying to deal with an unprecedented number of cases, devices, data volumes, complexity, and urgency - often with shrinking budgets and under-staffed teams.

This article is formed of my personal opinions based upon those customer conversations regarding digital forensics challenges and opportunities for today, tomorrow, and beyond.

Centralisation of Digital Forensic Software

We find that many examiners still work independently, with a serial workflow, where evidence passes from one function or specialist to another as it moves through the process: “This is how we’ve always done it”.

We have arrived at a point in time where the volume of cases and data to be processed is forcing units to look at better ways to manage the whole forensic process.

The most obvious of these is a shift from client-based software (“how we’ve always done it”: distributed, serial) to server-based, centralised software.

Centralised environments can be better secured, controlled, managed and optimized, not just throughout the forensic process but also from infrastructure, procurement and operational perspectives.

Many of Europe’s larger agencies, driven by scale and workload, have already made this shift from client to server and have seen significant benefits:

  • They have infrastructure that can process large data sets at scale and at speed.
  • They have visibility and control of the full forensics process.

However, the biggest benefit to be made from centralizing is the ability to collaborate.

Collaboration in Digital Forensics

Collaboration means different things to different audiences. Across the forensic community we find collaboration means:

  • The ability for stakeholders to work on a case together, at the same time – no more waiting for one person to finish before another starts. This leads to both better and faster outcomes.
  • Removal of the need to ship evidence from person to person or agency to agency. This removes risk from the forensic process, allows for better control of the evidence, saves the costs of physical shipping (not to be underestimated), and again significantly speeds up the time to justice.
  • Interested third parties, typically other agencies and Justice Ministries (for prosecution determination) but potentially also Legal Counsel, Translators, or Regulators, can all be granted controlled access to cases that require their input, again driving efficiency.

When considering collaboration, we find our customers lean towards the browser as the preferred method of accessing cases for review. When considering the increasing need for non-forensically trained personnel, whether Investigators or third parties, to be able to access their labs, the use of distributed desktop-based viewers (“that’s how we’ve always done it”) has become unmanageable and can even introduce risk into the process (version control issues).

The emergence of the browser has in turn led to a re-think of how these non-forensically trained personnel can easily access their cases in a simple, intuitive way. There is a strong appetite for platforms that can offer the trained forensic practitioners the depth of functionality they need but allow casework to be presented to an Investigating Officer in a way that they understand.

Note that browser or web interface does not necessarily equal web or internet. Given the nature of artifacts that Law Enforcement must process, especially when considering CSAM, we typically see most deployments into private clouds or on premises; however, there is a growing momentum to look at more cloud-based technology.

Digital Forensics in the Cloud

One of the challenges facing Forensics Labs is the increasing difficulty in predicting incoming workloads.

When sizing an on-premises Lab, one would typically look at inbound evidence over a defined period, add headroom and build out the infrastructure accordingly. As workloads continue to trend upwards, we would add infrastructure as required, hopefully before we reach capacity. This approach has served our customers well, but as inbound data volumes continue to accelerate and are increasingly unpredictable, we are seeing agencies look to cloud technologies to help them manage this challenge.

Cloud technology offers the ability to make the infrastructure flexible: not only can an environment be grown as needed, but more importantly it can be spun down again when not needed.

The pan-European aspect of my role offers insight into different European countries’ maturity and appetite for the journey to cloud. We are beginning to see DF Heads of Department, infrastructure teams and data architects in previously cloud-averse nations growing to accept that the use of some form of cloud technology is inevitable (whether private or otherwise). That said, these national maturities cause their own challenges, especially for agencies working cross-jurisdictional workloads. Consequently, we are seeing a growing number of agencies adding “cloud ready” or “hybrid capable” to their list of requirements.

Automation & Interoperability in Digital Forensics

Another huge benefit of a centralised approach to digital forensics is the ability to automate workflows and the potential to connect to other systems of record.

Automation is proving to be one of our customers’ best weapons in reducing the backlogs and getting on top of incoming cases.

Where once workflow automation was seen by analysts as a risk to their roles, there is now recognition that automating the more mundane aspects of the process frees them up to spend more time on the cases that benefit from their skills and experience.

Importantly, in those customers who have heavily automated, we’ve noticed that analysts are significantly less stressed and much more productive. When no agency seems to be able to get enough good people, keeping the analysts we have has become an important issue.

Like the ability to automate, the ability to connect DF platforms to other systems is becoming increasingly important. Like other points raised in this piece, Open APIs that facilitate this connectivity are increasingly listed as a critical requirement on tender documents. The most common integration requests we see in DF are typically for case management and records management systems.

The Use of Artificial Intelligence in Digital Forensics

No discussion around automation would be complete without a reference to artificial intelligence (AI), both in terms of the opportunities it offers, as well as the new challenges that these technologies present to DF.

Our law enforcement agencies are already seeing growth of AI-generated CSAM leading to an unprecedented volume of first-generation material not seen in CAID or Project VIC databases. This is hampering the ability of teams hunting through this material to identify the real victims and bring perpetrators to justice.

AI and its younger sibling, machine learning, certainly have their place in digital forensics: for example, technology-assisted review (TAR) helps to filter out the non-relevant data before it gets to the reviewer, allowing a reviewer or analyst to focus on what’s important.

However, probably the biggest challenge that our customers articulate in reference to the potential application of AI for good is nothing to do with technology, but rather sits with government and judiciary to determine how much AI our laws can or will accommodate in our legal and regulatory environment.

As a law enforcement official succinctly summed up when discussing AI in relation to expert witness testimony: “I would love to see the paperwork needed for that!”

Regulation of Digital Forensics

It is right that the digital forensics process be regulated and scrutinized. Citizens need to have faith that the evidence being presented in their case is unquestionably the truth.

We are seeing a growing number of countries across Europe take a tighter approach to regulation and the accreditation of digital forensics processes and technology. Even countries that had previously had more relaxed oversight are finding that they need to be able to demonstrate to courts how seriously they take the process of acquiring, processing and presenting digital evidence. To this end, we are seeing a growing number of agencies needing to certify their labs and processes to ISO 17025 standards, and this requirement alone is often enough to justify the shift from distributed processes to a centralised platform.

Concluding Thoughts on Digital Forensics

The deluge of devices, the growth of the number of cases and the need for digital evidence in support of nearly all prosecutions is forcing agencies to accept that the traditional methods of working DF are no longer fit for purpose.

This presents challenges on how to maintain services whilst investing in the future, not just across forensic tooling but also across the whole gamut of technology, supporting the judiciary and even finding the right mix of personnel.

The good news is that there is a strong community of vendors able to support these initiatives, with choices available to suit the needs of every Investigator and Agency, large and small.

My team and I look forward to continuing our service to our customers and their respective agencies.

Thank you for doing what you do to keep us all safe.
