Cellebrite launches actionable forensics data in the field

Police work is mostly about solving cases, and this is not a trivial task. Gathering clues and hints is important to achieve the desired outcome. Everyone today has a mobile device on them wherever they go, and these devices are storing a lot of information (calls, chats, locations, pictures, contacts), leveraging this data for investigation is just common logic.

Researchers conducted on investigation process proved that evidence or clues that are gathered within the first 48 hours are imperative to solving cases, and the statistics shows that when there is no real direction the chances to ever solve the case decreases by 50 percent.

So the need for speed is clear, and providing actionable data extracted from mobile devices is a necessity. How can this be done? A mobile forensic examiner would require years of experience to develop the right skill sets to overcome different technical challenges of obtaining forensically sound evidence. How can we speed the process and move mobile data recovery from the forensic labs, where we have the experts, to the field where we have excellent investigators whom ar not experts in mobile forensics?

This is the exact challenge we faced at Cellebrite when we started planning and designing our UFED InField solution. We have consulted with many of our customers (both digital forensic experts and police investigators), and together we defined the criteria and needs of users for field mobile extraction. There were three main obstacles we needed to address:

  1. Extraction duration – it must be quick and effective, as in the field there is no time for long process.
  2. Simplicity – The users are not technical nor forensic experts, and therefore the flow should be as simple as possible.
  3. Deployment management – When you have a wide deployment of devices across the country to enable investigative teams to perform mobile extraction quickly, you must have a tool to manage the deployment and set flows per the need on the agency.

With new release of UFED InField 5.2, we kept the above three challenges as part of our product design guidelines, and indeed, based on the feedback from our beta customers, we gained a lot of progress.

Meeting all the needs for field forensics is a journey, and together with our customers will continue to research and develop new capabilities to make the experience simplified and efficient as possible.

Join the journey and discussion share your ideas and feedback by posting a comment below. Perhaps together we can help build a safer society.

I am hosting a webinar next week, Wed. June 22nd, on how you can simplify mobile data access in the field to speed investigations. Click here to register.

_ARS6348_NewKiosk_22may2016

 

Balancing data actionability with forensic soundness

The ability to extend mobile evidence collection capabilities into the field has a great many benefits. Reducing costs associated with overtime, outsourcing, and diminished forensic lab productivity renders a field-based solution an investment rather than an additional cost. Reducing the risk of human error in data analysis is attractive, too, as automated tools help to improve field-level decision-making about cases.

Even so, decentralizing mobile forensics also carries its own risks. Will field personnel handle mobile device evidence the right way, including securing proper legal authority? Will they follow policy and standard operating guidelines when it comes to extracting and preserving mobile device evidence?

The legalities around field-based mobile device extraction have yet to be determined in many countries, but authorities can ensure compliance with organizational policy and overall forensic best practices by using permission management and auditing features. These kinds of capabilities take into account that not everyone needs the same level of access to mobile device evidence, depending on the types of cases they are investigating as well as the offense severity.

With the UFED Field Series, as well as the UFED Pro Series, permission management functionality allows agency administrators to define and configure user authentication settings to ensure that only users with the right credentials can access the application. An encrypted permission management file that contains usernames and profiles can be imported into multiple UFED InField applications.

Not only credentials, but also extraction privileges can be assigned. Certain investigators may be able to have access only to logical and SIM card extractions, while forensic lab examiners can access full physical extractions as well.

In addition, administrators can define content types available from logical extractions. Some investigators may be granted extraction permissions only for images and videos, for example, while others can access messaging in addition to images and videos.

These privileges can be based on user roles and/or training and certification levels. For example, investigators who have received the Cellebrite Certified Logical Operator (CCLO) or the Cellebrite UFED Field Operator (CUFO) certifications, or completed the coursework without receiving the certifications, can be assigned as many or as few extraction privileges as an administrator deems necessary for their role.

On the flip side of granting access to mobile extractions and data is tracking what the logged-in users do once they’re in the system. With UFED InField, an activity log maintains a list of all transactions including extraction start and end times; transaction type, duration, and status; device owner, vendor, model, and name; case ID and crime type; and who seized the device. Administrators can use this log to audit usage and ensure accountability among users.

The UFED Field Series solutions promote the treatment of mobile devices as crime scenes, so that the evidence they contain is fully preserved from seizure all the way through search and analysis. It offers organizations the “technology” component of a three-pronged approach that Cellebrite encourages towards implementing legally defensible field-based extractions for personnel who do not specialize in mobile forensics. By combining the UFED Field Series with training, policy, and standard operating guidelines*, organizations can reduce risk while meeting the need for improved access to actionable mobile device data in the field.  To learn more, download our solution brief today.

Umbrella - blog banner

*We recommend you work with your prosecutors and administrators to develop policy and appropriate training, including processes for obtaining written consent and search warrants (either traditional or electronic, if your jurisdiction allows).

Unifying investigative teams from field to lab

Nearly two-thirds of respondents to Cellebrite’s 2015 mobile forensics trends survey rated “important” the ability to extend mobile evidence collection capabilities into the field. The reasons are many: the costs of overtime, outsourcing, and even human errors are mounting, while lab service delivery times diminish.

Improving investigators’ ability to make decisions about their cases, including whether they need to escalate mobile evidence to a forensic lab at all, is the focus for many organizations in both law enforcement and the private sector. This focus reflects a need for in-field mobile device forensic solutions that span field locations: both stationary kiosks at satellite offices or stations, and mobile data extraction devices.

To this end, they seek solutions that provide basic data analytical capabilities: the ability to identify the who, what, where, and when of any given incident using mobile device data in conjunction with field interviews, witness statements, and other investigative activities undertaken in the first hours or days following an incident.

When evidence escalation is required, the solution must be able to route data immediately over a private network to a digital forensics lab at a headquarters, in another jurisdiction, or even in a different country. In other words, the solution must ensure that investigative teams have the technological ability to transfer data back and forth across a truly unified, secure system that promotes full accountability for their actions.

Without these abilities, the workflow falls apart under two circumstances:

  1. When data recipients have to translate the data into a different format so that it will work with a different system, or when senders have to take extra steps—such as transporting data storage media to the recipients—that adds, rather than saves, time.
  2. When it is difficult for managers to track statistics and integrate reports that give them visibility into how their personnel are using the tool, and therefore, make it more efficient for them to help personnel manage caseloads or adjust expectations.

Cellebrite’s UFED Field Series aims to reduce these problems by using an agency’s encrypted network to enable personnel to share extraction statistics, reports and raw data with other personnel or send to a predefined location.

The right infrastructure: local area network (LAN) and/or virtual private network (VPN)

Whether users are in substations, using UFED Field Series solutions installed on the UFED Kiosk, or are mobile, using UFED IX or ILX on laptops or tablets, the ability to send extraction data to a central location for storage or analysis with a single click is an important distinction.

At a minimum, kiosks in substations or satellite offices can be connected to a LAN using a standard RJ-45 cable and their own IP address. With a VPN, a similar capability can be extended to UFED Field IX deployments in vehicles. That way, a laptop or tablet connected to wifi, or to the cellular network via air card, behaves like other endpoint networked devices with its own IP address.

Organizations that do not have reliable infrastructure, such as those in rural locations without 4G or LTE wireless service, may experience bandwidth challenges because even logical extractions, on many smartphones, could be a couple of gigabytes.

In these cases, workarounds such as storing extractions and performing a daily scheduled batch file upload at end of shift may help. Users could also opt to store extraction data on encrypted portable devices such as USB or hard disk media, although this can add time to the overall process.

Streamlining communication via analytics

It is one thing to extract data to provide to other team members, but another to offer them visual analytics that can help them support particularly time-sensitive scenarios. Two scenarios enable this capability.

  1. Deployed in the field on mobile units, UFED Link Analysis allows investigators to create a project merging data from multiple devices, and then to share that project over the network with other investigators at a central or another mobile location.
  2. Deployed at a satellite location such as a police substation on the UFED Kiosk, UFED Link Analysis appears as a “shell” viewer. This data can be stored on a network drive, DVD, or USB for later transfer to other investigators.

While UFED InField is designed to help first responders improve their investigative efficiency by putting mobile evidence collection solidly in their hands, its optimization for a network-enabled environment allows for a seamless transfer of data to lab practitioners when required. To learn more, download our solution brief.

Umbrella - blog banner