At the scene: Analyze devices faster and get results

Sometimes red flags pop up pointing to a need for change, and that’s exactly what happened in the Pasco County, Fla., Sheriff’s Office a few years ago.

Narcotics and vice officers executed a knock-and-talk at a home, and when the suspect wouldn’t allow them in, they secured a warrant and returned hours later. When officers finally gained entry, they confirmed it was a grow house.

But the red flag that popped up had nothing to do with drugs. It had to do with the fact that in the hours between law enforcement’s first and second visits the suspect left the pot plants intact but destroyed every piece of digital evidence.

“It was the push we needed to put an in-house digital evidence lab together,” says Det. Sebastiano Pepenella, who now performs digital examinations in the county’s two-man digital forensics lab.

Police in Marble Falls, Tex., experienced a similar awakening when officers confiscated a hard drive from a suspected child pornographer, then waited two years for the state lab to finish processing the forensic evidence. They finally made an arrest, but during that two-year lag time the suspected pornographer had been working as a school bus driver.

“This story shows that if you can get to the evidence more quickly, you can at least take the bad elements out of the picture until you can convict them,” says Suresh Sundarababu, Dell global solutions manager.

According to Det. Michael Fazio of the Bloomington, Ill., Police Department’s cybercrime unit, many departments don’t think their inability to process digital evidence is an issue, until it becomes one in an actual case. But it is a growing concern, he says, pointing out that “about 80 percent of everything a suspect deals with touches something digital. And if that person is touching something digital, he or she is leaving evidence behind.”

The reality is that as more criminals rely on computers and digital devices to commit crimes, law enforcement increasingly needs to use computers to fight back. Recognizing the explosive growth in digital evidence, the FBI proclaimed in 1999 that it would set up regional computer forensics labs (RCFLs) across the country to handle law enforcement’s digital forensics needs. Today forensic examiners in these labs effectively extract and analyze data from digital portals, such as computers, jump drives and phones, but demand for these services is high and turnaround is incredibly slow.

“There’s been an opinion for many years now that only the experts can handle digital media,” says Tom Eskridge, partner at High Tech Crime Institute Group, a Florida company devoted to providing high-tech computer training to law enforcement. “But by sending every piece of evidence to a state RCFL, the evidence sits there for an average of 13 months before it gets examined. It’s like sending every person who comes to an emergency room into the operating room for surgery.”

Digital triage provides a light at the end of the tunnel for this winding and rocky road of digital evidence. “The tools needed to retrieve data from devices are not as expensive as they once were,” Eskridge says. “And in the case of cell phones, especially, about 70 percent of the time data can be retrieved from them by someone with minimal training.”

Digital triage

The concept of digital triage is simple: Police rely on a procedural method to prioritize which digital devices require in-depth forensic analysis and must be sent to a state lab, and which ones can be analyzed at the department via a simplified triage scan.

Eskridge likens the concept to what law enforcement currently uses with fingerprints. Years ago, when Eskridge worked as an officer in Compton, Calif., he never collected a fingerprint in 11 years; a crime scene investigator did that. Today line officers can collect fingerprints themselves at the scene, unless the fingerprint lies on a surface, like paper, that requires fuming back at the lab. “If only special cops could fingerprint a crime scene, imagine how backed up a crime scene investigator would be,” he says.