Low Hanging Fruit: Evidence Based Solutions to the Digital Evidence Challenge

When I first saw the title, I thought this was going to be something different (as in “low hanging fruit in digital forensics investigations”), but instead realized that it’s a think-tank report asking to approve a new yet-another-digital-forensics-federal-agency tasked to develop a list of ISPs.

Here is my understanding of their proposal

Problem and Objective:

-Cops don’t know which ISP to ask for data

-Teach cops how to ask for data from service providers by creating a “New national digital evidence policy” that is also “going to require a dedicated office”.

Staffing needed for the new federal agency:

--10 to 15 technical experts

--10 to 15 additional support staff

--Director

--Deputy Director

--Administration assistant

--Part time administration assistant

--“Additional staff”

--“Additional expenditures” could include more staff and attorneys

--“Honorariums” to advisory board members

The cost? Hold on to your seat.

--$10 million for staff

--$100 million OR MORE for support

The part of $100 million that rubs me a little raw is that the amount was downplayed because it is so small compared to other government spending. That simply sounds to me like, ‘hey government, you spend so much money, how about I create a new agency and you give me a little off the top, like a cool 100 million?’  Even the staffing requirements are limitless with “additional staff”.

I’m not going into what I really feel about another federal government agency for $110+ million that is created to research the development of a spreadsheet of ISPs just so that law enforcement knows where to send a legal demand…

But I’ll get a little bit into the training that was referenced in the presentation. From their research/survey, they found that law enforcement only receives between 10-15 hours a year of digital evidence training. This was conflated with training related to legal requests (search warrants, etc…) and training in forensics. On top of that, I found no separation between “law enforcement officer” and “digital forensics examiner” in what training they referred. I would say that 10-15 hours a year in digital evidence training to first responders is more than sufficient, but for a forensic examiner, a wee bit on the low side of annual training in analysis, but certainly not insufficient.

Some points of digital forensics training in law enforcement, and the obstacles I have seen go beyond what ISP to send a legal request.  In my experience, practically any detective or patrol officer can type up a legal demand and find out where to send it without having a bit of digital forensics training, yet it was the number one issue in this report.

It’s the individual

There are two types of forensic analysts in government service. One who does the minimum. The other who goes well beyond the minimum.

I have seen some who are assigned to the cyber unit (cyber as in whatever the name of the digital forensics unit is called by each agency), take not a minute more training than being paid to take by their employer. For some, learning a skill for the job is directly tied to being on-the-clock and not a second more. This also applies to law enforcement lifesaving skill training…

The expectation is that the agency must provide everything they need to do their job. I’m not agreeing or disagreeing, nor getting into guild contract issues.  But I will say that some do go beyond that which is given them. I have certainly enjoyed the benefits of government provided training, spending months at FLETC and other out-of-state trips for training. I have also used vacation leave and spent my own money on training, books, and software when I was a government employee because I knew  I needed more than what was going to be provided to me. Hearing statements like, “I haven’t read that book because my department won’t buy it” continues to amaze me.

The difference that I have seen in the skill level between both groups is that of night and day. One detective told me that he refused to go to a forensic conference that his agency agreed to pay because lunch wasn’t covered. He wasn’t going foot the bill for his lunch and turned down the conference. The same detective also simply exports lists of CP filenames in his cases without any analysis, and sends the reports for charging, specifically blaming his lack of analysis skills on a lack of department provided training. A different forensic detective in a different agency spent three months trying to image a hard drive that I had already imaged for him but couldn’t figure it out (errors of some sort, I have no idea), but lives by the same rule as the first example. You no pay me, me no learn.

I’ve seen other law enforcement forensic folks who are forensic gods. Their departments will be at a great loss when they retire or move into the private sector. This is not due to having higher IQs or the agency having a bigger budget but instead, they are putting forth the effort with a willingness to do better regardless of who pays.

Back to the $110+ million dollar agency

The main issue of this research was that cops don’t know which ISP to send legal demands. Their entire premise boiled down to one statement:

“Law enforcement needs to understand where to go to in order to ask for data.”  - Low Hanging Fruit presentation

My solution: We just need to create a list to do that.  

Another issue in the research was that current forensic programs don’t include legal demands in their training. Please, do not start doing this! Forensic training is forensic training.  Legal demands (like search warrants), don’t need forensic training and many times, it is not even the analyst writing the warrants if there is a case detective/agent working the case. Don’t waste an examiner’s time on how to write a warrant when they need to know how to extract the evidence and interpret it.

On the training and skill side of things, I don’t see a federal agency fixing anything as detailed in the report. We already have tons of grants, more training from more vendors than ever before, more folks trying to get into forensics, and more work than can ever be done. I can see $110+ million being spent on more effective measures for law enforcement forensics than what is proposed in this report.

Internal agency specific problems

My suggestions to increasing competence in law enforcement digital forensics is that each agency needs to make changes in how they do business when electronic evidence analysis is concerned.

--Select those who can do the job to do the job (seniority does not equal potential competence)

--Pay for their training (to speed up the learning process)

--Stop rotating them out of the job (or competence in the unit will never be obtained)

--Create promotions within the unit rather than promote them out of forensics

--Remove those who can’t do the job and find someone who can

I make these suggestions only because I have seen it done opposite of what I am suggesting. This is not a federal agency’s responsibility to fix the state and local digital forensics issues, especially at $110+ million.

I’ve been on a few boards and committees at the local and state level at attempts to do something about the lack of LE forensic analysis, but mostly they resulted in lots of talk, lots of notes, and the creation of another committee or board to start over. It is good to see interest in trying to make it better, but sometimes someone just has to put their foot down, stop talking, stop researching, and plainly get things moving.

Check out the research video here: