"People don't know what they don't know until they don't know it," says Det. Michael Fazio of the Bloomington (Ill.) Police Department's cybercrime unit.
He speaks from experience. About eight years ago, the 150-man department found itself facing a homicide it couldn't solve because the evidence and the suspect's alibi resided on a computer.
"At that time we knew enough to go get the computer. However, we didn't know what to do with it," Fazio recalls.
Three regional labs in the state could analyze the evidence but estimated it would take two years. Investigators finally called the U.S. Attorney's Office for help and had the computer analyzed more quickly to disprove the suspect's alibi.
In an effort to prevent this situation from happening again, the city manager and Bloomington PD put money and time behind developing an internal digital forensics unit.
Fazio predicts there are many departments operating as the Bloomington PD did before 2004, and that worries him. "A lot of departments don't even realize they have an issue," he says. "About 80% of everything a person deals with touches something digital. And, if the individual is touching something digital, he or she is leaving evidence behind."
But as troubled economic conditions dramatically slash police budgets and reduce officer counts, it is difficult for many departments to justify putting financial muscle behind digital forensics.
There is some good news in all of this, a light at the end of the tunnel, so to speak. "A lot of digital crime scenes are turning into portable devices, aka cell phones. The tools needed to retrieve data from those devices are not as expensive as what's used in traditional computer forensics. And 70% of the time data can be retrieved from them by someone with minimal training," says Tom Eskridge, partner at High Tech Crime Institute Group, a Florida company devoted to providing cybercrime training to law enforcement.
Triage Is Where It's At
In 1999, the FBI proclaimed it would handle the entire country's digital forensics needs and set up regional computer forensics labs (RCFLs) across the country. These labs extract and analyze data from any kind of digital evidence, but the demand is high and the turnaround slow.
"The average turnaround time for a computer is 13 months," says Eskridge, who calls the current system, where agencies send out digital evidence for processing, broken. "It's like everyone with a paper cut going to see a trauma surgeon," he says. "We have to start triaging digital evidence if we are going to be successful."