"People don't know what they don't know until they don't know it," says Det. Michael Fazio of the Bloomington (Ill.) Police Department's cybercrime unit.

He speaks from experience. About eight years ago, the 150-man department found itself facing a homicide it couldn't solve because the evidence and the suspect's alibi resided on a computer.

"At that time we knew enough to go get the computer. However, we didn't know what to do with it," Fazio recalls.

Three regional labs in the state could analyze the evidence but estimated it would take two years. Investigators finally called the U.S. Attorney's Office for help and had the computer analyzed more quickly to disprove the suspect's alibi.

In an effort to prevent this situation from happening again, the city manager and Bloomington PD put money and time behind developing an internal digital forensics unit.

Fazio predicts there are many departments operating as the Bloomington PD did before 2004, and that worries him. "A lot of departments don't even realize they have an issue," he says. "About 80% of everything a person deals with touches something digital. And, if the individual is touching something digital, he or she is leaving evidence behind."

But as troubled economic conditions dramatically slash police budgets and reduce officer counts, it is difficult for many departments to justify putting financial muscle behind digital forensics.

There is some good news in all of this-a light at the end of the tunnel, so to speak. "A lot of digital crime scenes are turning into portable devices, aka cell phones. The tools needed to retrieve data from those devices are not as expensive as what's used in traditional computer forensics. And 70% of the time data can be retrieved from them by someone with minimal training," says Tom Eskridge, partner at High Tech Crime Institute Group, a Florida company devoted to providing cybercrime training to law enforcement.

Triage Is Where It's At

In 1999, the FBI proclaimed it would handle the entire country's digital forensics needs and set up regional computer forensics labs (RCFLs) across the country. These labs extract and analyze data from any kind of digital evidence, but the demand is high and the turnaround slow.

"The average turnaround time for a computer is 13 months," says Eskridge, who calls the current system, where agencies send out digital evidence for processing, broken. "It's like everyone with a paper cut going to see a trauma surgeon," he says. "We have to start triaging digital evidence if we are going to be successful."[PAGEBREAK]

It's a concept currently used for fingerprints. Every officer can collect fingerprints at the crime scene but if the fingerprint is on a piece of paper and needs fuming, that fingerprint is sent to a local lab. If it's a bloody fingerprint, it's sent to a regional DNA lab. "If only special cops could fingerprint a crime scene, how backed up would the crime scene investigator be?" Eskridge asks.

Advances in technology have made it possible for any officer, with minimal training, to retrieve digital evidence at the crime scene and utilize it for investigative purposes. "Today, they can get intelligence off a device in hours instead of waiting weeks, months, or years for the lab to return it," he says. "They need to get local control. We're talking about training people who 70% of the time can get the evidence they need. But there will always be a need for RCFLs in high-end cases."

Technology and Tools

To set up full-blown digital forensics capabilities that do 95% to 100% of all digital investigations, such as that found in Bloomington's three-man unit, Fazio says departments need the following:

• Write blockers, such as The UltraKit III from Digital Intelligence. This portable kit contains a complete family of UltraBlock hardware write blockers along with adapters and connectors for use in acquiring a forensically sound image of virtually any hard drive or storage device. The tools run about $1,500 to 3,000. Data Copy King (DCK), a hard drive duplicator from SalvationDATA, can also be used to duplicate hard drive data.

• Specialized digital forensics software, which costs approximately $5,000 a copy with maintenance plans that tack on an estimated $2,000 a year.

• Software to analyze phones and other portable devices, which can cost up to $5,000, depending on the product selected.

• A powerful computer that costs approximately $10,000 to $13,000. "This is not a computer you purchase at the local Best Buy," Fazio says. "It just won't have the power to run this software."

• A forensic laptop to analyze digital evidence in the field. This runs around $6,000, he says.

• Training. Technology is constantly changing so it's not possible to train for one year and be done forever, says Jason Mical, network forensic specialist for AccessData, a company offering a suite of digital forensics products for law enforcement.

• A dedicated server to store digital evidence. "A server can cost up to $22,000 and then you have to buy cases of hard drives and things like that," Fazio says.

Then there's maintenance and upkeep, salaries, and training. "Our yearly budget for just maintaining what we have is about $30,000," says Fazio. "That does not include switching out computers, which we do every three years. The $30,000 is just to keep us running."[PAGEBREAK]

While more than $50,000 to get started and $30,000 a year thereafter may be more than small- to mid-size departments can justify, the good news is they can get into the digital evidence space at a lesser scale, says Eskridge. "Some smaller departments are only in need of, or can afford, a triage level forensic capability that solves 70% to 80% of the cases," he says. "This sort of lab can be set up for about $10,000 and could include a cell phone solution. This gives local control for a majority of the cases that do not require the assets of a larger lab."

A smaller department may decide to only perform first-level triage-scan the devices for basic information that can help the investigation. In a child exploitation case, officers can employ technology such as Paraben's P2 Commander to collect pictures and chat info off a computer. Technology like Dell's Mobile Digital Forensics system can collect evidence such as pictures, driver's license templates, credit card templates, and DMV photos off a laptop in an identity theft case.

"At the local level for a reasonable amount of training and a reasonable price, they can do a form of triage that allows them to extract information and solve crimes 70% to 80% of the time," Eskridge says.

Selecting Software

When first entering the digital forensics space, chiefs often tell their detectives to find and use whatever free tools exist. While there are free tools available that work as intended, Fazio says to proceed with caution.

"They work well, but the problem comes in when trying to get evidence admitted into court," he says. The court classifies digital forensics data as scientific evidence, meaning it must meet the requirements set by the long-held Daubert and Frye rulings for scientific evidence. "To get scientific evidence admitted into court, you have to be declared an expert witness and the tool you use must be accepted by the industry," Fazio says. "That tool has to be available to the public for reliability testing."

Departments entering the higher level of digital forensics capabilities, such as Bloomington, will want to use one of two primary tools: Guidance Software's EnCase Forensic or AccessData's Forensic Toolkit (FTK). "If you use these, the defense attorney can no longer challenge the reliability of the software because it's been accepted by the courts," Fazio says.

Both AccessData and Guidance Software also offer triage tools for computers at a price point smaller departments can afford. AccessData's AD Triage enables on-scene preview and safe acquisition of computers that are live or shut down. EnCase Portable is delivered on a USB device that allows officers to quickly and easily triage and collect digital evidence in a forensically sound manner. Dell's Mobile Digital Forensics solution also enables field data collection. It utilizes Dell Latitude F6400 XFR rugged laptops, running SPEKTOR forensic intelligence software from Evidence Talks. Like the AccessData and Guidance Software mobile solutions, this system can identify and pull data from desktop computers, laptops, and portable devices.

"With a triage-type system, agents can prepare before they even go on site and say, 'I want to look for e-mails, pornographic images, or whatever,' and as soon as they show up on site, they can plug the tool in and it will automatically search for this data with little intervention," says Mical.

The advantage of using triage tools is time. "Before, computer forensics was a very serial process that progressed one step at a time," says Suresh Sundarababu, Dell global solutions manager. "If they had three terabytes of data it would take weeks to process." Triage products look for and find specific data in minutes.[PAGEBREAK]

Cell Phone Forensics

The above software covers computers, but what about portable digital devices?

Eskridge says there are really only four big players out there: Paraben Corp.'s P2 Commander, Susteen's SecureView for Forensics, Micro Systemation's XRY, and Cellebrite's UFED Ultimate." However, AccessData now offers its MPE+ tablet for mobile phones. It uses advanced plug-in technology to search through things like e-mail, network e-mail, chat logs, Internet files, call data, and more.

"Cell phone forensics fits very well into the whole triage philosophy," says Eskridge. "With a $2,500 tool, in five minutes they can have the same information they are going to get from a lab in three to six months. And now instead of sending 100 phones to the lab, they may only be sending 30 so the lab isn't as backed up because they took 70 phones off of their plate."

Tech Training

All of these tools are for naught without training, says Steve Salinas, product marketing manager for Guidance Software.

At a minimum, officers working the digital forensics space need a basic, forensics 101-type training. They need to know what a digital container is and the information that this technology can house. "A digital container can be a phone, a PC, a tablet, even a camera; anything that can store data," Mical explains.

Officers also require a basic understanding of how digital technologies store data, different file formats and operating systems, and the tools officers need to extract data from each. Training needs to be continuous to keep up on new technology.

There are many sources of training, from companies offering digital forensics products, to various state and federal training centers, to private companies such as HTCI. Nonprofit centers include FLETC, NW3C, DC3 and SEARCH.

Build Your Case

Once equipment is in place and officers are trained, departments can hit the ground running on their digital investigations. "We have students at the end of a one-week training class go out and make cases the next week," says Eskridge.

Once a few cases are made, it's easier to get the keepers of the department budget to open the coffers and fund this capability year after year, says Fazio.

"Departments need to sell this. It's necessary to educate local government officials and the public on cybercrime and why law enforcement needs to provide that service to them. When you come in and discuss cybercrime, you're fighting a battle about a crime they don't even understand or know exists."

Ronnie Garrett is a freelance writer based in Fort Atkinson, Wis. She can be reached via editor@policemag.com.

For More Information:

AccessData

Cellebrite

Forensic Computers Inc.

Dell

Digital Intelligence

Guidance Software

Micro Systemation

Paraben Corp.

SalvationDATA

Susteen

Training Resources:

DC3

FLETC

High Tech Crime Institute Group (HTCI)

NW3C

SEARCH