When I was investigating child exploitation and human trafficking cases in 2009 as a digital forensic examiner, the central challenge was access. Social media and the instant messaging connected to it were starting to take off globally. Unfortunately, its use as a tool to lure victims was playing a crucial role in some of our investigations. The investigating officers I worked with started to ask me whether we could retrieve chat messages as evidence. At first, I didn’t think it was possible.
After doing some research in my evenings and weekends, I realized that critical evidence like these messages was recoverable. I developed a prototype that I shared with my agency and others around the world.
In 2011, I made an extremely difficult decision to leave policing to found Magnet Forensics. In the past decade, we’ve developed tools such as Magnet IEF and Magnet Axiom that help police agencies lawfully recover, analyze, and report on critical digital evidence from computers, mobile phones, cloud services, and IoT devices. Using these tools, police agencies can recover messages as well as other critical evidence found on these devices in images, emails, browser histories, documents, and GPS data to build a case.
While access continues to be a challenge with device and app encryption, it is no longer the only problem. It is rivaled by another that is currently threatening to overwhelm police agencies: the volume of digital evidence that examiners now have to process.
To address this problem, forward-looking police agencies and their leaders have looked to Magnet Forensics to introduce automation technology to help ensure they can investigate any crime or incident with digital evidence in a timely fashion.
THE CHALLENGE
The explosion of data is changing criminal investigations. In the past, investigators relied on evidence that was bound to crime scenes. Now, evidence is everywhere and it’s more complex. It’s in the chat logs found on laptops, the GPS tracking data of mobile phones, and even in apps connected to smart home devices. According to a European Commission report, digital evidence is relevant in 85% of criminal investigations.
The problem for many police agencies is that there is too much digital evidence to handle. Budget constraints and a global technical talent shortage are complicating the ability of agencies to meet the growing demand for digital evidence processing, analysis, and report generation. Digital evidence is rapidly accumulating, leading to months-long backlogs for some agencies that are resulting in an erosion of justice.
There is a major evidence bottleneck occurring from the time digital devices are collected in the field to the time that the evidence found on them is processed.
In most agencies, cases with digital evidence are still worked on a one-to-one basis, which means one digital forensic examiner is required to run each piece of evidence through the investigative steps on one workstation. That digital forensic examiner needs to be physically present to launch each phase of their workflow. Many of these tasks are basic and don’t involve much more than connecting a device or clicking through prompts. Due to the limitations of the digital investigation process, critical time is lost between shifts, evenings, weekends, and holidays. Up until now, many agencies have had to devote more resources to overtime expenditures to keep digital investigations moving. Their reports suggest that digital investigations are one of the fastest growing causes of increased overtime costs. This solution isn’t sustainable.
The pressure to accelerate evidence processing is also being felt by digital forensic examiners. They are being diverted from the detailed, technical analyses they were trained to perform and hired to do because of the increasing burden placed on them by the volume of digital evidence that needs their attention.
Without relieving the digital evidence bottleneck, police agencies are going to risk seeing their cases dismissed by courts and burning out their digital forensic examiners.
THE SOLUTION
Magnet Automate is helping police agencies solve the digital evidence challenge by automating the initial phases of a digital investigation. This solution takes the basic and repetitive tasks in the digital investigation process and runs them 24 hours a day, 365 days a year without the need for human intervention.
Think of our solution as an assembly line for your digital evidence processing. With Magnet Automate, digital forensic examiners can use their existing hardware to automatically distribute tasks and maximize evidence processing. Rather than being limited to working cases on a one-device-per-workstation basis, Magnet Automate unlocks the ability to simultaneously process data for multiple cases. When a workstation completes the processing of evidence on one case, it can automatically move on to the next.
Magnet Automate, which has the ability to be deployed in virtual machines or in the cloud, allows agencies to scale up and maximize the full potential of their existing resources if they receive an influx of cases or a case with a large amount of data.
By turning hours of overnight or weekend downtime into uptime, Magnet Automate is helping labs eliminate heavy case backlogs, accelerate the rate at which they deliver evidence to investigating officers, and free up their digital forensic examiners to take on the more complex analysis they were hired and trained to do.
CASE STUDY
In 2020, a large municipal police agency’s digital forensics unit was struggling to get digital evidence into the hands of its investigating officers in under 72 hours. The growing volume of digital evidence was beginning to overwhelm the unit. In some cases, the agency realized that there were upwards of 14 hours of downtime between each step of the digital investigation process.
The agency’s digital investigations unit determined that the only way it could achieve its goal to turn around digital evidence in a 72-hour window would be to eliminate the downtime and automate the workflow. The agency partnered with Magnet Forensics and adopted Magnet Automate to work within its existing infrastructure.
The improvements were immediate.
While investigating a multijurisdictional case involving evidence from the dark web, the agency needed to image and process two terabytes of digital evidence. Magnet Automate enabled the agency to accomplish this in only 40 hours. Without Magnet Automate, processing the evidence manually took 58 hours.
The agency would go on to find an average of 30% time savings per case involving digital evidence. It was also able to guarantee, going forward, that standard digital evidence found its way to investigating officers within its 72-hour goal and, ultimately, increase its pursuit of justice.
Jad Saliba is the founder and chief technology officer of Magnet Forensics. He previously served as a front-line police officer and digital forensic examiner.