The value of public/private alliances for digital investigations.

Leaps in technology over the last 20 years have created some true benefits to society: real-time collaboration, cheap and reliable digital storage, the ability to perform complex processing in a matter of seconds – all things designed to simplify and speed up our lives. Generally speaking, as technology has evolved it has allowed us to complete tasks more efficiently and more cost-effectively. While this benefits most individuals and businesses, one area where this evolution is having an adverse effect is the digital forensic space, especially when considering the law enforcement aspects.

A survey of policing agencies across North America revealed that the average backlog for cases involving digital evidence was 6 – 7 months. Obviously, that’s very concerning. What’s more concerning is that the survey was performed 12 years ago, in 2004. Nowadays, it’s not uncommon to have backlogs of 1-2 years. Even with advancements in the technologies and tools which are available, the sheer volume of data and the move to a more digital age is becoming painful.

For example, in March of 2015, Canadian Police uncovered a child pornography sharing database. It was approximately 1.2 petabytes in size which, to give you some context, is the equivalent of over 20 million four-drawer filing cabinets filled with text documents, or around 13 years’ worth of HD TV. Basically, it’s big. Really big. As the former Deputy Commissioner of the Ontario Provincial Police stated:

"This is the first investigation of this scale, to my knowledge - in North America, if not worldwide"

As one of the case supervisors stated, “We can hire many more digital forensic investigators and we wouldn’t make a dent in this case”.  In short, here we have a situation where one case is, essentially, going to break the system. While this size of case is still rare, we have to remember that, on average, many Canadian Police technological crimes teams have to analyze around 700-1000 digital devices per year and the size and complexity of those devices is ever growing.  Their backlog, like all other agencies, is continually increasing.

‘Why does this matter’, you ask? Simple - it’s the potential for the withdrawal of court cases due to unreasonable time delays. Large forensic backlogs in the late 1980s were one of the reasons for the withdrawal of almost 50,000 criminal charges, in part due to the court’s ruling in the Canadian case R. v Askov (1990), one where a multi-year delay resulted in its dismissal. While this isn’t yet commonplace, individual cases have been withdrawn due to delays in the digital forensic analysis being conducted.

So, what can be done? Let’s first look at why backlogs keep growing. There are numerous external and internal factors to look at. Here are some:

External Factors

Increased storage size

In the 1980s, the average hard drive size was approximately 5 megabytes (MB). As of 2016, single computer hard drives with a capacity of 15TB are available. That's an increase of approximately 300 million percent in storage capacity over the past 30 years.

While the capacity of digital devices continually increases, the overall cost of storage keeps dropping.  An average computer built for home use can be purchased fairly inexpensively with a 3TB hard drive.  This allows a typical home user to store more data than ever before. 

More digital devices involved in criminal cases

There has also been a similar upward trend in the number of digital devices in general use. Mobile device use has seen a dramatic increase, and over the past 5 years there has been an explosion of new devices that are internet enabled, commonly termed the 'Internet of Things', or 'IoT'. Some estimates show that by 2020, there will be close to 200 billion devices globally that will have internet connectivity (or over 20 devices per person on the planet).

These increases are being felt by law enforcement tech crime bureaus through the ever-growing number of digital devices being submitted for analysis. Over the past 10 years many agencies have seen 300% increases in devices being submitted for cases. This isn’t just traditional items such as computers and mobile devices, but also items such as hardware keyloggers, credit card skimmers, IoT devices and even vehicles.

The volume of data being generated

Increased use of digital devices has led to an increase in the amount of data we all generate. Our daily communication has moved from phone calls and letters to emails, texts, chats and tweets, and has resulted in user-generated data accounting for over 25% of all digital data created. This number will continue to rise as more IoT devices are used.

Increased digital investigation time

Greater storage capacity, more devices and more user-generated data are all resulting in more time being needed to investigate each criminal case. Long gone are the days where an investigator only needed to conduct an analysis on a phone or a computer to gather evidence. Today’s criminal cases can call for investigation into a varied array of digital artifacts, e.g., multiple systems, mobile devices, USB drives, servers and ISP log files. It is not uncommon for a digital forensic examiner to have to analyze many terabytes of data for a single case. The picture above is based on the estimate that there will be 200 billion connected devices by 2020. This equates to over 26 connected devices per person on the planet.

Internal Factors

Staffing and Retention

To counteract backlogs, many law enforcement agencies have taken the traditional route of hiring more staff. Many have doubled or even quadrupled their capability yet still find it difficult to keep up with the demand. Some have resorted to hiring civilians (as opposed to sworn officers) in order to staff these positions. It’s a sensible approach; however, retention is likely to become a problem. Aside from the general skills shortage issues normally associated with specialist roles, the demand in the private sector for the same resources, in combination with considerably higher remuneration, is currently resulting in some real challenges, and will definitely be a growing problem in the next few years.

Training and Budgets

The field of digital forensics is constantly evolving and law enforcement bureaus need to stay up to speed to be effective. The increased number and type of devices available with differing operating systems, and the speed at which new ones are being released, results in a need for ongoing specialized training which is costly and time consuming. Time away from conducting cases is often a contributor to increased case backlogs, and budgets are often stretched at the best of times. For example, $50,000 is the average cost for the hardware, software and training needed to properly equip an examiner, and this number doesn’t consider salary costs, ongoing training or technology upgrades.

Public/private partnerships and the 5 main benefits in forming them.

While it seems like this is a losing battle for our law enforcement colleagues, there is a way forward. In North America, law enforcement agencies don't commonly partner with, or outsource work to, private companies for support in criminal cases. This, however, is a fairly common practice in the U.K. and has proved to be very successful. With that in mind, here are 5 benefits to a partnership between law enforcement and private companies:

1. Faster turnaround time

As is often the case in many law enforcement investigations, there is a flurry of activity involved in investigating a crime within the first few days or weeks. Policing resources are scarce and other investigations can often spread those resources very thin. Minor cases go untouched for months, if not years, while the major cases are continually being worked on. A partnership would allow those cases sitting in a backlog to be dealt with more quickly, while still allowing a focus on major case work.

2. More effective use of policing resources

As outlined above, law enforcement digital forensic investigators are often multitasking between cases; often never fully focusing on one case, or being rushed through a case in order to get to the next one, and the next one… 

A public/private partnership would allow those investigators the breathing room needed to fully immerse themselves into an investigation without the ongoing concerns of a looming backlog of cases, and the potential for a case to get withdrawn if too much time passes. 

3. Reduced number of cases that go to trial

A study showed that more than 90% of criminal cases do not make it to trial, as the defendant will usually enter a plea bargain, and almost 70% of those pleas are entered during the first 6 months after the offence date. This rate drops to approximately 30% between 12-18 months after the offence date. It's possible that many defendants - in cases involving digital evidence - do not initially plead to their charges within the first 6 months because they think that the police won't find evidence of a crime contained on their device. It is more likely that the device(s) in question were not even analyzed during that initial 6 months.

Finding evidence faster leads to higher plea rates and fewer cases that go to trial. A public/private partnership would allow law enforcement agencies and prosecutors to quickly view the evidence involved in the case, make informed decisions as to any further direction of the investigation, and present those findings to the defendant.

4. Backlog reduction

Policing agencies want to be proactive when dealing with criminal matters. They don't want to just react to crimes that have taken place. Large case backlogs typically result in many of the proactive measures being shelved while cases are being investigated. Several solutions have been proposed to deal with the ever-increasing digital forensic case backlogs. For example, digital forensic software companies have proposed changes in digital case workflows, and that has resulted in some improvements; however, it has often not been enough to make a real difference. A public/private partnership would reduce backlogs to a manageable level, and allow agencies to get back to their core values of community safety.

5. Cost reduction

As stated earlier, the average cost to properly equip a member of a law enforcement agency to conduct digital forensic examinations is higher than $50,000 (plus salary and ongoing costs). Many agencies have continued to increase their complement of officers (and therefore dramatically increase their budgets) without seeing a decrease in case load or a reduction in case backlogs. A private/public partnership would give those agencies the help they need, only when needed, at a much lower cost to the organization.

In Conclusion

The tough decisions that agencies make about prioritizing technology-based investigations are ever present, and with society's dependency on digital systems, devices and services continually growing, choosing what to act upon first will become more of a challenge. The balancing act between clearing backlogs vs investigating fresh crimes vs managing budgets and resources will become more and more difficult as time moves on. The good news is that there are options. Working with private sector firms who have skilled resources available, on demand, to tackle the digital aspects of criminal cases can ease the burden, reduce the cost and time scale and ultimately allow law enforcement agencies to get on with the business of putting criminals behind bars.

We have already seen private companies assisting law enforcement in particular cases (such as the recent FBI/Apple case, where a third party assisted the FBI in unlocking an iPhone). A criminal prosecutor recently told us, "the days of Law Enforcement agencies being able to handle all of their digital forensics cases in-house are slowly coming to an end and the new norm will be some sort of a public-private partnership".