Beating the Backlog in Criminal Investigations
In late 2015 the BBC’s 5 Live Programme reported that more than 1800 cases of suspected child abuse were waiting to be processed by specialist high-tech police crime units. In one instance a case had been delayed by 21 months despite assurances from Home Office Minister Karen Bradley that the government has prioritised child sexual abuse as a national threat.
The report went on to highlight the fact that more than 20 police forces responding to a freedom of information request (representing over 50% of the replies) admitted to delays of 3 months or more. Working on the very reasonable assumption that police forces place the highest priority on allegations of child abuse, the implied backlog of forensic analysis across all types of crime is a matter of real concern.
The answer, however, may well not lie in the high-tech units themselves but in taking some of the work away from them. Sophisticated digital forensic technology is now available to police forces in the form of a USB3 thumb drive or Mac expansion card that turns suitable laptops into fully capable forensic intelligence devices which can be used by officers without the need for high-tech crime skills.
Nothing frustrates Police, the Judiciary, Parliament and the public more than delays in bringing miscreants to trial, caused by backlogs in handling, processing and submission of evidence.
In the field of Digital Forensics, however, the use of triage tools has the potential to short-circuit the lengthy process of seize – image – carve (recover) – index – review – report and potentially reduce backlogs and waiting time by a substantial amount.
Two fundamental problems currently exist with digital evidence which contribute to the backlog problem. First, labs cannot economically scale their in-house forensic investigation or cope effectively with unforeseen and high priority incidents, for example, those likely to involve Child Exploitation and Online Protection Centre (CEOP) and counter-terror response.
In addition, opportunities for identifying data of potential intelligence value are generally limited to cell phone forensics which may be case specific and held locally. There is little capability or attempt to identify, capture and process material from much richer computer sources at local, regional or national level. With the rapid increase in availability and use of more and more powerful, affordable and mobile devices the problems, if not addressed, can only get worse.
The Internet Advertising Bureau reported in 2014 that more than 1 in 4 British consumers owned a tablet, and worldwide mobile device usership has outstripped desktop equivalents, approaching a phenomenal 2,000 million users, according to Morgan Stanley Research. Research firm EMarketer reported in March 2015 that there would be 32.8 million British tablet users in that year.
Add to this the fact that all types of devices have massively increased their storage capacity – a typical laptop drive now offers something in the region of 1 Terabyte, and capacities are still growing with the release in 2015 of a 16TB laptop drive. Putting this into context, 1 Gigabyte could hold the contents of about 10 yards of books on a shelf, 100 Gigabytes could hold an entire library floor of academic journals and one Terabyte is equivalent to 1000 Gigabytes.
Using advanced technology is not something exclusively for criminals, however. With standard removable USB devices acting as ‘collectors’ of data, digital triage data acquisition and automated analysis can be carried out simultaneously on multiple targets. Technology also exists to extend the triage stage to include both forensic imaging and automated analysis in one complete process.
For hard-pressed front-line officers to reclaim their role in the processing of evidence, clearly traditional methods are not going to work. High-tech specialist units are understandably unwilling to clear backlogs of ‘everyday’ crime such as burglary, bike theft and shoplifting while high profile work on child abuse, trafficking or even counter-terrorism is left in abeyance.
Police forces that have tested systems such as Evidence Talks SPEKTOR include the City of London Police. They have some 40 – 50 officers trained in the use of these resources and have rolled out their own programme with providers on a ‘train the trainer’ basis to control costs. In just one case, involving a complex series of unauthorised accesses to a professional institute’s network, the force was able to get a rapid conviction under Section 1 of the Computer Misuse Act.
In what might otherwise have been a very long drawn out investigation, arrest and seizure on day 1 was followed by interviews with evidence obtained from a laptop on day 2 and an early guilty plea entered on day 3. Not only is the system saving time through an efficient method of identifying and processing evidence, it often means that offenders, faced with compelling forensic evidence, are more likely to plead guilty, raising conviction rates and relieving the judicial system of time and cost.