Leicestershire’s Police: Investigative Workflows Allow Every Officer Access to Digital Evidence
In England, Leicestershire’s Police department, which covers about 960 square miles surrounding its Enderby headquarters, investigators recognized early on that successfully gleaning evidence from digital devices couldn’t be a piecemeal process. In 2015, the department launched a comprehensive program to optimize the digital workflow so that they can leverage Digital Intelligence (DI). This is the data that is collected from digital sources and data types—smartphones, computers, and the Cloud—and the process by which agencies access, manage, and leverage data to more efficiently run their operations.
The result was a fully staffed and technologically advanced process, using Cellebrite DI solutions for accessing, managing, and analyzing digital data to create a more efficient and effective workflow. The goal is to derive digital intelligence that solves cases faster and results in convictions.
Leicestershire’s success in transforming its digital investigations has had a lasting impact on the force’s ability to solve crimes – including a murder case involving the online grooming of a teenager that won international attention.
The transformation started about the time that Leicestershire Police first established its Digital Media Investigation Team. Up to that point, accessing, managing, and analyzing digital intelligence was a siloed process with little shared efficiencies, and with the force’s 1,900 officers struggling to quickly glean guidance from digital data on their own. The siloed, disconnected approach to collecting and analyzing digital data slowed down progress on cases: helping create a 2.5-month backlog in analyzing data from devices and returning them to their owners.
“We used to have only 20 staff who could examine a phone. We now have around 300 people trained. There is a vision from our bosses that they want every single investigator in the force to be able to examine a phone.”
“Quite frankly, that wasn’t good enough,” says Detective Sergeant Charles Edwards (one of the original members of the team). “We had to turn to victims and their families and say, we’re working to safeguard you, but we won’t know what’s happened to your family member for two months.” With a centralized workflow and digital intelligence tools, that 2.5-month backlog has been reduced to just a day or two.
Improving Digital Evidence Workflows With a Central Team and Digital Strategies
DS Edwards, who describes himself as “that geek” that almost every police unit has who knows just that little bit more about technology, saw an opportunity to not only end that long device analysis backlog, but also evolve the digital workflow to add speed and depth to the process. Using his background from industry and academia prior to joining the Police, he reached out to expert providers around the world and took best practices from local universities and businesses.
Since the proliferation of digital devices in the mid-2000s, Leicestershire Police have had a Digital Forensics Unit made up of specialists around Digital Media Exploitation. “The Digital Forensics Unit were key players in dealing with the huge number of digital devices being seized but they couldn’t keep up with the demand and had numerous other pressures placed upon them,” explains DS Edwards. When looking at how they could support the team and develop greater capabilities and capacity he says “We realized that across the force superb work was going on in the digital arena, but no one was bringing this together and there was no sharing of work, which lead to regular duplication.” The lack of a comprehensive workflow and strategy wasn’t allowing technology and people resources to be used effectively to reduce the evidence backlog and solve crimes. Something had to be done.
In 2015, a team of officers was put together to make an 11-person Digital Media Investigation team made up of these “geeks.” Not long after and with the initial success under them, DS Edwards worked as part of a small group of detectives to create the digital hub of Leicestershire Police. This group is made up of approximately 70 staff and officers all working within the digital arena in areas including Cybercrime, Digital Forensics Unit, Online Investigations, and Audio Visual Unit.
At the heart of the digital hub is a comprehensive suite of Cellebrite solutions. The process of working with digital data starts with officers working at crime scenes or out in their communities, where they use Cellebrite UFED Touch2 to collect data, as well as UFED 4PC and Cellebrite Responder Kiosk. Once devices come back to the team for further analysis, members of the various teams within the hub use a range of Cellebrite tools including Cellebrite Responder, Cellebrite UFED 4PC, Cellebrite UFED Cloud to collect, preserve, and analyze cloud-based content. For more complex data collection, digital investigators use Cellebrite Premium. They also rely on Cellebrite Advanced Services (CAS) for encryption challenges and the hub has its own bespoke software to help manage the storage and dissemination of key data in a timely manner to investigators in need.
Every major crime investigation that occurs now in Leicestershire is assigned two digital media investigators. Every case will need a complex digital strategy written by or supported by the assigned Digital Media Investigator. This is a critical first step in defining the workflow for investigations – it’s the blueprint for which approaches will be used and how Cellebrite solutions will be applied.
“If a device only needs a logical read, we now have approximately 300 officers trained to use Cellebrite Responder Kiosk, and that’ll be the end of it,” DS Edwards says. “If it’s determined more work is required, if a device is damaged, a device is locked, or we need something that won’t come from a logical read, the devices will come straight into our lab.” The digital strategy will drive the investigation process, prioritizing what needs to be done and ensuring as little time and resources are wasted as possible.
“Every submission into the lab is reviewed and authorized if required by a Detective Sergeant,” DS Edwards says. “We ask, ‘Is it necessary to analyze this device? Is there a better way of doing what we’re about to do?’”
Using Digital Evidence to Find a Girl’s Killer
The Digital Media Investigator Team and the improved workflows, created by the digital strategies, have all helped the Leicestershire police force gain a deeper understanding of devices and analysis, improving evidence turnaround times and accelerating the closure of cases.
“It’s a robust structure,” DS Edwards says. “We can see which devices are becoming more common and/or causing us difficulties, so we can train staff and make sure we have the proper technology tools for analysis. We’re no longer in situations where we have four different sets of software for devices we haven’t seized in years, costing a considerable amount of wasted money.”
In late 2015, the police force marshalled its Digital Intelligence resources to identify the killer of Kayleigh Haywood, a 15-year-old girl who disappeared after exchanging texts and messages with Luke Harlow, a 21-year-old man. DS Edwards was one of the digital investigators assigned to the case. A few days after Kayleigh disappeared, investigators collected and analyzed data from her iPad, finding Facebook Messenger messages with Harlow about drinking alcohol and arranging to meet up.
While Harlow insisted he hadn’t met with Kayleigh, a search of his address helped prove otherwise, although there were no signs of a struggle. Digital investigators accessed the man’s online accounts including location data and placed him in a local park the day of Kayleigh’s disappearance. From further targeted searches they found clothing and Kayleigh’s damaged iPhone – signs that indicated a sexual assault had taken place.
The digital investigators accessed deleted content from the iPhone, including photos of another man, Stephen Beadman, a neighbor of Harlow’s who already had a criminal record involving assaults. A Cellebrite CAS-aided collection of Beadman’s iPhone revealed enough call and location data to press Beadman for details of his involvement in the crime. He initially admitted to sexually assaulting Kayleigh but denied killing her.
“The digital evidence made the investigation quicker and easier.”
“The next day he went to court and when confronted with how much data we’d obtained from his phone, he gave us the location of her body,” DS Edwards says. “It’s fair to say that if we weren’t able to pinpoint his general whereabouts using digital evidence that we would have been looking for the body for a long, long time. The digital evidence made the investigation quicker and easier.”
Beadman received a life sentence for Kayleigh’s murder; Harlow was sentenced to 12 years in prison for false imprisonment and grooming. The publicity around the case inspired the Leicestershire police force’s communications team to create a short film, Kayleigh’s Love Story, about the final two weeks of the girl’s life and the dangers of online grooming. The film is shown in schools all over the United Kingdom to children and their parents and has been translated into several languages.
Reducing Device Turnaround to Just a Day or Two
Leicestershire’s streamlined workflows have dramatically shortened the timeframe for assessing digital evidence. The two-and-a-half-month lag time for accessing and analyzing digital data has shrunk to just a day or two or even less – speeding resolution of cases and also improving community relations with members of the public whose devices become swept up in investigations. The Digital Media Investigation Team has also changed the culture of the department, raising awareness of the value of digital evidence, while raising investigators’ skill levels.
“We used to have only 20 staff who could examine a phone,” DS Edward says. “We now have around 300 people trained. There is a vision from our bosses that they want every single investigator in the force to be able to examine a phone.”
It’s not just about training officers how to use tools like Cellebrite Responder Kiosk, UFED, and Cellebrite Physical Analyzer– it’s about schooling them on the subtleties of digital data and devices collections, like assuming that a phone handed to officers by a suspect might not be the “real” phone based on its appearance, chargers plugged in, etc. The training is also customized by role. Cellebrite trainers trained several officers to then train their colleagues on the use of Cellebrite Responder Kiosk software so that every officer can improve their digital data collection knowledge.
“We can see which devices are becoming more common and/or causing us difficulties, so we can train staff and make sure we have the proper technology tools for analysis. We’re no longer in situations where we have four different sets of software for devices we haven’t seized in years, costing a considerable amount of wasted money.”
“My team do an input at pretty much every single level you can think of, at every chance we get,” DS Edwards says. “So if you join as a police officer, you’re getting one input. If you end up being a supervisor over investigations, you get a different input, with different tactics. We also do the national training for senior investigators around digital opportunities.”
Every six months, the trainer does a refresher course for all trained officers. “We’ll talk about changes in technology on devices, and we teach them about our escalation process and new threats,” DS Edwards says.
It’s clear that digital savviness is required for any officer who intends to climb the ladder in the force. “If you went into a promotion meeting three or four years ago, and you said, ‘I don’t understand safeguarding,’ you wouldn’t have gotten far,” DS Edwards says. “I think we’re not that far from that with digital now. Two years ago, you could have got away with saying, ‘I don’t do digital.’ But that’s not good enough now. Digital has become a key element of almost every single investigation and is finally getting the coverage it demands.”