How South Wales Police Manage the Rapid Pace of Digital Transformation to Keep Citizens Safe
Richard Andrews, Digital Forensics Manager for the South Wales Police, has been a police officer for 30 years and involved in digital forensics for half of that time. As such, he’s had a front-row seat for viewing the massive changes that have taken place in local policing during the past few decades. While today’s officers benefit from much better communications and investigative tools – from smartphones to Cellebrite solutions – the criminals are better equipped as well.
To stay ahead of the criminals, Andrews and his digital forensics colleagues must constantly train and learn to keep their digital skills razor-sharp. Digital Intelligence technology adds dimension and speed to South Wales investigations while providing directional signposts so that investigators can accelerate the path to justice.
(Digital Intelligence is the data collected and preserved from digital sources and data types – such as smartphones, computers, and the cloud – and the process by which agencies collect, review, analyze, manage, and obtain insights from this data to run their investigations more efficiently.)
“Back in the day, it was all paper, and everything we had to do was written down in longhand,” Andrews says. “Now we’ve got digital case management. We’re sending files from one unit to another or to the courts at the click of a button. And everyone has the Internet in their pocket.”
Within Mobile Phones – the Details of Life
If there is an emblem for what’s changed in policing in the past 30-odd years, it’s the mobile phone. In a given year, Andrews and his 26-person forensic team will analyze thousands of devices, the vast majority of which are phones. And in every one of those phones rests the potential to uncover not just text messages and photos, but the device owner’s connections to their communities and what they can offer to an investigation.
“When you examine somebody’s phone, it’s almost like looking into their soul,” Andrews says. “You find things on a phone that the owners wouldn’t even discuss with their own family. You can find out a lot about a person by examining their phone.”
But with the power to investigate a device comes responsibility, Andrews says, in terms of how data is lawfully collected under a warrant, how devices are handled to protect digital privacy, and how quickly they can be returned to citizens. Technology can provide both directional Digital Intelligence from devices and the ability to preserve evidence according to law – all done with the goal of protecting and saving lives and accelerating justice.
The digital transformation of society has also added to the complexity of investigations. “Years ago, I knew how to establish where offenders were or how they were communicating,” Andrews recalls. “They’d frequent the same locations and street corners.” Nowadays, he says, the policing challenge is brainstorming who knows who, where suspects have been, and how such data points can be unearthed digitally.
“Even tracking phone calls is not as simple as it used to be,” Andrews explains, noting that he and his colleagues used to merely go to British Telecom to find out who called whom. “But now there’s a thousand and one different locations where a telephone call can be made. And that makes it far more difficult to establish the pattern of offending, to track and trace what they’re actually doing, and to bring the evidence to a court in a reasonable manner.”
Sharing the Digital Workload
Andrews’ team of examiners, along with about 12 digital media investigators, or DMIs, collectively examine about 13,000 devices a year. At this volume, clearly, technology has to be put to work alongside forensic examiners and law enforcement officers.
To address this challenge, the force has created a tiered system for analyzing devices and has also deployed technology that offloads some of the burdens of collecting and analyzing Digital Intelligence. “We have to spread the workload across the force, as opposed to leaving it on the shoulders of just 26 people,” Andrews says.
For example, the DMIs assist the forensics examiners in conducting basic digital data collection. While the DMIs do not have the expert training of the forensic examiners, they are knowledgeable about using solutions like Cellebrite Responder to provide an initial account of the data that is on the phone. The DMIs might also be assigned phones associated with less-critical investigations, freeing up time for Andrews and his forensic examiners to work on more complex cases.
In addition, there are plans afoot, Andrews says, to train the DMIs in using the Cellebrite Touch2 and Cellebrite Physical Analyzer solutions, which are favored by the forensic examiners, so that the DMIs can be mobile. By using Cellebrite Touch2, “they can visit police stations and even go to victims’ and witnesses’ homes,” Andrews says. “They can take the phones, collect data, and immediately give the phones back to their owners.”
In the near future, Andrews hopes to train yet another level of law enforcement officers, such as those on the front lines, to use Cellebrite Responder solutions for low-level crimes and logical Kiosk extractions. These would be for cases where officers find a device at the crime scene or can obtain a device from a witness.
Puzzling Out Passwords
Digital Intelligence tools played a key role in a recent case involving indecent images of children (IIOC). In February 2021, officers received information that Mega, a cloud-hosting and file transfer service, was being used to distribute IIOC from a specific address, which was in South Wales Police’s area.
After obtaining a warrant, members of the police force’s Digital Forensics & Cyber Crime Unit visited the suspect at home and recovered his Samsung phone, among other devices including USB drives and computers. Since a physical extraction wasn’t possible on the Samsung, officers used UFED Touch2 and Cellebrite Physical Analyzer to perform a full-system extraction. The initial system extraction showed that the Samsung phone contained artifacts of the Mega and Telegram communications and file-sharing apps, even though the apps themselves were not present.
In addition, the officers discovered that the Secure Folder feature had been activated on the phone. The suspect told officers that he did not realize that Secure Folder had been activated and that he could not remember the password.
In the course of studying the data from the suspect’s phone as well as other devices, forensic examiners discovered passwords for different applications and accounts.
They could see a pattern in the passwords: The first three letters related to the application itself, followed by a set combination of letters and numbers, such as FaC%OgTfD5G for Facebook, and DrO%OgTfD5G for Dropbox.
“This knowledge gave us the ability to work out the password for the secured folder,” Andrews explains. On opening the folder, examiners discovered the IIOC images, alongside non-IIOC images of the suspect. The case is ongoing and may come to court by fall 2021. Investigators expect the suspect to plead guilty to charges of possession and distribution of Indecent Images of Children, considering the wealth of evidence.
Keeping Up With Criminals
While Andrews has already made significant inroads in his plan to improve the South Wales Police force’s Digital Intelligence knowledge, more challenges remain for the digital forensics unit. They must grapple with more and more encrypted devices, for example.
“We need constant upskilling and constant training in understanding encryption,” says Andrews. “How are we bypassing that encryption? How are we getting around that PIN?” The answer: by constantly developing our capability and knowledge, working closely with a myriad of partners, academia, and forensic tools such as Cellebrite’s Touch2 and Cellebrite Advanced Services.
There’s also the growing amount of data that phones and other devices can hold. “A terabyte on a phone today is not uncommon,” Andrews says. Poring over this data image by image would take too many hours of examiner time.
Fortunately, Andrews and his fellow examiners have Cellebrite Responder to help target their searches and make them more productive: they can customize searches by specific data sets and generate reports that can be shared easily. “We can target our investigation toward just one field of data, like digital movies or GPS,” Andrews says.
In keeping with the rapid pace of digital transformation in every part of life, Andrews believes he and his fellow examiners can’t get too comfortable about the knowledge they possess today: It’s all about adding to that storehouse of knowledge and equipping the forensic unit with the tech that helps them apply this knowledge to solving more cases and protecting citizens.
“Without a strategy and a roadmap for where mobile phones are going, where computers are going, or the Internet of Things, we’ll stagnate,” Andrews says. “For the digital forensic world, we need to keep moving, seeing where the next problem is going to be, and the next device, and how we get around problems. We have to constantly move forward.”