Lake Jackson Police Department, Texas – Source: Cellebrite

Small, one-person digital forensics departments must do a lot with very little.

Big cases, solved by large agencies with lots of resources, may grab more headlines, but most communities depend on smaller police forces to do the hard work of keeping communities safe with just a handful of officers. As Cellebrite’s upcoming 2022 Digital Trends Survey reveals, 49% of agency managers rate their organization’s digital transformation strategy as “mediocre” or “poor.” And 1 in 10 agencies claimed they have no Digital Intelligence strategy at all.

Agencies almost unanimously agreed that utilizing Digital Intelligence is the key to closing more cases faster (81% of agency managers agreed or strongly agreed that the likelihood of case closure grows when digital evidence is available). The problem is how to begin your digital transformation: how do you obtain the necessary tools to secure, manage, analyze, and share actionable intelligence, and train staff members to handle the challenges of digital forensics?

This is a tall order for smaller departments, many of which may have only one person, using a small space as a digital forensics lab, and dozens of devices to legally extract data from. This person is generally not a full-time digital forensics examiner. They may take on the role because they have an interest in technology or want to help their fellow officers solve more cases, but that is often in addition to their regular duties.

Lake Jackson Police Department, Texas – Digital Forensics Lab – Source: Cellebrite

Many of those officers running their own one-man digital forensics labs also see their reliance on farming devices out to larger departments with more resources as a hindrance because their cases are never a priority and turn-around times to get actionable intelligence from their big-department friends can sometimes take months.

Detective Sergeant (DS) Christopher Collins of the Lake Jackson Police Department in Lake Jackson, TX, understands what it means to be the only digital examiner in a department. He is literally a one-man band. In his current role, DS Collins is responsible for major crimes and felonies. His cases usually include child victim/exploitation, robbery, homicide, and digitally inclined offenses.

DS Collins is also an ICAC Task Force Officer. He is presently attached to the Houston-Metro ICAC Task Force where he is responsible for ICAC cases and NCMEC Cyber Tips for the southern end of Brazoria County.

Finally, he is a Mobile Forensics Examiner, responsible for processing and capturing digital data from mobile devices.

As DS Collins explained in a recent interview, “Unless it’s a major case, like aggravated robbery or homicide, I generally don’t do a full examination of the device. I go in and just do a preliminary search for any kind of deleted data; anything major that may need to be brought up, like diving into the full file system and digging through some hex on some known places that I can search fairly quickly.”

For most devices, he simply captures the extraction, runs captured data through Cellebrite Physical Analyzer and Cellebrite UFED Cloud, and produces a report in Cellebrite Reader to assist the actual investigating detective going through the data.

Lake Jackson Police Department, Texas – Offices – Source: Cellebrite

Challenges

Not surprisingly, DS Collins faces a number of challenges that those in small departments know all too well.

Multiple roles: Having to divide his time between working cases and doing digital forensics work is difficult to manage.

Budget constraints: As in many departments, funding is always a challenge, and though the current administration’s Safer America Plan and the American Rescue Plan promise major funding for law enforcement, DS Collins doesn’t see either plan raining dollars down on his department.

Outdated equipment: Though he is on the way to fixing this problem, he’s presently working on a system that was taken from an ICAC case in 2012 and gifted to his unit by another department.

“It’s a good machine,” DS Collins said. “The only problem is that it’s outdated. So, for a simple phone extraction, obtaining the capture of the image from the phone and then running it through Physical Analyzer takes anywhere from 45 minutes to four or five hours. And in some cases, where we do location carving and other … automated carving, I’ve had phones run for 15 to 24 hours.”

Too many devices: A recent case involved 20 devices. Having to deal with capturing data from this many devices in a single case leaves little time to assist in other facets of the investigation. As DS Collins described, he’s lucky just to capture the data.

Slow USB speeds: “Regarding the actual capture of the data, there’s almost nothing we can do to change that,” DS Collins explained. “We’re hindered by USB speeds and bus speeds.”

DS Collins is waiting on the delivery of a $25,000 computer forensic workstation he believes will be a game-changer. “I explained to them [my superiors], ‘Yes, the capture does take some time. But to get reports ready for other investigators to review, I need a system that’s powerful enough to run two, three or even four instances of Physical Analyzer at a time. This way I can get these devices out quick enough that it doesn’t hinder the investigation while they’re waiting on me.’”

Using Technology as a Force Multiplier

In the two years he’s been in his present position, DS Collins has learned how to use technology as a force multiplier to modernize his workflow and get the information his investigators need to move cases forward as quickly as possible.

Right now, he is utilizing Cellebrite UFED 4PC, Physical Analyzer, and UFED Cloud. And while he would dearly love to have Cellebrite Premium and Pathfinder, right now he sends devices that need work with those solutions to either the Brazoria County Sheriff’s office or the nearby Angleton Police Department, depending on which department has availability to turn devices around faster.

DS Collins clearly likes the solutions he is using. “UFED 4PC…makes it extremely easy to run through a phone extraction and capture of evidence. With the on-screen instructions, … there’s almost no question on what to do because it gives you the steps to follow.”

“If you need to place the phone in DFU mode, it tells you how to do that. The settings that need to be changed within the phone [are] contained in there, so it just makes that workflow easier.”

“Running it [data] through Physical Analyzer, while I do wish that there was more data parsed out of full file systems, presents everything that you’ve captured and parsed through on screen. It gives you that extraction summary screen, and I love that screen. It shows you what extractions have been completed or included in the report, and it breaks down photos, videos, text messages, instant messages, and device locations…. The workflow is a lot easier to work through on that.” He’s also a big fan of Cloud Analyzer.

When his new district attorney came in, DS Collins worked with him to add specific language within their warrants in “Items to be searched” to include any databases and programs. As he explained, when using Cloud Analyzer for tokens or anything like that to access it and to capture the information that’s on those databases for a specific user or any user accounts specifically tied to this device…it’s fantastic. It captures all of the information you can want from those sources.

“Another thing [I like about] UFED Cloud are the public-facing cloud profiles and social media profiles that Cloud Analyzer is able to capture. By putting in a URL or a username, it captures the public-facing images. Because sometimes there’s a good chance that [a suspect’s] public side of their social media profiles are just open, so that reduces the need to go in and archaically screenshot and crop and all of that. That way, I don’t have to upload it into Microsoft Paint, and crop it down.… To explain that process in court would almost sound amateur, but to use Cloud Analyzer’s feature to do that sounds way more forensically sound.”

The Case

In a case that’s still pending, the Lake Jackson Police Department was given a cyber tip from the National Center for Missing & Exploited Children (NCMEC) regarding a child who had claimed abuse by a relative. To gather evidence, DS Collins was able to use Cellebrite Pathfinder to verify his findings with secondary software by running Pathfinder’s facial recognition on known images of the child.

While parsing through 40GB of Child Sexual Abuse Material (CSAM) images/videos of the victim didn’t return any results, it was still a big win for the technology because it saved DS Collins from having to go through 2,700 files manually to check each one. These days, when preserving the mental health of investigators is so important, having a technology solution that can spare an investigator from what might have taken months of sorting through explicit images is a huge win.

“The artifacts that Cellebrite helped me find led to knowing that he [the suspect] was well-versed in hiding his tracks now because there were artifacts showing installation, uninstall logs, and everything like that through the knowledgeC database and interactionC database that I was able to find.”

A case had already been built against the suspect before DS Collins joined the investigation. Had he found images relating to the victim, it would have no doubt helped the case, but the fact that a large cache of images was discovered was very damaging and added an additional charge for the suspect who is now in custody awaiting trial.

Sound Advice for Officers On Their Own

When asked what advice he had for officers, like himself, who are flying solo in their departments to use digital technology to better serve their communities and close the public-safety gap, here’s what DS Collins had to say.

Train Up: Take up as much free training as you can. Reach out. If your department is part of the ICAC task force, go through ICAC training. They have a ton of resources for training that are free or at a very low cost.

The National White Collar Crime Center (NW3C) has tons of training available.

The National Training and Technical Assistance Center has some training resources available for online cybercrimes. If available, get funding or grants for costly training.

Get Cellebrite trained. As DS Collins explained, “This was one of the best courses I’ve had. And the person who trained me, my instructor for my CCO and CCPA, actually pushed me to get my CCME because he saw how well I was performing in that class. He was a fantastic instructor.”

Find Funding: While there are federal funds available, DS Collins recommends that those seeking funds to transform their department shouldn’t focus strictly on federal grants.

“There are a lot of private companies that have funds available. In our area, we have a ton of chemical plants. They, for lack of better terms, are looking for tax write-offs. So you come to them and say, ‘Hey, I need a $25,000 computer,’ and they’re like, ‘Okay, here’s a check for it. Just put our name on the side of it, or mention us in an article or something. Just give us some feedback saying, “Hey, they supplied us with what we needed.”’

“There’s even places like ‘Firehouse Subs’ that provide public-safety grants. So don’t focus strictly on federal grants. Because sometimes whenever you go through those federal grants, you’re one of 60,000 agencies asking for the same thing and you may not get selected, versus going through Firehouse Subs, [where the pool of those vying for grants is much smaller.]”

In explaining how these Firehouse Subs grants work, DS Collins said, “We asked for $25,000 for a forensic workstation, and we were one of 600 agencies asking for money so that reduced our pool by a ton. Even though we weren’t awarded that grant, it was still a way better chance—60,000 versus 600. So don’t leave out the private corporations and [non-profits]. Even if they’re not in your area, still reach out to them.”

Set Standard Operating Procedures: DS Collins is in the process of building a mobile device evidence collection course for basic-level patrol officers and even detectives because they need to be able to know how to handle devices collected at a crime scene.

He wants to make his course mandatory because so many times the mobile devices he receives from the multiple constabularies his department services (the entire South Brazoria County area) are in states not ideal for extraction, which wastes valuable investigation time.

“I’m going to make it mandatory and say ‘Look, if you want to give me mobile devices, you must put some people through this collection course I’ve developed that tells them, When you collect a phone, don’t turn it off. Don’t remove the SIM card. Put it in Airplane mode.’”

Use a Faraday Bag: “I have three Faraday bags with external batteries that are always charged up sitting there, waiting to go,” DS Collins explained. “So if you get something that’s an emergency, I’ve got the external batteries that are in a little pouch. Next to the external battery, I’ve got a USB-C, a Lightning cable, and also a Micro-USB charging cable for all three of them. So, if you need any of those, take them, they’re available. If you want to feel extra secure, I’ve told my officers here, ‘Put it on Airplane mode, hook it up to the battery, drop it in a Faraday bag, and then call me. I don’t care if it’s three o’clock in the morning, we’ll make this work.’”

What Inspires Him

When asked what gets him out of bed every morning to do his job, DS Collins paused for a moment and then said this. “In the simplest terms, it’s justice for the victims. I know that even if we do the best job we can and we find the person responsible, and we get them put away for life in prison and they have no chance of getting out, it will never fully restore that person. But it will help. And the help that it will give those victims in restoring a normal life is insurmountable. They don’t have to worry about that person or keep looking over their shoulder, worrying about being victimized again. That’s the main thing that drives me, is to protect the children.”
