The Evolution of Digital Forensics

Metropolitan Nashville Police Department Det. Chad Gish has been working cases with digital evidence since before the boom of modern digital forensic investigations. When he first joined his agency’s cybercrime and digital forensics (CID) unit, building a case with the tools at the time was challenging, even though the devices under investigation were much simpler.

Gish, a digital forensics veteran of 17 years with a total service time of more than 24 years, remembers how difficult it was to determine where specific picture files came from. When that data wasn’t available, all that could be proven was that a suspect possessed an illicit image. Digital forensics investigators couldn’t always prove how the picture ended up on the device or attribute the image to a suspect’s account. In some scenarios, this could be the difference between conviction and acquittal based on lack of evidence.

Now, digital forensic solutions are benefitting from broader advancements in technology, allowing investigators to streamline their workflows and recover and analyze evidence faster. During the transition from largely computer-based to mobile-first investigations, Gish has witnessed that evolution first hand.

“Even though phones used to be a lot smaller and store less data, it could take two or three months sometimes to get access to the data,” said Gish. “With today’s tools, we can get the data we need in less than a day. We need ways to recover data quickly, especially for those high-profile priority cases and the technology needs to evolve to allow us to do so.”

Computer forensics experts have formally been a part of law enforcement agencies for over 40 years. Specialized computer forensic groups such as the FBI’s Computer Analysis and Response team were established in the mid 1980s, but the rise of the modern digital forensics lab can be more closely aligned with the emergence of the smart phone. Fifteen years after the first iPhone was released, it is estimated that 90 per cent of devices entering digital forensics labs are smart phones.

Adapting to changing technology has been a job requirement for Gish and other digital forensics investigators who are handling more devices than they ever have before. These devices are also much more complex and possess significantly greater storage capacity than they did even five years ago. With case backlogs increasing, investigators like Gish have been tasked with reducing the time to evidence.  

This year alone, Gish estimates he’s investigated 500 cases. He’s currently working on one that requires 50 phones to be processed. In another, he processed two phones that had over 250 GB of data for a single suspect.

“This is becoming common for almost every case now,” said Gish. “It’s a lot. Even though there’s way more data these days, I only need a small amount of it. Today’s tools allow me to go get that data much more easily.”

Magnet AXIOM is one of Gish’s go-to solutions and it’s part of what allows him to use the data collected from digital devices to recreate the story of a crime. Developed by Magnet Forensics, Magnet AXIOM helps investigators like Gish recover digital evidence from mobile phones, computers, IoT devices and the cloud and analyze it in one case file.

“Magnet AXIOM is a great solution when it comes to filtering in and filtering out the important data that investigators need to review, which really reduces the overall time to evidence,” said Gish, who added it’s rare that “we see a crime committed by someone without a computer in their pocket.”

Gish is always focused on reducing time to evidence because he knows that in a backlog, there’s evidence that can save a life or protect a child. A quick response is important, especially when evidence is received for a high priority case and digital forensics investigators are already stretched thin.

Triage reports, provided by tools like Magnet Forensics’ Magnet OUTRIDER, are a starting point for Gish, especially when it comes to cases involving child sexual abuse material (CSAM). When a case includes multiple devices, Magnet OUTRIDER helps reduce the overall time to evidence by quickly identifying CSAM, the devices used most recently and the cloud accounts that have been accessed from that device.

Not only are new tools changing the way that Detective Gish approaches cases but so too are emerging sources of data.

In the last eight years, Gish has been increasingly impressed by the amount of evidence that can be collected from cloud packages.

The data that’s being stored by cloud service providers such as Google, WhatsApp and Microsoft can unlock an investigation. Gish shared an example where in one homicide investigation he could see the exact moment the trigger was pulled. The victim was murdered while driving, so Gish analyzed waypoint data and found a consistent speed registered for most of the trip. The data suddenly signalled a quick drop in speed before the car slowed to a complete halt where it was found on the side of a highway.

Identifying the moment that the car began to slow was a critical discovery for Gish. Doing so allowed him to quickly establish the time of death and expedite the investigation. Gish understood the victim was already deceased for a few hours by the time he had arrived at the scene. In turn, this afforded his team more information for when they were canvassing the area for witnesses.

In another case involving multiple car-jackings, Gish and his team were able to acquire data from the suspects’ phones and the vehicles once they were recovered. What they did to piece the sequence of events together was acquire the waypoint data from a suspect’s cloud accounts, correlate that with the route data from the vehicles and then use the results to identify where the best locations would be to recover video from CCTV.

As technology evolves, investigators must adapt to get the best data possible, conduct efficient investigations and reduce the overall time to evidence. The next stage of technological advancement is underway as cloud infrastructure is offering investigators automated workflows to churn through backlogs of digital evidence and new solutions to share evidence with non-technical stakeholders in a simplified and secure manner.

While Gish notes these new technologies certainly require updated oversight and new legal precedents, given the option to return to the “good ol’ days” or to press forward with new technology, he’ll take the latter.

“If you can get to the evidence quickly, and reduce the time it takes to get there, it just makes sense,” said Gish.

Computer Forensics