These days everyone has access to computers, including criminals. This means that it’s rare for a complex case not to involve some kind of digital media, whether it’s a desktop computer, a laptop, a smartphone, or a flash drive.
Large agencies with specialized investigative units often have their own computer forensics labs, where digital evidence can be extracted and examined in-house. But roughly 80 percent of the law enforcement agencies in the United States have 25 or fewer sworn officers, and those agencies will have one or two general-assignment detectives, if that. There isn’t enough funding or manpower to staff a digital forensics function.
Flashback Data, an accredited lab in Austin, Texas, has services designed for departments with limited resources. Flashback will extract the data from damaged and/or encrypted storage media for as little as $500, then return the data to you for analysis by your investigators.
Most law enforcement agencies have access to a state or regional crime lab for digital forensics, but those resources tend to be overextended.
“Typically, what you’ll end up having to do is get into a queue at whatever regional lab services you. And that queue can be awful long,” said David McGroty, Director of Compter Forensics for Flashback Data.
“This can be problematic if you’re looking at something that may be time-sensitive, and they tell you, ‘If we put it in our high-priority queue, it will be a month and a half.’ That can be an awful long time in an investigation,” he said.
Flashback Data can crack the password on a smartphone, extract and return the data to the investigating agency, or do the same with a computer hard drive.
Flashback in Action
A small Oregon agency had a homicide investigation and had identified a possible suspect. They believed that the information on a password-protected hard drive would tie the suspect to the crime.
The prosecutor didn’t trust the mails or FedEx to deliver the hard drive to Flashback Data, so a detective hand-delivered the drive to Texas. Flashback Data was able to crack the password and deliver the contents to the detective, who took it back to Oregon for analysis. In the end, the suspect was cleared of suspicion and the detectives went on to look for other leads.
Most forensics labs do both extraction and analysis of the data. This isn’t always the most desirable method, as photos, emails and other media may contain elements that mean nothing to the forensics analyst, but are of interest to the detective who is familiar with the principals in the case. A photo of your suspect and victim together is extremely valuable if the suspect denies knowing the victim, but the forensics tech may not know what the suspect and victim look like.
Another issue all computer forensic labs face is the increasing size of storage media. A laptop hard drive used to be considered large if it held 80GB. Now, 500GB hard drives are common in laptops, and there are 3TB (3072GB) hard drives for desktop machines available for about $100. Although investigators can always sift through this volume of information manually, a good forensic lab may be able to make the process more efficient.
Like a Key Under the Mat
Cracking the password on storage media that has been encrypted can be much easier if the volatile memory of the computer is preserved. McGroty provided a residential analogy for computer security. “It doesn’t matter how good the locks on your front door are if you keep a key under the mat.”
Popular open-source encryption software like TrueCrypt and PGP do a good job of protecting data from prying eyes, but the password they key in to decrypt the file may be stored in the computer’s random access memory (RAM) when it’s entered. The RAM contents are constantly changing as new processes start and stop, and the RAM is purged completely when the power is shut off.
By using a data capture application such as the Forensics Tool Kit on a flash drive, a responding officer can download and preserve the RAM contents before power to the computer is interrupted. Alternatively, it may be possible to plug the computer into a portable power source for transport, so that a trained forensic tech can capture the contents of the RAM before it vanishes.
Without some hint as to what the password might be, decrypting the drive might take a while. A brute-force cracking effort requires a lot of networked computer power a local lab may not have. A service like Flashback Data can put its battery of machines to work and extract many passwords, given enough time.
If your agency is small and you have computer evidence to handle, don’t throw your hands up in frustration. Consider the economy of using limited services from a commercial forensics lab and allow them to perform the heavy technical work, leaving the analysis to your officers already on the payroll.