Case Studies

Dutch Police helps build Tracks Inspector

Evidence is increasingly digital, and just when speed is of the essence, detectives often have to wait for the findings of digital experts. Tracks Inspector prevents this delay: with this program the detectives can begin their investigation almost immediately. Research agency IDC predicts that the volume of data will grow exponentially, doubling every 18 months. In 2020 there will be 44 zettabytes of digital data worldwide.

Do the digital investigation yourself?

Previously a comprehensible quantity of evidentiary material would be seized, after which the data was directly readable by the detectives. In the current information society much of the evidence is digital and needs to be secured and searched by digital investigation experts using special tools. Thanks to the information explosion a double gap has occurred between the detective and the digital expert: detectives are deeply immersed in a case and can thus detect significant links, but they generally have insufficient knowledge of digital technology. Computer forensics examiners do indeed have the technical expertise, but are not familiar with the investigation and may therefore overlook connections. To bridge this gap, Tracks Inspector developed a user-friendly software solution that enables detectives without specialist digital knowledge to do what they are good at: tracking and investigating directly themselves.

User-friendly software solution

From the start, the Dutch Police has been involved in the development of Tracks Inspector. Four police forces have used early versions of Tracks Inspector in pilot studies and 30-40 detectives have participated in Tracks Inspector workshops. The objective was to optimise the program in collaboration with the users. Frits, digital expert with the police and a participant in one of the pilot projects: ‘The detective knows exactly what he’s looking for, but forensic software like Encase and FTK are complicated. Tracks Inspector is not – the program has a simple layout and what you see is what you get.’ The solution thus lies not in training detectives so that they can understand complicated programs, but in making it easier for them. Workshop participants also reported that they are extremely happy with the system’s user-friendliness. The pilot project users are also satisfied: ‘The greatest added value is that as a non-digital specialist you can still investigate the digital exhibits,’ according to Hans, one of the detectives. ‘Capacity is a problem,’ as Frits knows from his own experience.

Legal rules for digital evidence

With (digital) evidence it must be clear just what has occurred with the data from the moment it was seized. If this is not the case then it loses its evidentiary value. With Tracks Inspector the digital evidence is copied in a forensically sound manner. A secure hash is calculated and the information may be investigated without running the risk of changing it. Another legal obstacle is legally privileged information, for example communication between a suspect and a lawyer. Such information is not allowed to be accessed. With Tracks Inspector files can be flagged accordingly, so that they become invisible to the detective.

Tracks Inspector

Tracks Inspector is a software solution giving detectives an insight into simple digital evidence derived from computers, laptops, mobile phones, iPads, USB sticks etc. The software conducts a focused search in user data for documents, audio, video or photo material, address books, communication (e-mail, chat, SMS) and internet history. Depending on the file type, the software recognizes various facets, for example language, duration of a video, type of camera etc. The user can filter data using these facets. A search can also be conducted using words that are highlighted in the text or file attributes. Tracks Inspector shows how many files there are with a particular facet, giving the user an idea of what kind of data is present. This makes filtering a lot like searching through a catalogue on the internet, where visitors can quickly and easily drill down on a large volume of articles. With the built-in reporting feature, an overview of the flagged files can be reported as PDF. Users thus only have to learn how to collaborate and what the limitations are of the software, so that they know when to engage a digital expert.

But with Tracks Inspector we can now get rid of the backlog.

Backlogs in digital forensics are an international problem

It’s not only in the Netherlands that investigative agencies sometimes have to cope with enormous backlogs. From international surveys of investigative bodies and private investigators it appears that three-quarters of those questioned have a backlog of up to six months. In the US and Belgium, backlogs of between six and twelve months are more the rule than the exception, sometimes even running to two years or longer. This period is in stark contrast to the needs of the prosecutors. They must in fact gain a rapid insight into the evidentiary material so as to be able to present it within three days to the examining magistrate, and after two weeks to the judge’s chambers. The submitted evidence forms the basis for the decision as to whether the provisional detention is extended or not (see sidebar).

Why traditional digital investigations fail

Once the police have collected sufficient information and evidence to detain a suspect, a search and seizure may follow. Here, among other things, the computer and other information media belonging to the suspect will be seized. In consultation with the computer forensics examiners of the ‘Digital Expert Unit’, a research question and a list of search terms are drawn up. The digital expert makes forensic copies of the information media. This may take several hours or even several days. The agreed investigation then awaits its turn: because of the backlog the waiting period may run into several weeks. Meanwhile investigation by the detectives also continues. Should new search terms or even new suspects then appear, new consultation with the digital expert is required, which further delays the investigation. Direct exchange of findings between tactical and computer forensics examiners is not possible in this way. Without hard evidence at a relatively early stage, a suspect may no longer be detained, and will be released (temporarily) by the police and/or the judiciary. While the detectives await digital evidence, the suspect may warn fellow suspects or may destroy other evidence.

Tracks Inspector lets detectives without specialist digital knowledge do what they are good at

Accelerated process thanks to Tracks Inspector

Tracks Inspector accelerates the process. The evidentiary material that the detective has taken is acquired by the digital expert with Tracks Inspector. While making a forensic copy, the content is also indexed, making it directly accessible to a team.

Public prosecution service recognises the benefits of working with Tracks Inspector

In 2011 the Haaglanden computer forensics examiners were involved in 2,200 cases, for which they investigated 4,000 digital storage media, including an average of 120 mobile phones every month. According to estimates by Petra Gruppelaar and Hester de Koning of the Public Prosecution Service, digital evidentiary material plays a role in between 90 and 95 percent of the criminal offences handled by the three-judge division – murder, assault, burglary, robbery, extortion or vice cases. For less serious offences handled by the magistrate, digital evidence occurs in a maximum of 10 to 15 percent of the cases. ‘Speed is vitally important,’ explains prosecutor Gruppelaar. ‘Once someone has been detained, the clock is running.’ In particular, the first three days are crucial because new evidence might lead to an extension of the original detention by the examining magistrate, or for exceptional investigative authorisations. For example to locate co-suspects or in fact to restrict the ring of suspects. ‘Not only is it faster, but it’s also more efficient,’ believes prosecutor De Koning. Instead of giving lists of keywords to the computer forensics examiners and then sometimes having to wait for weeks for answers, with Tracks Inspector the detective can get to work immediately. Gruppelaar: ‘This lets you reserve the knowledge and time of the computer forensics examiners for the really difficult technical investigations, like encryption.’