Sergeant Tom Oldroyd oversees the high-tech crime digital investigations department of Nottinghamshire Police. In 2016 his organization was involved in a criminal investigation into an organised crime group. They quickly discovered two other police forces were investigating the same criminal organization and joined forces. It became the biggest case they ever investigated.
Tom explained that in such large investigations the Complex Case prosecution department gets involved. Typically, the investigators from this department ask many questions and for Tom’s unit it is important to have all the data together in a single system and thus have the capability to search across 100’s of devices for digital information. In total 168 computers, 30 external devices such as hard drives, usb drives and a handful of mobile phones were acquired. The current solutions available in the digital forensics labs were failing on this enormous amount of data. Either failing technically or failing because they could only access a single device at a time making cross devices searches not very productive.
Tracks Inspector claims to be scalable, very easy to use and able to perform case wide searches across many exhibits. Tom decided this was an ideal case for a trial with Tracks Inspector, so, with a trial license from Tracks Inspector they installed it on their virtualized environment. Tom explains: “We are running on a virtualized system. We did have problems in the beginning. It was the biggest case we ever did. It was trial and error. First we implemented a distributed system with help of Tracks Inspector. That worked, but didn’t really make sense in a virtualized environment. We got better performance with a single virtual system. People now visit us to see the system”.
Tracks Inspector could process all the exhibits. In the beginning lessons were learned when implementing the system in a virtualized environment. For instance, Tom’s department has a 10gb internet connection in the lab with a fast SAN and special storage for the virtualized (HyperV) system. Like in any other digital forensic lab, digital forensic tools will show hiccups when processing large E01 images over the network, even if it is 10Gbps. Digital experts typically work around this by copying complete evidence folders back and forth between the SAN and the forensic workstations. By contrast, Tracks Inspector, even though it was virtualized, Tom’s team was able load more than 200 exhibits in a single Tracks Inspector case, get it processed and ready to be searched. During the interview, Tom said:
The case is being investigated now by prosecutors in the Manchester prosecution office who deal with the more complex cases. Typically, investigators from the central location will ask questions to Tom one at a time. Before Tracks Inspector, this would mean Tom’s unit would have to mount every exhibit one at a time, run the new query and return the results to the investigators. Now, Tom takes his laptop to them to answer questions directly. He sits down with the detectives of the prosecutor and answers their questions and can immediately respond to new questions. Tom thinks that on the longer term he can also take his laptop to court while the case is prosecuted. It may become an important feature, both for the prosecution as well as for the defense.
Meanwhile Tom’s team has also started using the Tracks Inspector system for other cases, e.g., on immigration fraud and human slavery. Tom has found that the system is also helping to improve the communication between investigators and the experts in his unit. He explains:
So why is this new? Certainly, other tools can do this as well? According to Tom: “Nuix, FTK, Encase are scary for non-technical people. So many options to find information that it scares them. You show them how it works, they then review and finish within one hour. Not because they finished but because they do not really understand how it works. Tracks is completely user friendly and is more Apple like. People really like to use it and the investigators are not scared of the technology. When there is a new case, investigators are asking us if they can please use the Tracks product again.”
How much training did the investigators need to use the system? According to Tom: “That’s one of the biggest selling points. Non-technical investigators, detectives, barristers etc. can use the system after a short instruction of 15 minutes, at most. Within 10 – 15 minutes they understood how the system works. They can navigate. They can ask more questions. Cops were very quickly using it and giving us feedback so that we could show them how to refine their usage. It’s not even necessary to give them a training in class. We should probably do a 30 minute instruction video that can be watched (remotely) by anyone that has to use the system.”
In one case a barrister is using the system because the evidence comes from a lawfirm. The barrister needs to sort out privileged information and Tracks Inspector has a special workflow for that. Tom explained:
We asked Tom if he thinks Tracks Inspector can help with the October 2017 accreditation that is required by the UK Forensic Regulator. Tom explained: “Tracks Inspector will come under the area of data processing which is part of the UK Forensic Regulator area: Screening or recovery of data from a device using an off the shelf tool for factual reporting. We are working on that and are writing documents that describe the restrictions of any tool that we are using. We are working on a data set to validate tools to know their capabilities and as well as their limitations.”. Because Tracks Inspector is server based the organization only needs to ensure that the version on the server is validated which then automatically implies that all clients are accredited.
We are always looking for feedback from customers and trial users and asked how the product can be improved based on the experience in the pilot. Tom said the following: “Reporting can be improved. It’s great that you can run reports over so many exhibits but it needs to become more flexible. For instance, we would like to be able to change the font and it would be nice if we can select templates. Alternatively, if we can report to MsWord we could modify the layout.”
Tom is looking forward to our Elastic Search integration that is expected later this year. This will enable investigators to also search across multiple cases. Tom: “This can be a very effective tool to gather intelligence and go back to old cases with new names”. Further Tom said he likes the fact that Tracks can import xml reports from expert tools but that he would like to see support for more artifacts: “Some of the expert tools distinguish 70 or even more different categories of forensic data points. Tracks Inspector selects data from the xml reports and tries to cram this in 8 categories and evidence dashboards. Users can drill down with facets in the evidence unit search but this is not always productive”.
Our final question to Tom was if he would recommend Tracks Inspector to other organizations. Tom said yes and already various organizations have come and looked at their system. Other organizations are more than welcome to do so as well. Because of this successful trial Nottinghamshire Police have now procured a 20 concurrent user license from Tracks Inspector.