Fear of Mobile Device Evidence Collection?
In agencies that have shifted some digital evidence collection responsibilities from lab-based personnel to those in the field -- investigators, patrol officers, or crime scene techs -- the response has been mixed.
Some embrace the new responsibilities, eager to have the chance to get valuable evidence when they need it, and to add another skill to their set of job tasks. Others, however, shy away from anything resembling digital. Their reasons can take one or more of the following tones:
- I’m not a technical person.
- I don’t want to mess up the evidence collection.
- I don’t want to misinterpret the evidence.
- I have too much work as it is.
- I don’t think the evidence will have that much impact.
- I don’t want to have to testify about a process I don’t understand.
The Riley decision, handed down this past June by the US Supreme Court, complicated these issues. Still, backlogged labs and the time sensitivity of actionable evidence mean that the sooner field personnel get acquainted with collection procedures, the better -- for them, for lab personnel, and everyone who relies on the evidence.
I’m not a technical person.
True, some people should never touch house plants, carpentry, plumbing, cooking utensils, or, yes, computing equipment. And yet, these officers use CAD and RMS in their cruisers, don’t they? Maybe it took them a few months to get comfortable using MDTs, but they probably can’t imagine going back to paper-based reports now.
“Not a technical person” probably belies some deeper concern that they don’t want to admit to. Read on:
I don’t want to mess up the evidence collection.
So simple to use and so pervasive throughout society, there’s got to be a catch when it comes to the evidence, doesn’t there? Well, yes. This fear is not unfounded. Even after isolating the device from the wireless network, there’s the chance that mishandling the device could change or delete user data.
Good mobile forensics equipment, coupled with appropriate training and department guidelines, can significantly reduce this risk. This enables proper use of tools to copy data from device to secure container without the officer ever having to manipulate the device beyond isolating it from the network and plugging it into the forensic extraction device.
The officer who expresses this concern after being given the opportunity to use mobile forensic evidence collection equipment, however, is probably telling you that their training wasn’t adequate. (You did provide training on the equipment, didn’t you?)
Ensure that the training the officers receive is appropriate for the level of forensic evidence handling you’re asking of them. It should be neither too simple nor too complex. Training should help you understand how the collection helps to preserve chain of custody and data integrity, and, on a fundamental level, what it’s relying on (for example, manufacturer API) to copy the data.
I don’t want to misinterpret the evidence.
This is also not an unfounded fear. Messages that appeared to have come from one person might in reality have come from another. The device could misinterpret the country code of an incoming international call as the area code from a US state. Time and date stamps may not match an interviewee’s account of events.
However, much of the standard training that officers should have received, especially with respect to documentation and evidence handling, is no different when it comes to mobile devices.
When in doubt, an officer should have the option to escalate the device and its evidence to a lab examiner for deeper interpretation. It may become necessary to get into the device’s file system or memory to determine what, exactly, is the reason for the discrepancy.
Other times, such as when you’re authenticating a message’s origin, further legwork -- interviews or additional evidence -- may be required.
I have too much work as it is.
While it may be tempting to escalate devices as quickly as possible to lighten your workload, think about the hidden time costs to your case. Sending the device to an already backlogged lab means waiting weeks or months to get your evidence back.
At that point, you must take additional time to reacquaint yourself with the case. Witnesses may have become reluctant to testify to what they told you at first. Context isn’t as easy to remember. Thus, the “new” workflow may actually save you time and, like other police technology, make you more efficient.
I don’t think the evidence will have that much impact.
This could indeed be the case. Mobile device evidence can often provide probable cause for arrest, but so can other things. Several kilos of narcotics found during a search of an automobile, for instance, or surveillance video clearly showing the suspect in the act, means you may not need the evidence from the device right away.
Keep in mind, though, that the device could still provide evidence of additional members of a drug network, or multiple suspects planning the crime that the video recorded. How soon you need this information should determine whether you seek to get the evidence yourself, or escalate the device to the lab. Interviews can help you make this determination.
In all cases, start by weighing the value of the mobile device evidence. Is it needed, and if so, when is it needed? This should direct your next steps.
I don’t want to have to testify about a process I don’t understand.
As with any police skill, good traing and documentation should remove any anxiety about testimony. Together, training and documentation enhance the ability to answer questions.
As with a weapon, meanwhile, practice combined with training elevates skill level. Just as your firearms proficiency decreases if you don't practce target shooting on a regular basis, you can lose mobile device evidence collection skils if you don't practice them.
(Tip: during periods where you don't seem to be seizing many mobile devices, have your forensic lab examiner keep a box of "practice devices" that you can sign out to work on during your shft.)
Not every officer who learns to collect mobile device evidence can or should go on to become a forensic examiner. However, the skill can be an important career builder because it shows that you’re thinking beyond “typical” patrol, investigation, or crime scene tech skills. Learn it, practice it, and mobile device evidence collection can become as second-nature to you as any of the other technology that’s come to your cruiser in the last 10 years.
Christa M. Miller
Christa M. Miller is Director of Mobile Forensics Marketing for Cellebrite USA. Christa has worked for more than 10 years as a journalist, specializing in digital forensics and other high tech topics for public safety trade magazines including Law Enforcement Technology and Officer.com. Christa is based in South Carolina.