Mobile Forensics in Internal Affairs Investigations
It’s an unfortunate truth of the cell phone era that sometimes, employees will abuse their access to these devices. Whether their employer owns the device, or allows “bring your own device” (BYOD) to work, the convenience and ubiquity to an individual’s day-to-day means that sometimes, devices will be used inappropriately.
In the law enforcement arena, several very recent news stories highlight this truth:
- Chicopee (Massachusetts) police officers were investigated after leaking crime-scene images of murder victim Amanda Plasse. The photos were taken with officers’ personal mobile devices and shared with people outside the Chicopee Police Department.
- In Denver (Colorado), an officer was given a desk assignment after allegedly using his department-issued mobile device to sexually harass a woman.
- Connell (Washington)’s chief of police is under investigation for allegedly watching pornography on a city-issued cellphone.
- A Roseville (California) police officer used his cell phone to stalk and harass a woman.
How can you protect yourself and your agency in the event of these types of allegations?
Establish proactive and reactive policies
Whether you issue devices or allow BYOD, have policies that establish acceptable use. In either case, personal communications should not interfere with official duties. Require employees to password-protect their devices, and possibly even encrypt potentially sensitive data, such as text messages between officers and witnesses.
Clearly lay out what behavior will not be tolerated. This can be as obvious as pornography viewing on duty (or even off duty on a government-issued device), or as “gray” as limiting personal communications only to family emergencies.
In Connell as well as in many other communities, employees can use their city-issued phones for some personal use as long as it doesn't add to maintenance costs, and/or if they agree to pick up the tab for additional accrued costs. However, employees also have a limited expectation of privacy in the use of employer-issued devices, as the US Supreme Court ruled in City of Ontario v. Quon in 2010.
BYOD policies are a little different. These should stipulate:
- What devices are permitted. As government employees, everyone in your agency may need to adhere to any policy already in place for your city, county or state. Devices that are allowed can affect any support issues officers may have with connecting to work email or other internal resources, as well as potential security issues.
- What apps are permitted. Especially on Android devices, it’s possible that some apps may not be as secure as you’d like them to be when a device is accessing your network.
A BYOD policy should also include language that allows the agency or government to search the employee’s device. There should be cause to do so, of course, and the policy should state that the scope of a search will be limited to relevant data (not a wholesale scouring of employee personal data, which could leave you liable if you uncover personal health information or other protected data). This part of the policy should also cover what happens when employees leave the department.
Employees should also be compelled to turn over any evidentiary data on their personal devices as soon as possible after obtaining it. It may be, in some situations, that a personal device is the only means of recording a crime scene, a victim’s injuries, a confrontation of some kind, or other evidence. But policy should dictate when this type of use is allowable and what should happen to the evidence following the recording.
Policy should also dictate how to handle mobile devices in certain situations, like officer-involved shootings or other use of force encounters. It may be that the device contains no evidence. Then again, the nature of text messages or other communications can help to establish an officer’s frame of mind leading up to an encounter.
Have a standard search procedure
Policy only goes so far. Also understand how you’re going to obtain the data. Just as with a civilian’s device, it’s not appropriate to “thumb through” text messages, images, or other data. That would be like thumbing through all the pictures, files and personal effects within an officer’s home.
“Digital first responder” training is imperative for everyone in the agency, including any officer or commander responsible for conducting internal investigations. This training helps the investigator understand how to preserve digital evidence.
For instance, it would not be enough to put an iPhone in Airplane Mode. The investigator also needs to turn off its wi-fi. Doing one but not the other would still allow the device to send and receive data from wi-fi access points, changing data on the device.
Investigators should also be sure to collect data and power cables for all relevant devices. While Android phones use micro USB and therefore have interchangeable power cords, other makes and models do not; Apple iOS devices, for instance, do not have consistent power cabling. If you don’t collect the right cables, you may face having to purchase one.
Keep cables with the devices they’re meant to go with, separate from other devices and cables. Label everything: device make and model, whose it is, case control number. If for some reason you could not collect the cable, note that too.
Internal investigations may start in the field rather than in the office. In this event, a small “first responder” kit (which should be standard issue in all field vehicles) should be maintained. The kit should include a Faraday bag or box to help you isolate the device as you transport it from the scene to the office or forensic lab.
If the device is locked, obtain its password. This may be part of consent to search -- be sure to maintain consent forms for BYOD scenarios -- or the employee may be compelled to provide the password. Keep in mind that the officer may be unwilling or unable (if physically injured) to provide the password. In this event, know whether your agency’s or government’s IT staff maintains device passwords, and whether they can be reset over the network.
Finally, once you have the device and all necessary legal authority, examine or assign the examination like you would any other evidence device. Know who in your agency or region can perform mobile forensic examinations, and how to contact the on-call specialist.
If you are the one doing the examination, it is wise to undergo training on how to use the forensic tool, including obtaining any necessary certifications. It may also be wise to perform any search in the presence of the officer’s union representative or attorney, or request independent examination by a district attorney’s or attorney general’s investigative staff.
Communicate with employees
Employees should understand that nothing on their personal mobile device is truly “private.” It could become discoverable for any reason at all. Employees should be taught to assume their mobile devices may be searched at any time, and that the old saying “better to ask forgiveness than permission” may not be true of mobile device usage.
Clearly communicate what policies exist and why, along with any changes that are made as soon as they are made. Make sure employees also understand the SOP that goes along with those policies and what their rights are. Know how to answer any questions they might ask, which means working with the city attorney to address them.
Annual in-house training, complete with scenarios and/or role-play, can help in this regard. Regular briefings on offenses, right and wrong responses, implications and consequences of each, and what officers are required to report should all be built into this type of training.
Just like social media posts, mobile device content can affect your credibility as a witness in court, and your usage habits can affect the public’s perception of your professionalism. Strong policies, procedures, and training can help both officers and agencies protect themselves and one another from damaging mobile device misuse.
For more information:
The Use of Personally-Owned Mobile Phone Cameras and Pocket Video Cameras by Public Safety Personnel
DPD officer investigated for allegedly sexting on department phone
Roseville settles lawsuit accusing former police officer of stalking
Connell police chief investigated for allegedly misusing work cellphone
Supreme Court rules in favor of California police chief who read employee's texts
Christa M. Miller
Christa M. Miller is Director of Mobile Forensics Marketing for Cellebrite USA. Christa has worked for more than 10 years as a journalist, specializing in digital forensics and other high tech topics for public safety trade magazines including Law Enforcement Technology and Officer.com. Christa is based in South Carolina.