Blue Line

November 21, 2022, by Ryan Duquette

Digital forensic backlogs and the use of automation

Leaps in technology over the last 20 years have created some true benefits to society: real-time collaboration, cheap and reliable digital storage, the ability to perform complex processing in a matter of seconds, all things designed to simplify and speed up our lives. As technology has evolved, it has allowed us to complete tasks more efficiently and cost-effectively. While this benefits most individuals and businesses, one area where this evolution is having an adverse effect is the digital forensic space, especially within the realm of law enforcement.

A survey of policing agencies across North America revealed that the average backlog for cases involving digital evidence was six to seven months. Obviously, that’s very concerning, but what’s more concerning is that the survey was performed in 2004. Nowadays, it’s not uncommon for law enforcement digital forensic bureaus to have backlogs of one to two years. Even with advancements in the technologies and tools which are available, the sheer volume of data and the move to a more digital age is becoming painful.

For example, in March 2015, Canadian police uncovered a child pornography sharing database. It was approximately 1.2 petabytes in size, which, to provide some context, is the equivalent of over 20 million four-drawer filing cabinets filled with text documents, or around 13 years’ worth of HDTV. In short, here we have a situation where one case is, essentially, going to break the system. While a case of this size is still rare, we must remember that, on average, many Canadian police technological crimes teams have to analyze thousands of digital devices per year, and the size and complexity of those devices is ever growing. The backlog is continually increasing.

Why does this matter, you ask? Simple: it’s the potential for the withdrawal of court cases due to unreasonable time delays. Large forensic backlogs in the late 1980s were one of the reasons for the withdrawal of almost 50,000 criminal charges, in part due to the court’s ruling in the Canadian case R. v Askov (1990), in which a multiyear delay resulted in the case’s dismissal. While this isn’t yet commonplace, individual cases have been withdrawn due to delays in the digital forensic analysis being conducted.


External factors

Increased storage size

In the 80s, the average hard drive size was approximately five megabytes (MB). As of 2022, an individual can easily purchase an 18 terabyte (TB) drive on Amazon for roughly $500. That’s an increase of approximately 360,000,000 per cent in storage capacity over the past 40 years.

More digital devices involved in cases

There has also been a similar upward trend in the number of digital devices in general use. Mobile device use has seen a dramatic increase, and over the past 10 years there has been an explosion of new devices that are internet enabled, commonly termed the ‘Internet of Things’, or ‘IoT’. Estimates are that in 2020, there were close to 200 billion devices globally that had internet connectivity (or over 20 devices per person on the planet).

The volume of data being generated

Increased use of digital devices has led to an increase in the amount of data we all generate. Our daily communication has moved from phone calls and letters to emails, texts, chats and tweets, and has resulted in user-generated data accounting for over 25 per cent of all digital data created. This number will continue to rise as more IoT devices are used.

Increased digital investigation time

The amount of storage capacity, the number of devices and the growth in user-generated data are all resulting in more time being needed to investigate each criminal case. Long gone are the days when an investigator only needed to conduct an analysis on a phone or a computer to gather evidence. Today’s cases can call for investigation into a varied array of digital artifacts, e.g., multiple systems, mobile devices, USB drives, servers and ISP log files. It’s not uncommon for a digital forensic examiner to have to analyze many terabytes of data for a single case.

Internal factors

Staffing and retention

To counteract backlogs, many agencies have taken the traditional route of hiring more staff. Many have doubled or even quadrupled their capability yet still find it difficult to keep up with the demand. Some law enforcement agencies have resorted to hiring civilians (as opposed to sworn officers) to staff these positions. It’s a sensible approach; however, retention is likely to become a problem. Aside from the general skills shortage normally associated with specialist roles, the demand in the private sector for the same resources, in combination with considerably higher remuneration, is currently resulting in some real challenges for law enforcement in retaining skilled practitioners, and this will be a growing problem in the next few years.

Training and budgets

The field of digital forensics is constantly evolving, and those investigating digital cases need to stay up to speed to be effective. The increased number and type of devices available, with differing operating systems, and the speed at which new ones are being released result in a need for ongoing specialized training which is costly and time consuming. Time away from conducting cases is often a contributor to increased case backlogs, and budgets are often stretched at the best of times. For example, $50,000 is the average cost of the hardware, software and training needed to properly equip an examiner, and this number doesn’t consider salary costs, ongoing training or technology upgrades.

Is increased automation a solution?

There has been a lot of criticism aimed at the growing trend of “push button” forensics and at digital forensic tools that automate various aspects of digital investigations. While there is some merit to the concern that relying solely on these types of automated tools during an investigation may not be the best approach, there are many benefits to automating certain aspects of one’s digital forensic workflow.

At its most basic, the workflow on most digital forensic investigations consists of four steps: gathering evidence (usually imaging devices); processing evidence (this is where most digital forensic tools employ some aspects of automation); analyzing the evidence; and reporting on the findings.

Many digital forensic software tools automate various processing aspects of digital evidence. This may include the rebuilding of deleted content, extracting evidence from unallocated areas of the device, extracting evidence from compressed files and more. This automation allows an investigator to quickly determine what evidence is relevant to their case and move into the analysis of that evidence (often figuring out the who, what, when, why, and how).
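As an added illustration of what the “processing” step automates (this is example code, not from the article or from any vendor tool), the following Python carver scans the raw bytes of a disk image for JPEG and ZIP headers in unallocated space, carves each object out, hashes it, and expands archives so their members join the inventory the examiner triages; the disk image and its contents are constructed inline.

```python
import hashlib, io, re, zipfile

# Constructed stand-in for a raw disk image: a JPEG and a ZIP archive dropped into
# zeroed "unallocated" space, with no file-system metadata pointing at either.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20 + b"\xff\xd9"
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as zf:
    zf.writestr("notes.txt", "meeting at 9")
    zf.writestr("pic.jpg", SAMPLE_JPEG)  # the same picture again, stored uncompressed
SAMPLE_ZIP = _buf.getvalue()
SAMPLE_IMAGE = b"\x00" * 512 + SAMPLE_JPEG + b"\x00" * 300 + SAMPLE_ZIP + b"\x00" * 256

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def carve_jpeg(image, start):
    end = image.find(b"\xff\xd9", start)  # JPEG end-of-image marker; None if truncated
    return image[start:end + 2] if end >= 0 else None

def carve_zip(image, start):
    eocd = image.find(b"PK\x05\x06", start)  # end-of-central-directory record
    if eocd < 0:
        return None
    comment_len = int.from_bytes(image[eocd + 20:eocd + 22], "little")
    return image[start:eocd + 22 + comment_len]  # EOCD is 22 bytes plus its comment

SIGNATURES = {b"\xff\xd8\xff": ("jpeg", carve_jpeg), b"PK\x03\x04": ("zip", carve_zip)}
HEADER_RE = re.compile(b"|".join(re.escape(magic) for magic in SIGNATURES))

def carve(image):
    """Scan raw bytes for file headers; a header inside an already carved object is skipped."""
    found, cursor = [], 0
    for m in HEADER_RE.finditer(image):
        kind, carver = SIGNATURES[m.group()]
        data = carver(image, m.start()) if m.start() >= cursor else None
        if data:
            found.append({"type": kind, "offset": m.start(), "sha256": sha256(data), "data": data})
            cursor = m.start() + len(data)
    return found

def expand(items):
    """Recurse into carved archives so compressed content joins the inventory."""
    out = []
    for item in items:
        out.append(item)
        if item["type"] == "zip":
            with zipfile.ZipFile(io.BytesIO(item["data"])) as zf:
                for name in zf.namelist():
                    member = zf.read(name)
                    out.append({"type": "zip-member", "name": name, "parent": item["offset"], "sha256": sha256(member), "data": member})
    return out
```

The hashes let the inventory be matched against known-file sets, and the picture stored inside the archive shows up once as a member rather than twice as a carved duplicate.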

The benefits of using automation within digital forensic cases

Faster turnaround time

As is often the case in many digital investigations, there is a flurry of activity within the first few days or weeks. Investigative resources are scarce, and other investigations can often spread those resources very thin. In law enforcement, minor cases go untouched for months, if not years, while the major cases are continually being worked on. Automating certain aspects of the digital forensic workflow would allow those cases sitting in a backlog to be dealt with more quickly, while still allowing a focus on major case work.

More effective use of resources

One of the main advantages of increased automation within digital forensic tools is being able to utilize non-digital-forensic personnel to conduct the initial steps of imaging and processing evidence. Using tools to conduct the initial imaging and processing of evidence does not require an examiner to have advanced digital forensic capabilities and training, as the steps required are often repeatable for every case. Many agencies (both public and private) employ junior members who start their career “learning the ropes” by imaging and processing evidence before moving on to conducting a deeper analysis on cases. This in turn allows more seasoned or senior examiners to focus on cases that require a “deep dive” into the evidence.

Reduced number of cases that go to trial

A study showed that more than 90 per cent of criminal cases do not make it to trial, as the defendant will usually enter a plea bargain, and almost 70 per cent of those pleas are entered within the first six months of the offence date. This rate drops to approximately 30 per cent between 12 and 18 months after the offence date. It’s possible that many defendants don’t initially plead to their charges within the first six months because they think that the police won’t find evidence of a crime on their device. It’s more likely that the device(s) in question were not even analyzed during that initial six months.

Finding evidence faster leads to higher plea rates and fewer cases that go to trial. Automation within digital forensic tools allows law enforcement agencies to quickly view the evidence involved in the case, make informed decisions as to any further direction of the investigation, and present those findings.

Backlog reduction

Police agencies want to be proactive when dealing with criminal matters; they don’t want to just react to crimes that have taken place. Large case backlogs typically result in many of the proactive measures being shelved while cases are being investigated. The increased use of automation would reduce backlogs to a manageable level and allow agencies to get back to their core values of community safety.

In summary

The tough decisions that agencies make about prioritizing technology-based investigations are ever present, and with society’s dependency on digital systems, devices and services continually growing, choosing what to act upon first will become more of a challenge. The balancing act between clearing backlogs, investigating fresh crimes, and managing budgets and resources will become more difficult as time moves on. The good news is that there are options. The use of automation within digital forensic tools to tackle various aspects of cases can ease the burden, reduce the cost and time scale, and ultimately allow law enforcement agencies to get on with the business of putting criminals behind bars.

Ryan Duquette is the Canadian lead for RSM Canada’s Security and Privacy Risk Consulting practice. Duquette focuses on litigation support, cyber incident response, privacy and cyber technology risks, digital forensics and cyber fraud matters. Duquette has been an investigator for over 20 years and was previously a police officer focusing on cybercrime and fraud cases.
