With digital’s rapid expansion showing no signs of slowing, digital forensics – identifying, recovering, analysing, and investigating data stored electronically – is mission-critical to effective modern policing.
The (r)evolution of crime in a digital age
The 4th Industrial Revolution has blurred the lines between physical, digital, and biological spheres through technologies like AI, robotics and virtual reality, causing a seismic shift in the crime landscape. An example from earlier this year, involves Global engineering firm, Arup, who suffered a £20m loss due to a ‘deepfake’ scam using AI-generated digital clones of its Chief Financial Officer and other employees to ‘authorise’ the transfer of funds to the criminals.
While the crime was traditionally classified by Hong Kong police as ‘obtaining property by deception’, traditional forensic investigation methods such as fingerprint analysis or lifting fibres from the scene of the crime couldn’t be applied in this instance.
Often crimes like cyber-attacks, online fraud, terrorism and child exploitation, leave only a digital footprint or one that’s pivotal to solving the case. This explains why digital forensics (DF) is rapidly emerging as the cornerstone of an effective policing ecosystem.
The role digital forensics can play in modern policing
Digital forensics empowers policing professionals by enabling them to piece together narratives that shed light on the who, what, when, where, and how of criminal activities by:
Uncovering hidden evidence: deleted conversations, sophisticated, encrypted financial transactions or incriminating images on the dark web can all be uncovered using DF methods and tools.
Linking suspects and crimes: whether its tracing digital interactions across organised crime networks, social media posts placing suspects at the scene of a crime or private messages between accomplices in planning it, DF can be used to uncover evidence that builds a picture of events.
Providing timelines and corroboration: DF can use metadata attached to images and audio files to establish a clear chronology of events and corroborate – or refute – witness testimonies and alibis.
Clearly, as the digital revolution has irrevocably changed crime, a robust digital forensics capability across policing benefits not only law enforcement, but society a whole.
So, what’s the current state of play?
The scale of the digital forensics challenge
The sheer volume of digital evidence is overwhelming.
Using the headline statistic from the National Police Chiefs’ Council that 90+% of all crime has a digital element , and basing it on the ONS’ 6.7m total crime case number for 2023. Assuming just one digital device per case, that’s 6m devices per year that require investigation: an average of 140,000 devices for each of England and Wales’ 43 territorial forces.
Even if just 10% of those crimes warrant police Digital Forensic Units (DFUs) investigation, that’s 14,000 devices each. We know that the current digital forensics backlog is huge, untenable and risks damaged public trust in policing effectiveness alongside impacting case prosecution times and as society’s digitisation continues, the challenge can only increase.
Three solutions to improve policing ecosystem digital forensics capability
Building DF capability in the policing ecosystem is now a strategic, operational and reputational imperative, going beyond the application of technology, also requiring investment in people and process.
Fostering Expertise
Forces have made great strides to address the challenge with more Digital Hubs, Kiosk and Digivans and Digital Media Investigators who can play a demand-reducing triage role around device seizure at crime scenes. But the current shortage of highly trained digital specialists working in line with Forensic Science Regulator Code of Practice statutory requirements is critical. As Europe’s only ISO/IEC 17043 accredited Digital Forensic proficiency testing provider, we can support forces in assuring digital forensics best practice in line with ISO/IEC 17025 accreditation standards. Add to this upskilling the robust resourcing and finance plans called for by Matt Parr in his HMICFRS report and you have a recipe for success.
Cutting-Edge Technology adoption
The rapid pace of technological advancement requires continuous adaption of forensic tools. DF must be capable of retrieving data securely, efficiently and lawfully wherever it resides, making Cloud forensics a vital focus area, along with Internet of Things (IOT) and blockchain capabilities. AI and machine-learning is now commonplace (unthinkable mere years ago), requiring specialist practice and – potentially – adoption in the DF process. Particularly in areas like image categorisation, though their accuracy and robustness need further validation. Partnering with organisations like CACI, DFUs can ease the burden of trying to keep pace with these advancements in technology.
Promoting Collaboration
Collaboration between police, government agencies, and private enterprises is vital for effective digital forensics at the scale it needs to be. Ironically, as criminals increasingly operate in sophisticated, structured networks with advanced technology and skills, policing is still working in silos. Sharing best practices, standards, and methods, and fostering information exchange can only strengthen the overall DF response.
Open Digital Forensics – a shared vision for the future?
A more collaborative DF policing ecosystem could go one step further, taking inspiration from the UK’s Open Banking initiative. Imagine digital forensics practitioners using standardised tools, methods, and processes, with data stored in a central national cloud repository, with AI and machine learning being used to rapidly triage the vast amounts of data, freeing up investigators to focus on relevant items. This centralised approach would also streamline the UKAS accreditation processes, reducing the burden on UKAS and individual forces.
Big thinking perhaps, but tackling the ever-growing, complex, evolving nature of crime in the digital age, requires even bigger ideas, investment and resource.
Digital forensics is a critical component of modern policing. By investing in expertise, technology, and collaboration, law enforcement can build a robust DF capability that not only meets current demands but’s also prepared for future challenges.
To find out more about CACI’s Digital Forensics Laboratory including our uniquely accredited European Digital Proficiency Testing services, just get in touch with our team of experts today.
With the Forensic Science Regulator Code of Practice now a statutory requirement, Digital Forensics units pursuing ISO/IEC 17025:2017 accreditation must use an ISO/IEC 17043 accredited proficiency testing provider. CACI’s Digital Forensics Lab has been assessed by UKAS and granted accreditation to BS EN ISO/IEC 17043:2023 for all our Digital Forensic Proficiency Testing schemes.
What is the Forensic Science Regulator Code of Practice?
GOV.UK states that the code “sets quality standard requirements for forensic science activities related to the investigation of crime and the criminal justice system in England and Wales” and came into force in October 2023. This being introduced will prove to be hugely impactful for forensic science and it’s importance and meets the regulator’s requirements for quality long-term.
CACI Proficiency Testing Schemes
ComputerBased Devices – Acquisition
ComputerBased Devices – Processing & Analysis
Mobile Based Phone – Acquisition, Processing & Analysis
What’s included in the scheme?
Computer Based Devices – Acquisition
Includes three to five physical devices each year.
Devices meet UKAS requirements to test the entire scope over a four-year period.
Focuses on acquisition processes and related challenges.
Includes pre-acquisition activities and more.
Computer Based Devices – Processing & Analysis
Provides forensic acquisition yearly for processing and analysis.
Meets the scope for Microsoft Windows, Apple MacOS ad Linux over a three-year period.
Includes full case background, examination strategy, and workbook.
Focuses on processing and analysis processes and related challenges.
Mobile Based Devices – Acquisition, Processing & Analysis
Includes three physical test devices and forensic acquisition yearly.
Provides full case background, examination strategy, and workbook.
Focuses on acquisition, processing, and analysis processes and related challenges.
Includes pre-acquisition activities and more.
How do CACI’s PT schemes ensure relevance to Law Enforcement DFUs?
CACI’s PT schemes are designed to closely replicate typical law enforcement digital forensics submissions. Participants receive physical devices packaged as police exhibits, along with a submission document, allowing them to test their end-to-end processes. Both Computer Acquisition and Mobile Acquisition schemes test pre-acquisition activities and more.
If you would like to book yourself on the next proficiency testing scheme, please get in touch with our team.
CACI’s new Digital Forensics Laboratory has successfully passed its initial assessment and been granted accreditation to ISO/IEC 17043:2023 by UKAS for its Digital Forensic Proficiency Test schemes. This builds on the Laboratory recently receiving ISO/IEC 17025:2017 accreditation back in February. This accreditation means that CACI are now the only accredited Digital Forensics Proficiency Testing provider in Europe.
Full scope details:
The following CACI Ltd Proficiency Testing Schemes have been accredited by the United Kingdom Accreditation Service (UKAS) for ISO/IEC 17043:2023:
All schemes are tailored to meet the criteria for accredited digital forensics (DF) laboratories operating in law enforcement. Participation rates during proficiency testing cycles have been consistently increasing.
CACI’s DF Laboratory’s Operations Director, Richard Cockerill, had this to say:
“CACI are delighted with the news that we have been granted ISO/IEC 17043:2023 accreditation for our digital forensic proficiency testing services. Over the past year we have successfully delivered realistic and challenging PT schemes to UK Law Enforcement related organisations. Feedback from participants has been really positive. Now that we are an accredited PT provider we look forward to expanding our support in this area for both existing and new law enforcement clients.”
*The certificate of accreditation awarded to CACI will be available from the UKAS website shortly.
If you would like to enquire to our expert team about our proficiency testing or other digital forensics services, you can get in touch here.
Digital forensics is a branch of forensic science that focuses on the recovery and investigation of digital devices, data and electronic evidence. With over 90% of crimes having a digital element associated with it nowadays, digital forensics plays a pivotal role in delivering justice within criminal investigations, from the scene of the crime to the courtroom.
So, what does digital forensics entail? What makes it integral for businesses, and how are digital forensics processes carried out? What skills must one possess to pursue a role in this industry?
What does digital forensics entail? Digital forensics encompasses the identification, extraction and interpretation of electronic evidence from digital devices such as computers, laptops, smartphones, tablets and even network infrastructure. By examining the data on these devices, digital forensics experts can supply insights and an understanding of the events that occurred, the actions taken and the individuals involved. Within an organisation, digital forensics can be used to identify and investigate cybersecurity and physical security incidents, as well as fraud, intellectual property theft, insider threats/bad leavers, sexual misconduct and embezzlement.
Why is digital forensics integral to businesses? Digital forensics is vital for businesses as it safeguards against data security discrepancies. Since businesses typically have an influx of digital data from financial records to customer data and intellectual property, the use of digital forensics to investigate identified issues helps them avoid financial losses and reputational damage by identifying and investigating cyber enabled or dependent crimes and securing their information.
Data preservation Digital forensics plays a crucial role in preserving and presenting evidence for legal proceedings. When crime(s) involving digital devices occur, law enforcement agencies and businesses must gather relevant evidence for legal purposes, such as criminal prosecutions or civil litigation. Digital forensics experts follow policy and procedure documentation to ensure the integrity, preservation and authentication of electronic evidence. They create forensic copies of digital devices using validated methods, document the chain of custody and use advanced techniques to extract and analyse data without altering its original state. This aspect is vital, especially in situations where data is regularly updated or extracted from various sources. This also ensures that the evidence collected is admissible in court and can effectively support legal actions.
Digital forensics process deep dive
During an investigation, digital forensic techniques are applied to collect, preserve, and analyse digital evidence in a manner that ensures its integrity and admissibility in a court of law. With computer type devices, this involves using forensic software and hardware tools to create a digital forensic image of the device or media being examined. This image is a bit-by-bit copy of the original data, which allows investigators to work with the evidence without altering or compromising the original source. The forensic image is then processed and analysed in a controlled environment using forensic software and techniques to search for meaningful information that can be used as evidence.
In criminal cases, the digital forensics process has succeeded in identifying, apprehending and prosecuting criminals in a wide range of offenses covering both cyber enabled and cyber dependent offences. In civil litigation, digital forensics can be used in intellectual property disputes, employee misconduct investigations, and to support or challenge contractual claims.
While the digital forensics process may be unique to specific scenarios, it typically consists of the following steps:
Step 1: Collection and recovery The digital forensic process begins with the collection and recovery of information through advanced technological methods to extract and store data from computer systems, mobile devices and other storage mediums. Recovering such a vast scope of information can be fundamental to understanding the root cause of any digital incident, whether it’s a security breach, fraud or other cybercrime.
Step 2: Examination and analysis Once the evidence is recovered, digital forensics experts process the data using a range of tools before thoroughly analysing the data. Some examples of techniques used during analysis include file carving, registry analysis, database analysis, timeline investigation, hash comparison, filtering and keyword searching to identify relevant information that may support or refute a hypothesis or allegation. This can involve linking digital evidence between devices or people– with physical evidence or other forms of non-digital evidence– to create a comprehensive picture of the events under investigation. Digital forensics experts may need to work on a live or dead system— working live from a laptop or connecting via a hard drive to a lab computer– to decide which pieces of data are relevant to the investigation. The examination will result in a report or reports produced to address the points to prove defined within the digital evidence strategy and any data of significance presented evidentially for use in criminal or civil proceedings.
Step 3: Reporting and documentation The reporting process is tightly controlled by the Forensic Science Regulator and ISO 17025, ensuring that the status of compliance (to those standards) of work conducted is appropriately declared and the findings of the examination cannot be misinterpreted. Reporting can come in many forms, ranging from simple to complex, in line with criminal standard reporting formats.
Types of digital evidence
Communications Communications can occur in a wide range of mediums, from traditional emails and text messages to app-based communication, in-game, encrypted and secure communication channels.
Recovered communication data can be invaluable in establishing a suspect’s intentions, activities, connections between involved parties and potential evidence of illegal activities. Metadata relating to recovered communication data can be used during analysis to inform the investigation. Email headers, for example, can contain valuable metadata that can establish the authenticity and integrity of the communication. They can also supply information about the sender and recipient email addresses, the date and time of transmission, details of the email servers involved in the delivery process and enable investigators to define timelines and track communication flow. Attachments within emails can also give away clues about illegal activities, which can help prove a criminal’s motive, intent or even their involvement in the event in question. App based communications often contains media, links to other content or individuals of relevance and location data.
Internet activity Internet activity can be recovered from a wide range of browsers and is often extremely valuable in determining intent– for example, recovered ‘search terms’ entered into a search engine by an individual of relevance to the investigation. Internet records can be used alongside other activity conducted on the suspect’s device when investigating a time-period of relevance to the investigation during ‘timeline’ analysis.
Application data Mobile devices utilise software applications, or ‘Apps’, to enable the user of the device to perform a wide range of different functions. Recovered application data if often used during investigations for evidential purposes.
Logs Logs are automated records of computer processes, user activities or communication transactions generated by computer and mobile devices. They can be compelling evidence by being able to detail who accessed a specific system and what actions were taken
Media Videos and images are another significant type of evidence that can be used to identify and prove the physical presence of an individual at a specific location at a given time, concluding their involvement in the event in question. Metadata recovered from media is examined during analysis.
Archives Archives involve storing offline copies or backups of databases, files or even websites. This is a practical way of retrieving lost information, which can be crucial in a digital forensics investigation.Each of these types of evidence features their own unique characteristics and functions and contributes significantly to the realm of digital forensics, aiding experts in piecing together the digital aspects of investigations and solving cases.
What challenges commonly arise in digital forensics?
Adapting along with ever-changing technology Devices, operating systems and security are constantly changing, significantly complicating the field of digital forensics. With Windows, macOS, Linux, iOS and Android being the main operating systems used across consumer computer and mobile devices, forensics experts must innately understand each operating system’s structure and functions to effectively extract and interpret digital evidence.
Encryption and password protection Encryption is a widely used security measure that maintains data privacy and integrity. While these techniques effectively safeguard sensitive information, they can obfuscate investigations when authorities require access to relevant data. Encryption obfuscates the data format, making it decipherable only with the correct encryption key, or password. Without these credentials, accessing the encrypted data can become impossible.
Privacy concerns Digital forensics experts must always consider privacy while performing their work. Not only is their professional credibility at stake, but also the fundamental rights of individuals, as any breaches can lead to legal complications and reputational damage. As a result, forensics investigators must exercise caution in accessing information that is specifically pertinent to the investigation in question and that any non-relevant personal data is not intruded upon.
Establishing data authenticity and reliability Since electronic data can be easily altered or destroyed, establishing its authenticity and reliability can be compromised, resulting in complications during court proceedings. Despite forensics professionals’ best efforts, there is always a chance that the evidence could be disallowed by the court if certain legal criteria are not met.
Emerging trends in digital forensics
The integration of artificial intelligence (AI), machine learning (ML) and blockchain technologies, coupled with a rise in mobile device forensics, are transforming digital forensics as we know it. These advancements will bolster forensics experts’ capabilities in terms of visualising and interacting with complex digital crime scenes, leading to a significant enhancement in their ability to gather crucial evidence and reconstruct events accurately.
Artificial intelligence (AI) and machine learning (ML) integration Artificial intelligence (AI) and machine learning (ML) integration will continue to revolutionise the ways in which digital forensics experts can investigate and analyse data and evidence. Through AI-powered algorithms, experts can rapidly process large volumes of data to significantly reduce the time needed to prepare for investigations. AI and ML algorithms can also be used to identify patterns within the data that may not have been picked up during traditional, manual analysis. These algorithms can also automatically categorise and prioritise evidence to help forensics analysts assess the relevance and potential significance of collected data. Automating this process saves analysts considerable time, ensuring their focus remains on the most essential elements of the investigation. While AI can aid the investigation process, it is important to stress that digital forensic experts must never use material identified by AI as being of potential relevance within evidential reports without first reviewing and verifying it.
Implementation of blockchain technology Blockchain characteristics– immutability, transparency and decentralisation– make it ideal for ensuring the security and integrity of digital evidence. With digital evidence traditionally stored and managed by centralised systems or authorities, potential vulnerabilities and risks emerge, as the evidence can be tampered with or manipulated, compromising the integrity of the investigation. By implementingblockchain technology, a decentralised and distributed ledger system that addresses these concerns is created. Blockchain acts as an immutable and tamper-proof record that stores all forensic activities, including the collection, analysis, and preservation of digital evidence, ensuring that any changes made to evidence will be easily detected, providing increased trustworthiness to the investigation process.
Rise of specialised mobile device forensics Mobile device forensics has become increasingly prominent due to the widespread usage of mobile devices. It is a sub-branch of forensics that focuses on the recovery of data or information from mobile devices. This specialised area of digital forensics employs advanced tactics and approaches to analyse data, calling for an increased importance of this specialised forensics.
Certification and career opportunities
Digital forensics experts’ innate software understanding coupled with access to sophisticated tools and technology allows them to analyse and report on data effectively. These experts understand technology, computer systems and data structures to a degree that guarantees secure data evidence collection. Their roles are critical in corporate environments, where they may be tasked with examining malware, breaches or damages that can identify attackers to help organisations prevent incidents of this nature reoccurring.
Digital forensics professionals can pursue a range of classroom and online courses that cover a variety of aspects and specialisms of the field. While some organisations may task digital forensics experts with broader tasks and responsibilities, there will be a unanimous understanding of software to back these roles. A typical day could include:
Handling exhibits, data and materials to avoid contamination or corruption.
Disassembling and examining computers or hardware for non-volatile data storage.
Acquiring and processing data in line with defined digital forensic strategies.
Review processed data and analysing material(s) of relevance.
Creating formal reports with evidence to support investigations.
Roles within Digital Forensics Units include, but are not limited to:
Digital Forensic Technician
Digital Forensics Investigator
Senior Digital Forensics Investigator
Digital Forensics Manager
Quality Manager
Technical Manager
Quality Technician/Assistant
Consultant
How can CACI help?
CACI can supply comprehensive digital forensic services that encompass computer, mobile phone device examination and scene support for law enforcement, commercial and civil investigations.
To ensure compliance with The Forensic Science Regulators Code of Practice, and ensure quality of all Digital Forensics Investigation and proficiency Testing services, the United Kingdom Accreditation Service (UKAS) has granted CACI with accreditation for ISO/IEC 17025:2017.
UKAS Recommendation Details: Accreditation Scope: ISO/IEC 17025:2017 with compliance to ILAC G19:06/2022 and Forensic Science Regulator Code of Practice Version 1.
Capture and preservation of data from computers and digital storage devices HDDs, SSDs, M.2 memory devices, memory cards and USB flash devices – Using FTK Imager, EnCase Imager and Tableau T356789iu.
Capture, preservation, processing and analysis of data from Mobile Devices, SIM cards and Memory Cards – Using Cellebrite 4PC, Cellebrite Physical Analyser, MSAB XRY, MSAB XAMN and Magnet Axiom.
CACI Ltd has also been recommended for accreditation to ISO/IEC 17043:2023. This recommendation is for proficiency testing schemes relating to the acquisition, processing and analysis of computer and mobile devices.
In addition, CACI’s Digital Forensics Lab holds certification from British Standards Institute (BSI) to ISO 27001 for the provision of Digital Forensic Science Services.
To learn more about our Digital Forensic Proficiency schemes or to book a demonstration,contact us today.
CACI is delighted to announce that its Digital Forensics Laboratory has been granted accreditation by the United Kingdom Accreditation Service (UKAS) to ISO/IEC 17025:2017 with compliance to the Forensic Science Regulator Code of Practice and ILAC G19. This accreditation signifies CACI’s commitment to providing compliant, quality assured digital forensics services to support Law Enforcement related industries.
This achievement is particularly significant in light of the Forensic Science Regulator’s Act 2021, which came into effect on 2nd October. The Act introduced a statutory requirement of compliance to the new ‘Code’ for Forensic Science Activities provided to the UK Criminal Justice System. The new ‘Code’ is crucial for ensuring the admissibility of robustness of evidence, and includes the requirement for accreditation to ISO/IEC 17025:2017 for the digital forensic science activities provided by CACI from within their laboratory.
CACI’s Digital Forensics laboratory, situated in Northallerton, North Yorkshire, has been designed to match the capabilities of law enforcement digital forensic laboratories. This enables CACI to integrate seamlessly with their clients, minimising the impact of outsourcing digital forensic investigation services and maximising the benefit for the client. The team behind the laboratory consists of highly skilled professionals with extensive experience in the digital forensics field within Law Enforcement investigations.
Richard Cockerill, Operations Director of CACI’s Digital Forensics Laboratory, expressed his team’s excitement about the accreditation, highlighting their dedication and expertise. He further emphasised CACI’s ability to deliver high-quality digital forensic investigation services to the UK criminal justice system.
“CACI looks forward to expanding its support for both existing and new law enforcement clients. This achievement highlights the dedication and expertise of our digital forensics team. With our robust capabilities and specialist expertise, CACI is well-positioned to deliver high-quality digital forensic investigation services to the UK criminal justice system and related industries. This accreditation from UKAS is a significant milestone in our development and ongoing commitment to excellence.”
Having secured ISO/IEC 17025:2017 accreditation, CACI is now actively expanding its support for both existing and new law enforcement clients.
UKAS Accreditation Details:
ISO/IEC 17025:2017 with compliance to Forensic Science Regulator Code of Practice and ILAC G19:06/2022
Mobile type devices: Acquisition, Processing and Analysis
Computer type devices: Acquisition and Preservation
CACI’s new Digital Forensics Laboratory has successfully passed its initial assessment and been recommended for ISO 17043 by UKAS for its Digital Forensic Proficiency Test schemes. This recent recommendation from UKAS follows closely after CACI’s ISO 17025 recommendation, achieved in September, and coincides with the Forensic Science Regulator’s Statutory Code of Practice, effective since Monday 2nd October.
CACI has been recommended by UKAS for accreditation to the following scope:
ISO/IEC 17043:2023
CACI’s current schemes are as follows;
Mobile-Based Device – Acquisition, Processing and Analysis
Computer-Based devices – Acquisition
Computer- Based Devices – Processing and Analysis
All schemes are tailored to meet the criteria for accredited digital forensics (DF) laboratories operating in law enforcement. Participation rates during proficiency testing cycles have been consistently increasing.
This further evidences CACI’s commitment to supporting UK Law Enforcement with digital forensics and FSR Code compliance. The laboratory, based in Northallerton, was launched on 9th June and has been created to mirror the capabilities of law enforcement digital forensic laboratories, adhering to industry standards and employing the same tools and processes.
It took an 18-month process for the laboratory to be created, but it is now housed with industry-leading individuals with years of expertise across the digital forensics space.
The formation of the team was heavily influenced by the already-established counterpart in the United States, which has been providing exceptional service for the past decade, shown through various accomplishments and significant recognition.
CACI’s DF Laboratory’s Operations Director, Richard Cockerill, had this to say:
“We are thrilled to announce that CACI has received a recommendation from UKAS for ISO 17043 accreditation for our Digital Forensic Proficiency Test schemes. This achievement highlights the dedication and expertise of our digital forensics team. This accreditation significantly strengthens our ability to support Law Enforcement, particularly with the Forensic Science Regulator’s Statutory Code now in effect. With our robust capabilities and specialised expertise, CACI is well-positioned to deliver high-quality digital forensic investigation services to the UK criminal justice system. This recommendation from UKAS marks a significant milestone in our ongoing commitment to excellence within the UK.”
CACI are looking forward to embrace the array of opportunities expected for our digital forensics team following the confirmation of this recommendation. Furthermore, we look forward to the continued progression we’ve seen since the formation of the laboratory.
