Modern Evidence Management: Challenges and Solutions

AUSTIN TX — As I write this in October of 2016, a constant of American life is the inescapable media coverage of critical incidents involving law enforcement. The Media, in a free and open society, plays a critical role reporting and providing to the public a degree of transparency about how our government is policing us. We should be cautioned, however, to form our own individual opinions when digesting these events and to avoid being led blindly by a media narrative woven with information that is often, at best, incomplete, and at worst, completely wrong. Its easy to forget that even the best media coverage lacks the context that comes from having all of the information available to investigators.

The most important part of that information is, of course, the evidence. Evidence is and always has been the impartial witness that enables the facts to be known and justice to be served. Evidence collection and processing has evolved over several hundred years of policing into a mature discipline. A critical component of this discipline is “chain of custody”, a process that seeks to ensure the integrity of the evidence from the time of collection to final disposition of the case. Until recently, the traditional processes and technology used for evidence management had been sufficient. Unfortunately that is no longer the case. A disruptive force threatens even the most mature evidentiary processes. This force, in a word: data.

Every day we create 2.5 quintillion bytes of data, and a staggering 90% of the world’s data was created in the last two years. While the digital evidence associated with critical law enforcement incidents represents a tiny percentage of that data, it is undoubtedly one of the most important parts of it. While no data points exist to speak to the amount of digital evidence being created daily, empirical observations are telling. In addition to the video evidence generated by Body Worn Cameras (BWC’s) used by police officers, other sources such as video surveillance systems and the proliferation of video recording by the public are all contributing to an ever growing mountain of digital evidence that must be managed. This huge trove of data combined with public scrutiny of critical incidents is exerting new pressures on both law enforcement administrators and the technology they use to manage it.

Evidence management systems have evolved significantly from the paper systems of the 1960’s and the mainframes of the 70’s that were only tasked with tracking physical evidence. The personal computer revolution at the end of the 80’s finally enabled digital evidence management, even if only in the most rudimentary fashion. Today, the rise of cloud has enabled the creation of a new class of cloud-enabled Digital Evidence Management Software (DEMS) products, purpose built to manage the enormous amounts of data we must maintain with integrity. While its admittedly not a panacea, in today’s world, cloud based DEMS may represent the best method we have for ensuring that all evidence eventually facilitates justice.

—–

This article is a repost of an article originally guest authored for the DoubleHorn blog.

What can I do to help after a disaster? CERT may be for you.

The recent floods that devastated the Central Texas community of Wimberley in May left many asking themselves this question.  Becoming a CERT (Community Emergency Response Team) member will help prepare you and your family for a disaster and provide basic disaster training to assist others in the community.
CERT is coordinated by FEMA but led locally.  As of this writing there are over 2200 CERT teams nationwide.  You must be at least 18 years of age however local coordinators have the discretion to allow under 18 to participate.

I joined Austin CERT in 2011 by attending evening courses over a period of several weeks.  The training was held in the Austin/Travis County EOC which for a technology geek like me was worth the time investment alone.  The training class itself was about 35 strong and a diverse mix of young and old alike.  The training was interesting and engaging even for a seasoned first responder like myself.  For reference the current Austin CERT course description is here.

Working in law enforcement as both police officer and dispacher offered me ample opportunities to help people utterly unprepared, oblivious or even obstinate and hostile.  An informed and educated public is the greatest asset to both the first responder and themselves in time of disasters. Preparation prevents panic.

A photo taken during a 2011 Austin CERT Disaster Training Exercise

Culture Clash – Digital Forensics and Infosec

This week I will be traveling out to Las Vegas to attend the Computer and Enterprise Investigations Conference (CEIC) the largest digital investigations and forensics conference in the world.  A few short years ago this may have seemed an odd destination for a CISO of a cloud service provider but this is precisely why I am excited to attend.  

There is a very interesting convergence taking place that I will be exploring.  This convergence is the integration of digital forensics tools into the mainstream enterprise, but more interestingly the network/cloud.  Forensic tools, techniques and tactics show great promise when used in conjunction with existing security tools to reduce the time from breach to discovery, assist in remediation and ultimately reduce the entire incident response life-cycle.  At least this is the kool-aid that companies like Guidance Software (owns CEIC) and AccessData would have us drink.  This is a developing market segment with software that needs several iterations of development and integration before its full potential can begin to be realized.  

 
Maturation of the software may not be the greatest challenge however.  There is a larger cultural clash to be considered.  Traditional forensics software is heavily rooted in law enforcement investigatory procedures, rules of evidence and other legal benchmarks. This world is largely foreign to the network administrators and other information security experts that are battling on the front lines to protect their organizations from beach.  I have often argued that the best approach to solving many IT/security related problems is with an investigatory mindset.  Think like a detective in other words.  The intersection and integration of digital forensics into the network culture will certainly help bring this transformation over the next few years.  

Digital Forensics Resource List

Good Morning. I’ve published a list of digital forensic resources primarily for those in law enforcement interested in extending their knowledge/skills.  My personal observation being both technologist and cop is that traditional law enforcement investigative knowledge translates well to  incident response and digital forensics in particular especially when combined with aptitude and desire to be constantly learning.
Associations
HTCIA Austin Chapter – http://www.austin-htcia.org/
Open Source/Free Forensic Tools
Commercial Tools
Digital Forensic Certifications
Texas Law Enforcement Forensics Training