Sponsored Content

How automation shrinks mobile forensics bottlenecks, from extraction to report

Connected workflows help investigators get to actionable evidence faster


An examiner initiates an extraction from a device. Artifacts are processed in parallel and automatically stream into the case file as they are being extracted.

Magnet Forensics

With approximately 90% of crimes today involving digital evidence, the acquisition and processing of mobile devices is often a critical first step toward solving a crime. But while digital evidence can be extremely consequential in a case, getting to it can also be quite a feat. The volume, types and file sizes of digital sources have soared, making it a challenge to extract data from a device with sufficient detail to distinguish clues from clutter.

The problem typically isn’t access to evidence — it’s how long it takes to get to it. For ultimate usefulness, the process should be disciplined and fast — but often isn’t.

Trey Amick, vice president, product and technical marketing at Magnet Forensics, knows firsthand that legacy mobile forensics often involves manual, repetitive steps with long downtimes between stages. As a forensic examiner for a South Carolina-based police department and later for a Fortune 100 bank, his weekends were often interrupted by needing to go back to the office after hours to manually shepherd digital evidence through each step in the acquisition and processing stage.

“If I got a phone call Friday at 2 p.m. and they said this is priority, I would kick it off,” said Amick. “Then I knew I would need to come to the office either Friday night after dinner or Saturday morning just so I could download that full file system image and copy it to my box to be able to start processing. Then, I’d have to come back once again hours later to push it to a portable case or a USB I could share with the detective.”

The segmented traditional workflows and long delays are beginning to change. From the extraction of the first device through final reporting, Magnet Forensics’ integrated platform transforms and automates the workflow to handle today’s data volumes and case demands and help investigative teams move cases forward quickly and efficiently.

“We’re mission-oriented,” said Amick. “Many of us came from law enforcement. We understand the gravity and the importance of these investigations and the need to get actionable information out so that investigators can move their cases along and justice can be served.”

Get to evidence faster

Magnet One Case Stream combines artifact processing with Magnet Graykey, Magnet One and Magnet Review, making it faster and easier to acquire digital evidence into a single case file, analyze it for quick insights and deep-dives, and share it with detectives, prosecutors and other stakeholders, all in an auditable, secure and scalable cloud environment.

The process begins when an examiner initiates an extraction, unlocking directories and files from leading iOS and Android devices. (New models and off-brand devices are being added almost weekly, with notifications automatically sent to agencies requesting support with a mobile device.)

Artifacts — including photos, contacts, chat messages, browser history, call logs, location data, app usage data and file metadata — are processed in parallel and automatically stream into the case file in real time as they are being extracted.

The first evidence is available in as little as two minutes, with no examiner intervention needed and no downtime between workflows. “That’s a big game changer for mobile workflows,” said Amick.

The assembling of all evidence into a single case file enables real-time, automatic collaboration so as soon as the processing is complete, detectives and prosecutors have faster access to priority artifacts through a web-based review experience.

“The paradigm has shifted to where examiners recognize the amount of evidence coming in. They cannot individually support reviewing every piece of evidence with every byte-for-byte detail that’s in there,” said Amick. “Being able to have that real-time collaboration is critical.”

Investigators have access to the totality of evidence so they can quickly bookmark key items and guide deeper forensic analysis in real time. With Magnet One, there are no gaps in the process, shortening time to evidence by up to 41%.

“With Magnet One, you can set it and forget it,” said Amick. “You have all your tools working together and it’s all connected so you can move through the ecosystem of our platform from that first access of a mobile device to the final report very seamlessly.”

Amick shared a case in which the platform surfaced chats between suspects talking about getting rid of bloody clothes and a weapon. The examiners brought up the geolocation and saw the suspects had gone to an area with several dumpsters. Investigators were able to recover the evidence — just in time to save it from a scheduled trash collection later that day. “They were able to find physical evidence still at the scene because they were able to turn that [digital] evidence around faster,” Amick said.

Speed is only part of the equation. As data volumes grow, agencies also need systems that can scale, secure and track evidence without adding overhead.

Scalability and security through the cloud

“We’re never going to have less data that we have to store,” said Amick, “and just having more and more of these servers, you have to think about all the upkeep expenses. With Magnet One, storage just scales as you need it with your cases and makes that information useful.”

Chain of custody

The time and effort an investigator and prosecutor invest in a case can be for naught if there are doubts about the integrity of the evidence or the chain of custody. Magnet One avoids these issues with chain of custody built into case management where every action by every person is tracked. “We’ve got to keep that chain of custody locked down and we can do that much, much easier now with the purpose-built system,” said Amick.

Access via web browser

Once evidence is available, investigators are granted immediate access to their case data through an intuitive, browser-based interface, eliminating bottlenecks, reducing dependency on the lab for basic evidence review and allowing for real-time collaboration. Both teams being able to work the case file simultaneously not only keeps the workflow moving, it frees examiners to do the deep dive analysis while investigators keep moving forward without sacrificing forensic integrity or control.

The fact that any authorized personnel can access the platform via a web browser also means fewer disruptions from detectives and investigators poking their heads into the forensics lab to check on the status of a case.

“I can’t tell you the number of times people just come by my door. ‘Hey, where’s this case? Hey, what about this?’ ‘Cool. Let me look in my Excel document and try and find that,’” said Amick. “Half my day or more was spent just documenting all of this. Now in Magnet One it’s all automatically tracked and they can log in to see that information.”

Real-world benefits

By eliminating unnecessary delays, automating processes and making the case file available to all authorized personnel at any time, investigators can get to investigative intelligence more quickly, examiners can do more deep-dive analysis and a growing case volume can be managed, reducing backlogs and helping ensure justice is served.

For Amick and other examiners, Magnet One Case Stream can also help them experience more of the right kind of downtime forensic examiners and investigators really need at the end of a long shift — time at home with their families, relaxing with friends or simply enjoying a weekend without interruption.

“The automation is the force multiplier — like a little digital examiner that’s in the office and lab when you’re not — clicking the next button, moving the case along so you’re not having to remotely log in to do this or come back to the office just to copy a file,” said Amick. “Being able to expedite and move cases around faster is a quality of life improvement that makes people appreciate the little nuances of this product.”

To learn more, visit Magnet Forensics.

Laura Neitzel is Director of Branded Content at Lexipol, producing articles and resources that examine how technology, policy and leadership are shaping modern public safety.