Column Police Chief Magazine: 'Digital Forensics as a Service - Not a Silver Bullet, but a Crucial Tool'
How do you nowadays find a ‘digital smoking gun’, if suspects have dozens or sometimes even hundreds of devices, and also use a similar number of social media accounts? How do you make such a huge number of digital traces both easily accessible and searchable for your investigation team? The Netherlands Police and the Netherlands Forensic Institute (NFI) have been working together on this challenge for a long time.
In the process, we are developing ‘Digital Forensics as a Service’ (DFaaS), which, in addition to the Netherlands Police, is now used by virtually all Dutch investigation services. A continuous quest with great successes, but also significant learning opportunities and areas for improvement.
The importance of large-scale digital investigation
In the autumn of 2010, we were faced with a case that underlined the importance of large-scale digital investigation once again. On December 7th of that year, Opsporing Verzocht – a Dutch investigative TV show – published a photo of a boy of about two years old who had appeared in a child abuse case in the United States. The victim was identified during that very broadcast, and that same evening, Robert M. was arrested. He proved to be the chief perpetrator in a horrific case in which 87 very young children had been seriously abused, with photos and videos of them being distributed worldwide via the Internet within child abuse networks. The children were very young, and digital evidence was crucial. Vice detectives had to search through terabytes of photographic and video footage, under huge time pressure. Fortunately, we had an initial version of an experimental search engine at that time. Partly for this reason, we decided to develop this platform further in 2012 under the name ‘Hansken’.
A big-data platform for digital traces
Hansken provides detectives and investigators with easy access to various digital forensic tools. The starting point is that, if detectives can independently examine digital traces much more easily, the digital experts will be able to concentrate mainly on the more complex questions. It was therefore expressly not the intention to find a replacement for existing specialist tools, but rather to combine the results of available tools and make them accessible.
So, how does this work in broad terms if hundreds of devices are seized in an investigation? After the source data have been secured in evidence files, Hansken goes through an advanced extraction process to make all relevant traces accessible to the users. The platform automatically indexes the various traces and places them in one or more categories. Criminal investigators can then search for the various digital traces such as files, instant messages, emails and photos without specialist IT knowledge. In the process, they can search and filter by all kinds of properties, time and location details, file names and key words.
The process helps the detective to extract a clear and manageable set of results from millions of traces. The investigator can also mark relevant traces for further research, add notes and create a report with all the technical and other data. In addition to making case data available to investigators and detectives, you can also make it accessible to lawyers, the Public Prosecution Service and the court.
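To make the broad-terms description above concrete, here is a small, self-contained model of that pipeline: evidence is hashed on intake, records are extracted and placed in a category, indexed by keyword, time and location, and a marked result set is written to a report that a later run can be checked against. This is an added example and not Hansken's code; the evidence blobs, the record shapes inside them, the category rules and the `EXTRACTOR_VERSION` tag are all constructed for illustration.

```python
import hashlib
import json
from datetime import datetime

EXTRACTOR_VERSION = "example-extractor-0.1"  # hypothetical version tag, recorded in every report

# Constructed evidence: each "image" is newline-delimited JSON, standing in for a real
# disk or phone image. The record shapes are invented for this example.
EVIDENCE = {
    "phone-A.img": b"\n".join([
        json.dumps({"kind": "chat", "app": "game-chat", "ts": "2021-03-04T21:15:00Z",
                    "text": "meet at the harbour tomorrow", "lat": 51.44, "lon": 5.47}).encode(),
        json.dumps({"kind": "file", "path": "/DCIM/IMG_0042.jpg", "ts": "2021-03-05T08:02:10Z",
                    "lat": 51.69, "lon": 5.30}).encode(),
    ]),
    "laptop-B.img": b"\n".join([
        json.dumps({"kind": "mail", "subject": "invoice 4471", "ts": "2021-02-11T10:00:00Z",
                    "text": "transfer to the harbour company account"}).encode(),
        json.dumps({"kind": "file", "path": "/Users/b/notes.txt", "ts": "2021-03-01T17:45:00Z",
                    "text": "pedometer export"}).encode(),
    ]),
}

CATEGORY_BY_KIND = {"chat": "instant message", "mail": "email"}

def parse_ts(value):
    """ISO-8601 with a trailing Z -> aware datetime, so traces from different devices compare."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def categorize(record):
    """Place a record in one category; files are split into photos and other files."""
    if record["kind"] == "file":
        return "photo" if record["path"].lower().endswith((".jpg", ".png")) else "file"
    return CATEGORY_BY_KIND.get(record["kind"], "other")

def extract(evidence):
    """Turn raw evidence into indexed traces and hash every source so the run is verifiable."""
    traces, sources = [], {}
    for name, blob in sorted(evidence.items()):          # fixed order keeps ids stable
        sources[name] = hashlib.sha256(blob).hexdigest()
        for i, line in enumerate(blob.split(b"\n")):
            rec = json.loads(line)
            text = " ".join(str(rec.get(k, "")) for k in ("text", "subject", "path"))
            traces.append({
                "id": f"{name}:{i}", "source": name, "category": categorize(rec),
                "ts": parse_ts(rec["ts"]), "lat": rec.get("lat"), "lon": rec.get("lon"),
                "keywords": set(text.lower().replace("/", " ").replace(".", " ").split()),
                "record": rec,
            })
    return traces, sources

def search(traces, category=None, keyword=None, after=None, before=None, bbox=None):
    """Filter by category, keyword, time window (ISO strings) and lat/lon bounding box."""
    lo = parse_ts(after) if after else None
    hi = parse_ts(before) if before else None
    out = []
    for t in traces:
        if category and t["category"] != category:
            continue
        if keyword and keyword.lower() not in t["keywords"]:
            continue
        if lo and t["ts"] < lo or hi and t["ts"] > hi:
            continue
        if bbox:
            lat0, lon0, lat1, lon1 = bbox
            if t["lat"] is None or not (lat0 <= t["lat"] <= lat1 and lon0 <= t["lon"] <= lon1):
                continue
        out.append(t)
    return out

def report(sources, marked, notes):
    """Report carrying source hashes, tool version and a fingerprint of the marked set."""
    ids = sorted(t["id"] for t in marked)
    payload = {"version": EXTRACTOR_VERSION, "ids": ids, "sources": sources}
    fingerprint = hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()
    return {"extractor": EXTRACTOR_VERSION, "sources": sources, "marked": ids,
            "notes": notes, "fingerprint": fingerprint}

if __name__ == "__main__":
    traces, sources = extract(EVIDENCE)
    hits = search(traces, keyword="harbour")
    print(json.dumps(report(sources, hits, {h["id"]: "mentions harbour" for h in hits}), indent=2))
```

The fingerprint ties the marked trace ids to the hashes of the evidence they came from and to the extractor version, so a rerun after a platform change either reproduces the same fingerprint or shows exactly which input (source hash or tool version) moved.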
Successes, but also clear learning points
The platform has now been used for nearly 10 years in over a thousand cases. These often involve dozens, or sometimes even hundreds of devices, many millions of traces and terabytes of raw data. Among other things, the search environment has been successfully used in large-scale bank frauds, money laundering constructions and environmental crimes. The aim is always to find relevant data within the huge quantities of digital material and to correlate them with each other. The platform has also been used to analyse data from crypto-communication servers, resulting in multiple convictions. This involved not only searching the decrypted messages, but also sorting the material from various criminal investigations. Incidentally, the platform is also used for other, noncriminal, investigations. For example, in a major technical investigation following a tragic accident involving a popular means of transport for children (the ‘Stint’), the technical data were also analysed using the platform.
With the use of Hansken, we of course also encounter significant learning opportunities and areas for improvement. The speed and quality of management processes, the development of intuitive user interfaces and the ability to quickly process new types of digital traces are just a few examples. We will now highlight a number of examples.
Better user interfaces and operational processes
It is a persistent misunderstanding that Digital Forensic services will make digital experts a thing of the past, much as modern aircraft no longer require an on-board engineer, for example. In our case, this is not realistic. What we do want to achieve is for our digital experts to be able to focus much more on complex cases, as ‘regular’ detectives will be able to start the digital trace examination themselves in 80% of the investigations.
However, this ambition does not appear to be easy to achieve. Experience has shown that Hansken is still mainly used as a powerful tool for large-scale ‘data-centric’ cases with up to hundreds of devices and terabytes of data. For smaller (partial) cases with a few phones, a laptop and a Facebook account, we now often opt for smaller, specialist tools that make it possible to search these devices quickly. First of all, the ‘pre-production’ of a project within Hansken is relatively labour intensive for such a relatively small investigation. In addition, a more intuitive user interface with graphical and context-dependent support is needed to further lower the threshold for criminal investigators and examiners.
This is important, as the computing power of computer chips doubles every two to three years. For end users, increasingly powerful, smaller and cheaper devices therefore constantly become available with more possibilities and smarter applications. In addition, more and more devices are continuously collecting data, from your car, smart energy meter and refrigerator to your sportswear and doorbell. For us, this means that smaller (partial) investigations will also yield more and more digital search work. In order to keep this manageable, it is important that tactical detectives, in the majority of these investigations, are able to start the digital examination themselves.
Fast and professional ‘forensic-proof’ development
Our Digital Forensics environment was not developed as a closed system. The platform integrates as many existing tools as possible into an accessible digital search environment. Thanks to open interfaces, participating investigation services can also develop and link functionalities (plug-ins) themselves or have this done for them. Examples include user interfaces aimed at specific types of investigations, as well as extraction and reporting tools.
It is also important for us to be able to continuously process new types of digital traces and make them searchable in a smart manner. Speed is a very important element here. New apps and other digital applications are being developed at an increasingly fast pace and often become popular at lightning speed. And as soon as they become popular, the data becomes relevant for investigation purposes. For example, it soon turned out that consulting the popular pedometer can be very useful for checking someone's alibi. And we also discovered that the chat option within popular games is regularly used as a low-profile means of communication.
This presents a major challenge for the forensic field. Fast software development should never come at the expense of forensic quality and safeguards. Nowadays, for example, software is usually developed in an agile process. Long-term ‘waterfall’ projects that only provide new functionality after months of development are a thing of the past. Instead, we constantly work in short sprints that each deliver new and modified features. In popular consumer apps, such as Netflix, you can see this in the sometimes daily modifications to your home screen and the available buttons and functions.
This agile-based development is also essential for our digital investigation in order to keep up with the ‘criminal market’. The challenge here is that principles such as forensic quality, security and privacy must always prevail. The use of Hansken must always be reproducible, and changes to the platform must not interfere with ongoing investigations. This requires a high-quality development and management organisation with short lines to the users.
Not a silver bullet. Definitely a powerful weapon
Fortunately, we are getting help with these challenges. Since 2019, we have broadened the collaboration to investigation services in other countries; universities and knowledge institutes have also joined in. We all work together in the international Hansken Community, which gives us a very important combination of knowledge that we can use to further improve, professionalise and update the platform.
‘Digital Forensics as a Service’ is not a silver bullet. Digital specialists and specialised analysis tools remain absolutely necessary in our investigations. What a DFaaS environment can add, however, is a forensic tool that helps criminal investigators and detectives to start their digital investigations themselves. This way, we are expanding and accelerating the use of digital forensic research, allowing the digital experts to focus on the most important and complex questions. This will allow us to work together to keep digital trace examination manageable!
Bio Toine van Loenhout
Commissioner Toine van Loenhout is Head of the Regional Criminal Investigation Department in the East Brabant unit of the Dutch police. In this role, he represents the police in the development and use of Hansken during the investigation processes of the various teams of the 11 national police units.
Bio Harm van Beek
As senior digital-forensic scientist and court expert at the Netherlands Forensic Institute, Harm cofounded the investigation, innovation and knowledge-sharing platform Hansken, and CASE, the standard for expressing digital evidence. Before joining the NFI, Harm obtained his PhD in formal methods and was cofounder and CTO of software company ISAAC.