Law enforcement agencies of all sizes across the United States have already purchased tens of millions of dollars worth of mobile device forensic tools. The mobile device forensic tools that law enforcement use have three key features. First, the tools empower law enforcement to access and extract vast amounts of information from cellphones. Second, the tools organize extracted data in an easily navigable and digestible format for law enforcement to more efficiently analyze and explore the data. Third, the tools help law enforcement circumvent most security features in order to copy data.

encase forensic v7 crack.84

The records we obtained through our public records requests demonstrate that law enforcement use mobile device forensic tools as an all-purpose investigative tool for a wide array of cases. Law enforcement use these tools to investigate not only cases involving major harm, but also for graffiti, shoplifting, marijuana possession, prostitution, vandalism, car crashes, parole violations, petty theft, public intoxication, and the full gamut of drug-related offenses. Few departments have detailed policies governing how and when officers can use this technology. Most either have boilerplate policies that accomplish little, or have no policies in place at all.

This report proceeds as follows. In Section 2, we describe the precise technical capabilities of mobile device forensic tools. With that technical background, in Section 3, we then trace the widespread proliferation of mobile device forensic tools throughout local law enforcement agencies nationwide. Next, in Section 4, we show how agencies routinely use these tools, even for the most mundane cases. In Section 5, we explain the unconstrained nature of these uses, especially as most agencies have no specific policies in place. Finally, we offer policy recommendations for state and local policymakers in Section 6.

We begin with a basic primer on how mobile device forensic tools (MDFTs) work and explain their capabilities with respect to data extraction, data analysis, and security circumvention. Our technical analysis surfaces three key points:

While security features like device encryption have received significant public attention, MDFTs can circumvent most security features in order to copy data. Challenges to access can often be surmounted, because of the wide range of phones with security vulnerabilities or design flaws. Even in instances where full forensic access is difficult due to security features, mobile device forensic tools can often still extract meaningful data from phones.

To date, most public reporting on law enforcement use of mobile device forensic tools has focused on law enforcement authorities with the most resources, like the Federal Bureau of Investigation, U.S. Immigration and Customs Enforcement, the Drug Enforcement Administration, and Customs and Border Protection, or on state law enforcement agencies. Much less is publicly known about the availability of these tools to the thousands of local law enforcement agencies across the United States. To find out, we filed more than 110 public records requests to law enforcement agencies across the country, and searched a variety of databases on government spending and grantmaking.

Our research indicates that this is not the case. Rather, we found widespread adoption of mobile device forensic tools by law enforcement in all fifty states and the District of Columbia. In all, we documented more than 2,000 agencies across the United States that have purchased a range of products and services offered by mobile device forensic tool vendors. Every American is at risk of having their phone forensically searched by law enforcement.

Almost every kind of law enforcement actor is represented in the data we collected: Local police departments, sheriffs, district attorneys, forensic labs, prisons, housing authorities, public schools, statewide agencies, and more.

Law enforcement use mobile device forensic tools tens of thousands of times, as an all-purpose investigative tool, for an astonishingly broad array of offenses, often without a warrant. And their use is growing.

But here is the story they do tell: Law enforcement use mobile device forensic tools tens of thousands of times, as an all-purpose investigative tool, for an astonishingly broad array of offenses, often without a warrant. And their use is growing.

After law enforcement extracts data from a phone and prepares a forensic report, what happens to the underlying data and how might it be used later? Few policies we received mention any limits on how long extracted data may be retained, or how that data may be used beyond the scope of an immediate investigation.

State and local policymakers should require that mobile device forensic tools used by law enforcement have clear recordkeeping functions, specifically, detailed audit logs and automatic screen recording. This would incentivize MDFT vendors to build this functionality. With such logs, judges and others could better understand the precise steps that law enforcement took when extracting and examining a phone, and public defenders would be better equipped to challenge those steps. Audit logs and screen recordings would document a chronological record of all interactions that law enforcement had with the software, such as how they browsed through the data, any search queries they used, and what data they could have seen.

State and local policymakers should require public reporting and logging for how law enforcement use mobile device forensic tools. These records should be released at least monthly, as this would allow more immediate access to information by advocates, policymakers, and the public seeking to understand the capabilities of their police agency. Agencies should additionally release annual reports on overall department usage.

Little public research has explored the precise technical capabilities of mobile device forensic tools that allow law enforcement to search thousands of phones in a wide range of everyday cases. To the extent there has been a public debate on mobile device forensic tools, it has centered on the rare cases when law enforcement cannot access the contents of a phone, due to encryption.

In order to assess the technical capabilities of current mobile device forensic tools, we reviewed technical manuals, examined software release notes, marketing materials, webinars, and digital forensics blog posts and forums. We also visited the office of one of the few public defenders in the US with these forensic tools (and forensic staff) in-house.

For these particular cities, it is not listed that a law enforcement agency purchased mobile device forensic technology. We believe this is an appropriate and fair inference, nevertheless, given all of our data.

This peer review process is supposed to evaluate and document the following: Whether proper evidence intake procedures were followed (legal authority, chain of custody, and handling of evidence); Whether appropriate forensic acquisition methods were followed (write protection, CMOS date/time captured, sterilization procedures, and validating DDE integrity); Whether appropriate forensic examination procedures were followed; Whether appropriate information was identified in the Digital Forensics Report and CID Case Management Report; Whether dissemination procedures were completed properly; Upon review of post-examination evidence, whether archival procedures were properly followed. See Texas Department of Public Safety, Computer Information Technology & Electronic Crimes (CITEC) Unit Standard Operating Procedures, January 2019, -citec-sop.

Evidence surrounding the use of USB devices is an often sought-after forensic treasure trove, due to its verbosity in the operating system, as well as the Windows Registry. The difficulty comes in attempting to make sense of all this data. When the many, disparate breadcrumbs of usage are pulled together in a coherent assemblage of user activity, the results can be shocking in their clarity.

For anyone who has been doing forensics for any period of time, you will be familiar with the location of USB device artifacts in the registry. We have often started in the USBSTOR key, and then drilled down to identify the USB device. After identifying the device Vendor and Product, we proceed to the subkey of that key, and we see the values as shown in the diagram below.

As an aside, it might come as a surprise to many forensicators that the USBSTOR key does NOT contain all USB devices that have been attached. Run your eyes up the registry path and you will see a key named SCSI.

Kevin J. Ripa is the President and CEO of The Grayson Group of Companies and has been involved in numerous complex cyber-forensic investigations. He can be contacted via his website at www.computerpi.com. 2ff7e9595c