Chapter 7: What specialist resources are available to investigators?
Real lives, real crimes: A study of digital crime and policing
Chapter 7. What specialist resources are available to investigators?
7.1. There are very few criminal offences committed in the 21st century where some digital evidence does not exist. The need to retain digital evidence needs to be understood by every police officer in England and Wales, and the ability to identify and recover it needs to be a basic skill that all investigators possess.
7.2. Beyond that, we have sought to understand what specialist support is available to officers in the investigation of digital crime. This support can take the form of technical equipment, trained officers who are able to provide advice and guidance, and specialist investigative capability.
Are investigators able to access digital evidence quickly?
7.3. Each force that we visited during the course of our study had specialist digital forensic capabilities. The size and remit of these units varied, however. Their primary function was to undertake the forensic examination of seized digital devices for evidential purposes. The types of devices examined by these specialist units included computer hard drive units, laptops, tablets, gaming devices, satellite navigational devices and mobile telephones.
7.4. In some instances, the demand placed on these units has outstripped their capacity. This has resulted in significant backlogs. This issue has been the subject of comment in previous HMIC inspections relating to child protection, the most recent of these being Online and on the edge: Real risks in a virtual world – An inspection into how forces deal with the online sexual exploitation of children. While we recognise that this issue is of particular importance within the child protection arena it is also equally relevant to all other areas of police investigation.
7.5. During our study, the most common complaints that we heard from police officers and staff related to the length of time that it takes for digital devices to be examined.
7.6. This has had an impact on the willingness of victims to co-operate because, often, their entire social life is organised through their digital devices. To be deprived of them for a significant period of time is not something that they are prepared to accept. A response officer stated that:
“[v]ictims are now reluctant to hand over expensive devices because of the delays.”
7.7. In order to reduce this backlog, some forces have resorted to the outsourcing of the examination of devices to private companies. In one force, we found that over £180,000 had been spent in one year on outsourcing examinations. Despite this, the force still had a nine month backlog of exhibits awaiting examination. One senior officer responsible for digital forensic capability told us:
“[w]e cannot afford backlogs and we cannot afford to outsource.”
7.8. Other forces have responded to this challenge by providing triage equipment located within police stations. This provides frontline officers with the technology to perform basic analysis of telephone handsets or, as was the case in one particular force, computer hard drives.
7.9. The triage process allows investigators to determine which devices to seize at a crime scene to prioritise the sequence in which to examine devices, and quickly to extract information which might progress an investigation.
7.10. Those frontline staff with whom we spoke during our study were positive about the triage process. They provided evidence of how it had benefited investigations, and we were told that it had resulted in a reduction in the demand placed on the forensic digital capability of those forces.
7.11. On that basis, we hoped to find data that provided a strong argument in favour of the use of triage equipment by frontline investigators. Unfortunately, the collection and analysis of such information are not widespread.
7.12. However, others indicated that they were not persuaded by the use of triage equipment. On a number of occasions, we were told that its use presented “too great a risk” and that officers “might miss something” by using it. One digital forensic manager told us that he was “not a fan of [triage equipment].” However, this opinion was apparently based on intuition, as he also admitted that he had not conducted any research in arriving at his conclusions.
7.13. Whatever the merits of the triage approach, it appears often to be the case that, where it is not adopted, decisions have been made without any reference to empirical evidence. Instead, the judgment is left to middle-ranking managers who are able to influence force policy, sometimes on the flimsiest of evidence.
7.14. During our fieldwork, we found only one force that was using triage equipment in the analysis of computers. This was within a public protection unit where staff used the equipment to identify indecent images which were stored on computers while the suspect was held in custody.
7.15. The decision to use triage equipment had been made after an analysis of the following: the demand within the public protection unit for digital forensic examination; the capacity of the forces digital forensic unit; and an assessment of the risk presented to the public by the release of a suspect from custody without charge while digital forensic examinations took placed. We were informed that the there had not been any negative consequences as a result of the decision to use triage technology.
7.16. The Home Office Centre for Applied Science and Technology, also known as CAST, houses a team of scientists and engineers working within the Home Office. They provide expert advice and support to police forces. CAST has reviewed a wide range of triage devices by testing them within operational scenarios. The results are available to all forces, and their findings should enable operational staff to make an informed decision on the purchase and use of triage tools.
7.17. We recognise that the use of triage equipment is a decision for individual forces to take. However, its use to gather intelligence and evidence in a very timely manner serves to accelerate investigations and so ensure speedier justice for victims. In addition, it reduces the risk of backlogs, caused by an imbalance between demand and resources in the more established digital forensic arena.
7.18. Having hundreds of computers in a backlog awaiting full examination does not support the victim and undoubtedly does not do anything to prevent further crime.
How do digital media investigators assist forces?
7.19. Frontline staff are often left frustrated by their inability to deal with digital investigations. The provision of digital media investigators is one potential means of addressing this frustration. The main function of the role is to advise on the development of an effective technology and data strategy for any investigation or policing operation.
7.20. The number of digital media investigators in each force and how they are deployed is ultimately a decision for the chief constable. They were initially intended to be part of major investigation or serious organised crime investigation teams. However, forces may deploy digital media investigators at a local level to support local investigation teams on volume crime.
7.21. Those undertaking the role are required to have extensive knowledge of communication data technology and successfully to have completed the College of Policing’s digital media investigators course which is currently one of three training courses available for those involved in digital crime investigations (see paragraphs 5.9 to 5.16.) We have commented on the potential difficulties which forces face with regard to the continuing funding of the digital media investigators course in paragraphs 5.29 to 5.31.
7.22. We found that forces had used digital media investigators in a number of different ways. In all but one force, the introduction of digital media investigators was still very much in the planning stage. The different models included:
- a centrally based, stand-alone unit of digital media investigators, with an additional out-of-hours capability;
- digital media investigators embedded within basic command units; and
- virtual teams of digital media investigators, comprising officers who have been appropriately trained, and who are available to provide advice and guidance as required, but who are deployed in other full-time posts.
7.23. Due to the relative newness of the digital media investigator role, we are unable to comment on the effectiveness of any specific operating model. However, we are sure that the function of the digital media investigator is an important one and that forces need fully to understand the potential demand on those who will perform the role, when deciding how best to use them.
What regional capability exists to deal with digital crime?
7.24. In paragraph 1.11, we explained the component elements of what we have referred to as digital crime. Given the scope of digital crime and the breadth of the challenge presented by it, an effective response requires resources at a local, regional, national and international level.
7.25. The way in which digital crime is handled at the international and national levels stands outside the scope of our study. These levels of crime are overseen by the national cyber-crime unit which is part of the National Crime Agency. We have set out earlier the capability of local forces to deal with digital crime and, to complete the picture, we have considered the capability of forces to do so at a regional level.
7.26. Working in partnership with the national cyber-crime unit are the regional cyber-crime units. These are based within each of the nine regional organised crime units. The regional cyber-crime units provide an investigative capability for crimes that would generally fall within the cyber-enabled or cyber-dependent definitions which we explained in paragraph 1.11. In addition, they undertake a co-ordinating function, which, through regional meetings, enables them to provide updates on emerging national trends.
7.27. The development of the regional cyber-crime units is a very positive step toward combating cyber-enabled and cyber-dependent crimes. We found the relationship between the national cyber-crime unit, regional units and forces was good, with both the national and regional units providing effective support.
7.28. However, we found that, often, investigations were referred to the regional cyber-crime unit on a case-by-case basis, with little evidence of the application of referral criteria. Few to whom we spoke, including senior officers, were aware of any such criteria or, if they were, they recognised that they were inconsistently applied.
7.29. Because the regional units, at this time, still have some available capacity we found them willing to take on most of the cyber-related crimes referred to them.
7.30. However, we foresee that demand will very quickly outstrip the capacity of the regional units and it is therefore essential that an effective tasking and co-ordinating process is established. Without this, the regional units will soon be overwhelmed and important investigations might not be properly prioritised as they should be.
7.31. This will result in the responsibility for a significant proportion of complex digital investigations being returned to local investigators.
7.32. It is important that forces recognise this now, and ensure that they have access to sufficient capacity and capability, either independently or in collaboration, in order to avoid becoming over-reliant on the regional cyber-crime capability.
7.33. Each chief constable needs to make sure that his or her force has the capability: to examine digital devices in the most appropriate, effective and speedy way possible; and to provide sufficient local capability to deal effectively with digital crime.