Building Stronger Bonds Between OSINT and Digital Forensics


Crime is constantly evolving in today’s digitally interconnected world. The complexity of digital evidence and the volume of data investigators are collecting from myriad data sources are overwhelming police agencies.

According to some estimates, digital evidence is a factor in about 90 percent of criminal cases.[1] Evidence is being retrieved from mobile devices, computers, digital video recorders (DVRs), and Internet of Things (IoT) devices.

Police agencies realize there must be a better way to extract data from devices, process the data, and ensure evidence gets to the right stakeholders and investigators in a timely manner.

Digital forensic investigation and AI-powered open-source intelligence (OSINT) are playing crucial roles in modernizing police investigations. They are helping to save lives and bring criminals to justice by increasing the police’s ability to locate missing persons, find victims of human trafficking, identify criminals in fraud and extortion cases, and identify the sources of illicit drugs, as well as assisting in solving other active or ongoing investigations.

Today, analysts across the OSINT and digital forensic investigation fields are siloed. In fact, the two functions do not work together in many police agencies. That must change.

Data Extraction from a Digital Forensics Perspective

To effectively recover, analyze, and report on digital evidence, agencies need to adopt a toolbox approach that can validate results. The truth is in the data. Being able to validate what a victim, witness, or suspect says happened and having the evidence that supports those statements are critical.

Digital evidence must be delivered to investigators in a timely manner, giving them the actionable intelligence needed to follow new leads. Agencies that are adopting the latest digital forensic approaches are receiving actionable insights within 24 to 36 hours of a serious crime. Historically, evidence has been on a desktop computer, and analysts used a desktop forensics solution to retrieve and review evidence. Now, with capabilities such as automation and orchestration, examiners can automatically collect, process, analyze, and share digital forensic evidence.[2]

Data Extraction from an OSINT Perspective

OSINT, on the other hand, provides seamless search and analysis of publicly available sources (the open, deep, and dark web) as well as integrated data sources, allowing the police to generate actionable insights. OSINT is a multifactor methodology for collecting, analyzing, and making decisions about data accessible in publicly available sources, to be used in an intelligence context.

The internet is loaded with information—some real, some not so real. The information is not always verified or vetted. A name search could return multiple results, but it might not be the person an investigator is looking for. An OSINT analyst looks for unique identifiers.

Some people might think a phone number is a unique identifier, but phone numbers can be changed. An email is a more consistent unique identifier. Email stays with a person forever. People still have old email accounts that they have not used in years, but nobody else is using them either. Unique identifiers are important because they link back to the forensics, typically information downloaded from a phone or device during an investigation. These include phone numbers, contact names, nicknames, or a suspect’s “street name.” Sometimes those pieces of information corroborate each other and help investigators identify a target or suspect.

All of this information must be verified. That is the function of OSINT. In some cases, an investigator or analyst searches the web and thinks they are on the right track. However, there are so many digital breadcrumbs on the web, and as analysts collect information from open-source platforms, they must make sure they are collecting the right information. One wrong move in the investigation can derail the case in court.

How can analysts conduct an OSINT investigation and avoid pitfalls that could hamper the development of a case? Here are some steps to consider:

    • Create a research account online.
    • Never go on the offensive. Do not engage with the target. Use institutional language so you are not identified.
    • Perform a peer review of the information. Analysts and investigators are human, and they can have inherent biases that impact the way they perceive and analyze the information. Having other analysts or investigators review everything related to the case is important.
    • Include as many unique identifiers as possible. Emails, names, and phone numbers can lead to online accounts, photos, and video posts that can help identify suspects, as well as information about their phone. An investigator then can perform social engineering on a target based on visual and institutional knowledge.

OSINT and Digital Intelligence: A Synergistic Relationship

Police analysts can start investigations anywhere when web intelligence and forensics come together. OSINT is a great way to start an investigation if there is no physical evidence. For instance, if the analyst has a name associated with a suspect’s street name, they can search through databases and online accounts to find friends and other connections or photos that typically have information about the phone used to take the picture.

The police can store and maintain digital forensics information for up to five years, according to U.S. federal law. After that time, they must purge it or prove that there is still a need for that information. Investigators can go back and find old phone numbers, suspects’ street names, and emails out of forensic evidence associated with a target and start to work off that information.

Having that forensic repository is vital for OSINT investigations because a lot of the information they are looking for is already stored, retrieved from a mobile device or computer. Everybody’s life is in their smartphones today. Financial accounts, contacts, photos, and associations with people are all there. Investigators can find patterns of life and locations to reconstruct an individual’s whereabouts.

An OSINT analyst can export hundreds of phone numbers into a batch file, such as a spreadsheet. In a few hours, every single one of those numbers will have been searched on the web. Automating these processes is especially important.
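As an added example (not from the article, and not code from Magnet Forensics or PenLink), the script below builds such a batch file from two constructed forensic contact exports: it normalizes phone numbers and email addresses so the same identifier stored in different formats on two devices is treated as one record, drops partial numbers that are not unique enough to search on, and flags identifiers that corroborate across sources, which is the linkage between forensics and OSINT the article describes. The source labels, column names, and US-style numbering are assumptions made for the sample.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample data standing in for contact lists pulled from two
# seized handsets. Names, numbers and addresses are fictitious.
EXTRACT_A = """name,identifier
Big Mike,(860) 555-0142
J,jdoe1987@example.com
Tee,+1 860-555-0199
"""
EXTRACT_B = """name,identifier
Mike,8605550142
JD,JDoe1987@Example.com
Unknown,555-0199
"""

def normalize(raw):
    """Return ('email', value) or ('phone', value) in canonical form, or None."""
    raw = raw.strip()
    if "@" in raw:
        # Mail providers treat addresses case-insensitively in practice,
        # so lowercase the whole address for matching purposes.
        return ("email", raw.lower())
    digits = re.sub(r"[^\d]", "", raw)        # strip spaces, dashes, parentheses, '+'
    if len(digits) == 10:                      # assumption: 10 digits means US national format
        digits = "1" + digits
    if len(digits) != 11 or not digits.startswith("1"):
        return None                            # partial number: not unique enough to search on
    return ("phone", "+" + digits)             # E.164-style string

def build_batch(*extracts):
    """Merge (label, csv_text) extracts into one deduplicated identifier table."""
    seen = defaultdict(set)                    # (kind, value) -> set of source labels
    for label, text in extracts:
        for row in csv.DictReader(io.StringIO(text)):
            key = normalize(row["identifier"])
            if key:
                seen[key].add(label)
    # corroborated == True when the same identifier appears in more than one extract
    return sorted((kind, value, sorted(srcs), len(srcs) > 1)
                  for (kind, value), srcs in seen.items())

def to_csv(rows):
    """Render the batch file an OSINT search tool would ingest."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["kind", "identifier", "sources", "corroborated"])
    for kind, value, srcs, corroborated in rows:
        writer.writerow([kind, value, ";".join(srcs), "yes" if corroborated else "no"])
    return out.getvalue()
```

Calling `to_csv(build_batch(("handset_A", EXTRACT_A), ("handset_B", EXTRACT_B)))` yields three rows: the email and the 555-0142 number are marked corroborated, the 555-0199 number appears only from handset A, and the seven-digit fragment is dropped.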

Investigators must be aware that they still need probable cause and a search warrant to download phone information. The police cannot violate the Fourth Amendment, which protects people from unreasonable searches and seizures by the government. However, devices and information in plain view—discarded or abandoned devices or information available publicly online—are permitted to be searched.

Better Together

The digital landscape is a vast and complex terrain. Digital forensic investigators and OSINT analysts working together can amplify investigations, helping to save lives and provide leads to close cases faster. These powerful technologies can increase the ability to locate missing persons, find victims of human trafficking, identify criminals in fraud and extortion cases, stop the distribution of illicit drugs, as well as assist in solving violent crimes. At the same time, both OSINT analysts and digital forensic investigators need to be cross-trained, so they know the right questions to ask as they extract information and ensure that investigations are thorough and accurate in today’s digitally connected world.

Learn more about how Magnet Forensics and PenLink are empowering agencies to accelerate their digital forensic investigations.

Johnmichael O’Hare is a former commander of the Vice, Intelligence, and Narcotics Division for the Hartford, Connecticut, Police Department. Prior to that he was the project developer for the City of Hartford’s Capital City Command Center (C4), a real-time crime center (RTCC) that reaches throughout Hartford County and beyond. As project developer, he made sure all the intelligence analysts were forensically certified. A highly decorated former gang intelligence officer, O’Hare has transitioned into utilizing his experiences to provide superior technological support to law enforcement officers on the streets as director of business development at PenLink.
Trey Amick, MCFE, is the director of technical marketing at Magnet Forensics. He is a forensics investigator with a background in both law enforcement and corporate investigations. As a detective with the Rock Hill Police Department in South Carolina, he was sworn as a Special Deputy U.S. Marshal and supported the U.S. Secret Service Electronic Crimes Task Force. Most recently, as a corporate investigator, Amick managed the Enterprise Cyber Education and Awareness Team at Capital One, where he also served as part of the Cyber Technical Investigations Team.

Notes:

[1] Christa M. Miller, “A Survey of Prosecutors and Investigators Using Digital Evidence: A Starting Point,” Forensic Science International: Synergy 6 (2023): 100296.

[2] Magnet Forensics, “Best Practices for Digital Forensics Workflow Orchestration & Automation.”