How West Midlands has moved digital forensics to the cloud

West Midlands has begun moving teams over to a cloud-based digital forensics platform and it is already helping with the disclosure workload.

Three weeks ago, West Midlands deployed a cloud-based digital forensics platform built by Exterro and hosted in Microsoft Azure.

DS John Price, who oversees the digital forensic side of the reporting team and the digital crime scene attendants, explained: “What we’ve found with policing and the cloud is that there’s no playbook to refer to.

“Investigators have basically designed what they want to see [in the platform] and how they want to see those workflows and processes.

“As we've gone along, we've had to take a couple of steps, pause, just do a bit of a sanity check to make sure what we're doing is right, ethical, legal, etc, and that it's going to work, then once we've passed that we've then taken on the next steps.” 

DS Price explained that before the system was in place, jobs designated as not urgent could wait between four and six months before being reviewed by a report writer.

“[The reporter would] spend a bit of time reviewing that data, then they may have to create a disk. But if they created a disk, for example, using a particular forensic tool, and we've had to acquire some data in a separate forensic tool, we would be creating two different types of datasets. 

“Those datasets aren’t indexable together, so they're treated as single entities [...] for example if we used Cellebrite for mobile phones, but then another forensic tool for computer.

“At the moment with the existing tools, there’s no way of cross-indexing all those hits. 

“It takes hours to burn some of those disks [...] technology wise, you’re talking 50 gigabytes worth of data [as a maximum on the disks], but when we get a device in cases where there’s two or three terabytes - that’s a lot of disks that potentially we will be burning. 

“Then it's the time of actual officers in a force our size, being able to come over and pick up those disks, then to go back to find hardware where the disks would work and which also had that forensic software installed.”

The new platform is a web-based review platform, meaning it runs in a browser and officers can reach it from different devices using a URL and their credentials.

As long as officers are using an official WMP device within the West Midlands Policing area, they can access their cases anywhere. 

It centralises access and processes data quickly. Digital forensic investigators and officers on the ground can work on evidential data simultaneously without the need to be physically in the Digital Forensics Units (DFU). 

The data can be viewed almost immediately once processing has begun; there is no need to wait for the case to be fully processed, which DS Price said is particularly useful when dealing with custody time limits.

The system also includes processes that allow data to be exported, with DS Price giving the example of linking to the Child Abuse Imagery Database, or running image identification through locally held databases.

There is also an Explicit Image Detection feature which can shield officers from unnecessary exposure to graphic material during forensic review. 

“What's really good about the FTK platform is disclosure”, he said. 

“Everywhere [officers] go on that platform there's a breadcrumb, a complete trail. 

“For disclosure purposes, within digital it's an absolute nightmare. If you're using another tool, would you manually write down on a piece of paper, you've viewed that file? Whereas what this system does with any file you click on at the end of the case [...] it will do an export that you can provide then with your disclosure schedules CPS to say, this is what we've viewed, this is what we haven’t viewed.” 

In terms of transferring historic data over for the teams who have begun using the platform, DS Price said that thanks to the Microsoft technologies, it was as simple as “drag and drop”. 

The system is also scalable, with DS Price saying that if extra licences were needed, they could be added quickly, whereas buying new forensic workstations takes a minimum of six weeks.

While this system has got a “part to play”, DS Price said there are other areas that need to be considered when dealing with the quantity of digital forensic data.

He said: “I think part of the problem is the understanding around when we seize exhibits, do we need to seize anything? Do we need to acquire everything? And also, when we are lawfully in possession of an exhibit - do we have to download absolutely everything? 

“It's great to have a review platform. And it's really a key part of the puzzle. But we need to think about the front end around when we're getting this data, do we need to capture absolutely everything? And is it lawful and ethical to give absolutely everything.”

Also this week, the force has been working with another cloud provider on password decryption, with a tool that can deliver decryption for around 433 billion passwords per second. 

DS Price summed it up, saying: “Do we keep building more storage here and spending loads of money putting more servers in, then you need more power, you then need more air conditioning, you're then taking my team away from their day jobs to look after the security of these servers.

“It comes to a tipping point when you think right, business wise, we can't keep building server rooms, because storage sizes are exponential and we can't keep releasing highly skilled Digital Forensics officers to look after this data.” 
