In recent years, as computers and mobile phones have become ubiquitous, the analysis of digital evidence has become necessary in the majority of legal cases. Even where a computer or phone is unlikely to have been used directly in the commission of a crime, communications records on such devices may still reveal vital evidence as to motive or guilt.
Computer forensics, also known as digital forensics, involves the analysis of computers and other electronic devices in order to produce legal evidence. Such investigations are typically long and complex, so as the average forensic caseload grows, so too does the need for an effective method to manage the dissemination of information between the many authorised personnel involved in an investigation.
With forensic experts and police high tech crime unit personnel each performing different functions simultaneously as part of an investigation, the sheer weight of update requests sent back and forth can place a drag on the investigation. For this reason, a central location where up-to-the-minute information about a case can be gleaned is becoming essential.
With time being a factor in almost all investigations, it is simply not viable to allow a single member of personnel to become a bottleneck. Therefore, it is practical for such management to be carried out electronically through a central database, giving authorised personnel the ability to track a case’s progress without the need to inundate the Officer in Charge or the Forensic Investigator with update requests. Similarly, the use of such a system means that the disruption caused by a staff absence can be avoided, since any required information should be entirely up-to-date and stored centrally.
In addition, if such a system includes the ability to schedule analyses, then police investigators will be able to pass back requests to prioritise particular cases or devices to ensure that findings are returned as they are needed. Where cost is a factor, such a system also helps to ensure that unnecessary analyses are not carried out.
All forensic findings must also be presented in a format that is easily understood by the potentially wide variety of parties involved in an investigation, some of whom may be significantly less well-versed in the nature of a computer forensic investigation than others. As such, a central management system with set tools for reporting findings ensures that all findings are presented in a consistent manner that is interpretable to all personnel.
For any computer forensic evidence to be admissible in court, the forensic analyst must follow set procedures for the handling of computer-based evidence as prescribed by the Association of Chief Police Officers. This means that the entire investigation must be fully auditable, with no movements left unaccounted for in the records. As such, the use of a central system to manage case progress and track resource locations is one way to ensure that evidence is not lost, contaminated or rendered inadmissible.
While most police units and computer forensic investigators have systems in place that perform some of the functions described above, a broadly used system has yet to be implemented. As computer forensic caseloads continue to grow, it seems likely that the police and computer forensic investigators will look increasingly towards a method to centralise and share data that is consistent across the UK.