Dell Transforms How Police Analyse Digital Evidence With Digital Forensics Solution
- Many crimes now leave behind digital evidence. Forensic experts are under pressure to quickly analyse a growing volume of digital devices to help secure arrests and convictions
- There is a backlog of digital evidence as law enforcement agencies struggle to analyse evidence quickly. For example, UK police constabularies have an average backlog of 18-24 months¹
- The Dell Digital Forensics solution helps police forces and security agencies secure convictions. The Dell solution helps safeguard against evidence contamination and preserve an audit trail of all evidence handling, called the “digital chain of custody”, which, if incomplete, could otherwise lead to a conviction failing on a technicality
Today an ever-increasing number of crimes leave digital evidence somewhere. From PCs to gaming consoles and mobile phones, police and security forces are being pushed to the limit to securely clone (image), ingest, index, analyse and archive huge amounts of data from a wide range of digital devices. Today, at the ACPO-APA International Policing Exhibition and Summer Conference, and in a blog post from Josh Claman, Vice President of Public Sector EMEA, Dell unveiled its Digital Forensics solution to meet these challenges. The solution is a suite of hardware, storage and software services designed to simplify the process of handling seized data, dramatically increasing the productivity of digital forensics experts and ultimately improving conviction rates.
Working with support from AccessData, EMC, Intel, Oracle, Symantec, VEGA and others, Dell has developed a new datacentre approach to digital forensics that simplifies the entire process, improves the efficiency of sharing and administering data across analyst teams, and supports strict evidence handling guidelines.
Forensic issues specialist, Tom Magner, said: “Phones, computers and other electronic devices are an inseparable part of criminal life as much as anyone else’s. This means the need for ‘digital’ forensic analysis has grown tremendously as investigators strive to ensure all evidence relevant to a case is collected. Searching this data is like looking for a needle in a haystack - speed and accuracy while maintaining evidential rigour, is key to ensuring the Courts have all they need to make a fair, informed and timely decision.”
Currently, once data on a seized device is cloned, it is “ingested” onto one or more workstations before being indexed, triaged and analysed, which can take days or weeks. Whilst data can be shared across file servers, it is rare that multiple analysts can work on an image simultaneously. Because of the volume of data it is almost impossible to work on data from a remote location or share it across borders and multi-governmental agencies without physically transferring it.
With Dell’s Digital Forensics Solution, the cloning, ingesting, indexing and analysis all happen in the datacentre on high performance servers, rather than individual workstations, greatly improving availability, productivity and time to analysis – a critical factor when trying to secure convictions. Multiple devices can be ingested simultaneously and prepared for analysis with ease – a great advantage in cases where a number of devices have been seized.
The new solution runs forensic tools as secure ring-fenced sessions on analyst workstations, protecting them from the effects of malicious code. In the past, the execution of such code could result in the workstation needing to be rebuilt, bringing analysis to a halt, and possibly damaging the chain of custody, with serious consequences for a case. Multiple analysts can work on the same cloned data, through a common interface that gives access to the specialist forensics tools.
Closed cases are archived within the datacentre, where historically they might be burnt to DVD and stored with other physical evidence. The datacentre approach helps ensure the integrity of digital evidence if a case needs to be re-examined at a later date, and helps safeguard against failure of or damage to storage media, which would result in the loss of evidence.
Dell’s Digital Forensic Solution Lifecycle:
- Ingest: instead of ingesting data onto a single workstation, it is ingested onto a central evidence repository, increasing availability of that data to multiple analysts - thus improving productivity and efficiency.
- Store: storing data directly to the data centre takes away the worry of finding enough hard disk space on PCs, and minimises the amount of time needed to copy large data sets from one device to another.
- Analyse: centrally stored data can be indexed and triaged within the data centre, rather than using dedicated analyst PCs. This way, multiple analyst sessions can be run concurrently on single or multiple workstations. Each application instance is run in an independent session that helps protect the rest of the system from malicious code and viruses, helping to preserve system integrity.
- Present: Once a potential area of interest is found, viewing teams of police officers can be granted real time, secure access. The formalised nature of this infrastructure also allows for easier secure remote access to qualified experts. No need to be onsite at the lab anymore, or risk posting evidence on a DVD.
- Archive & Search: Integrating a formalised backup, recovery and archiving infrastructure helps to optimise co-operation between agencies, forces and across borders. Consistency is provided between labs, which helps minimise the risks to data integrity and confidentiality. Additionally, there is an optional search component that allows for information correlation between data sets. This allows analysts to perform internet-like searches on the entire case data store, including active online content as well as offline archived material from previous cases.
Quotes
Josh Claman, Vice President of Public Sector, EMEA, Dell, said: “Law enforcement agencies across the world have told us about the enormous challenges they face in analysing huge volumes of data on seized digital devices. It’s a far cry from the forensics labs we see in television dramas, where evidence is cracked within hours. We’ve taken our experience in servers, the cloud and high performance computing, and created a solution which we believe will transform the way digital evidence is processed, leading to quicker forensic analysis and criminal convictions.”
"Investigations often stall while critical evidence lies in a long queue waiting to be processed and analysed by digital forensic examiners. AccessData has engineered Forensic Toolkit (FTK) to scale massively and fully utilise the processing resources available to reduce the time it takes to prepare evidence for review. We are very pleased to be working with Dell and its partners to deliver a whole solution that addresses the needs of modern digital forensics examiners."
Brian H Karney, COO, AccessData Corporation
“The handling and analysis of digital forensic evidence must be managed with speed, precision and perfect security if it is to stand up to scrutiny in a court-of-law. EMC is proud that our CLARiiON CX4 technology forms a core part of the Digital Forensics solution from Dell, underpinning the high transactional rate needed by advanced digital forensics solutions to process and analyse target data. This solution will enable police and security services to help ensure that critical data is appropriately handled, and will provide real security for the preservation of digital evidence – far beyond the current practice of backing-up to DVD.”
Chris Gould, Director Partners & SIs, UK & Ireland, EMC
"Symantec provides information assurance advisory services and infrastructure solutions for the criminal justice system. We helped to create the concept of an operational forensics archiving platform which enables the rapid ingestion of forensic images into a single and searchable archive. The solution can assist in both ensuring chain of custody and the protection of forensics data by exploiting Symantec's Enterprise Vault and Netbackup technologies, which are widely used across UK police forces. Symantec has worked extensively with Dell and other partners to develop this capability into an end-to-end digital forensics infrastructure.”
Louis Brooks, Head of Criminal Justice, Symantec UK
“Data proliferation combined with increasing complexity and capacity of storage technologies, means data analysis becomes increasingly compute-intensive. This Digital Forensics solution incorporating Dell PowerEdge servers that are based on Intel’s new Xeon 5500 series processors, provides an outstanding level of performance that dramatically decreases the amount of time needed to index and search suspect digital evidence. The efficiencies gained from combining great processing capability with an appropriately designed implementation should be considerable.”
Graham Palmer, Managing Director, UK & Ireland, Intel Corporation
“We are excited to be working alongside Dell in an effort to improve the efficiency and capability of the UK’s law enforcement agencies. VEGA has a proven track record of devising secure systems for some of the most sensitive areas of UK Government and its armed forces. This experience has enabled us to help Dell create a digital forensics solution that complies with HMG Manual of Protective Security, as well as JSP440. Furthermore VEGA has ensured that the security measures encoded in the solution do not interfere with the system performance or user operations.”
Paul MacGregor, General Manager, VEGA
About Dell
Dell Inc. (NASDAQ: DELL) listens to customers and delivers innovative technology and services they trust and value.
¹ Data given by the Metropolitan Police Central e-Crime Unit at Infosecurity Europe, April 2009.