Digital Forensic Investigative Tools: Enhancing "At-the-Scene" Digital Analysis Capabilities of First Responders

Crimes committed over the Internet, such as fraud and harassment delivered through instant messages, e-mail or social media, are all too common in this digital age and greatly increase the amount of digital evidence to be analyzed. By improving the efficiency and effectiveness of digital evidence collection and analysis at the scene of the crime, first responders can help reduce the backlog of digital evidence in forensics laboratories.

A new tool, the Cyberinvestigation Law Enforcement Wizard (CLEW), enhances the capability of law enforcement to gather and analyze digital evidence in such cases. It is an application that can be downloaded to a portable USB thumb drive and uploaded to computers at crime scenes. Because the tool's primary users are not computer experts, its interface provides easy-to-follow steps for gathering digital evidence. The program also has triage capabilities to help law enforcement personnel determine the next step in the investigation, providing different options for collecting and analyzing digital evidence.

Developers of CLEW are focused on developing the following functions, among others:

  • Perform live forensics at crime scenes prior to shutting down computers and support onsite evidence collection.
  • Support investigations in handling the most common e-mail, instant messaging and social networking issues.
  • Capture volatile data that would normally be lost after powering off a device.
  • Easily upload evidence so that data can be captured for later, more detailed analysis.
  • Create a concise summary of the evidence, suggesting possible correlations.
  • Analyze online social networking information as well as virtual world online applications such as Second Life.

CLEW has already received positive feedback from law enforcement personnel. The program will be available after the testing period, and developers are working with the FBI to explore possible distribution options.

The development of CLEW has been a collaborative process between NIJ, the National Center for Supercomputing Applications at the University of Illinois at Urbana-Champaign, the FBI and local law enforcement agencies.

The private sector is also committed to improving law enforcement digital analysis. CLEW will be compatible with the Computer Online Forensic Evidence Extractor (COFEE), a Microsoft tool that extracts data from a Windows operating system prior to shut-down. The compatibility between these two programs is essential, given that the majority of cases involve Windows systems.

Date Created: November 5, 2010