The world of intelligence gathering has evolved dramatically. While infiltrating clandestine meetings in darkened rooms still has its place, today, a wealth of information resides online waiting to be unearthed and analysed. This blog post explores how investigators can leverage Clear and Dark Web data holistically together to gain critical insights and solve complex cases. 

A Familiar Landscape: Clear Web Investigations 

The Clear Web, the internet known to most that’s neatly indexed by standard search engines, is a treasure trove of publicly available, readily accessible information. Easy for investigators to search through, the Clear Web is a great starting point for building a comprehensive picture of a subject or situation for several critical intelligence investigation use cases: 

• Open Source Intelligence (OSINT) collects and analyses information from search engines, social media platforms, news sites, public records, and company websites to identify assets and connections between individuals, track movements, and establish timelines. 
• Social Media Analysis unlocks goldmines of personal information using social profiles, posts, photos, and connections to understand subjects’ interests, relationships, activities, and sentiment and help identify potential threats, track individuals, and understand group dynamics. 
• Media Monitoring helps track public sentiment and potential threats by looking at news articles, blog posts, and forum discussions to provide context and insights into events, individuals, organisations and cultural trends.  
• Background Checks to verify identities, uncover criminal histories, and identify financial connections using public records such as court records, property records, and business registrations for risk assessment and due diligence. 

The Deep and Dark Web: the hidden depths of the Internet 

This Clear Web, however, represents a tiny fraction of the Internet’s information. Over 95% of this content resides below the surface of the Clear Web, in what’s known as the Deep Web. At its most basic, anything behind a subscription, encryption or password, counts within this.  

For investigators needing deeper insights for more complex investigations, a sub-section of the Deep Web, the Dark Web, is a far more valuable, albeit challenging, information landscape.  

The Dark Web is a hidden part of the internet, accessible only via specialised browsers, often TOR (The Onion Router) browser, a modified, open-source version of Firefox. TOR anonymises web traffic using an encryption technique originally developed by the US Navy. It hides IP addresses and browsing activity by routing traffic through multiple nodes. This layered encryption ensures strong anonymity, protecting user privacy even if individual nodes are compromised. 

Most people perceive the Dark Web to be a place synonymous with illicit activities. And it’s true that illegal marketplaces and forums for drugs, weapons, stolen data, illegal pornography, counterfeits, Malware and other criminal activities exist there –c.57% of its activities according to 2020 research.  

However, the Dark Web also serves as a platform for secure communication and legal cryptocurrency trading, attracting whistleblowers, activists, and individuals seeking privacy, including those living under regimes with limited freedom of speech. The BBC, CIA and Facebook all have TOR sites on the Dark Web for this reason. Ultimately, the Dark Web’s anonymity, while exploited by criminals, makes it a valuable source of intelligence. 

A complex shifting world: the challenge of Dark Web Investigations 

The Dark Web is volatile in nature, with sites popping up and disappearing in rapid succession, making it difficult to get a precise view of how many sites there are and – due to the levels of anonymity – how many users there are too. Currently, it’s estimated there are over 2.7 million active daily Dark Web users  and it’s a mature and resilient space that continually adapts to site closures. 

To effectively use the Dark Web for intelligence, investigators need specialised tools, in-depth knowledge, refined techniques, and a keen awareness of ethical implications for these critical use cases. 

• Tracking Criminal Activity by monitoring illegal marketplaces to identify sellers, buyers, and track the flow of illegal goods. This is where effective Dark Web analysis tools are vital to help deanonymise individuals and generate intelligence to disrupt criminal networks.  
• Identifying Cyber Threats: Cybercriminals often discuss vulnerabilities and sell stolen data on Dark Web forums. Monitoring and carefully engaging in these forums can help investigators identify threats and prevent attacks. 
• Investigating Financial Crimes: Cryptocurrency transactions used in Dark Web marketplaces for legal and illegal trading – the most famous Bitcoin – can be difficult to trace. Investigators use specialised tools and techniques for blockchain data analysis to identify criminal individuals. 
• Uncovering Insider Threats: The Dark Web’s anonymity can embolden individuals to leak sensitive information. Investigators can monitor forums for leaked data and identify potential insider threats within organisations. 
• Sourcing Human Intelligence (HUMINT): While challenging, Intelligence investigators can establish contact with individuals who possess valuable information. Particularly useful for organised crime, terrorism, or other sensitive investigations. 

Challenges and Ethical Considerations in Clear and Dark Web investigations 

The Clear and Dark Web present both unique and shared investigation challenges requiring specialised skills, tools, and strategies: 

• Sheer volume of data on the Web makes it difficult to pinpoint relevant information. 
• Encryption of communications and transactions further complicates access to crucial evidence.  
• Crimes often span multiple jurisdictions, requiring national and international cooperation and collaboration. 
• Data fragmentation across various platforms and databases also requires extensive effort to piece together information.  
• Privacy laws and regulations add more complexity to obtaining data. Investigators must always operate within the bounds of the law, ensuring any intelligence collected can be used as admissible evidence in court.

The Dark Web has its own particular challenges: 

• Anonymity is the single most challenging factor which prevents linkages to real-world identities 
• Heavy encryption of transactions and communications further hinder interception and decoding of information, requiring specialist tool proficiency, cryptography and blockchain capabilities. 
• Human Analysis: while the sheer volume of Dark Web data necessitates using sophisticated tools to cut through the noise, careful analysis is vital to avoid false attributions. 

 Trends in the Evolving Investigation Landscape 

The world of online intelligence gathering is constantly evolving, requiring investigators to adapt their techniques accordingly: 

• Artificial Intelligence (AI) and Machine Learning technologies are both a challenge and opportunity to investigators. AI deepfake imagery, voice and video, AI-generated illicit content, cryptocurrency laundering and AI-automated cyberattacks, phishing and chatbots will require investigators to constantly adapt their techniques.  

On the flip side, AI can help automate the collection and analysis of vast amounts of data in forums and social channels, quickly identify patterns and anomalies, and predict future behaviour. AI facial recognition tooling was used to solve a recent joint Homeland Security Investigations (HIS) and UK police child exploitation case and in an HSI exploitation cold case review, resulting in hundreds of identifications of victims and perpetrators. 

• Big Data Analytics tools can process and analyse the exponentially growing large volumes of data, revealing hidden connections and potential insights about complex criminal networks or individuals’ motivations that would be impossible to detect manually. 
• Blockchain Analysis will be an even more critical skill for investigators given the growth of new cryptocurrencies like Monero (XMR) with highly advanced cryptographic techniques that mask transactions and dynamically change IP addresses, even as Bitcoin can now be ‘cracked’. With central banks also integrating cryptocurrency into operations, it’s clear its continuing adoption and acceptance for both legitimate and illicit transactions will remain a focus. 
• Decentralised Web (Web3), while slower to develop than predicted, just like AI presents both opportunities and challenges for investigators. Web3’s decentralisation, blockchain technology, and token-based economics, will require new tools and techniques to effectively investigate its platforms. 
• Focus on Privacy and Data Protection is an increasing challenge for investigators. New regulation like the UK’s incoming Data Protection and Digital Information Bill, Brazil’s General Personal Data Protection Act (LGPD) and India’s Personal Data Protection Bill mean investigators must be mindful of the latest legal and ethical frameworks they are operating under. Investigators must always adhere to such regulation and obtain proper warrants and authorisations before accessing sensitive information. 

The Integrated Approach: Combining Clear Web and Dark Web Intelligence 

The Clear Web and the Dark Web are both valuable sources of intelligence for investigators. The Clear Web offers a wealth of publicly available information, the Dark Web provides access to hidden data and insights that can be crucial to solve complex cases. By effectively combining intelligence from both realms and adapting to the increasingly complex technological landscape, investigators can gain a significant advantage in their pursuit of truth and justice.  

For example, several notable hackers and cyber-criminals have been arrested and subsequently jailed through integrating data from Clear and Deep web platforms like Roblox, Minecraft, Discord and Telegram with intelligence gathering on the Dark Web.  

This integrated Clear, Deep and Dark Web approach provides investigators with a broader, more nuanced understanding, yet the sheer volume, fragmentation and type of data means it’s a significant technical and practical challenge to navigate. It typically requires using multiple specialist tools and robust investigator skills, set against the dynamic nature of the Web itself. 

DarkBlue: a user-friendly platform for integrated Web intelligence investigations 

This fundamental challenge of scale, scope and complexity was the reason behind CACI developing our DarkBlue Intelligence suite.  

DarkBlue offers investigators a user-friendly, single OSINT platform to undertake holistic, complex investigations on the Clear, Deep and Dark Web efficiently, ethically and safely. 

DarkBlue leverages the intelligence that CACI has been scraping from across the Web including Tor, I2P, ZeroNet, OpenBazaar and Freenet for over 10 years, amassing billion of pages of data and capturing sites long since deleted.  

Included in the suite is DarkPursuit tool, which provides the user with a safe, anonymous browsing environment that obfuscates technical details that could be used for attribution or tracking. DarkPursuit integrates multiple specialist tools and allows investigators to seamlessly transition between search findings, multiple live environments and analysis.  

DarkPursuit’s new CluesAI feature helps investigators deanonymise individuals and entities on the Dark Web more efficiently, helping tackle its biggest – and growing – intelligence investigation challenge.  

CluesAI automatically gathers potentially identifying information like email addresses, cryptocurrency wallet details, and port scans from the Dark Web. It cross-references this information against DarkBlue’s extensive database and uses generative AI to identify connections and patterns. It then generates reports that summarise and highlight potentially deanonymising information, providing investigators with actionable leads in one click.  

As the Web in all its forms grows in complexity and size – particularly with the growth of Web3 and cryptocurrency, it’s vital that investigators can stay ahead of emerging threats to help protect national security and combat criminal activity.  

DarkBlue – and CACI’s OSINT as a Service offering – provides investigators with the critical tools and support from experienced intelligence experts to support your critical mission.

Contact us today to discuss how we can supercharge your investigations. 

Today, almost all crime has an associated digital element.

With digital’s rapid expansion showing no signs of slowing, digital forensics – identifying, recovering, analysing, and investigating data stored electronically – is mission-critical to effective modern policing.

The (r)evolution of crime in a digital age

The 4th Industrial Revolution has blurred the lines between physical, digital, and biological spheres through technologies like AI, robotics and virtual reality, causing a seismic shift in the crime landscape. An example from earlier this year, involves Global engineering firm, Arup, who suffered a £20m loss due to a ‘deepfake’ scam using AI-generated digital clones of its Chief Financial Officer and other employees to ‘authorise’ the transfer of funds to the criminals.

While the crime was traditionally classified by Hong Kong police as ‘obtaining property by deception’, traditional forensic investigation methods such as fingerprint analysis or lifting fibres from the scene of the crime couldn’t be applied in this instance.

Often crimes like cyber-attacks, online fraud, terrorism and child exploitation, leave only a digital footprint or one that’s pivotal to solving the case. This explains why digital forensics (DF) is rapidly emerging as the cornerstone of an effective policing ecosystem.

The role digital forensics can play in modern policing

Digital forensics empowers policing professionals by enabling them to piece together narratives that shed light on the who, what, when, where, and how of criminal activities by:

• Uncovering hidden evidence: deleted conversations, sophisticated, encrypted financial transactions or incriminating images on the dark web can all be uncovered using DF methods and tools.
• Linking suspects and crimes: whether its tracing digital interactions across organised crime networks, social media posts placing suspects at the scene of a crime or private messages between accomplices in planning it, DF can be used to uncover evidence that builds a picture of events.
• Providing timelines and corroboration: DF can use metadata attached to images and audio files to establish a clear chronology of events and corroborate – or refute – witness testimonies and alibis.

Clearly, as the digital revolution has irrevocably changed crime, a robust digital forensics capability across policing benefits not only law enforcement, but society a whole.

So, what’s the current state of play?

The scale of the digital forensics challenge

The sheer volume of digital evidence is overwhelming.

Using the headline statistic from the National Police Chiefs’ Council that 90+% of all crime has a digital element , and basing it on the ONS’ 6.7m total crime case number for 2023. Assuming just one digital device per case, that’s 6m devices per year that require investigation: an average of 140,000 devices for each of England and Wales’ 43 territorial forces.

Even if just 10% of those crimes warrant police Digital Forensic Units (DFUs) investigation, that’s 14,000 devices each. We know that the current digital forensics backlog is huge, untenable and risks damaged public trust in policing effectiveness alongside impacting case prosecution times and as society’s digitisation continues, the challenge can only increase.

Three solutions to improve policing ecosystem digital forensics capability

Building DF capability in the policing ecosystem is now a strategic, operational and reputational imperative, going beyond the application of technology, also requiring investment in people and process.

Fostering Expertise

Forces have made great strides to address the challenge with more Digital Hubs, Kiosk and Digivans and Digital Media Investigators who can play a demand-reducing triage role around device seizure at crime scenes.

But the current shortage of highly trained digital specialists working in line with Forensic Science Regulator Code of Practice statutory requirements is critical. As Europe’s only ISO/IEC 17043 accredited Digital Forensic proficiency testing provider, we can support forces in assuring digital forensics best practice in line with ISO/IEC 17025 accreditation standards. Add to this upskilling the robust resourcing and finance plans called for by Matt Parr in his HMICFRS report and you have a recipe for success.

Cutting-Edge Technology adoption

The rapid pace of technological advancement requires continuous adaption of forensic tools. DF must be capable of retrieving data securely, efficiently and lawfully wherever it resides, making Cloud forensics a vital focus area, along with Internet of Things (IOT) and blockchain capabilities. AI and machine-learning is now commonplace (unthinkable mere years ago), requiring specialist practice and – potentially – adoption in the DF process. Particularly in areas like image categorisation, though their accuracy and robustness need further validation. Partnering with organisations like CACI, DFUs can ease the burden of trying to keep pace with these advancements in technology.

Promoting Collaboration

Collaboration between police, government agencies, and private enterprises is vital for effective digital forensics at the scale it needs to be. Ironically, as criminals increasingly operate in sophisticated, structured networks with advanced technology and skills, policing is still working in silos. Sharing best practices, standards, and methods, and fostering information exchange can only strengthen the overall DF response.

Open Digital Forensics – a shared vision for the future?

A more collaborative DF policing ecosystem could go one step further, taking inspiration from the UK’s Open Banking initiative. Imagine digital forensics practitioners using standardised tools, methods, and processes, with data stored in a central national cloud repository, with AI and machine learning being used to rapidly triage the vast amounts of data, freeing up investigators to focus on relevant items. This centralised approach would also streamline the UKAS accreditation processes, reducing the burden on UKAS and individual forces.

Big thinking perhaps, but tackling the ever-growing, complex, evolving nature of crime in the digital age, requires even bigger ideas, investment and resource.

Digital forensics is a critical component of modern policing. By investing in expertise, technology, and collaboration, law enforcement can build a robust DF capability that not only meets current demands but’s also prepared for future challenges.

This article was based on a speech given by Damon Ugargol at the City Forum – 2024 Digital Forensics Summit.

To find out more about CACI’s Digital Forensics Laboratory including our uniquely accredited European Digital Proficiency Testing services, just get in touch with our team of experts today.

Digital forensics is a branch of forensic science that focuses on the recovery and investigation of digital devices, data and electronic evidence. With over 90% of crimes having a digital element associated with it nowadays, digital forensics plays a pivotal role in delivering justice within criminal investigations, from the scene of the crime to the courtroom.  

So, what does digital forensics entail? What makes it integral for businesses, and how are digital forensics processes carried out? What skills must one possess to pursue a role in this industry? 

What does digital forensics entail?

Digital forensics encompasses the identification, extraction and interpretation of electronic evidence from digital devices such as computers, laptops, smartphones, tablets and even network infrastructure.

By examining the data on these devices, digital forensics experts can supply insights and an understanding of the events that occurred, the actions taken and the individuals involved. Within an organisation, digital forensics can be used to identify and investigate cybersecurity and physical security incidents, as well as fraud, intellectual property theft, insider threats/bad leavers, sexual misconduct and embezzlement. 

Why is digital forensics integral to businesses?

Digital forensics is vital for businesses as it safeguards against data security discrepancies. Since businesses typically have an influx of digital data from financial records to customer data and intellectual property, the use of digital forensics to investigate identified issues helps them avoid financial losses and reputational damage by identifying and investigating cyber enabled or dependent crimes and securing their information. 

Data preservation

Digital forensics plays a crucial role in preserving and presenting evidence for legal proceedings. When crime(s) involving digital devices occur, law enforcement agencies and businesses must gather relevant evidence for legal purposes, such as criminal prosecutions or civil litigation.

Digital forensics experts follow policy and procedure documentation to ensure the integrity, preservation and authentication of electronic evidence. They create forensic copies of digital devices using validated methods, document the chain of custody and use advanced techniques to extract and analyse data without altering its original state.

This aspect is vital, especially in situations where data is regularly updated or extracted from various sources. This also ensures that the evidence collected is admissible in court and can effectively support legal actions. 

Digital forensics process deep dive

During an investigation, digital forensic techniques are applied to collect, preserve, and analyse digital evidence in a manner that ensures its integrity and admissibility in a court of law. With computer type devices, this involves using forensic software and hardware tools to create a digital forensic image of the device or media being examined. This image is a bit-by-bit copy of the original data, which allows investigators to work with the evidence without altering or compromising the original source. The forensic image is then processed and analysed in a controlled environment using forensic software and techniques to search for meaningful information that can be used as evidence. 

In criminal cases, the digital forensics process has succeeded in identifying, apprehending and prosecuting criminals in a wide range of offenses covering both cyber enabled and cyber dependent offences. In civil litigation, digital forensics can be used in intellectual property disputes, employee misconduct investigations, and to support or challenge contractual claims. 

While the digital forensics process may be unique to specific scenarios, it typically consists of the following steps:  

Step 1: Collection and recovery

The digital forensic process begins with the collection and recovery of information through advanced technological methods to extract and store data from computer systems, mobile devices and other storage mediums. Recovering such a vast scope of information can be fundamental to understanding the root cause of any digital incident, whether it’s a security breach, fraud or other cybercrime. 

Step 2: Examination and analysis

Once the evidence is recovered, digital forensics experts process the data using a range of tools before thoroughly analysing the data. Some examples of techniques used during analysis include file carving, registry analysis, database analysis, timeline investigation, hash comparison, filtering and keyword searching to identify relevant information that may support or refute a hypothesis or allegation.

This can involve linking digital evidence between devices or people– with physical evidence or other forms of non-digital evidence– to create a comprehensive picture of the events under investigation. Digital forensics experts may need to work on a live or dead system— working live from a laptop or connecting via a hard drive to a lab computer– to decide which pieces of data are relevant to the investigation.

The examination will result in a report or reports produced to address the points to prove defined within the digital evidence strategy and any data of significance presented evidentially for use in criminal or civil proceedings. 

Step 3: Reporting and documentation

The reporting process is tightly controlled by the Forensic Science Regulator and ISO 17025, ensuring that the status of compliance (to those standards) of work conducted is appropriately declared and the findings of the examination cannot be misinterpreted. Reporting can come in many forms, ranging from simple to complex, in line with criminal standard reporting formats. 

Types of digital evidence

Communications can occur in a wide range of mediums, from traditional emails and text messages to app-based communication, in-game, encrypted and secure communication channels.  

Recovered communication data can be invaluable in establishing a suspect’s intentions, activities, connections between involved parties and potential evidence of illegal activities.

Metadata relating to recovered communication data can be used during analysis to inform the investigation. Email headers, for example, can contain valuable metadata that can establish the authenticity and integrity of the communication. They can also supply information about the sender and recipient email addresses, the date and time of transmission, details of the email servers involved in the delivery process and enable investigators to define timelines and track communication flow.

Attachments within emails can also give away clues about illegal activities, which can help prove a criminal’s motive, intent or even their involvement in the event in question. App based communications often contains media, links to other content or individuals of relevance and location data.  

Internet activity Internet activity can be recovered from a wide range of browsers and is often extremely valuable in determining intent– for example, recovered ‘search terms’ entered into a search engine by an individual of relevance to the investigation. Internet records can be used alongside other activity conducted on the suspect’s device when investigating a time-period of relevance to the investigation during ‘timeline’ analysis. 

Application data Mobile devices utilise software applications, or ‘Apps’, to enable the user of the device to perform a wide range of different functions. Recovered application data if often used during investigations for evidential purposes.  

Logs Logs are automated records of computer processes, user activities or communication transactions generated by computer and mobile devices. They can be compelling evidence by being able to detail who accessed a specific system and what actions were taken

Media Videos and images are another significant type of evidence that can be used to identify and prove the physical presence of an individual at a specific location at a given time, concluding their involvement in the event in question. Metadata recovered from media is examined during analysis. 

Archives Archives involve storing offline copies or backups of databases, files or even websites. This is a practical way of retrieving lost information, which can be crucial in a digital forensics investigation. Each of these types of evidence features their own unique characteristics and functions and contributes significantly to the realm of digital forensics, aiding experts in piecing together the digital aspects of investigations and solving cases. 

What challenges commonly arise in digital forensics?

Devices, operating systems and security are constantly changing, significantly complicating the field of digital forensics. With Windows, macOS, Linux, iOS and Android being the main operating systems used across consumer computer and mobile devices, forensics experts must innately understand each operating system’s structure and functions to effectively extract and interpret digital evidence. 

Encryption and password protection

Encryption is a widely used security measure that maintains data privacy and integrity. While these techniques effectively safeguard sensitive information, they can obfuscate investigations when authorities require access to relevant data. Encryption obfuscates the data format, making it decipherable only with the correct encryption key, or password. Without these credentials, accessing the encrypted data can become impossible. 

Privacy concerns

Digital forensics experts must always consider privacy while performing their work. Not only is their professional credibility at stake, but also the fundamental rights of individuals, as any breaches can lead to legal complications and reputational damage. As a result, forensics investigators must exercise caution in accessing information that is specifically pertinent to the investigation in question and that any non-relevant personal data is not intruded upon. 

Establishing data authenticity and reliability

Since electronic data can be easily altered or destroyed, establishing its authenticity and reliability can be compromised, resulting in complications during court proceedings. Despite forensics professionals’ best efforts, there is always a chance that the evidence could be disallowed by the court if certain legal criteria are not met. 

Emerging trends in digital forensics

The integration of artificial intelligence (AI), machine learning (ML) and blockchain technologies, coupled with a rise in mobile device forensics, are transforming digital forensics as we know it. These advancements will bolster forensics experts’ capabilities in terms of visualising and interacting with complex digital crime scenes, leading to a significant enhancement in their ability to gather crucial evidence and reconstruct events accurately. 

Artificial intelligence (AI) and machine learning (ML) integration

Artificial intelligence (AI) and machine learning (ML) integration will continue to revolutionise the ways in which digital forensics experts can investigate and analyse data and evidence. Through AI-powered algorithms, experts can rapidly process large volumes of data to significantly reduce the time needed to prepare for investigations.

AI and ML algorithms can also be used to identify patterns within the data that may not have been picked up during traditional, manual analysis. These algorithms can also automatically categorise and prioritise evidence to help forensics analysts assess the relevance and potential significance of collected data. Automating this process saves analysts considerable time, ensuring their focus remains on the most essential elements of the investigation.

While AI can aid the investigation process, it is important to stress that digital forensic experts must never use material identified by AI as being of potential relevance within evidential reports without first reviewing and verifying it. 

Implementation of blockchain technology

Blockchain characteristics– immutability, transparency and decentralisation– make it ideal for ensuring the security and integrity of digital evidence. With digital evidence traditionally stored and managed  by centralised systems or authorities, potential vulnerabilities and risks emerge, as the evidence can be tampered with or manipulated, compromising the integrity of the investigation.

By implementing blockchain technology, a decentralised and distributed ledger system that addresses these concerns is created. Blockchain acts as an immutable and tamper-proof record that stores all forensic activities, including the collection, analysis, and preservation of digital evidence, ensuring that any changes made to evidence will be easily detected, providing increased trustworthiness to the investigation process. 

Rise of specialised mobile device forensics

Mobile device forensics has become increasingly prominent due to the widespread usage of mobile devices. It is a sub-branch of forensics that focuses on the recovery of data or information from mobile devices. This specialised area of digital forensics employs advanced tactics and approaches to analyse data, calling for an increased importance of this specialised forensics. 

Certification and career opportunities

Digital forensics experts’ innate software understanding coupled with access to sophisticated tools and technology allows them to analyse and report on data effectively. These experts understand technology, computer systems and data structures to a degree that guarantees secure data evidence collection. Their roles are critical in corporate environments, where they may be tasked with examining malware, breaches or damages that can identify attackers to help organisations prevent incidents of this nature reoccurring.  

Digital forensics professionals can pursue a range of classroom and online courses that cover a variety of aspects and specialisms of the field. While some organisations may task digital forensics experts with broader tasks and responsibilities, there will be a unanimous understanding of software to back these roles. A typical day could include:  

• Handling exhibits, data and materials to avoid contamination or corruption. 
• Disassembling and examining computers or hardware for non-volatile data storage. 
• Acquiring and processing data in line with defined digital forensic strategies. 
• Review processed data and analysing material(s) of relevance. 
• Creating formal reports with evidence to support investigations.  

 Roles within Digital Forensics Units include, but are not limited to:  

• Digital Forensic Technician 
• Digital Forensics Investigator 
• Senior Digital Forensics Investigator 
• Digital Forensics Manager 
• Quality Manager
• Technical Manager 
• Quality Technician/Assistant  
• Consultant 

How can CACI help?

CACI can supply comprehensive digital forensic services that encompass computer, mobile phone device examination and scene support for law enforcement, commercial and civil investigations.  

To ensure compliance with The Forensic Science Regulators Code of Practice, and ensure quality of all Digital Forensics Investigation and proficiency Testing services, the United Kingdom Accreditation Service (UKAS) has granted CACI with accreditation for ISO/IEC 17025:2017.

UKAS Recommendation Details:
Accreditation Scope: ISO/IEC 17025:2017 with compliance to ILAC G19:06/2022 and Forensic Science Regulator Code of Practice Version 1.

• Capture and preservation of data from computers and digital storage devices HDDs, SSDs, M.2 memory devices, memory cards and USB flash devices – Using FTK Imager, EnCase Imager and Tableau T356789iu.
• Capture, preservation, processing and analysis of data from Mobile Devices, SIM cards and Memory Cards – Using Cellebrite 4PC, Cellebrite Physical Analyser, MSAB XRY, MSAB XAMN and Magnet Axiom.

CACI Ltd has also been recommended for accreditation to ISO/IEC 17043:2023. This recommendation is for proficiency testing schemes relating to the acquisition, processing and analysis of computer and mobile devices.

In addition, CACI’s Digital Forensics Lab holds certification from British Standards Institute (BSI) to ISO 27001 for the provision of Digital Forensic Science Services.

To learn more about our Digital Forensic Proficiency schemes or to book a demonstration, contact us today.  

CACI is delighted to announce that its Digital Forensics Laboratory has been granted accreditation by the United Kingdom Accreditation Service (UKAS) to ISO/IEC 17025:2017 with compliance to the Forensic Science Regulator Code of Practice and ILAC G19. This accreditation signifies CACI’s commitment to providing compliant, quality assured digital forensics services to support Law Enforcement related industries. 

This achievement is particularly significant in light of the Forensic Science Regulator’s Act 2021, which came into effect on 2nd October. The Act introduced a statutory requirement of compliance to the new ‘Code’ for Forensic Science Activities provided to the UK Criminal Justice System. The new ‘Code’ is crucial for ensuring the admissibility of robustness of evidence, and includes the requirement for accreditation to ISO/IEC 17025:2017 for the digital forensic science activities provided by CACI from within their laboratory. 

CACI’s Digital Forensics laboratory, situated in Northallerton, North Yorkshire, has been designed to match the capabilities of law enforcement digital forensic laboratories. This enables CACI to integrate seamlessly with their clients, minimising the impact of outsourcing digital forensic investigation services and maximising the benefit for the client. The team behind the laboratory consists of highly skilled professionals with extensive experience in the digital forensics field within Law Enforcement investigations. 

Richard Cockerill, Operations Director of CACI’s Digital Forensics Laboratory, expressed his team’s excitement about the accreditation, highlighting their dedication and expertise. He further emphasised CACI’s ability to deliver high-quality digital forensic investigation services to the UK criminal justice system. 

“CACI looks forward to expanding its support for both existing and new law enforcement clients. This achievement highlights the dedication and expertise of our digital forensics team. With our robust capabilities and specialist expertise, CACI is well-positioned to deliver high-quality digital forensic investigation services to the UK criminal justice system and related industries. This accreditation from UKAS is a significant milestone in our development and ongoing commitment to excellence.” 

Having secured ISO/IEC 17025:2017 accreditation, CACI is now actively expanding its support for both existing and new law enforcement clients. 

UKAS Accreditation Details: 

ISO/IEC 17025:2017 with compliance to Forensic Science Regulator Code of Practice and ILAC G19:06/2022 

• Mobile type devices: Acquisition, Processing and Analysis  
• Computer type devices: Acquisition and Preservation 

For full details of our Schedule for Accreditation please follow this link: 25971Testing Single (ukas.com)  

Digital transformation is essential for the police force to stay relevant, effective and responsive in its approach to protecting and serving the public. Over the next five years, it’s estimated that policing in England and Wales will spend between £7bn – £9bn on technology alone. However, the scale of the change poses a range of challenges for police forces.

Digital transformation has the potential to touch every part of the policing process, changing the way police work, harness data, exploit available technologies, collaborate with partner organisations and organise themselves. Each of these issues has wide reaching consequences, both for the industry as a whole and for individual officers. A responsible technology roadmap must therefore focus on the capabilities, processes and approaches that can maximise efficiency and learning across the whole policing system while meeting the specific needs of individual contexts.

Here we examine the key challenges faced when implementing new technology, as well as the ways forces can minimise risk and maximise ROI.

Discover how digital technology is transforming policing in our new white paper – Policing in the Digital Age

What are the key obstacles to digital transformation?

The challenges in modernising technology in the police force are similar to those faced by other public and private organisations. While the pace of technological development has accelerated rapidly in recent years, the pace of organisational change has, inevitably, lagged behind. This results in institutions attempting to both change their structures and processes and the technology behind them simultaneously, resulting in unclear scope, competing incentives and a lack of organisational clarity.

In the police force, this leads to issues such as:

Legacy technology limitations

Historically siloed procurement processes lead to a range of embedded tools that are no longer fit for purpose. Even systems that may have once been cutting-edge can be rendered unsuitable by a change in context, or rapid advances in technology. This leads to an inefficient patchwork of tools that don’t connect with one another, reducing efficiency and increasing spend, especially if locked-in to existing suppliers for long term contracts.

Clashing organisational structures

Structurally, the pace of change has raced ahead of the protocols that govern its implementation. This can be seen not only in the slow pace of procurement processes that can end up delivering outdated solutions, but also in the way those solutions are conceptualised. For example, there is still much to be decided on the appropriate use of how police forces use automation tools, such as artificial intelligence (AI), machine learning and the internet of things (IoT) in their role. In the absence of a clear path forward, it’s hard to take the next step.

Underinvestment in key areas

In an era of heavy budget scrutiny, public organisations of all kinds are wary of the risk of expenditure on systems that do not deliver value. While the public may be most interested in the number of frontline officers deployed, the less glamorous side of the policing – back-end infrastructure, data and communications – receive less attention, despite their crucial role in preventing crime.

Inconsistent understanding of data

The volume of data now available to businesses, consumers and public institutions is both huge and growing. While there have been promising results in steps towards using big data in policing, the real value can only be realised when aligned with a broader strategy that can source, structure, analyse and leverage data in a consistent way across different forces, platforms and contexts.

Creating a tailored transformation strategy

take into account that meeting these issues will not be a one-size-fits-all solution. The precise form and impact varies from force to force, depending on a range of factors. Moving forward requires a targeted approach that takes into account the unique circumstances of each force and deploys relevant strategies. A transformation plan must therefore include:

• Awareness of the local challenges in policing and needs of the public
• An assessment of the legacy systems in place
• Plans to leverage available skills, personnel and budget
• Appropriate timelines for change
• A definition of success and project ROI

A key element of digital transformation for police forces will be appropriate collaboration with technology and change management providers. Given the huge range of products now available, there is scope to create unique technology stacks for individual forces that nevertheless connect to and enhance the capabilities of the wider police network.

By working with an experienced provider, you can create a transformation strategy that meets your unique challenges with a combination of relevant tools and process management. Outside advisors can also help streamline the planning and execution journey by offering a strategic view as to how operational processes can change, or be adapted, to make the most of emerging technologies.

Accelerating the digital journey

With the pace of technological change showing no signs of slowing, the challenges and opportunities that digital disruption presents to policing have the potential to become defining issues for the service.

To maintain its leading position in world policing and continue to operate as an effective public service, the police force in the UK must find a way to move past the challenges associated with digital transformation and embrace the opportunities available.

CACI has extensive experience working with large scale transformation in major industries, using agile, iterative approaches to test processes, new software and collaboration strategies to deliver tangible value quickly and cost-effectively.

Find out more about how digital technology is shaping the future of policing in our new guide – Policing in the Digital Age.

What is the cloud?

For the uninitiated reading this, what is the cloud?

Well in its simplest form, the cloud refers to a remote Data Centre, commonly owned and operated by a 3rd party, that is used to host applications and store data that a Force would have previously provided via their own on-premise Data Centre facility.

The cloud is commonly accessed via the internet, meaning any device that has some form of internet connection can access the applications and data that reside there. That device could be a desktop in the station, but it could just as easily be a remote device such as a laptop, mobile or tablet being used out in the field.

Given access is via the internet it also means that it makes it far easier to share anything that’s stored in the cloud with other entities should you wish to do so. Ideal if you want to work collaboratively with other agencies and share data.

Another added benefit is that the cloud hosting provider takes on the responsibility for maintaining the infrastructure on which your data and applications are stored, as well as being responsible for the environment in which it resides.

Cloud services are typically subscription based, which shifts the commercial model from a capital one, where the Force has a large capital outlay relating to procuring and maintaining their own in-house IT provision, to a revenue-based, ‘pay as you go’ model allowing for easier budgeting with no large initial outlay.

Cloud technology also provides the ability to ramp services up and down as needed, meaning the Force only pays for what it needs, typically with a lower overall total cost of ownership.

Cloud First policy

Back in 2013 the Government introduced its “Cloud First” policy. Within it was a recommendation to all Public sector organisations that, they should prioritise the use of cloud when considering new IT solutions. The inference being the public cloud rather than a community, hybrid or private deployment model.

Key to this recommendation was that “Departments should always source a cloud provider that fits their needs, rather than selecting a provider based on recommendation.” I’ll come back to this point later.

The Government stated that, “By exploiting innovations in cloud computing we will transform the public sector ICT estate into one that is agile, cost-effective and environmentally sustainable.”

The benefits of having a cloud-based deployment were clearly evidenced in 2017 following the Manchester terrorist bombing. In the aftermath of the incident, the cloud based HOLMES2 (Home Office Large Major Enquiry System) was used to set up a Casualty Bureau, to support with missing persons, the identification of individuals and logging of evidence. Thanks to being hosted in the cloud, within two hours of the attack, 27 forces were able to utilise the casualty bureau to support one another with mutual aid.

Another cloud native system that will undoubtedly benefit all forces is the much criticised and highly controversial LEDS (Law Enforcement Data Service). LEDS is the Home Office’s new “super-database” for Police. It combines the PNC (Police National Computer) and the PND (Police National Database) into one data source. Although massively over budget and behind schedule, no one doubts the benefits it will bring to Policing. Given the amalgamation of the systems there will be reductions in running costs by supporting a single, far more efficient system.

Police will have access to a much broader set of information, which should help in speeding up the identification of persons of interest. LEDS is to be hosted on the commodity cloud service within Amazon Web Services (AWS). This will widen the scope beyond policing in terms of organisations able to obtain access, such as the DVLA, Financial Conduct Authority, Highways England, Competition and Markets Authority and the Royal Mail.

Arguably, the cloud-based technology that has had the biggest positive impact of late is Microsoft’s 365 Productivity Services suite, being rolled out to Forces as part of the National Enablement Programme. The national lockdown that was imposed in response to trying to combat the Covid 19 pandemic, added an additional level of complexity to Policing.

Whilst most things ground to a halt, criminal activity continued and so did the need to police it. By using the collaboration tools that are offered as part of the productivity suite, Forces were able to continue to operate using a virtual environment, allowing employees to come together whatever and wherever their location.

Given the exhortations of the Government and the evidential benefits of adopting cloud technology, does that mean all Forces have rushed to go ‘all-in’ pushing all their Applications and data into the cloud in haste?

The short answer is no. Despite the numerous benefits to adopting a cloud first approach, as recently as 2 years ago, reports suggested that as many as 75% of all Forces still accessed and managed their data and applications on premise. So, the big question is why?

Barriers to adoption: security concerns

Understandably, Police by the very nature of the job they do are quite anxious when it comes to re-housing their applications and data. A good percentage of the work is sensitive and needs guaranteed security. As you would imagine, most forces were initially very sceptical that the cloud could offer the same level of security as that provided in their own on-premise data centres. Surely no-one would be as concerned about the security of Police IT than the Police themselves.

When we talk about security in this instance, it usually relates to the need to ensure that everything belonging to the force is protected from a potential data security breach. When you have been responsible for security for so long it is hard to share that responsibility with someone else and have the confidence that they will look after things as well as you do. It is also unnerving when your security is no longer fully reliant on the tangible devices sitting in your data centre, that you can see and touch with a reassurance that everything is ticking along as it should be.

In a traditional on-premise solution, IT teams must manage and maintain security at every single location and for every single application. When it comes to Public Cloud, providers don’t have visibility of where or what the ultimate endpoint is, therefore all security has to be centralised and unified, able to cater for all possibilities. This unified security approach means you may end up with access to more security than you currently have employed on premise.

Let’s just for a moment take a look at cloud security:

• Security is now a shared responsibility with the cloud vendor, meaning there is less of a burden on your IT teams and your finances.
• Updates and patches no longer have to be resourced and scheduled in by the IT team, instead being applied in a timely fashion.
• Cloud security is highly automated, meaning a reduced need for human intervention and less opportunity for errors.
• As security is centralised there are less boundaries in relation to possible end points.
• Cloud security may offer more specialised and robust options that would probably otherwise be unavailable due to cost.
• Although public cloud involves trust of a 3rd party. They are generally experts in their field and are focussed purely on security and nothing else.
• Cloud providers are now compliant with necessary regulation, meaning you can rest assured they are using best practices.

Over the last few years billions of pounds have been invested by Public cloud vendors to provide efficient data security. So much so, that cloud security arguably provides better protection than that offered by a lot of on-premise facilities.

Most of the major vendors are compliant with the Home Office’s National Police Information Risk Management Team (NPIRT) requirements, meaning cloud services can now support Police Forces across the UK who require Police-Assured Secure Facilities (PASF) to process and store their data in the cloud.

A big indicator of shifting attitudes around security, is the recent decision by the Defence Digital Service (DDS), a new group in the Ministry of Defence (MOD), to shift its data for its Readiness Reporting and Deployability Discovery (R2-D2) project to a public cloud.

Phil Jones from ISS (MOD’s Information Systems & Services) stated that Public Cloud is being used by several operations and projects within the MOD to identify how new services and capabilities can be delivered to Defence. Teams are able to access accounts to the Public Cloud offerings provided by Amazon Web Services (AWS) and Microsoft Azure – this provides teams with freedom to evolve their own Services that take advantage of industry leading capabilities.

Barriers to adoption: culture

Culture was cited as being another barrier to adoption. Historically, Forces have been quite parochial in their nature. Very much with a sense of, “This is how we’ve always done things!” or “We’ll wait and watch what everyone else does first before we decide.” This mentality has left forces lagging behind the criminals who they are trying to outwit (Who conversely, have exploited this new technology in advanced and innovative ways, making their criminal activities far more complex and difficult to untangle).

However, police culture is changing thanks to the everyday use of cloud in our personal lives. Barely a day goes by where we don’t perform some kind of interaction with cloud-based technology, passing data back and forth between applications and allowing us to do things on the move using our mobile devices, such as ordering food, making appointments and booking holidays, remember them?! We even trust the cloud to store our most precious memories in the form of photos and videos.

So, if security concerns have now been addressed and cultural views are changing, then what else is slowing mass adoption?

For those of you that read my last blog, you’ll already know the answer. However, for those that didn’t, go and read it! But in the meantime, the answer relates to the fact that a lot of forces maintain a large number of legacy applications, that were never designed for the cloud and don’t easily present themselves to being migrated on to one.

However, the aforementioned blog provides an indication as to how we at CACI can help forces overcome this obstacle.

Which cloud is the best?

If all barriers have been overcome and the decision has been made to adopt the cloud, how do you then go about deciding which cloud is best for you?

Let me try and explain by use of an analogy; when your child reaches a certain age there comes the time you want them to spread their wings and leave the family nest. Do you quickly find the first available cheap premise you can and proceed to move your loved one into it as quickly as possible? Then as each successive child reaches that same stage, find a similar property to the first and do the same again? Maybe you do!

But in all seriousness, most of us would probably seek the services of some form of an Estate or Letting Agent, someone with full knowledge of what’s available in the market that best suits your little treasure’s wants and needs. Relying on the Agent to advise and suggest viable options, before carefully choosing the best property available to them.

Well a similar approach should be applied when adopting a cloud strategy. Do you find the first cheap, hosted environment available and proceed to throw all your applications and data into it? Again, maybe you do, and I know some have to their regret.

But the smart option is to seek the services of an experienced, qualified cloud migration partner, someone who has thorough knowledge of the market and an ability to provide the best advice on the optimum solution for your organisation. A partner that will consider your differing workloads and what you need to achieve and design a strategy around a perfect hybrid of available cloud resource.

Here, now and the future

So with the many benefits the cloud brings: accessibility, affordability, removal of a maintenance burden, better levels of security, increased speed of deployment and rapid scalability, as well as the Government pushing its ‘Cloud First’ strategy, is this the end for on-premise data centres?

Gartner predicts that by 2025, 80% of enterprises will have shut down their traditional data centres, versus 10% today. But, is it as clear cut as that?

Traditionally when new applications were requested by the force, IT departments would consider how they could deploy the application using their in-house architecture. This strategy has worked well for many years, whereby the goal was to deliver the application to the Force’s own end users.

But as the workforce has now become more agile and the need for collaboration with other agencies grows, it drives the need to change the strategy and ask, ‘how can we deploy this so that we can easily access it from anywhere and share the information stored with others if we need to?’. Decisions now need to be less architecture driven and more about the needs for the services that are being delivered.

Cloud doesn’t have to be an all or nothing proposition – don’t let the one size fits all message fool you. Just because someone recommends a particular cloud service it doesn’t necessarily mean it is suitable for your particular workload.

Every Public cloud doesn’t fit every IT function. Planning around objectives and consideration of things like low latency and high bandwidth traffic needs to take place when designing a cloud migration strategy. Hence the need for an experienced, qualified partner who will provide a comprehensive, overall assessment before further engaging with your team on creation of a mobilisation and migration plan.

Cloud computing is no longer the novel concept it once was, it is a well-established, proven mainstream technology with many benefits and as operating models shift and demands increase, Policing should recognise cloud as a more effective method of delivering applications, software and data to those that need it.

It’s now highly regarded as inevitable that in time Gartner’s prediction will come to pass, but whether it is optimistic to think that it will occur within the next 4 years remains to be seen.

Find out more about how we can help

“Policing’s future is in the cloud” is the 2nd in our series of blogs on how tech can help the Police. Read the first blog in the series “Legacy Application Interoperability & Integration in the Police Force” now.