Inspector General Says FBI Not Doing Enough To Prevent Abuse Of Cell Phone Forensic Equipment By Law Enforcement Officers
from the but-we-maintain-strict-control-of-the-cables! dept
The FBI's Inspector General has released a report on the New Jersey FBI branch's Computer Forensics Laboratory. For the most part, the report is positive and shows this branch tends to handle its forensics work competently. The problem comes when it opens its tools up to local law enforcement.
The FBI lab has a phone/media forensics kiosk located in the lobby of its building.
"The Cell Phone Investigative Kiosk (Kiosk) allows users to quickly and easily view data stored on a cell phone, extract the data to use as evidence, put the data into a report, and copy the report to an electronic storage device such as a compact disk. In addition to the Kiosk, there is also a Loose Media Kiosk, which processes digital evidence stored on loose media, such as a DVD or memory card."
Because it's outside of the actual lab, the FBI apparently feels it's ok if it doesn't track who's using the kiosk.
"To use the Kiosk, law enforcement personnel are required to schedule an appointment. However, the NJRCFL does not require Kiosk users to sign its Visitors Log since users do not go beyond the reception area or enter the NJRCFL’s laboratory space."
That leads to this sort of thing.
"According to the Director, sometimes one investigator will schedule a Kiosk appointment and another investigator will show up in his or her place, or more than one investigator may accompany the scheduled investigator to use the Kiosk. According to the Director, NJRCFL personnel assume that all of the personnel who arrive for a scheduled appointment are part of the same case. However, he said that the NJRCFL does not verify that everyone arriving for a scheduled appointment is working on the same investigative matter."
This is a problem because there are rules in place for use of the forensics kiosk, which include law enforcement officers having the proper authority to perform the search, the training to do so and the permission of the local AUSA (Assistant US Attorney). The FBI's decision to skip this verification step by not requiring signatures on the visitor's log means anyone could show up and use the kiosk without having secured the permission to do so.
The FBI does have this control in place, which couldn't possibly be circumvented.
"While the Kiosk is housed in the reception area, the cables necessary to connect the Kiosk to a cell phone are not stored with the Kiosk. Instead, the NJRCFL examiner responsible for supervising the Kiosk provides the cables to a visiting user. Without the cables, cell phones cannot be connected to the Kiosk, ensuring that the examiner on duty would have to know that a person was attempting to use the Kiosk because the examiner would have to supply the appropriate cable."
These "cables" sound a lot like your standard USB cables. There may be a proprietary connection on the FBI kiosk which prevents the use of off-the-shelf cables, but it's not as though no one in law enforcement could secure this sort of cable through other means. Even if these are cables that are only found at FBI offices, there's nothing stopping law enforcement officers from searching removable media without checking in with the reception desk first.
On top of that, there's nothing preventing law enforcement officers from asking for a cable and then performing illegal searches or using the forensics software for non-law enforcement reasons.
"As a result of the procedures and practices described above, we found that the NJRCFL did not have adequate controls over the access to and use of its Kiosk. FBI policy requires Kiosk users to confirm they possess the proper legal authority for the search of data on cell phones or loose media. During our fieldwork, neither the FBI nor the NJRCFL provided any confirmation to show that NJRCFL Kiosk users possessed the proper legal authority to search for evidence on the devices examined. In addition, the FBI did not provide us with any information regarding controls in place at the NJRCFL to ensure that users do not use the Kiosk for non-law enforcement matters, an inherent risk of Kiosks without adequate controls."
While the form officers are required to fill out to use the kiosk contains statements about having the legal authority to perform the search, the documents do not ask for any specifics about these authorities. It's just boilerplate text that anyone can sign, knowing that the lack of a visitor's log means no one can cross-reference possibly bogus affirmations with kiosk use.
This same problem is likely found at most other FBI offices with forensics kiosks. The report notes the same issues were discovered during its audit of the Philadelphia field office. The form -- and the "best practices" -- provide only the most minimal of safeguards against abuse. And the fact that the changes made in Philadelphia in response to the OIG's investigation never trickled down to the New Jersey office suggests this problem will be corrected on a case-by-case basis following an Inspector General's audit, rather than adopted across all offices.
A new form has been put into use -- at least at the New Jersey office -- that will capture more information about the legal authorities used to perform kiosk searches. However, there's nothing in the report that indicates this office -- or any others -- has stepped up to require kiosk users to sign a visitor's log. In addition, more than a quarter of kiosk users reported they did not have the training in place to use the equipment, yet are accessing it anyway. Until more improvements are put in place, FBI offices can't say they're doing everything they can to ensure lawful use of their forensic equipment.