Morning Read: Police Digital Forensics: Storing and Using an Overflow of Video Data

Welcome to the Morning Read, a daily post where I recommend and discuss a white paper, blog post, chapter of a book, or some sort of text I find useful for DFIR analysts.

Today’s morning read is an article from EnterpriseTech, and contains a pretty interesting data storage-related interview with the Calgary Police. You can find the article here:

Overview

I found this article interesting as it deals with an underlying issue that some DFIR analysts are all-too-familiar with: data storage. “Storing all the evidence forever” sounds like a wonderful idea, but damn if it ain’t expensive. Police departments around the world are discovering just how much.

The article discusses the addition of data retention that police departments have to deal with the advent of mandatory body cameras. Check out these fascinating statistics:

For each eight-hour shift, a police officer’s body camera generates around 18 gigabytes of video data. Three shifts means 50+ Gb per day. In 14 days, 12 officers generate 1 Tb. Multiply that by, say, the 1,500 officers in the Calgary (Alberta) Police Department, and you’ve talking about 1 petabyte of video data produced per year.

1 PB a year! And that’s an estimated value, given cocktail-napkin math on 1,500 officers. LAPD has over 12,600 officers. Think that’s crazy? NYPD has close to 50,000 officers!

The article also discusses Quantum Data Storage, a pretty nifty San Jose-based storage company. Their product, StorNext, bridges storage between disks and tapes, depending on the age of the data.

Highlights

  • The problem described above is also coupled with data and/or evidence retention requirements or laws for various police departments. The article provides Calgary’s data retention policies (which, as noted, varies by municipality, state, and country):
In Calgary, all video data must be held for 13 months; video used in court must be held for seven years; video associated with a serious crime: 20 years; with a terrorist incident: 40 years.

Imagine having to hold on to a petabyte of data for 40 years, whilst generating an additional petabyte each year — which may also become subject to extended retention periods. The math is staggering.

  • Not only does the data need to be retained, but it also must become searchable. What use is body camera data if 5 years later, when the lawyers finally get around to it, the data is requested and is no longer available? Police departments have enough public relations crap to deal with.
  • Given the statistics above, there seems to be an underlying assumption that technology can just be thrown at any organization and they’ll just deal with it. I’ve worked with some incredible law enforcement folks; they’ll tell you faster than I can that they are not data storage experts. Yet, there is an increasing demand that assumes they are.
  • The Calgary Police have found an answer to their problem using Quantum’s StorNext product (note: this is not an endorsement but StorNext sounds pretty cool). As mentioned above, StorNext stores data on disks or tape, but oddly enough it also utilizes tapes for active file retrieval as well.

Suggestions for Analysts

This article may not be applicable to every analyst — a lot of DFIR folks I know do not manage evidence, they have someone who does that for them. But focus instead on the service that Quantum is trying to provide: data access and storage for folks who are not experts in that field. Here’s a quote from one of Quantum’s VPs:

“One of the things officers and investigators have stated,” he said, “is that there’s a learning curve involved. They’re police officers, not IT experts, so what they’re looking for is a solution that helps them find it themselves, that works with them the way a detective would think and the way a detective would uncover information. But to do that you’ve got to be able to search things that are there and retain things for long periods of time, because it may be years before you get back to certain case information.”

I appreciate the admission that the company is providing a service for folks who may not be too concerned with the back-end. They are trying to solve crimes and put bad guys in jail; they’re not trying to sit through a PowerPoint that discusses the latest in data duplication technologies. They are more concerned with whether it works or not.

Vendors, pay attention. Many of my clients are not interested in buzz words, fancy graphics, or some bullshit you’re trying to sling.

Vendor: “But it has machine learning under the hood!”
Customer: “Can it stop my top 5 threats?”
Vendor: “No, but it has artificial intelligence, so watch it defeat this use case designed specifically for the software.”

Want to be a successful information security vendor? Have one slogan: “It works”. And then prove it.


Until tomorrow!