What Are the Limits of Forensic Data Retention?

We have previously written about the role of big data in law enforcement. Fortune writer Thomas Davenport wrote an insightful article on the ways that the New York City Police Department is using big data to solve difficult cases.

While big data is a tremendous asset to law enforcement professionals, it still has its limitations. Digital services have the ability to amass more data than ever before. However, their data storage capacity is not infinite.

Forensic investigators must understand these limitations and take them into consideration. This will help them find their investigative techniques to better solve cases.

Here are some things that they need to keep in mind regarding the limits of forensic data retention.

Internet service providers store a limited range of data for a limited period of time

Law enforcement officials regularly work with Internet Service Providers (ISPs) such as Comcast and Adelphia. They try to determine the content that suspects are accessing over the Internet. This helps them identify potential terrorists, drug traffickers, people that commit crimes against children and other dangerous criminals.

While data from Internet Service Providers can be invaluable in criminal investigations, the amount of data that law enforcement officials can procure isn’t as expansive as your favorite crime dramas would have you believe. Here are some challenges that investigators face when getting subpoenas for ISP records.

Limited scope of data

Internet Service Providers will retain IP addresses of customers and the servers that they connect to. Armed with this information, forensic investigators can determine which websites suspects are accessing.

However, most ISPs do not keep records of the actual content their subscribers access. There are a couple of reasons for this.

First of all, keeping records of all content would be far more demanding on their servers. They simply don’t have the resources, even in the age of big data.

Even if they wanted to keep these records, it would be impossible to see what content customers are accessing on most websites. Most websites have encrypted connections, so Internet Service Providers can’t tell what their users are doing on them. For example, since Facebook uses HTTPS connections, Internet service providers can’t read the customers’ messages or seewhat content they post on their Facebook feed. Nor can they see what they are searching for on Google.

Time limits on data storage

Even though ISPs store a limited amount of data, they can’t store it forever. They usually only retain these records for 60 days or less.

Law enforcement officials should be aware of the time limits and make data requests as soon as possible. If they delay too long, they may not have a chance to get even the limited data the ISP can provide. This will lose the probable cause to subpoena the other content providers.

The best way to access data is by gaining custody of the device in question

You can only gain so much information from ISPs and other content providers. Sometimes, the only way that you can get the information you are seeking is by getting a warrant to gain access to the suspect’s device.

This is particular important when law enforcement officials need to get access to a suspect’s text messages. Many cellular phone providers don’t store customer text messages at all. Even Verizon, which has one of the most controversial data storage requirements, only stores images and texts for three to five days.

It is much easier to get the content from a customer’s device itself. Even if the customer has deleted the texts, images or other content, it is possible to use a tool to restore the content. You can learn more about this if you are interested.

It is very difficult for customers to completely erase content from the device. This makes it easier for law enforcement officials to make their case.