Transportation accident scenes are a mess. When field investigators arrive on scene they may be faced with an array of issues including dangerously bent metal, human remains, uncooperative weather and other challenging working conditions. In this context and competing against other evidentiary demands, investigators must triage electronics that may have forensic value for the nascent investigation.
In 2017 the US National Transportation Safety Board (NTSB) completed 449 readouts of electronic devices and issued three recommendations related to recorders, according to the 2017 NTSB Annual Report to Congress. The NTSB’s frequent experience with electronics contributes to efficient recovery of data from electronics in transportation accidents; this efficiency may be why foreign investigators collaborated with the NTSB Vehicle Recorder Division on 43 devices in 2017.
Accident investigators with subject matter expertise in transportation but less specific expertise in electrical engineering or electronics are some of the initial personnel on-scene of a transportation mishap. These investigators are charged with initiating an investigation and collecting perishable evidence for use in the investigation, including electronic devices that may have immense forensic value to the investigation. Investigators must triage the electronic devices and make on-the-spot decisions as to which devices have forensic value. These decisions are made based on individual training and experience, collaboration with on-scene and remote experts, on-the-fly internet searches and job aids. Absent a definitive field conclusion as to forensic value, an investigator may err on the side of collecting a device for further review by a subject matter expert in electronics.
Field work is fraught with challenges to making effective decisions about which electronic devices have forensic value. Investigator training and experience may not be sufficient to evaluate all the electronics found on-scene. Collaboration with on-scene experts may be limited due to the location and/or timeliness of the response. Collaboration with remote experts or internet searches may be limited by the remote nature of the mishap site. Investigator job aids may consist of notes or files that may be difficult to access, individually collected and/or organized, or otherwise siloed from a greater set of institutional knowledge.
Furthermore, valuable knowledge gained by a responding investigator may not flow up the organization, not to mention the broader international community of like-minded investigators, resulting in experiences remaining an individual affair and not being memorialized into institutional knowledge. Each of these factors results in a resource-constrained, personality-driven approach to how electronics are harvested on-scene as opposed to a resource-rich, organizationally-driven process ripe for interorganizational knowledge sharing.
While many mishaps contain electronic devices that have been researched from prior accidents, this institutional knowledge is often too immense to be available to the field investigator. One reason this limited access to institutional knowledge is accepted is that, when in doubt, the field investigator will preserve the perishable electronics and then consider the value later. While this approach protects the integrity of the investigation, it is inherently inefficient.
Investigations can take upward of one year to accomplish; in 2017 the NTSB noted that approximately 750 investigations were exceeding the allotted time for completion, nearly all due to limited resources and backlogs of electronic forensic work. Efficiency is therefore a necessary consideration to reduce investigation time, and it ultimately contributes to a safer transportation system through more efficient resource utilization, shorter time for recommendations to be shared with the transportation community, and more in-depth investigative output for a given resource input.
Providing field investigators with an efficient job aid to access historical, institutional knowledge from past investigations is one way to create a resource-rich, organizationally-driven approach for triaging electronics.
In the United States, 49 USC 1119 charges the NTSB with maintaining a public classification system of aviation accident data. In order to accomplish this obligation, various datasets are utilized. Figure 1 shows the structure of the NTSB Aviation Accident and Incident Database (available from the NTSB AvAll FTP Server). Data structures (other than metadata) are: events, aircraft, cabin crew, flight crew, narratives, engines, injury, aircraft and sequence of events. Absent from this classification system is a data structure related to electronics found on aircraft.
In addition to the NTSB Aviation Accident Incident Database, all investigations across all transportation modes contain a public docket of factual and analytical reports that form the substance of the final investigative report. Docket items contain reports of areas such as meteorology, air traffic control, operations, human factors, materials and electronics. The public manifestation of these reports is organized in dockets by a descriptive title. An investigation may contain only a few to hundreds of docket items. Countries other than the United States generally do not publish a full docket; rather, they only publish the final investigative report with synoptic discussions supporting the investigation.
Considering electronic investigative information sources, until the introduction of Forensic Field Assistant, there was no structured set of information describing electronics at a forensic level. The absence of such information leads to siloed, experientially-based, personality-driven approaches to field investigation by investigators and impairs a process-driven approach to intra- and inter-organizational knowledge sharing.
Forensic Field Assistant
After about 2009, the NTSB maintained an internal job aid for its investigators to look up basic electronic device memory characteristics. Forensic Field Assistant expands on the basic job aid with the rich set of data elements shown in Figure 2 presented on a portable, mobile interface. At the top of the hierarchy are device manufacturers, followed by devices made by those manufacturers. Manufacturers and device data elements include aliases, common misspellings, and prior company names (for example, Bendix/King is aliased to Honeywell). Each device has four major components: forensic summary, photographs, documents and investigations.
The forensic summary contains a description of the device along with data protection and recovery tips. Non-volatile memory (NVM), volatile memory (VM), and telemetry capabilities are structured elements of a device. For those devices having NVM or VM data, the parameters and sample rates are available as subordinate lists. For those devices with telemetry capabilities, such capabilities are described in a narrative.
Photographs are collected, each with its source clearly identified in a traditional citation format. Citations are further refined into source organization and source reference number.
Documents generally contain detailed factual reports about the particular device published by an investigative organization. These reports typically describe the device, its NVM/VM/Telemetry capabilities, how data was recovered, what data was recovered, sample rates, and data recovered expressed as narratives, plots, geographical overlays, and/or tabular data. Source citations are part of the data element.
Investigations provide a cross-reference to the investigations in which the electronic device was found, containing a narrative of the aircraft type, registration number, and probable cause. Like other data elements, the source citation is included.
The data architecture forms the basis for a user interface conducive to searching and presentation of the information, as shown in the montage in Figure 3. The search interface provides a free-form, multi-field search capability from one simple search box. As each character is typed, search results are displayed. From search results, the subordinate data elements for a device may be accessed. A free version of the app is available on the Apple App Store showing the full breadth of the content; the full depth of the content is available via subscription.
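The hierarchy and search behavior described above can be sketched as follows. This is an added example, not the app's own code: the class names, the prefix-matching rule and all device records are assumptions constructed for illustration, and only the Bendix/King to Honeywell alias comes from the article.

```python
import re
from dataclasses import dataclass, field

def norm(text):
    """Lower-case and reduce punctuation to spaces: 'Bendix/King' -> 'bendix king'."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()

@dataclass
class Device:
    name: str
    manufacturer: str                      # canonical manufacturer name
    nvm: bool = False                      # non-volatile memory present
    vm: bool = False                       # volatile memory present
    telemetry: str = ""                    # narrative; empty when none
    parameters: dict = field(default_factory=dict)  # parameter -> sample rate (Hz)

class Catalog:
    def __init__(self, aliases, devices):
        # aliases: canonical manufacturer -> prior names and common misspellings
        self.aliases, self.devices = aliases, devices

    def _words(self, dev):
        # One searchable word set per device: device name, manufacturer, and aliases.
        labels = [dev.name, dev.manufacturer, *self.aliases.get(dev.manufacturer, [])]
        return set(norm(" ".join(labels)).split())

    def search(self, query):
        """Names of devices for which every query token prefixes some indexed word."""
        tokens = norm(query).split()
        if not tokens:
            return []
        return [d.name for d in self.devices
                if all(any(w.startswith(t) for w in self._words(d)) for t in tokens)]

    def as_you_type(self, text):
        """Result list after each keystroke, as an incremental search box would show."""
        return [(text[:i], self.search(text[:i])) for i in range(1, len(text) + 1)]

# Constructed sample data (hypothetical devices and values).
CATALOG = Catalog(
    aliases={"Honeywell": ["Bendix/King", "Honeywel"], "Example Avionics": ["ExampleAv"]},
    devices=[
        Device("DEMO-100 Navigator", "Honeywell", nvm=True,
               parameters={"latitude": 1.0, "longitude": 1.0}),
        Device("DEMO-200 Engine Monitor", "Example Avionics", nvm=True, vm=True,
               telemetry="Constructed placeholder narrative."),
    ],
)
```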
Data Culling Process
Data is culled using the methodological process shown in Figure 4. Automated tools are used to download all new docket titles from the NTSB docket system. These titles are then text mined using semi-automated heuristics to whittle the large number of docket titles down to those titles with potential electronic device information. Each of the potential documents is opened by an experienced engineer, who then extracts relevant information and adds it to the Forensic Field Assistant dataset. Report sources from the NTSB are inherently public domain publications not subject to copyright.
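One way the title-mining step could work, shown as an added example rather than the tool's actual heuristics: the keyword rules, weights and threshold are assumptions, and the docket titles are constructed. Titles that clear the threshold form the queue an engineer would open by hand, with the matched reasons attached.

```python
import re

# Assumed heuristics (pattern, weight, reason); each rule counts once per title.
RULES = [
    (r"\b(gps|efis|fdr|cvr|ecu|fadec|nvm)\b", 3, "device acronym"),
    (r"\b(recorder|avionics|engine monitor|data logger|tablet)\b", 2, "device term"),
    (r"\b(download|readout|memory|non-volatile)\b", 2, "data-recovery term"),
    (r"\bspecialist'?s? (factual )?report\b", 1, "specialist report"),
    (r"\b(witness|interview|medical|toxicology|meteorology|weather)\b", -3,
     "non-electronics topic"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), w, r) for p, w, r in RULES]
THRESHOLD = 2  # assumed cut-off for sending a title to human review

def score_title(title):
    """Sum the weights of every rule that matches; return (score, reasons)."""
    score, reasons = 0, []
    for rx, weight, reason in COMPILED:
        if rx.search(title):
            score += weight
            reasons.append(reason)
    return score, reasons

def triage(titles, seen=()):
    """Review queue of new titles scoring >= THRESHOLD, highest score first."""
    seen_keys = {t.casefold().strip() for t in seen}
    queue = []
    for title in titles:
        key = title.casefold().strip()
        if key in seen_keys:          # already processed in an earlier run
            continue
        seen_keys.add(key)
        score, reasons = score_title(title)
        if score >= THRESHOLD:
            queue.append((score, title, reasons))
    return sorted(queue, key=lambda item: (-item[0], item[1]))

# Constructed docket titles, not taken from any real docket.
SAMPLE_TITLES = [
    "GPS Device - Specialist's Factual Report",
    "Witness Interview Summary",
    "Engine Monitor Data Download",
    "Pilot Medical Records and Memory Assessment",  # 'memory' is a false lead
    "Airworthiness Group Chairman's Factual Report",
    "Onboard Image Recorder Study",
    "ENGINE MONITOR DATA DOWNLOAD",                 # duplicate of an earlier title
]
```

The negative rule is what keeps a title such as the constructed medical-records one out of the queue even though it contains "memory".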
Forensic Field Assistant fills the electronic device data gap in existing international investigative datasets. By creating a third-party library of electronic forensic information, investigators around the world now have a job aid to improve their field efforts with respect to complicated electronics.
The mere existence of this mobile tool may alter the behavior of investigative organizations in how they make electronic forensic reports publicly available. Detailed reports of electronic device recovery published by investigative organizations (describing the device, its NVM/VM/Telemetry capabilities, how data was recovered, what data was recovered, sample rates, and data recovered expressed as narratives, plots, geographical overlays, and/or tabular data) can be captured by Forensic Field Assistant to advance the craft of accident investigation by maintaining a comprehensive dataset of electronic device forensic information.