“Right now SAPS — in its entirety — does not have one single valid licence. Not SAPS, not the Hawks, not Crime Intelligence. Not one. They can’t fulfil their constitutional mandate.”
Sources say the SA Police Service (SAPS) is stuck with expired licences for their digital forensic tools — software and hardware crucial to obtaining and analysing digital evidence from devices like smartphones, laptops and surveillance cameras.
This doesn’t only threaten their ability to download evidence from electronic devices during serious criminal investigations; it also means that defence attorneys can call digital evidence into question and criminals could walk free as a direct result.
A massive tender was aimed at overhauling the digital forensic capabilities of the entire police service — including the crime intelligence division and the Hawks. It was first published in March 2020.
Tender RFB 2096-2019 originally called for hardware and software spanning 25 different digital forensic products. These ranged from technology to extract data from mobile devices and computers, to analysing video footage, to enhancing voice recordings and images, to lie detector and chemical analysis software.
Service providers also had to bid for maintenance of the equipment and certified training for investigators. The contract was to run for three years, with a value of R350-million, according to a source close to the bidding process. Ultimately, the tender was downsized to include primarily mobile device and computer forensics, totalling around R180-million.
Expired licences
But almost three years later, several sources with knowledge of the tender say the bidding process has stalled.
All sources spoke to us anonymously because of the sensitivity of the matter. One source in the private security industry said that the SAPS currently has no valid licences for any of its digital forensic tools, and that most of its licences expired as far back as 2018.
“Right now SAPS — in its entirety — does not have one single valid licence. Not SAPS, not the Hawks, not Crime Intelligence. Not one. They can’t fulfil their constitutional mandate.”
A mobile phone forensic specialist with knowledge of police procurement matters said that the issue of expired licences likely dates back to late 2017.
A third source who is a legal expert in digital forensics and has special knowledge of the police’s operational procedures, said: “I can confirm that the majority of their digital forensic tools are unlicenced. That includes critical mobile device and computer forensic tools.”
The expired licences and outdated software spell disaster for victims of crime in a world where the investigation of serious offences increasingly has a digital component, as one computer forensic analyst with knowledge of police operations explains: “Today, whether it’s a cash-in-transit heist or a robbery or murder… there really aren’t crimes without a digital element to them.”
Visit Daily Maverick's home page for more news, analysis and investigations
This is especially true where mobile devices are concerned, says the mobile forensic specialist.
“Who doesn’t run their life on their phone today? It tells you the story of a person’s life. Be it fraud, kidnapping, murder or white collar crime. You can get amazing evidence — messages, photos, chats, location. But SAPS aren’t getting it.”
And they’re not “getting it”, sources explain, because it can become impossible to extract data from digital devices if you don’t have the latest software. Evidence (known as digital artefacts) isn’t limited to emails, WhatsApp chats and TikTok videos. It also includes data about a device, such as a serial number, which is crucial to linking a phone or computer to its contents when providing evidence in court.
Other evidence types include internet search histories, the specific WiFi hotspots to which a device connected, and the identifying numbers of devices that are linked to each other via Bluetooth.
This data can prove associations between people and indicate their locations at specific times. With the right forensic equipment, it’s also possible to retrieve deleted data. Says the computer forensics analyst: “In principle, an analyst should be able to find any data on a digital device. Be it a phone or a computer, there is a search method for every type of file.”
Proof of intent
Digital evidence is crucial, explains the source in the security industry, because “it’s probably the only forensic evidence with which you can prove intent. If you find a message on my phone that threatens you, or if I search your address on Google before I go to your house and murder you there — that indicates premeditation”.
Digital investigations, says the source, increasingly play a critical role in investigating serious crimes such as terrorism, rape, murder, robbery, poaching and child sexual abuse.
But without up-to-date hardware and software, police won’t be able to extract the data they need from newer devices.
“Most of the time, the products simply won’t work. You’ll turn it on, it’ll say ‘licence expired’, and you can’t use it,” said the mobile forensics expert.
Even if police can use the product, they won’t have access to the tech’s full capabilities. The problem, explains the computer forensic analyst, is with the analysis; usually, the software to extract data from a computer is free, but updating the software licence isn’t. Without frequent updates, there will be data that the police simply cannot locate, or cannot analyse, even if the old version of the software still works.
“There’s a lot of data on a phone. Finding evidence can be like looking for a needle in a haystack.”
And forensic software updates are necessary to keep up with the consumer market, explains the security industry source:
“It puts SAPS on the back foot, because the latest software version supports the latest phones and computers.”
Latest technology
Also supporting the latest products are criminal cartels, explains the computer forensic analyst. “Criminals always have the latest technology, the newest Mac and iPhone.
“A cartel member won’t bother with an old laptop or drive an old car. So the police must have the latest technology.”
But it’s not just getting the evidence off a phone or laptop that’s an issue — it’s also about retrieving and analysing it in a way that’s acceptable in court.
It’s not as simple as taking a screenshot of a WhatsApp message, or forwarding an incriminating email to yourself. Instead, the chain of evidence must be preserved, and the prosecution must prove that the evidence actually came from a specific device without having been manipulated.
Forensic tools, explains the security industry source, let you retrieve evidence “in a version that cannot be tampered with. There’s an audit trail. If a defence attorney cannot find fault with the evidence, they will go after the process in which evidence was collected. And if that doesn’t work, they’ll go after the forensic investigator who collected the evidence”.
One way to go after such an investigator is to point out that they didn’t have recent training to use the forensic software in question. The mobile forensic specialist explains: “You need certified training to give evidence in court. All forensic tools will provide such training to allow an investigator to be an expert witness in court. The certification is important in that respect.”
Says the legal expert: “If I was on the defence’s side, the first thing I would want to know is exactly what tools they’d use when they did their analysis.”
The source explains that if the version of the software was outdated at the time the evidence was analysed, the defence can point out shortcomings by comparing the old to the newer version.
“That can then be used to introduce reasonable doubt.”
Invalid licences, private sector forensics
And there’s yet another weak spot the defence looks for. “I would want to confirm that you have a valid licence. Because if you don’t, then I could attack the legality of unlawfully using the tool.”
The bottom line is this, according to the security industry source: “Anything that goes to court now, the defence will tear them apart because they don’t have licences.”
But before a case can even get to court, the police need to catch the suspect. With the dire state of their digital forensics laboratories, sources say, victims of crime frequently have to turn to the private sector to have their phones or laptops analysed — at their own expense.
“That’s incredibly common,” says the legal expert. “The state literally tells the victim, ‘We don’t know how to do it’. The victims get no assistance in 99% of cases unless it’s a big case for the Hawks.”
“People come to us and say, take the phone, I’ll pay — my wife’s been murdered,” says the mobile forensic specialist.
But, says the source, police don’t always agree to private assistance, even if the victim or their family are willing to pay for it. The legal expert concurs, saying that SAPS may refuse help from the private sector because they fear “looking bad”.
Those in SAPS who don’t mind looking bad, spend significant state resources on private sector forensics, as the security industry source explains: “They spend hundreds of thousands of rands a year on stuff they should be doing themselves.”
Personnel loss
While the procurement lags, the police are also losing skilled forensic personnel to banks, insurance firms and phone companies because they cannot offer competitive salary packages in a field with a dire skills shortage.
The result is that staff find new jobs in the private sector, or are even headhunted.
Says the security industry source: “SAPS (digital forensics) staff are leaving in droves. They aren’t recruiting or retraining. But some guys are soldiering on.”
The legal expert agrees: “A few good people are sticking it out. But a lot of good people just leave.”
In a forensic environment so starved of resources, it’s impossible even for motivated staff to do their jobs properly. As the mobile forensic specialist puts it: “To be honest, I don’t know what they do all day, every day.”
Ultimately, those who pay the highest price are victims who cannot afford private sector assistance, as the security industry source makes clear: “Police say they care about gender-based violence. But what if a woman and her daughter have been abused by the husband, and she goes to the police to show them his harassing messages on her phone? Police cannot get evidence off her phone. The best they can do? They’ll book it into evidence. Maybe they’ll get around to it in two or three years’ time.”
We sent SAPS and the Hawks detailed questions on the crisis. The Hawks referred us to SAPS and police spokesperson Colonel Athlenda Mathe responded:
“The South African Police Service is not at liberty to discuss or comment on investigative techniques and capabilities; or in fact, operational capacity in general, in the public domain. We can however confirm that the SAPS has embarked on various processes and is putting measures in place to enhance its existing cybercrime investigation capacity/capabilities, both human and physical.”
The tender for the forensic products is in the public domain. You can download it here. DM
Heidi Swart is a journalist who reports on surveillance, security and data privacy. This report was commissioned by the Media Policy and Democracy Project, an initiative of the University of Johannesburg’s Department of Journalism, Film and TV and Unisa’s Department of Communication Science.