Royal Malaysia Police Digital Forensic Notes

Royal Malaysia Police (PDRM) Forensic Laboratory Functional Organization

  • The Forensic Laboratory is divided into key sections: Physical Section, Chemical Section, Narcotic Section, and the Quality Management and Accreditation Section.

  • Physical Section: Includes Units for Scene Investigation (CSI), Computer Crime Investigation, and Audio/Video Investigation.

  • Chemical/Narcotic Section: Features units for Document Analysis, Fingerprints (D13), Illegal Drug Laboratories, and Narcotic Analysis.

  • Strategic Ad Hoc Units: Sub Aquatic Forensic Investigation (SFI), Post Blast Investigation (PBI), and CBRNe (Chemical, Biological, Radiological, Nuclear, Explosive).

Digital Forensics: Role, Scope, and Capabilities

  • Role: Scientific examination and analysis of digital media storing data to be used as admissible evidence in court.

  • Core Functions: Extraction of deleted or hidden data and maintaining the Chain of Custody.

  • Staffing levels: Total Analyst capacity for the Physical Section (Digital) is 15. The Computer Crime unit comprises 11 personnel.

  • Comparison: CID D10 possesses broad capabilities across Computer, Cellular, Video, Audio, Document, Data Recovery, and Internet Forensics, comparable to agencies like CSM (CyberSecurity Malaysia) and MCMC.

The Forensic Process Flow

  • Step 1: Request by Investigative Officer using form MF01.

  • Step 2: Registration and Semakan Barang Kes (Evidence Review).

  • Step 3: Receipt of evidence (MF02) and Analysis Processing.

  • Step 4: Reporting and Status notification.

  • Step 5: Return of evidence (MF03).

Analysis Tools and Evidence Recovery

  • Identification: Standard devices include cellular phones, hard drives, SIM cards, and memory cards. Easily missed items include USB drives disguised as innocuous objects (e.g., car keys or chapstick).

  • Forensic Software: Industry-standard tools used include EnCase, FTK (Forensic Toolkit), XRY, Cellebrite UFED Touch (for logical/physical extraction), Magnet AXIOM, and Oxygen Forensic® Detective.

  • Technical Methods: Keyword searching using Regular Expressions (RegExp), Hashing (MD5, SHA1, SHA256) for data integrity, and Video Enhancement (license plate ID and Face ID).
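The two technical methods listed above (hashing for data integrity and RegExp keyword searching) and the chain-of-custody function listed under Core Functions can be shown together in a short script. The following is an added example written for these notes, not a tool used by PDRM or part of any of the products named above. The "image" is a constructed byte string standing in for an acquired drive image, the exhibit label is a placeholder, and the keyword patterns (e-mail address, Malaysian mobile number, one search term) are assumptions chosen for illustration.

```python
import hashlib
import re

# Constructed stand-in for an acquired disk image (not a real exhibit):
# slack bytes, an e-mail header, a contact line and a browser search term.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"From: sender@example.test\r\nSubject: farewell\r\n"
    + b"\x00" * 32
    + b"Contact: 012-3456789 or +60123456789\r\n"
    + b"\xff" * 16
    + b"search: paracetamol dose\r\n"
)

# The three algorithms named in the notes; computing all three in one pass
# means the image is read once, which matters for multi-terabyte exhibits.
HASH_ALGORITHMS = ("md5", "sha1", "sha256")


def hash_image(data, algorithms=HASH_ALGORITHMS, chunk_size=65536):
    """Return {algorithm: hexdigest} over data, read in fixed-size chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquisition_record(exhibit_label, data):
    """Build the integrity part of a custody record: digests taken at acquisition.

    exhibit_label is a placeholder string; a real record would also carry the
    form references, handler identity and timestamps from the lab's process.
    """
    return {"exhibit": exhibit_label, "size": len(data), "digests": hash_image(data)}


def verify_against_record(record, data):
    """Recompute every digest in the record and report which still match.

    Any False value means the working copy no longer matches what was acquired,
    so the analysis result cannot be tied back to the original exhibit.
    """
    actual = hash_image(data, record["digests"].keys())
    return {name: actual[name] == digest for name, digest in record["digests"].items()}


# Assumed keyword patterns (bytes regexes, so they run over raw image data
# without assuming a text encoding). Labels are for the analyst's report.
KEYWORD_PATTERNS = {
    "email": rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}",
    "my_mobile": rb"(?:\+60|0)1\d[-\s]?\d{7,8}",
    "search_term": rb"(?i)paracetamol",
}


def keyword_search(data, patterns=KEYWORD_PATTERNS):
    """Return (label, byte offset, matched text) hits sorted by offset.

    Offsets are kept so each hit can be located again in the image for
    carving or for citing the exact location in a report.
    """
    hits = []
    for label, pattern in patterns.items():
        for m in re.finditer(pattern, data):
            hits.append((label, m.start(), m.group().decode("latin-1")))
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    record = acquisition_record("EXHIBIT-PLACEHOLDER-001", SAMPLE_IMAGE)
    print("acquisition digests:", record["digests"])
    print("intact copy verifies:", verify_against_record(record, SAMPLE_IMAGE))
    tampered = SAMPLE_IMAGE[:-1] + b"\x00"  # one byte changed in the working copy
    print("tampered copy verifies:", verify_against_record(record, tampered))
    for label, offset, text in keyword_search(SAMPLE_IMAGE):
        print(f"{label:12s} @0x{offset:08x} {text}")
```

The digests are computed before any keyword search runs and re-checked afterwards; a single flipped byte in the working copy turns every algorithm's result to False, which is the property that lets the search hits be attributed to the acquired exhibit rather than to a drifted copy.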

Operational Statistics and Standards

  • RMP Case Load (2002 to 2024): Total Cases: 59,457. Total Exhibits: 256,428.

  • Accreditation:
      * MS ISO/IEC 17025: Accredited for Ballistics, Document Analysis, Vehicle Examination, DNA Databank, and Fingerprints.
      * MS ISO/IEC 27001:2013: Information Security Management System (ISMS) certification covering Document, Audio/Video, Computer Crime, and Liaison units.

High-Profile Forensic Case Studies

  • Lahad Datu Intrusion (2014): Use of military-style forensics to track terrorist movements.

  • MH370 (2014): Collaboration with the FBI to analyze pilot flight simulator data, recovering deleted logs from 3 February 2014.

  • UPSR Leak (2014): WhatsApp tracing utilized to correlate senders and receivers of exam questions.

  • Kim Jong-nam Assassination (2017): Extensive CCTV analysis at klia2 to identify four North Korean operatives.

  • Valentine’s Day Murder (Cheong Teik Keon Case): Digital analysis of the defendant’s laptop recovered farewell emails and specific Google searches for "suicide methods," "seppuku," and "paracetamol suicide dose." This contested the insanity defense by proving premeditation and intent.