Lockpicking Forensics - RSS 2.0 Feed
Lockpicking Forensics - ATOM 1.0 Feed

 

Forensic Investigations

This page focuses on methodology and proper procedures of a forensic locksmithing investigation. Investigations are broken down into several steps: crime scene investigation, laboratory examinations, investigative reports, and expert testimony. Some investigations may not require all steps; evidence may be mailed to you, testimony may not be required, and so on.

The goal of the investigation should be clearly defined from the start. Many investigations will not require that you exhaust all possibilities, but instead give you a clear, direct goal. For example, identifying if a key could have been used to open a lock, if the lock has any pick marks, or if a key machine was used to make a specific key. All of this depends on who the forensic locksmith is working for; insurance companies only need facts relating to their liability, but criminal investigations will be looking for as much information as possible.

Everyone has their own way of doing things in an investigation; an order, preferred tools, personal beliefs. The following are my personal beliefs on how proper crime scene investigations are conducted. They should not be taken as final, and you should experiment to find what works best in your investigations.

Initial Questions

The following is a list of initial questions that should considered during the investigation. They are very helpful in narrowing down possible methods of entry, suspects, and providing other information.

  • What are the obvious signs of entry?
  • Was entry successful? Why?
  • Which locks, if any, were opened or manipulated to affect entry?
  • What is the relative security of the locking system?
  • Are there any known vulnerabilities with the locking system?
  • Was the locking system properly installed?
  • Does the lock function properly?
  • Could any windows or doors have been left open or unlocked?
  • Are all known keys accounted for?
  • Were working keys left in easy to access areas? (Desks, cabinets, etc.)
  • Are there any tool marks or trace evidence?
  • Were any tools left at the crime scene?
  • Were any parts of the crime scene cleaned or repaired?
  • Were any dangerous substances left or created at the crime scene?
  • Does the value of the stolen goods correlate with the apparent method of entry?
  • Could any employees have been responsible, intentionally or unintentionally?
  • How often is the lock operated per day?
  • Was the lock found unlocked or locked?
  • Have any keys been used on the lock since entry was accomplished?

In any investigation, the first thing to do is determine what the method of entry was. This information will allow the forensic locksmith to determine the average time required for entry, the tools used, the noise made during entry, and the skill level of attackers. All of this is passed on to insurance or law enforcement personnel in order to properly identify and link suspects to a crime, provide proof that the insurance claim is valid or not, and other things, depending on who is employing the forensic locksmith.

Crime Scene Investigation

A thorough examination at the scene of the crime yields valuable insight and provides leads for the forensic locksmith and investigators to follow. Experienced forensic locksmiths can quickly rule out many possibilites and focus on what is relevant to the current case. The key to examination of the crime scene is documentation and photography. You will only have one chance to investigate the crime scene, in most cases, so make it count. Write down, sketch, and photograph as much information as possible. Be thorough, detailed, and (most importantly) organized. It may be many months before you are asked to provide expert testimony on the crime scene, so make sure to organize your notes in a logical way so that the crime scene details can be recalled without difficulty.

When first arriving at the crime scene, the forensic locksmith makes a sketch of the crime scene and surroundings. Use a compass to properly document the orientation of objects at the crime scene. Of course, you do not need to be Van Gogh, just simple sketching of shapes is enough. Remember, the purpose of sketching is to quickly recall of the layout of the crime scene at a later date. This is a personal preference, but I found that Don Shiles' method, described in an interview from Locks, Safes, and Security, is very effective. He recommends using colored markers to help remember different types of objects. His coloring scheme is:

  • Black: Notes
  • Red: Evidence (tools, locks, safes, doors)
  • Green: Shrubbery, plants, trees
  • Blue: Everything else

After making the sketch, the forensic locksmith will evaluate the condition of all locking systems, any tools left at the scene, and any trace evidence found. Many notes and photographs will be taken here, and some basic information may be added to the sketch where needed. The number and type of locks may be noted, as well as their current states, the direction they must be turned to unlock (while mounted), and whether or not the lock has been used in any way after the crime was allegedly committed.

Once the forensic locksmith has completed his investigation of the crime scene, locks will be removed for further analysis. All locks must be photographed prior to being disassembled and removed from the scene. Once photographed they must be carefully removed from their mountings and properly labelled with their location, their current state, and other information. Obviously, the disassembly process should only be done by a qualified locksmith. All parts of the locking system (including strikes, bolts, mounting screws) are stored as evidence. Once removed, the walls, doors, and other areas where lock components were mounted are examined for any additional tool marks or trace evidence, including indications that the lock was repaired or replaced.

If working with law enforcement, they may provide the facilities to "bag and tag" the evidence. Otherwise, the forensic locksmith uses evidence bags (or the budget option, household freezer bags) to store and document evidence. All evidence should be labeled properly and sealed. A popular method of sealing evidence is through the use of so-called "evidence" tape, which provides indications whenever it is tampered with. A good method of ensuring that evidence has not been tampered with is to seal the evidence bag with the proper tape and then put your signature over the tape. While not 100% effective, it does provide a reasonable amount of protection when transporting or storing evidence yourself.

Things to remember:

  • Place tape over both ends of the lock to prevent anything from falling out or going in. If necessary, place tape on the bottom and top of the lock, too.
  • Document which way the lock normally turns to unlock (while mounted).
  • Document the state the lock was found in (locked, unlocked, plug partially turned).
  • Color code your sketches so that they may be easily deciphered at a later date.
  • Take lots of pictures, you only have one chance!
  • Properly collect, catalog, and store evidence. Evidence bags and tape are recommended.
  • If working with law enforcement:
    • Always ask permission to do anything.
    • Always ask personnel to do or move things for you, such as opening doors and moving objects (a plant, for example) at the crime scene.
    • If working with a crime scene photographer, specify exactly what objects or marks need to be visible in photographs.

Toolkit for crime scene investigations:

  1. Notebook
  2. Pens/markers (different colors)
  3. Camera & tripod
  4. Evidence bags (if not provided)
  5. Masking tape, "evidence" tape
  6. Disposable plastic/latex gloves
  7. Compass
  8. Disassembly tools (screwdrivers, wrenches, etc)
  9. Optional: Handheld microscope

Laboratory Investigation

Once the crime scene investigation is complete the forensic locksmith can continue with the laboratory examinations. In this phase we address six major areas:

  1. Purchase, installation, and maintenance details
  2. Lock specifications
  3. Lock operation and functionality
  4. Lock security
  5. Tool mark and material transfer identification
  6. Key analysis

Purchase & Installation

Knowing where the lock came from, who installed it, and who maintains it is absolutely essential to an investigation. This information might not only reveal the method of entry, but it may have legal or insurance consequences if the lock was not installed or maintained properly.

  • Where and when were locks purchased?
  • Are all keys factory-original?
  • Who installed the locks?
  • Who maintains the locks?
  • Have the locks been serviced recently?
  • Do keying records exist, if so, could they have been compromised?
  • For keying records, has there been any recent inquiries or key requests?

Lock Specifications

The installation, design, and model specifics of the lock will determine what the relative security of the lock is. Locks that have been poorly installed, poorly maintained, or modified prior to entry may have little ability to resist compromise. This part of laboratory examinations identifies the lock and components, the lock characterstics, and expected resistance to compromise.

  • What is the brand and model of the lock?
  • What is the lock design? (i.e. pin-tumbler, lever, warded, etc.)
  • What is the lock type? (i.e. mortoise, rim, key-in-knob, european profile, padlock)
  • Has the lock been properly assembled?
  • Was the lock been properly installed?
  • Are all components factory-original? (including springs, screws, strikes, etc)
  • Are any components missing?
  • Does the lock have any ball bearings?
  • Does the lock have any anti-drilling or anti-cutting features?
  • Does the lock have a security rating?
  • For components (factory data):
    • Number of components
    • Shape (for pins, flat, rounded, pointed, angled, nippled, etc)
    • Size
    • Design (any non-standard or security features)
    • Position
    • Alignment (if applicable)
    • Color (if applicable)

Analysis of the size of components means that they are measured to determine their actual size as well as their bitting code. In pin-tumbler locks, the full length of the pin pairs and springs is measured to determine if a comb pick could be used. The position of components is especially important in dimple locks that do not use all of their pin chambers.

Lock Operation

This phase of the investigation determines the current state of the lock in terms of age, wear, and how well it operates. This must be done with great caution, because if done wrong it has a large effect on tool mark and material transfer examination. Care is taken not to destroy evidence or create false evidence that may be incorrectly interpreted or confusing. This is especially true if a key will be used to test if the lock can be operated. What happens in this phase depends on the preferences of the forensic locksmith and the sensitivity of the case.

  • Does anything block keys from being inserted into the lock?
  • Is there a broken key in the lock?
  • Does the working key(s) fit into and open the lock? If no, why not?
  • Does the key need to be jiggled or lifted to work?
  • Is the lock heavily worn, or excessively dirty?
  • Are the chamber casing or individual chamber screws loose?
  • Are the cam screws loose?
  • Are all retaining clips fastened properly?
  • Has the lock been moved to a "picked" position?
  • Could normal operation of the lock move it to a picked position?
  • Are the correct size components being used?
  • Are the correct number of components being used?
  • Do all components exhibit the same amount of wear?
  • Are the correct number, type, and position of security components being used?
  • Is the lock master keyed?
  • Are master components too small, too large, or improperly placed?
  • Are springs present? If so, are they the proper size and tension?
  • Are springs broken or compressed?
  • For components (lock-specific data):
    • Number of components
    • Shape (for pins, flat, rounded, pointed, angled, nippled, etc)
    • Size
    • Design (any non-standard or security features)
    • Position
    • Alignment (if applicable)
    • Color (if applicable)

Testing if the key(s) work for the lock is a delicate procedure. This must be done while the lock is intact; before it is disassembled. Unfortunately, you cannot disassemble then check because the lock would be in an altered state. The components are checked for looseness because loose components, especially the cam screws and retaining clips, leave erratic markings in the lock. Checking if the lock is in a picked position is helpful, but not altogether damning. Locks with a staircase style bitting may allow a key to be removed prematurely from the lock, and most tubular keys can be modified to remove the key prematurely (sometimes used as a poor-man's key control measure).

Once the lock has been operationally tested it can be disassembled and components examined. If disassembly is destructive, you must first get permission to do so. Once disassembled, components are cross-checked with our lock specifications to determine which components are factory original. We also check to make sure that all components are proper for a given lock; proper security components, proper number of components, and so on. All of these steps are photographed and documented for later reference. Beyond that, we check the relative wear of all components on a graded scale:

  1. New; no wear
  2. Minimal wear; high tolerance
  3. Average wear
  4. Heavy wear; low tolerance
  5. Extreme wear; unreliable tolerance

Components may conflict with the expected level of wear, either by being too worn or too new. In the former, we might be wondering why components are more worn than expected. Were they not new when purchased, installed, or rekeyed? Could an attack against them accelerate wear? In the latter case, we might consider if components have been replaced, rekeyed, or recently serviced.

Lock Security

Lock specifications provide the security baseline offered by the lock, but may not accurately describe the security of the lock that is being examined. In many cases the lock has been assembled incorrectly, is missing components, or has substitute components. All of these factors can dramatically affect the lock's ability to resist compromise. This stage of laboratory investigation evaluates the actual security of the lock to identify possible avenues of attack.

  • What is the security rating of the lock?
  • Has the lock been assembled correctly?
  • Are all components factory original?
  • Are all components present?
  • Does the lock use security features on components? (i.e. security pins, serrated levers/wafers, false notch discs)
  • Are all security components present? (i.e. security pins, sidebars, profile bars/pins)
  • Have lock components been added, removed, modified, or replaced to affect resistance to compromise?
  • Are there any known attacks for this brand/model of lock? (i.e. decoding, bypass)
  • Are there any known attacks against specific components in this lock?
  • Can the lock be picked easily?
  • Are component positions conductive to picking?
  • Are there any anti-picking features?
  • Can the lock be impressioned easily?
  • Can the lock be decoded easily?
  • Can the lock be bumped open?
  • Can the lock be opened with a comb pick or other overlifting attack?
  • Are there ball bearings, rods, or discs to prevent forced entry?
  • Is the lock master keyed? How many levels of master keying exist?
  • Does the lock use a restricted or patented keyway?
  • Does the lock have a paracentric keyway?
  • Does the keyway frustrate attempts at manipulation?
  • Does the lock provide any measure of key control besides warding?
  • How difficult is it to manufacture a key blank for the lock?
  • Is the lock considered high tolerance?
  • Does the lock have a round or flat plug to cylinder mating surface?
  • Has the top of the plug been filed flat?
  • Have components been manually shaped to proper size?
  • Does the lock appear to have been worked on by an amateur locksmith?
  • Does the lock show any signs of being repaired or replaced?
  • Is the lock removable, rekeyable, or reprogrammable without disassembly?
  • What is the assessed security against manipulation for this lock?
    1. No security
    2. Low security; minimal skill required.
    3. Medium security; moderate skill and time required.
    4. High security; high skill, time, and money are required. Specialized tools may also be a prerequisite.
    5. Extra-high security; very difficult to open. Extreme time, money, skill, and complex tools are required to open this lock.

  • What is the assessed security against force for this lock?
    1. No security; can be opened by manual force. (i.e. pulling, kicking, punching)
    2. Low security; can be opened with simple hand tools.
    3. Medium security; can be opened with simple power tools.
    4. High security; can be opened with power tools, but requires time and skill.
    5. Extra-high security; can be opened with extreme time, skill, and expensive tools.

Analyzing the security of the lock is fairly straightforward. We look at all the characterstics of the lock in question and identify any deviations from factory standards. In many cases components are missing or substituted, leaving the lock with a reduced ability to resist compromise. The depth of the forensic locksmith's knowledge of compromise techniques will be essential in order to identify any model or design specific attacks against a given lock.

Tool Mark Identification

The preceding sections have all served to better understand the lock as it is and should be. They help the forensic locksmith to identify specific security problems with the lock so that laboratory tests can be selected to best identify evidence that helps determine method of entry, skill level of suspects, and (most importantly) identify suspects. This stage will identify specific tool marks left behind by various compromise techniques. Microscopy and macrophotography are used to provide detailed pictures of the components and any tool marks they contain.

It is important to remember that all tools have unique characterstics developed by the manufacturing process and wear. These characteristics can be identified from tool marks found on components and linked to the suspect's tools. Examination of tool marks identifies both the class of the tool mark (i.e. screwdriver, wrench, drill, etc) as well as any characteristics specific to the tool. The class of tool may indicate the method of entry and the skill level of the attacker.

  • What class does the tool mark belong to?
  • What are the unique characteristics of the tool mark?
  • Could tool marks be the result of normal wear?
  • Could tool marks have been made during installation?
  • Could tool marks have been made during maintenance or rekeying?
  • What type and size of tools were used?
  • Do tool marks indicate any common compromise methods?
  • Does the direction of tool marks correspond with a compromise method?
  • Does the angle of attack correspond with a compromise method?
  • Does the position of tool marks correspond with a compromise method?
  • What do the tool marks indicate about the skill level of the attacker?
  • Do tool marks indicate conflicting tools/techniques?
  • Do tool marks indicate an attempt to hide the real method of entry?
  • Do tool marks indicate an attempt to simulate forced or covert entry?
  • Do tool marks fit into any of the following compromise categories?

Tool mark identification is a huge topic, and specific examples of covert and destructive entry techniques and their tool marks are available with the links above or on the left hand navigation bar. If tools are found with a suspect that match the class of marks found by investigators a tool mark comparison may be conducted to determine if suspect tools were in fact used in the crime.

Material Transfer

In the previous stage we identified tools used to affect entry and the forensic evidence they leave behind. In a similar fashion, this stage identifies any materials transferred between locks, tools, and their surroundings. It is not uncommon to find wood, metal, paint, blood, hair, fiber, and other materials, all of which may be found inside the lock itself, on keys, on tools, or in the surrounding area.. All materials transferred may help to determine the method of entry and identify suspects. All materials found in the lock are evaluated to determine their origin and relevance to the investigation.

  • Could material transfer be a result of:
    • Manufacturing processes
    • Installation or maintenance
    • Normal use
    • Keys, new or poorly cut (consider key material, too)
    • Vandalism or sabotage
    • Compromise technique(s), including previous attempts
    • Planting of evidence
    • Corrosion or oxidation
    • Environmental conditions

  • What materials are present in the lock components?
  • Do the lock or components use any proprietary alloys?
  • Are different materials used for various components?
  • Are materials found different from the lock components, including keys?
  • Are materials normally used in installation or maintenance? (i.e. lubricant, cleaning solutions)
  • Is material transfer present on or around tool marks?
  • Can materials on locks or keys be matched to a specific origin?
  • Can materials on tools be matched to a specific locks or components?
  • Does the amount, position, and method of transfer for materials appear natural?
  • Does the placement of material(s) conflict with the method of entry?
  • Could material transfer be the result of planting evidence?

Key Analysis

Equally important to examination of locks and tools is the examination of keys. Because keys are handled by users they provide an excellent source of forensic evidence. To the forensic locksmith, keys may provide insight as to the method of entry, skill level of attackers, and identification suspects. If keys lead investigators to locks outside of the crime scene they can also help to locate victims, evidence, contraband, and stolen items.

See the key analysis page for more information about forensic evidence available from keys.

Material, Cuts, Keyway, Codes

  • What material(s) is the key made of?
  • Is the key plated? Does plating include bitting surface(s)?
  • Is the key "synthetic"; made out of a nonstandard object or material? (i.e. flat piece of metal or plastic)
  • Is it the proper key blank for locks under investigation?
  • Has the key profile/warding been modified to fit locks under investigation?
  • Does the key, in fact, fit the keyway of locks under investigation?
  • Is the key profile or type common to the area?
  • Is the key profile patented, restricted, or possession considered illegal?
  • Does the key bow help identify manufacturer?
  • Does the key have any identifying codes or logos?
  • If present, are key bitting codes direct or indirect?
  • If indirect bitting codes are used, can the manufacturer identify the owner?
  • What type of components does the key interact with?
  • How many components does the key interact with?
  • How many bitting surfaces does the key have? How many are actually used?
  • What are the cut depths of the key? Do they correspond to factory standards?
  • Are ramp angles for the key cuts proper?
  • Do the cut depths follow maximum adjacent cut specifications (MACS)?
  • Does the key follow shoulder-to-first cut and cut-to-cut specfications?
  • Are any cuts jagged, cracked, or otherwise mis-shapen?

Key History & Duplication

  • Who manufactured the key blank?
  • What is the availability of the key blank?
  • Is the key hand-made, machine cut, or stamped cut?
  • Is the key a factory original, licensed blank, knock-off, or duplicate?
  • If the key is a duplicate, can generation be ascertained?
  • Has the key been recently cut?
  • Has the key been recently duplicated?
  • How much wear does the key show?
  • If machine cut, was the key accidentally tilted at an angle?
  • If machine cut, do cuts travel along the bitting surface or drop straight down?
  • Does the key require a special cutting machine to be made?
  • Has the key been modified to obfuscate its purpose?

Key Systems & Security

  • Is the key part of a master keying system?
  • What type of master keying system is used?
  • What rank or level is the key in the system?
  • Is the master key system properly designed and implemented?
  • Can the master keying system be easily decoded?
  • Is the master keying system too complex, leading to high rates of cross-keying?
  • Does the key have any high security features?
  • Is the key brand or type primarily used in high-security areas?
  • Is the key used in niche areas? (i.e. vending machines, lockers, luggage)

Investigative Questions

  • Has the key been modified in any way?
  • Does the key have any tool marks?
  • Do tool marks indicate method of creating or using the key?
  • Does the key have any foreign materials?
  • If hand-made, what tools were used to do so and can they be identified?
  • If machine cut, can the key be tied to a specific cutting machine?
  • Is the key a depth key? (uniform cut depths)
  • Is the key a bump key? (uniform low cut depths)
  • Is the key a tryout key? (deviated cut depth and/or spacing)
  • Does the key appear to have been used for copy-based impressioning?
  • Does the key appear to have been used for manipulation-based impressioning?
  • Were any keys ever lost or stolen?

Investigative Report

Once laboratory examinations are complete the investigative report is compiled. This report summarizes the facts of the case, the apparent method of entry, and any other information that may be useful to investigators, such as material transfer or trace evidence found. In high profile cases it may be prudent to include supporting examples in your report. For example, taking three duplicate locks, with the same type of keys and bitting codes, and performing picking, bumping, and impressioning on them. These test locks can be examined and included in the report to support your findings, either by being similar to the evidence from the actual case, or completely different. Of course, this is somewhat costly and requires more time to complete, so it will probably not be done for every case.

See the Forms & Reports page for more information on writing investigative reports.

Testimony

The forensic locksmith may be asked to provide expert testimony in court for the prosecution, defense, or as an independent witness. The role of the forensic locksmith, as an expert witness, is to provide the judge or jury with the facts so that they have a complete picture of the situation. As an expert witness he/she is entitled to compensation for their time and insight into the case.

As an expert in a field that most people know little about, it is helpful to prepare diagrams and animations for the judge or jury to understand what you are talking about. Locks are inherently simple mechanical devices, and only security through obscurity prevents most people from understanding them. This assumes that the side that will benefit from the facts wants these details brought to light. In many cases the expert witness can answer only the questions posed rather than speak freely. This, of course, depends on your level of expertise and your jurisdiction's laws concerning expert witnesses.

^Top