Forensic Locksmithing

“Nothing has such power to broaden the mind as the ability to investigate systematically and truly all that comes under thy observation in life.”

-Marcus Aurelius

Forensic locksmithing is the science of investigating locks, safes, and other access control mechanisms for evidence of tampering and compromise. Government agencies, law enforcement, and private organizations all make use of forensic locksmiths for investigations, penetration testing, and security maintenance. It is a rewarding field that is both interesting and challenging on a daily basis.

The primary goal of a forensic locksmith is to determine if, when, and how a lock, safe, or keying system was neutralized. Second, to identify evidence that can reveal suspects, victims, contraband, and stolen property. The forensic locksmith can help identify the tools and techniques used, the time required to gain entry, the number of attackers, and even the skill level of attackers. These findings are given to investigators so they have all the facts when trying to solve a case.

The forensic locksmith is skilled in a variety of areas. A thorough understanding of locks, safes, keys, and the tools and techniques used to compromise them is necessary. Additionally, the forensic locksmith is versed in crime scene investigation, photography, microscopy, and tool mark identification. Communication is an important skill, as well, with emphasis placed on proper documentation, thorough reporting, and public speaking, specifically courtroom testimony.

This article discusses the stages of a typical investigation and various types of evidence created by covert entry techniques. Investigations are traditionally broken down into three distinct phases: crime scene investigation, laboratory analysis, and investigative reports / courtroom testimony. The article ends with a thorough list of resources for those interested in learning more about forensic locksmithing.

Crime Scene Investigation

A locksmith, forensic or otherwise, is usually one of the first people at the scene of a crime. This isn’t always the case; in low profile cases law enforcement officers file a report which eventually gets passed to investigators, who in turn may call a forensic locksmith. With insurance claims, a forensic locksmith might not be called until the preliminary liability and policy checks have been completed. In any event, the forensic locksmith makes their way to the crime scene.

The purpose of crime scene investigation is to identify the method of entry, supporting evidence, and to evaluate the physical security of the facility and its locks. Being present also allows the forensic locksmith to mentally reconstruct the possible methods of entry and compare them with the evidence. Naturally, many questions arise during the crime scene investigation. A few questions I always ask myself when arriving at the crime scene:

  • What are the obvious signs of entry?
  • Was entry successful? Why or why not?
  • Which locks were opened / manipulated to gain entry?
  • Was the lock found locked or unlocked?
  • Is the locking system properly installed?
  • Are all known keys accounted for?
  • Has the key or lock been used since entry was suspected?
  • Were any tools left at the scene?

At the crime scene, all points of entry to the facility are examined. A search for evidence is conducted at all of these points, including looking for damaged or malfunctioning locks, windows, doors, and walls. Trace evidence, keys, and entry tools may also be collected. Possible entry points are closely examined for any tools marks that may offer insight as to the method of entry. Tools marks also allow the forensic locksmith to determine, with reasonable certainty, the number of attackers required, their skill level, and the time required to gain entry.

Locks are removed for further analysis one the crime scene investigation is complete. All locks are photographed prior to disassembly. In the United States, chain of custody is extremely important. Errors in the collection, storage, and transport of evidence are one of the main reasons for evidence dismissal. In order to preserve evidence, the disassembly process should only be done by a qualified locksmith. All parts of the locking system are stored as evidence, including knobs, strikes, bolts, and mounting screws. Locks are labeled with their location, current state, and other information, such as the direction each lock turns to unlock. Once the locks are removed, the walls, doors, and other areas are examined for additional tool marks or trace evidence, including evidence that the lock was repaired or replaced. Any additional evidence is cataloged, photographed, and preserved in the same way.

Following the crime scene investigation, the forensic locksmith may already have an idea of the method of entry. Additional information, such as the tools and techniques used, the number of attackers, and the time required to gain entry may also be available. This information is passed on to investigators in the hopes that it helps them quickly focus on people or places of interest to solve the case.

A thorough examination at the scene of the crime yields valuable insight and provides leads for the forensic locksmith and investigators to follow. The key to examination of the crime scene is documentation and photography. You will only have one chance to investigate the crime scene, so make it count. Write down, sketch, and photograph as much information as possible. Be thorough, detailed, and organized. It may be months before you provide testimony; organize your notes logically so that crime scene details can be easily recalled.

Laboratory Analysis

Once the crime scene investigation is complete evidence is sent to the laboratory. Here the forensic locksmith examines all components in detail to determine the specific tools and techniques used, and any associated evidence.

Care is taken to properly disassembly any lock cylinders in the laboratory. Wood and plastic tools are often used in place of metal to preserve evidence; specifically plastic plug followers, pinning trays, and tweezers. The preferred method of disassembly for pin-tumbler cylinders is to remove the pin chambers casings. Some locks do not allow this, typically older padlocks and European profile cylinders. Other methods of proper disassembly include rapping, shimming, use of a working key, and destructive methods. Each step in the laboratory analysis is documented and photographed. Disassembly may be videotaped so that proper tools and techniques can be verified at a later date.

Once disassembled, the lock components are examined to ensure that they are complete and not modified in a way that would affect security. For example, if a lock had only two pin stacks it would be considerably less resistant to lockpicking and impressioning techniques. This is later factored into our analysis of the plausible methods of entry against a given lock.

Next, a microscope is used to identify any tool marks and trace evidence on components themselves. Covert entry techniques all have signature tool mark patterns, most of which can be easily identified by the forensic locksmith. Lockpicking, the most notorious of techniques, leaves various scratches along the pin-tumblers and plug walls (Figure 1). Bumping, the media hog of the past few years, also leaves telltale tool marks, primarily in the form of large dents on the pin-tumblers (Figure 2). Most other forms of entry also leave tool marks, including impressioning, decoding, and mechanical bypass. Of course, destructive entry techniques also leave a wide variety of tool marks, but they are usually easier to spot and may not require a microscope to identify.

Any available keys are examined to identify tool marks and trace evidence. A forensic locksmith can distinguish between original, duplicate, and hand made keys. In many cases, tools used to make or duplicate a key can be identified, including details of the key machine used to cut it. Most investigations must consider the possibility of unauthorized key duplication. When a key is duplicated with a stylus-based key machine, the original key has a distinct tool mark from the stylus arm itself (Figure 3).

Once all locks, components, and keys are evaluated the forensic locksmith should have definitively identified the method of entry, any tools used, and associated physical evidence. If this is not the case, the crime scene notes and photographs are re-evaluated to make sure nothing has been overlooked. In my experience, it is also good to re-trace your steps through the crime scene and laboratory procedures to ensure that you or someone else did not accidentally destroy evidence. If there is still not an adequate explanation, surreptitious entry techniques, insider attacks, fraud, and negligence (willful or otherwise) must be considered.

Eventually, the forensic locksmith will come to a conclusion as to the most likely method of entry. This takes into account the tool marks, trace evidence, time and skill required to gain entry, and common sense. The method of entry, in terms of time and cost, must correspond with the value of the attack; it is unlikely that sophisticated, expensive attacks are used to accomplish low-profile crimes.

 Investigative Reports and Courtroom Testimony

Once the forensic locksmith has completed the laboratory analysis an investigative report is compiled. This report summarizes the findings of the investigation and provides evidence to support the findings. The physical evidence is stored with the forensic locksmith or the investigative agency so that findings can be verified at a later date, if necessary.

The evidence provided by an investigative report will often end the investigation because one side will withdraw. In insurance investigations, the findings of the forensic locksmith may point to insurance fraud, which can lead to criminal charges.

Sometimes the forensic locksmith is asked to provide courtroom testimony. Most of the time the forensic locksmith will be questioned on their findings, their method of obtaining and examining evidence, and proper chain of custody procedures. Chain of custody is a major topic in the United States, but less so elsewhere. The forensic locksmith can also testify as an independent expert, usually to explain how locks or compromise techniques work, or comment on the findings of another witness.

Forensic Locksmith Associations

How do you go about becoming a forensic locksmith? Anyone qualified can technically claim they are, but I would recommend training in a variety of areas before you begin. Obviously, understanding lock and key systems is a must, as well as methods to compromise them. Training (and personal tests) on how to identify various types of attacks by analyzing components is also recommended. Classes on evidence preservation and handling, crime scene investigation, forensic techniques, photography, and microscopy are all extremely useful, too.

Eventually, you may want to join an organization that provides training, certification, and a network of professionals in the forensic locksmithing field. The most respected organization is the International Association of Investigative Locksmiths (IAIL). With nearly 100 active members stationed around the world, the IAIL have a long history of providing expert assistance and training to governments, law enforcement, and private organizations. Membership is open to locksmiths, law enforcement, and government employees, with the option of becoming a “Certified Forensic Locksmith” (CFL) after extensive training and testing. For more information, visit the IAIL’s homepage at http://www.iail.org.

Resources

The websites http://www.lockpickingforensics.com and http://www.lockwiki.com (both run by the author) are the only two websites that deal with forensic locksmithing in-depth. The former provides detailed analysis of compromise tools, techniques. and associated forensic evidence. Both sites provide freely accessible information for forensic locksmiths, traditional locksmiths, hobbyists, and consumers.

Locks, Safes, and Security by Marc Weber Tobias is the best English book on the subject. Chapters 24-27 deal specifically with forensic locksmithing, but many other chapters include relevant and useful information. The multimedia edition includes related articles, audio, and video, as well.

Werkzeugspur (‘Tool traces’) by Manfred Göth is another excellent book but unfortunately it is only available in German. Automotive investigations are examined in detail throughout this book, as well.

About the Author

My nickname is datagram. I’ve taught locks, safes, and methods to compromise them for many years, including training to government agencies and law enforcement. I also do frequent public speaking at security conferences around the world; a dozen presentations in the last few years alone.

I provide assistance in investigations, security maintenance, and penetration testing. I also provide training and lecturing on almost any topic that relates to forensic locksmithing, locks, safes, covert entry, and physical security. Government agencies, law enforcement, and private organizations are all welcome to contact me. Contact information is available on http://www.lockpickingforensics.com/contact.php

 

Figure 1: Scratches on the key pins and plug walls are indicative of lockpicking tools. The specific size and shape of scratches may reveal the specific type of pick used.

Scratches on the key pins

Fig 1 Scratches on the key pins

 

 

 

 

 

 

 

 

Figure 2: Large dents on the key pins are caused by the bump key impacting the tumblers.

Large dents on the key pins

Fig 2 Large dents on the key pins

 

 

 

 

 

 

 

 

Figure 3: A stylus-based key duplicator will leave a distinct tool mark along the edge of the key blade.

Marks from a stylus-based key duplicator

Fig 3 Marks from a stylus-based key duplicator

 

 

 

 

 

 

 

 

 

Figure 4 : A foreign object is found on one of the key pins from a lock taken from a crime scene. What is it, where did it come from, and how did it get there?

Fig 4 A foreign object found on key pin

Fig 4 A foreign object found on key pin

 

 

 

 

 

 

 

 

Figure 5: Tool marks along the actuator of the electronic lock are not consistent with normal wear. What tool could have caused them, and could it have been used to neutralize the lock?

Fig 5 Tool marks along the actuator

Fig 5 Tool marks along the actuator

 

 

 

 

 

 

 

 

 

Article Originally published in our print publication in April 2010

1 Comment

  1. Elijah Lynn on 13/02/2015 at 6:36 pm

    Good article Mick. Do you know if the IAIL was somehow bought/merged by ALOA?

    The http://www.iail.org you posted redirects to ALOA’s homepage.

Leave a Comment

You must be logged in to post a comment.