Jonathan Krause, Managing Director, First Response
In early 2008 I started Forensic Control after four years as a computer forensic employee. It began as a vehicle for my contract work but soon developed into a business in its own right, becoming relatively well known – albeit within the fairly small world of computer forensics! I moved further and further away from my roots in public sector work, and found myself really enjoying the faster pace and challenges in the corporate world; there was no going back for me. During this time I was fortunate enough to work on some very interesting cases including the Deepwater Horizon oil spill and the estate of Elvis Presley.
You recently became the Managing Director of First Response. Tell us more about the company and your involvement.
First Response was set up in January 2012, and at present is being run alongside Forensic Control. There are three joint owners of the company: myself, John Douglas and Bill Lindley. John (the Operations Director), Bill (the Chairman) and I bring together over 30 years’ experience of working in the industry. We decided to bring the forensic operations of our separate companies under one roof, which was a natural progression for each of our companies. We think we complement each other very well! There’s some more background on First Response in the recent Forensic Focus news item.
I’ve known Bill and John professionally and socially for years; as well as offering what we believe is a first-class service, we enjoy our work and enjoy working with each other – for me, this is of fundamental importance.
In terms of my involvement, I’m a typical managing director/CEO though with a very much hands-on role. You’re as likely to find me imaging an unusual server configuration, analysing the content and reporting back to the client as dealing with the behind-the-scenes management.
Can you give us some recent examples of cases First Response has worked on?
Sure. I think First Response’s main strength is in having both a great technical depth and an ability to communicate complex matters in a way that an average lawyer or director can easily understand and then act on. This helps our clients tremendously as it did in the two examples of cases I'll outline.
In one case, a trading company in the City of London asked if we could help determine if a staff member had been working for a competitor. Examining the staff member’s BlackBerry, laptops, external drives and server-based email allowed us to piece together communication evidence despite great efforts to hide it. The evidence we provided resulted in successful litigation for our client at the High Court in London.
Another example was a financial company who had dismissed an under-performing senior director, who then instigated legal proceedings claiming unfair dismissal. Examination of his laptop uncovered thousands of pornographic images which our time-line analysis showed were downloaded exclusively during office hours. Also uncovered was evidence of the subject using the laptop to order cocaine. Our report was used to successfully reject the claim of unfair dismissal.
What do you see as the major digital forensics challenges in 2013 and how will First Response meet them?
An ongoing challenge that needs to be met is that of encouraging ‘forensic readiness’. It’s disappointing when you discover a lack of material available to be examined; for instance server logging was switched off or set to minimal levels, backups (if any) don’t restore and changes to administrative accounts are not recorded. Companies can significantly improve their chances of negotiating an incident by implementing a few common-sense rules before any incidents occur. By ensuring that evidence generators are in place and that first responders have received forensic awareness training, organisations greatly increase the probability of a successful outcome. We're already working with some clients to provide them with a robust forensic readiness plan and we'll continue to push this as a priority to new clients in the future.
Data stored in the cloud is another challenge – jurisdictional issues remain the number one focus for legal teams instructing forensic examiners; however, for us the technical hurdles are far from minor. The petabytes of data present in large data centres coupled with the need for proportionality (not capturing data belonging to innocent third parties) make dealing with cloud-based data a challenge to say the least. We've already seen the need to adopt eDiscovery tools and tactics when dealing with cloud-based data and believe that 2013 will see the distinction between Digital Forensics and eDiscovery become blurred; eventually the distinction may disappear altogether.
When we last spoke, you talked about the need for better standards within the industry - have things improved?
In a word, no. While there are various individuals and groups formally working towards better standards, we are still hamstrung (and I’m talking about the UK here) by the absence of an industry body akin to The Law Society or the British Medical Association. Further, since we last spoke, budgets have been cut in public sector forensics, meaning that some hi-tech crime units have been reduced to only being able to perform triage-type examinations. I’ve seen the results of such policy in some prosecution reports I’ve been asked to verify and this has not been good for forensic quality at all.
Last question - as an employer and someone with a great deal of experience within the industry, what advice would you give to those just starting their careers?
With the number of new entrants outnumbering the number of vacancies I see two options for those just starting their forensic career – either really stand out from everyone else or first get some experience of working in a related area to increase your exposure to hardware and software and running a case load. A background in IT support is generally considered highly beneficial in this industry - and there are plenty of those roles available. Or why not do any job and at the same time set up a data recovery service from home while you’re waiting for that break? You’ll get some great hands-on experience with a number of different devices, you’ll (hopefully!) learn how to price, budget and manage your time and you’re very likely to impress future employers.
First Response can be contacted on +44 20 7193 4905, by email at email@example.com or via the contact form on their website.
Please note that they do not have any vacancies at present and because of security vetting requirements cannot accept student placements.