Davinder Sangha, Enhanced Digital Media Investigator, Staffordshire Police

Tell us about your background and how you ended up in your current role at Staffordshire Police.

I first discovered my intrigue for digital forensics whilst applying for university and (thankfully) deciding to switch to a cybersecurity and digital forensics undergraduate program instead of software engineering. It was a field I hadn’t even considered as a career option until I started researching it, and inevitably coming across Forensic Focus forums where I’ve spent dozens of hours since engrossed in topics!

Upon graduating, I decided to pursue a master’s degree in the same field, which is where I had my first exposure to mobile forensics from a hands-on perspective. Sitting in one of the labs on a weekend, conducting an extraction of my mobile phone in order to review app data as part of my master’s dissertation was incredibly exciting, as was learning firsthand the minutiae of the information held on these devices which are integral to everyday life.

This experience stood me in good stead for my first graduate position as a mobile forensic analyst at Sytech, a digital forensics company providing services to both law enforcement and the defence. I was responsible for extracting and analysing data from phones, tablets, smartwatches, drones, and memory cards, as well as diagnosing and repairing these devices to facilitate data extraction — since they were often received in varying states of operation and cleanliness, as my time in the biohazard room will attest!

It was a fast-paced job at times, and I still remember an occasion where I had four mobile logical extractions in progress that required supervision while also training a junior member of staff. But it was also a rewarding environment — not only in terms of learning from experienced colleagues, but also being able to contribute to refining processes, practices, and ultimately working on investigations that led to offenders being brought to justice.

An opportunity came up at Staffordshire Police — one that, unbeknownst to me, would involve utilising the skills I had gained at Sytech almost immediately after joining. It sounded interesting, and my application was successful. The job was a result of significant investment from the force to develop its digital policing capabilities, and the unit has certainly delivered upon that and excelled in a relatively short time.

Each member of the team is expected to be a jack of all trades, delivering digital strategies and advice whilst also developing and deploying digital tactics. The role itself has evolved over time to encompass a greater level of expertise and expanding digital services, with the unit being responsible for cell-site surveys and analysis, vehicle forensics, router forensics, advanced open-source investigation, TSCM sweeps, and a lot more.

What does a typical workday look like for you?

In a word, varied! My first task of the day is reviewing emails that have come in overnight and assigning them a priority level. I then proceed with other commitments, which can range from contacting vehicle manufacturers to obtain telematics information, supporting officers on the ground with early morning warrants, and conducting digital scene searches to identify and locate all digital devices, to performing residential sweeps for covert devices.

No two days are the same, and the nature of policing often means urgent taskings can come in at short notice requiring weekend or overnight working. A personal favourite of mine was being on duty for 17 hours working on an infotainment examination of a vehicle involved in a kidnapping, for WMROCU, where the data recovered was relayed to the Senior Investigating Officer, and the threat to life could be downgraded as a result.

What types of data are often recoverable from modern vehicles, and how can this data help investigators?

Recoverable datasets can include geolocation data and information on previously connected devices, as well as more obscure details such as what songs were played in the vehicle, door opening and closing events, and screenshots of the infotainment screen — all of which can be pivotal to an investigation.

There has been great publicity of how data from vehicles assists investigators in high-profile investigations, but in my opinion it is equally, if not more, effective for volume crimes such as Theft of Motor Vehicles (TOMV).

In these investigations, we are limited to traditional forensic opportunities and CCTV trawls of the immediate area, but vehicles are now providing investigators with data that is identifying suspects who have been in the vehicle and CCTV and financial opportunities much further afield. Furthermore, we can establish and prioritise vehicle deposition hotspots for local officers to patrol to locate stolen/outstanding vehicles prior to being used to facilitate further offences. Lastly, the data from vehicles plays a substantial role in providing richer intelligence, which can often be the missing piece linking acquisitive crime and organised crime within a certain area.

Can you share an example of a case where vehicle forensics played a pivotal role in solving or advancing an investigation?

Following on from the previous question, I recall a vehicle theft investigation where a stolen/outstanding vehicle was recovered. As it was a Ford — a make known to contain a rich dataset — I was hopeful the recovered data would prove valuable to the investigation by helping identify potential CCTV opportunities, both at the crime scene and at the location where the vehicle was recovered.

Previously connected device information recovered included names and mobile numbers of devices which were paired with the infotainment system after the vehicle had been stolen, both identifying and placing offenders within it. This gave the officers a start for 10, as there was no waiting for fingerprint and DNA results to come back.

The impact of the availability of evidence within a short timeframe post recovery of the vehicle was further compounded by granular location data which placed the vehicle at a petrol station. CCTV and financial evidence helped place a suspect in the driver’s seat, identify associates, and further enrich our intelligence.

The CCTV was subsequently secured before it could be overwritten, with a final benefit being the identification of a rural location I had noticed was frequently visited. I brought this to the attention of the officer in charge of the investigation, and the site of interest was later visited by patrols. A number of further stolen/outstanding vehicles were identified and recovered. The vehicle began as just one strand of the investigation but ultimately became the most pivotal.

What tools or techniques do you most commonly use when conducting vehicle forensic examinations?

The most frequently used non-vendor specific techniques for vehicle forensic examinations are ISP and manual examinations. The latter is often dismissed as rudimentary, but in reality, previously connected device mobile numbers and Bluetooth MAC addresses can be recovered — although in some cases, accessing engineering mode is required. Further work can be carried out on these identifiers for attribution purposes during high-risk and time sensitive investigations.

Chip-off examinations are also conducted when circumstances allow, though they aren’t always pursued since this is technically a destructive technique. In terms of specific tools, Autel, Berla and VCDS are utilised. An alternative vehicle forensic suite, Rusolut’s Vehicle Data Reconstructor (VDR), is on my wishlist, as it would address significant capability gaps in current solutions. It supports not only data extraction and analysis from infotainment systems, but also from telematics and expansion modules — which is a gamechanger.

With connected cars and infotainment systems becoming the norm, what new challenges or opportunities are you seeing in vehicle forensics?

The advances in vehicle technology are both exciting and concerning — for consumers and law enforcement alike. The two main challenges I foresee are software security measures and data off-boarding.

Most infotainment systems today are no longer standalone units, but part of a network of interconnected systems within the vehicle. You only need to cast your mind back to the Jeep hack back in 2015 which demonstrated the feasibility of what was once thought to only be a theoretical threat. This is further exacerbated by the push for minimalistic interiors by manufacturers, where comfort functions are no longer adjusted using physical buttons but through the infotainment system.

What this means is that security measures are being implemented, whether they be encryption or the compartmentalisation of data, resulting in data that can no longer be accessed with traditional tools. Security is also being improved indirectly through a decline in use of proprietary operating systems in favour of those such as Android Automotive for infotainment systems.

Infotainment systems are recognised as one of the most exploitable gateways into other vehicular systems and, as a result, appear to be given the same developmental priority as other critical vehicle components by manufacturers.

I anticipate that the growing prevalence of connected vehicles will further reduce the types and volume of data stored on in-vehicle systems, as cellular data costs are no longer prohibitive and manufacturers can monetise the data as an additional revenue stream. Sending vehicle telemetry to servers rather than storing it onboard is also appealing from a risk perspective, especially given the growing public discourse around how much information vehicles retain and the increasing eagerness of companies to market their products as privacy-centric.

However, the challenges we face encourage us to seek opportunities elsewhere that may not have been considered until now. The aforementioned telemetry data may still be available to law enforcement even when the vehicle is no longer physically intact — whether it has been burnt out, damaged in a collision, or is still outstanding. For example, it may be possible to obtain a historic log of diagnostic trouble codes (stored in the cloud) for a specific vehicle, as we know certain passenger vehicle manufacturers are providing this as a service currently, albeit for fleet operators.

This data could be used by the prosecution to demonstrate a pattern of mechanical negligence by the vehicle’s owner, showing it was in an unroadworthy condition at the time of the collision. There may be further implications in a consequential civil setting in terms of insurance coverage suddenly becoming void or the insured party being held liable for any settlement costs incurred by their insurance company.

Looking further along the horizon at technologies in development and yet to be implemented, Vehicle-to-Everything (V2X) communication opens up a plethora of opportunities for all crime types. It may enable real-time geolocation of vehicles with GPS-level accuracy, help identify witnesses and suspects near key locations, and place individuals in vehicles with greater geographic precision. In fact, tier 1 automotive suppliers are already advertising the availability of telematics modules with V2X capabilities.

How do you stay up to date with rapidly evolving vehicle technologies and the impact they have on digital investigations?

Mainly through networking, knowledge sharing and keeping in touch with colleagues from other police forces, as well as external partners and experts such as Harper-Shaw and Rusolut. I’m a huge proponent of collaborative working between police forces. A significant proportion of offences involving vehicles are cross-border, and by assisting officers in other forces, there is an exposure to vehicles that I have not encountered to date in my own force. This means that when I eventually do encounter them, I’ll be able to answer the question of what data is held within the vehicle with a bit more substance than “it depends”!

I’m also part of two national working groups focused on vehicle forensics and connected vehicles, where colleagues from other forces regularly present case studies and discuss novel investigative approaches. These groups provide a valuable and crucial platform for staying up to date with advancements in vehicle forensics and digital policing more broadly.

External partners are a valuable source of information, as they are often involved in serious investigations where every opportunity is explored, regardless of cost or complexity. The varied nature of their work takes them to conferences around the world, and their time spent networking benefits us as well — enabling them to signpost other subject matter experts within their networks and across both domestic and international law enforcement agencies.

Webinars — such as those hosted by Interpol — and product demos by tool vendors help bolster knowledge while offering insight into trends emerging in other countries, which we may not yet be experiencing but can begin preparing for by addressing potential capability gaps. And last but not least, the internet itself: online resources like owners’ forums, motoring journalism sites, and fleet news platforms are hidden gems for staying up to date with technological developments in vehicles.

Finally, what do you enjoy in your spare time?

I enjoy working out and hitting the gym — especially after being cooped up in the office all week writing reports! I also find a good book on existentialism entertaining, and I love going for drives on country roads, with plans to tackle the NC500 one day. When the weather allows, I spend time working on my car. I’ve currently got a Raspberry Pi set up for CarPlay and am developing a performance monitor that reads data from aftermarket sensors — a project that’s kept me busy over the past few months when I’m not doing DIY around the house.

Sophie Mortimer, Revenge Porn Helpline Manager, SWGfL

The Revenge Porn Helpline is a UK service supporting victims of intimate image abuse—to find out more, visit revengepornhelpline.org.uk.

What led you to join the Revenge Porn Helpline, and what does a typical working day look like for you?

I’ve worked at the Helpline for nearly nine years. When I first saw a job available at something called the Revenge Porn Helpline I was instantly intrigued. As I looked into it, I was fascinated by this evolution of abuse online and the accompanying criminal law response.

Not sure there is such a thing as a typical day here! But my first priority is always to ensure that the Helpline is up and running smoothly to offer advice and support to people affected by intimate image abuse. That depends on the amazing team of practitioners here, so ensuring that everything is good with them is really important.

Beyond that, StopNCII.org (our preventative hashing tool) is a big part of my working day: working with our NGO partners around the world to support them to support people in their own communities, as well as planning developments of the tool. I speak at conferences and events, engage with governments and policy makers, speak to press and media contacts…anything and everything!

What are the biggest challenges victims face when they report image-based abuse to law enforcement?

There is a lot of confusion from the police when it comes to investigating and prosecuting online offending. Clients report to us that the officers and call handlers that they have spoken to are unclear of what the law actually says and don’t understand how they can collect digital evidence of these sorts of crimes.

There is also an understandable barrier for anyone affected by this form of abuse that stops someone from reporting it to the police: it requires a victim to talk about incredibly personal experiences, and show incredibly personal and intimate images, to a stranger, quite possibly a male police officer, with no knowledge of who else might see them. The majority of people who come to us simply don’t want to report to the police: they want their online images removed and to forget that it ever happened.

Can you describe the emotional and psychological trauma caused by intimate image abuse?

Victims and survivors report a huge range of impacts of intimate image abuse, that reach into every corner of their life. Primarily, there is fear of people they know seeing the images and the impacts that flow from that: feeling shamed and humiliated in front of family, friends and peers, work colleagues and acquaintances.

People are convinced that if their images are online and people can see them, then they have—i.e., that any person who looks at them in the street or in a shop has seen their pictures online. This is an incredibly debilitating burden for someone to carry. It causes depression, anxiety, withdrawal from daily life and, in extremis, suicidal ideation.

Messaging apps and closed forums are increasingly being used to trade explicit images. What challenges does this present for digital forensic investigators?

Abusers will continually find ways and means to evade detection and accountability. In practice, this means that we have seen many forums where we know NCII content is frequently shared disappear behind logins and paywalls, making it much harder to locate and report for removal. At the same time, there is a rise in encrypted messaging services and an emphasis on user privacy that presents a conflict between people’s rights to private spaces and the imperative of keeping people safe from abuse and harm. We are nowhere near squaring this circle, but have to hope that as the nature of the abuse evolves, services like ours can evolve too.

What are the consequences of offenders being allowed to keep or regain access to their devices?

The return of devices to offenders is a huge injustice to victims of intimate image abuse. We have had multiple reports from clients that, even after legal proceedings have concluded with a conviction, devices still retaining intimate content have been returned. This cannot be right, and it reflects a lack of understanding throughout the criminal justice system about how this content can continue to spread online and the harm it causes to victims.

Courts have the powers via deprivation orders to remove devices, but they are simply not being used. And, in many cases, the device is only part of the problem: if images have been shared online then removing a device doesn’t prevent an offender from re-accessing the content online. The harm that recirculating content causes victims is ongoing, debilitating and traumatising: there is no end.

How is AI changing the landscape of image-based abuse cases?

AI technologies are moving so quickly that we are not so much seeing individual changes as experiencing a continuum of change. Most of us are familiar with the rising tide of synthetic sexual images (often called “deepfakes”), but we don’t see that many reports coming to the Helpline, mainly because, we think, the vast majority of victims are simply unaware that these images exist.

The behavioural drivers seem to be different—more about being able to create bespoke images, consume them, and share them peer-to-peer, rather than to cause direct harm (though that does happen). But just because a woman might not know that such images were created, doesn’t mean that they don’t cause harm or that it is OK to create them. And these abuses are evolving fast, so it is vital that our support, regulatory and legislative responses evolve at pace too.

We should also bear in mind that we hope AI technologies will assist in the searching for and removal of such content. As so many millions of pieces of content are uploaded to the internet every minute of every day, we will need these technologies to become ever more sophisticated if we hope to have any vestige of control over what is available in a couple of clicks.

How does inconsistent data collection across police forces affect outcomes for victims, and what types of data are most urgently needed to improve responses?

The UK has 43 separate police forces, all of whom collect data and develop training separately. While the College of Policing provides resources that are intended to bring consistency, it doesn’t seem to work like that. We are dependent on data to understand trends, changes in perpetrator behaviour, victim engagement with the criminal justice system and where the points of failure are in the system. But without consistent data collection, it is impossible to get a clear picture. Without that, we cannot develop appropriate responses—and that fails every victim.

You’ve described this as a “really dangerous time for women.” Should tech companies be doing more to tackle intimate image-based abuse?

I absolutely do think this is a very dangerous time for women, and of course, platforms should do more. But not just platforms; the issue isn’t solely theirs to solve. There is an ecosystem in which the internet operates of platforms, hosts, registrars, multiple regulators and even more legislative frameworks. All of these elements need to work together to create a safer online environment for everyone, but particularly for women who are disproportionately affected, and even more particularly black and minoritized women who fare the worst online.

The demonising of online platforms makes me uncomfortable. They can’t fix this alone: tech companies can’t stop men from wanting to be abusive to women on their platforms. Yes, they have a part to play, but what is needed is a collaborative effort across all stakeholders and jurisdictions to build consistent responses. Our platform StopNCII.org is a great example of what can be achieved if platform stakeholders work together. Coupled with raising awareness and educational initiatives, perhaps we can build the culture change that isn’t just needed, but absolutely necessary.

Jessica Hyde, Founder, Hexordia

Jessica, it’s been a few years since we last spoke to you. Bring us up to date with what you’ve been up to!

It has been some time, and great to connect again!

Since we last chatted, I launched Hexordia – which has been great. But I’ve been doing so much more as well. I am heavily involved in two community projects at the moment: namely, as the 1st VP on the International Executive Committee of HTCIA (High Tech Cyber Investigation Association) and as Chair of DFIR Review.

HTCIA really focuses on networking at the chapter level, providing digital forensics practitioners a community to learn with and from and to network. With DFIR Review, we are able to conduct peer review of practitioner generated blogs, lending credibility to the work of examiners who share their work in blog format. It is an honor to volunteer with both organizations.

I am also working on building content for CybHER, a summer camp for girls where myself and another examiner volunteer to teach digital forensics to middle school girls.

So I have been busy with my digital forensics extracurriculars! I also love teaching Mobile Forensics at my alma mater George Mason University in their Digital Forensics MS program. Of course, that is what I have been doing outside of the great work at Hexordia.

Your company, Hexordia, does a number of things in the DFIR space. Tell us more about the products and services you offer.

Thanks for asking. At Hexordia, we focus on Finding Truth in Data – be it through the courses we teach or the digital forensics services we provide in both case work and research.

It is great to be able to continue to do active case work for government entities while also developing cutting edge training content to support digital forensics examiners in a variety of areas from mobile forensics to Internet of Things to diving deep in data structures. In the last year, we have been able to greatly expand our Training Course catalog. In addition to our virtual live and in-person courses on a variety of topics, we do have several free micro courses on our website for folks who are just getting started!

From the services side of the house, we support several government customers in contracts, both where we perform digital forensic analysis and where we conduct cutting edge digital forensics research. I think one of the best things about working in training, services, and research is that the work in each area informs the other and enriches the products we can provide – be it a forensic report, expert testimony, or our forensic courses with hands on labs and a focus on going beyond the find evidence button.

How important is ongoing training and education for digital forensics professionals?

Training and education are absolutely critical for digital forensics professionals. Our landscape is constantly changing with new technologies, applications, and data structures. This means that for an examiner to be able to adapt to these changes, they will need to continue to learn.

Continuing education is also critical for demonstrating to stakeholders – be they jury, judge, counsel, generals or C-suite executives – that we have the knowledge necessary to provide the meaning behind the data.

Tell us more about the CTF challenges Hexordia is involved with.

I am so excited that Hexordia continues to build and create Capture the Flags (CTFs). It provides a variety of opportunities for folks to learn and challenge themselves. We just completed the 2025 Magnet Virtual Summit CTF. CTFs are a great learning opportunity, but also great for accessing test data images. The images can be used for learning but also for testing tools and internal proficiency exams. We share our CTF data sets with the NIST Computer Forensics Reference Data Sets (CFReDS) after each event.

One of the other great things about participating in a CTF is the opportunity to blog how you came to your solutions. I am always impressed by the different solutions folks use. That blog can be a great resume builder, and a great reference for others to learn from the walkthroughs after the event.

How do you see the field of digital forensics evolving over the next few years, and what areas should practitioners be focusing on today to prepare for future challenges?

There are numerous challenges that we will continue to see because of new technologies, devices, operating systems, and applications.

We will encounter the increased use of AI (both by users and examiners), movement of more data to cloud infrastructure, an increase in Internet of Things devices, increased usage of cryptocurrency, and other adaptations of society to our changing technological landscape.

However, I truly believe that the largest challenges will come from policies and legislation as to how we adapt to these challenges.

Your blog often features in our digital forensics news round-ups and is a fantastic resource for the DFIR community. Why is it important for practitioners to share their digital forensics knowledge?

The question is phrased perfectly – as there is so much to do in our field, it is critical that we share. Without collaboration we will never be able to understand the sheer number of artifacts and the nuance! Our field is a constant continual build on the research of others, because of new technologies, applications, and operating systems.

I encourage folks to blog the new things they uncover, share them with thisweekin4n6, and consider submitting those blogs to DFIR Review for peer review.

And finally, what do you enjoy in your spare time?

In my spare time, I like to disconnect to connect! I am a fan of camping and board games with family. The whole idea is to spend my time away from technology – truly away from technology – and instead spend it with friends and family.

Oxygen Forensics CEO Lee Reiber: The Digital Forensics Landscape In 2025 – What Lies Ahead?

In this interview, Oxygen Forensics CEO Lee Reiber explores the key trends transforming digital forensics in 2025, including advancements in cloud forensics, AI, mobile devices, deepfake detection, and cybersecurity convergence.

Navigating the Cloud Forensics Challenges of Distributed Data

FF: Cloud computing has stimulated exponential growth in stored cloud data since Oxygen introduced the industry’s first Cloud Extractor in 2014. What challenges and trends should the industry anticipate in 2025 and beyond? 

Reiber: Cloud forensics will be even more complex in 2025, as data will increasingly be spread across multiple platforms, devices, and geographical locations. Devices can store more and more data, but the most significant storage, particularly applications, will be cloud based. 

For investigators, this distributed nature of data presents several challenges. Cloud providers’ differing policies on data retention, encryption, and access rights will require forensics professionals to develop more nuanced approaches to acquiring digital evidence. The development of specialized tools for cloud data extraction and analysis will be crucial, as traditional forensic methods may not always be applicable in the cloud environment.

By 2025, we may see the standardization of cloud forensic tools and methodologies, supported by international legal frameworks that make cross-border data retrieval more efficient. Additionally, the integration of cloud forensics with other emerging technologies, like blockchain, may lead to more secure and transparent investigations. 

AI and Machine Learning Will Be Game Changers for Digital Investigations

FF: Companies are investing billions in leveraging AI and Machine Learning in their products and services. How will the AI and Machine Learning boom affect digital forensics investigations? 

Reiber: Artificial Intelligence (AI) and Machine Learning (ML) will be at the forefront of the digital forensics revolution in 2025. These technologies will dramatically enhance investigators’ ability to process and analyze large volumes of data quickly and efficiently.

Currently, forensic examiners spend a significant amount of time manually reviewing data — whether it’s logs, device contents, or network traffic. In 2025, AI-powered tools will take on much of this load, automatically flagging relevant information for manual review, identifying anomalies, and even making predictive assessments about potential leads. 

For example, AI algorithms will help investigators uncover patterns in seemingly unrelated data, support cyber attack responses, and analyse recovered data to identify attackers.

Mobile Forensics Must Keep Up With Evolving Devices

FF: Mobile forensics of smartphones and devices are becoming more integral across investigations. In what ways should mobile forensics tools evolve in 2025? 

Reiber: As smartphones and Internet of Things (IoT) devices continue to become more integrated into our daily lives, mobile forensics will become increasingly important. By 2025, new devices with advanced encryption and increasingly sophisticated operating systems will make extracting and analyzing data more challenging for forensic investigators. 

To keep up, forensic tools will need to evolve with the hardware. Advanced mobile forensics software will be capable of bypassing high-level encryption, recovering deleted files, and even extracting data from secure apps. With the wide availability of 5G networks, the amount of data that can be transmitted and received will increase along with these advancements in the cellular network. In turn, mobile forensics will have to focus on specific artifacts that can be collected because of the vast amount of data both resting and in transit. 

In addition, with wearable devices and smart home appliances generating massive amounts of data, digital forensic experts will need to refine their methods for capturing evidence from a wider range of IoT devices. This will require the development of new legal standards for data privacy and collection protocols, as IoT devices may store sensitive information. 

The Future of Compromised Media

FF: Deepfake media capabilities have become more accessible and easier to use for even untrained media creators. In what ways can digital forensics investigators detect deepfake media from real evidence? 

Reiber: Deepfakes are becoming an increasingly significant challenge in digital forensics due to their potential to manipulate digital content — specifically video, audio, and images — at an unprecedented level of realism. In digital forensic investigations, deepfakes can pose a serious threat to the integrity of evidence. With advancements in Artificial Intelligence and Machine Learning, creating convincing fake videos or audio recordings has become easier than ever. This makes it difficult for forensic investigators to distinguish between real and fabricated content, especially when these falsified materials are used in criminal activities such as defamation, fraud, or the dissemination of misinformation. Therefore, forensic investigators must develop advanced techniques to detect and analyze deepfakes to verify the authenticity of digital evidence. 

The growing use of deepfakes also raises concerns regarding the security of digital communication channels. Forensic investigators must be equipped with tools that can identify subtle inconsistencies in video frames, audio frequencies, or pixel patterns that indicate manipulation. The use of deepfakes in cybercrime, such as in phishing schemes or identity theft, amplifies the need for digital forensics professionals to stay ahead of emerging technologies. As deepfake technology continues to evolve, forensic investigators will require specialized software and skills to spot and analyze these fakes, ensuring that they do not become a tool for criminal exploitation or a means of undermining the credibility of evidence presented in legal proceedings. 

Furthermore, deepfakes can be used to create false narratives in high-stakes legal or political cases. In the context of digital forensics, ensuring that deepfake materials are identified and excluded from investigations is crucial in upholding justice and maintaining truth in data. As the legal implications of deepfakes unfold, digital forensic investigators will play a central role in safeguarding against their malicious use. The ability to detect and prove the authenticity of digital evidence will be critical to upholding the integrity of investigations in an era where deepfakes are increasingly common. 

Convergence of Cybersecurity and Digital Forensics

FF: More public and private digital forensic teams are adding cybersecurity to their investigation responsibilities. How can forensics professionals become more adept and valuable to cybersecurity prevention and investigations?  

Reiber: As cyber threats become more sophisticated, the lines between cybersecurity and digital forensics will blur. In 2025, I expect digital forensics professionals to work more closely with cybersecurity teams to both prevent and investigate incidents. Real-time forensics will become more prominent, where digital forensics teams will be embedded within incident response teams to trace the source of breaches as they happen. 

The integration of digital forensics with Security Information and Event Management (SIEM) tools will enable forensics professionals to analyze live network traffic and pinpoint malicious activity in real time. In turn, these findings can help shape future cybersecurity defenses. 

Moreover, as ransomware attacks, data breaches, and insider threats continue to rise, the need for coordinated efforts between digital forensics and cybersecurity experts will be essential. This convergence will lead to the development of hybrid roles, where professionals are well-versed in both fields, allowing for a more holistic approach to both crime prevention and investigation. 

Striking a Balance With Ethical Considerations and Privacy Laws

FF: Ethical challenges and privacy debates go hand in hand with digital data access. What hot ethical and privacy topics and regulations will come to the forefront in 2025 and beyond?  

Reiber: The explosion of digital data presents significant ethical challenges in digital forensics. By 2025, the collection and analysis of digital evidence will require careful consideration of privacy laws and ethical boundaries. Forensics professionals will need to ensure that they respect individuals’ privacy while also securing vital evidence for investigations. 

New laws and regulations governing data protection — such as the GDPR in Europe — are likely to become more stringent as data privacy concerns rise. Digital forensic experts will need to stay up to date with these changes, ensuring compliance while also making sure that investigations are not compromised. The development of clear guidelines for digital forensics in the context of evolving privacy laws will be crucial to maintaining the balance between law enforcement needs and individual rights. 

Additionally, ethical debates surrounding AI-driven forensics, such as bias in Machine Learning algorithms, will likely become even more of a hot topic. 

Conclusion: A Brave New World for Digital Forensics

FF: How would you sum up these trends and what lies ahead for digital forensics professionals and the industry as a whole? 

Reiber: The digital forensics landscape in 2025 will be characterized by an increasingly sophisticated and interconnected ecosystem of tools and technologies. From AI and Machine Learning to deepfake and cloud forensics, the future of digital investigations will be more efficient, precise, and data driven. However, as technology advances, so will the challenges—both technical and ethical—that digital forensic experts will face.

As I look ahead, one thing is certain: the digital forensics landscape of 2025 will be shaped not only by technological advancements but by the ability of professionals to adapt, innovate, and balance the need for justice with a complete vision of what the data says, either in favor or against – data does not lie when an investigator investigates and does not rely on only the tool. With the right tools, legal frameworks, and investigator training and competency in place, digital forensics will continue to evolve as a crucial pillar in the fight against cybercrime. 

Contact Oxygen Forensics to continue this conversation and explore the company’s solutions.

Andrew Tyshchenko, Head of Hardware, Atola Technology

In this interview, we speak with Andrew Tyshchenko, the Head of Hardware at Atola Technology. With over 18 years at Atola, Andrew has led the design of all the company’s hardware products. Today, we discuss Atola’s latest release, the TaskForce 2 forensic imager, and explore the innovative solutions his team developed to make it a robust tool for forensic labs.

FF: Launched in July 2023, TaskForce 2 arrived exactly five years after the first-generation TaskForce. What challenges were you looking to address with the new imager?

We designed TaskForce 2 to meet the growing needs of digital forensic examiners. Our customers reported the increasing challenge of faster evidence processing due to the ever-growing number of drives involved in cases and their increasing sizes.

Each of our forensic devices has surpassed its predecessor in capabilities and complexity. TaskForce 2 is an evolution of the TaskForce architecture, featuring more processing power and additional ports for various types of connections.

To better understand the differences between these two imagers, it’s important to note that TaskForce was designed as a dual-purpose product: a compact yet powerful field unit, which can also be a stationary device for a forensic lab. Its physical dimensions were a key factor when choosing its computing platform, power consumption, and heat dissipation. TaskForce’s hardware was a balanced solution that met the requirements for both use cases.

Andrew and part of his team working at the Kyiv office

With the development of TaskForce 2, we wanted to provide an even more powerful computing platform to empower our users with the capability to image 26 drives in parallel.

FF: How did your team choose the key components for TaskForce 2?

TaskForce 2 incorporates over 250 types of components, totaling more than 1,500 pieces. Let’s dive into a few of the key components.

To meet the demands of the features already implemented in TaskForce—like RAID autodetection and hash calculation, along with a significant increase in the number of ports—we required a powerful processor and motherboard. We started by selecting a Supermicro motherboard that supports 3rd Gen Intel Xeon scalable processors in the LGA-4189 socket.

Out of the whole range of supported CPUs, we chose a Xeon Silver 4309Y, with 8 cores, 16 threads, 12MB of cache, and a moderate 105W thermal output, ideal for handling parallel imaging streams. We also designed a custom cooling system using Dynatron N11 coolers and magnetic levitation fans and custom air ducts to keep the system cool while minimizing noise levels. Acoustic comfort is important to our customers; therefore, we provide fan speed controls in software settings.

When the computing load is low, the user can keep the fans at a minimum speed and increase the speed when the computing load increases, for example when many imaging sessions with hash calculation are running.

The chosen motherboard supported a variety of drive ports: SATA, NVMe PCIe 4.0, and USB 3.2. To meet the desired product specifications, all we lacked was the support of 8 SAS ports, which we supported using a PCIe add-on card.

TaskForce 2 includes 16GB DDR4 server-grade ECC RAM for error detection and correction. It also features an IcyDock four-slot drive bay for convenient M.2 and U.2 drive connections, which was a highly requested feature by our customers.

FF: Why did you opt for a server rack-mountable design?

TaskForce 2’s increased processing power and heat output required a higher-capacity power supply and cooling system. This led us to opt for a larger casing suitable for server rack mounting. Our customers, who already use racks for their servers and networks, found this addition exciting. The unit fits into a 19″ rack and can also be used on a desk.

Atola TaskForce 2

For use on a server rack, the front panel had to be the primary location for controls and drive connections: 25 of the 26 ports, including 8 SATA, 8 SAS, 4 NVMe M.2/U.2, 4 USB drives and an IDE drive via adapter, are located on the front panel. In addition, there is a PCI Express port on the back side of the unit used for extensions that support M.2 SSD, Apple PCIe SSD and Thunderbolt interfaces.

We managed to fit all these ports and controls into a front panel that’s only 100mm high, which is a little less than 2.5U (U aka “rack unit” is a standard measurement unit for the height of server rack equipment and equals 1.75” or 44 mm).

Fun trivia: The first TaskForce 2 prototype was made from a cardboard box. All the ports and indicators were drawn with a felt-tip pen! We designed this prototype in a group and it was presented at Atola’s Innovation Day, an annual event where employees work in hackathon mode on new ideas.

FF: Why did you decide to add color LED indicators to the device?

TaskForce 2 introduces dual LED indicators on each port for at-a-glance feedback on system status and drive operations. The Source/Target indicator shows the port’s mode, helping to prevent accidental data overwrites and ensuring the integrity of evidence. The second indicator provides real-time feedback on the task performed on the connected hard drive.

Since the launch of its first imager in 2008, Atola has incorporated diffuse round green LEDs as a signature design element in its devices. This time, we switched to programmable RGB LEDs for more nuanced and informative indicators that enhance the communication of process status on each port. 

Implementing the new RGB LEDs presented a significant engineering challenge. The LEDs’ appearance required a light pipe, and we found a transparent material with excellent light transmission capabilities that can be precisely manufactured to tolerances of 0.1 mm for a component measuring 19×2 mm.

We initially explored milling technology to create the light pipe components, but the results proved inconsistent. Then we tried out low-volume molding using silicone molds, a process that delivered high-quality parts at an acceptable cost. The outcome was remarkable: the new indicators looked fantastic, exceeding the expectations of the entire team.

Here’s a breakdown of the color scheme used for a port’s status indication:

  • Green blinking: Indicates that an active process, such as imaging or another task, is in progress on the port.
  • Green steady: Signals the successful completion of a task on the port.
  • Yellow steady: Indicates that a task has been completed, but with some issues encountered during the process.
  • Red steady: Signifies that a task on the port has failed.

This design empowers users to effortlessly monitor and assess the progress of their tasks.

Fun fact: If you’re at a forensics conference, stop by the Atola booth and ask them to turn on the police lights on the TaskForce 2. You’ll see what these LEDs are capable of.

FF: The heart of every device is its motherboard. What are the other boards you included and what functions do they serve?

TaskForce 2 is based on a commercially available motherboard and relies on 7 other proprietary PCBs developed by Atola. The boards responsible for power management, status indication, and Source/Target mode control for individual SATA, SAS, USB and PCIe ports are the most important to the end user. Their core features are:

  • Protection of the imager from a short circuit, generated by a connected faulty drive.
  • Control of the drive power supply.
  • Measurement of electric current. For SATA and SAS drives, we track the current on the 5V and 12V lines. For PCIe, the 3.3V and 12V lines. USB devices use only 5V, so we only measure the current on that line. You can find the graphs of the current consumption in the drives’ diagnostic reports.

The so-called Main PCB has additional features:

  • Overcurrent protection for 4 NVMe ports rated at 5A level for 5V and 12V, without measuring current.
  • Fan speed control to maintain an optimal balance of cooling and noise.
  • An alphanumerical OLED display shows the unit’s IP address and other information.

Andrew and Oleksiy with the proprietary PCBs used in TaskForce 2

Here is another fun fact: the SATA/SAS Main PCB contains only power connectors for hard drives. The eSATA connectors for data transfer tend to wear out faster than their respective power connectors, so they were placed on smaller, separate boards. These are optimized for fast, cost-effective replacement when they wear out. This way, we provided for TaskForce 2’s efficient maintenance during its long lifecycle.

FF: How are the drives connected to the device?

It depends on the drive’s interface. If it’s a 2.5″ or 3.5″ SATA or SAS, we use a universal cable, which TaskForce 2 has inherited from our previous imagers: DiskSense 2 and TaskForce. This cable has an eSATA connector for data transfer and a Molex Microfit 4-pin for power supply. On the drive side, it has an SFF-8482 connector (also known as SAS 29-pin), which is compatible with both SAS and SATA drives.

For drive connections, Atola continues to rely on universal cables, which are more reliable than drive racks with built-in contacts. When a cable wears out, it’s easy to diagnose and replace, and the problem is limited to a single device port. If we used a drive bay, we would have to replace the entire bay, resulting in longer downtime.

To connect USB drives, we use USB 3.2 Type-A ports, and the drive is connected using its standard cable. To connect NVMe drives, we use an IcyDock, a fast, user-friendly and durable solution.

FF: Why did you opt for NVMe docks?

We looked at different ways of connecting M.2 NVMe drives. IcyDock products stood out because of their excellent design. Atola and IcyDock designs have a lot in common and both have a solid black painted metal case. The ability to easily hot-swap drives was another key benefit: you plug an M.2 drive into the connector and put it in the tray, which is then securely inserted into the IcyDock.

IcyDock bays for M.2 and U.2 drives

We tried out a few IcyDock models and settled on the MB699VP model due to its user-friendly design, allowing for frequent and effortless drive swaps. It was originally designed for U.2 drives up to 15mm in height, the support of which is now a bonus feature. To connect M.2, an adapter is used: the M.2 drive sits in the dock and connects to an internal card with an M.2 connector, while externally this card has a U.2 connector that mimics the concept of SATA/SAS connectors, which were designed and tested for numerous connection cycles.

And the best thing about this solution is the speed of 4.5 GB/sec on each of the M.2 ports. You have never acquired NVMe or PCIe drives faster!

FF: Is TaskForce 2 compatible with other existing Atola extensions?

We made sure that the new unit works with all existing Atola extensions. The Atola extension port is an extended version of the PCIe interface from the motherboard, protected against ESD and excessive power consumption.

TaskForce 2 has a PCIe 4.0 x16 interface with a theoretical maximum data transfer rate of 32GB/s. The new imager’s extension interface is a big step forward in bandwidth compared to the previous Atola products, which had a PCIe 3.0 x8 interface.

FF: How did you get the idea for the device rack?

Compact drive placement in the forensic workplace has been one of the most requested features since 2018. When designing TaskForce 2 in 2021, we realized the new unit would require a dedicated drive organization system.

The core of the drive organization system is a case that is installed in a 19″ rack right next to TaskForce 2, within reach of our standard drive cables. This design must be compatible with all possible 3.5″ and 2.5″ disk form factors, and all possible drive height variations, from 7mm to 15mm for some server SAS models.

We were looking for a simple and reliable solution, inspired by an idea I came across a long time ago in a science fiction novel by British author Arthur C. Clarke: “No machine may contain any moving parts”. It is a utopian ideal, almost unattainable in reality. It implies that the fewer parts there are in a device, the better: fewer parts mean fewer potential points of failure and lower production and assembly costs.

For our project, this idea meant minimizing the number of moving parts, ideally to zero. At the same time, the rack had to ensure a fast and effortless drive swap. The task was complicated by the fact that each cell of the rack had to fit all known form factors:

  • SATA/SAS desktop drives of 102 x 147 mm, up to 26 mm high
  • Mobile SATA drives of 70 x 100 mm, 7 mm or 9.5 mm high
  • Mobile SAS drives of 70 x 100 mm, up to 15 mm high

We looked at different design options and settled on the most suitable concept: a simple shelf is divided into disk cells, in which you can place a drive horizontally, secured with corners preventing the drives from slipping out if you accidentally pull a cable.

As straightforward as the design may sound, its practical implementation was much trickier.

Four drives take up almost the entire width of a 19″ rack. We still had to fit the case and cell walls. The hardware engineers had to really “rack their heads” but we did tackle all the challenges and designed a rack that holds 8 drives and has a fan to keep them cool. A rack can be installed in a 19-inch rack or sit on a desk; it can be placed above or under TaskForce 2. Optimally, a rack above TaskForce 2 is used for all the drives plugged into SATA ports and another one is underneath to accommodate the drives in SAS ports.

The racks brought a substantial improvement to the user experience, and we could not be happier with the outcome.

TaskForce 2 with drive racks

FF: What’s next for Atola in terms of hardware design?

We are busy developing a brand new standalone imager. With a comprehensive range of ports and market-unique features, it will be crafted to handle the most complex tasks with ease. While I can’t reveal too much yet, this imager is set to redefine your workflow and elevate your forensic toolkit.

Stay tuned for more sneak peeks and behind-the-scenes updates by following Atola on LinkedIn!

Alexis Brignoni, Special Agent and Digital Forensic Examiner, FBI

FF: Alexis, tell us about your background and how you ended up in your current role at the FBI.

When I graduated college, I went to work in the information technology department of the university I graduated from. As I was thinking about what I wanted my career to look like down the road, I came across the FBI Special Agent position on the USAjobs.gov website. At that time, 17 years ago, they were looking for candidates with technological backgrounds as well as foreign language speaking abilities. As a computer science graduate with an MBA in Management of Information Systems, who also happened to speak Spanish natively, I had the right skills at the right time. After a very hard and intensive process, I was given my badge and credentials as an FBI agent. It goes without saying that this was one of the proudest moments of my life.

One of the many good things about the FBI is that we want to hear from people with all different levels of experiences and skills that are interested in keeping our country safe while doing meaningful work every single day. Folks can go to fbijobs.gov and research all the different careers available at the FBI.

FF: What does a typical day at work look like for you?

AB: As a Computer Analysis Response Team (CART) Digital Forensics Examiner (DFE), it is my job to Identify, Preserve, Analyze, Document, and Present on items of interest from digital systems and media. This means I will be working on mobile devices, computers, and even vehicles (cars, trucks, EVs) in order to determine the truth of a past event as recorded in these devices.

Most of my work involves mobile devices like iOS and Android cellphones. This fact informs my approach on the open-source tools I maintain, as well as how I understand developments across the broader field of digital forensics. It is important to underline that neither the tools nor the opinions I express are endorsed by the FBI. These DO NOT represent or reflect on the FBI or FBI policy in any way. I speak only for myself and no one else.

It is important to recognize that this truthful reconstruction of the past from digital media by a skilled DFE can demonstrate guilt, or innocence, in the context of a legal proceeding. This fact places on the DFE an immense level of responsibility. Getting it wrong is not an option. This is why for 2025 I want to focus on three aspects of the DFE that speak to our quality as individuals beyond our technical knowledge. These are:

  • Probity. It is defined as having strong moral principles. We are not here to please our stakeholders. We are here to find and present facts. Probity is leaving our beliefs at the door and working based on our values, with the value of truth being the one to lead us.
  • Attention to detail. Accuracy is key. Being able to look at massive amounts of data in order to pick out what is really important is a skill we have to consciously work on every day. It requires discipline and work ethic, especially when you are pressured to get results quickly. DFEs need to push back and assert that attention to detail takes time and is a requirement we won’t compromise on.
  • Due Diligence. This is what we owe our cases, what we owe our stakeholders, and what we owe to ourselves. We owe our cases time, expertise, and thoroughness. We owe our stakeholders concise, clear, and accessible explanations of our work and how it impacts the case. We owe ourselves to reflect on what we could do better, to make time to self-train and to conduct research. We owe ourselves to not be content with being mediocre and making sure we share what we learn with others.

FF: Tell us about your RLEAPP, ALEAPP, iLEAPP and VLEAPP open-source tools and how they benefit digital forensic practitioners.

The tools are collectively known as the LEAPPs and their purpose is to quickly triage items of digital evidence using an open-source framework. They are coded in Python and are designed to be accessible to developers with a beginner level of experience, while providing for the complexity advanced developers need.

One of the benefits of the framework is that it automates the ingestion and reporting of data, which means it is easy and quick to build a parser for an artifact that third-party paid tools don’t support yet.
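As an added example (not code from the LEAPP projects, whose plugin API is not reproduced here), this is the shape of a triage parser the text describes: it locates an app database among the files of an extraction, opens it read-only, converts epoch-millisecond timestamps to UTC, and returns report rows together with a hash of the source file. The app package name, the database schema, the file name and all function names are hypothetical, and the sample data is constructed.

```python
"""
Hypothetical artifact parser in the spirit of the LEAPPs workflow: find the
artifact among the files in an extraction, parse it, return rows for a report.
This is an added illustration, not LEAPP code; the schema and names are invented.
"""
import hashlib
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample artifact: a fictional messaging app's SQLite database.
# Real apps differ; this schema exists only to exercise the parser.
SAMPLE_ROWS = [
    (1, "+15550001111", "meet at 9", 1704067200000, 0),  # 2024-01-01T00:00:00Z, received
    (2, "+15550001111", "ok", 1704067260000, 1),         # 2024-01-01T00:01:00Z, sent
    (3, "+15550002222", "", None, 0),                    # missing timestamp: must not abort the parse
]


def build_sample_extraction(root: Path) -> Path:
    """Write the constructed database under a fake Android app data path and return its path."""
    db_path = root / "data" / "data" / "com.example.chat" / "databases" / "messages.db"
    db_path.parent.mkdir(parents=True)
    con = sqlite3.connect(db_path)
    con.execute("CREATE TABLE messages (id INTEGER, peer TEXT, body TEXT, ts_ms INTEGER, sent INTEGER)")
    con.executemany("INSERT INTO messages VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    con.close()
    return db_path


def ms_to_utc(ts_ms):
    """Epoch milliseconds -> ISO-8601 UTC string. None stays None so one bad row is reported, not fatal."""
    if ts_ms is None:
        return None
    return datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def sha256_of(path: Path) -> str:
    """Hash the source artifact so the report can be tied back to the exact file examined."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_messages(files_found):
    """Return (headers, rows, source_hash) for the hypothetical messages.db artifact.

    The database is opened read-only through a URI so the examination never
    writes to the working copy of the evidence (no journal, no WAL side effects).
    """
    matches = [Path(f) for f in files_found if Path(f).name == "messages.db"]
    if not matches:
        return [], [], None
    db_path = matches[0].resolve()
    con = sqlite3.connect(f"{db_path.as_uri()}?mode=ro", uri=True)
    try:
        cur = con.execute("SELECT id, peer, body, ts_ms, sent FROM messages ORDER BY id")
        rows = [
            (mid, peer, body, ms_to_utc(ts), "sent" if sent else "received")
            for mid, peer, body, ts, sent in cur.fetchall()
        ]
    finally:
        con.close()
    headers = ["Message ID", "Peer", "Body", "Timestamp (UTC)", "Direction"]
    return headers, rows, sha256_of(db_path)


def run_demo():
    """End to end: build the constructed extraction, walk it as a triage tool would, and parse it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_extraction(root)
        files_found = [str(p) for p in root.rglob("*") if p.is_file()]
        return parse_messages(files_found)


if __name__ == "__main__":
    headers, rows, digest = run_demo()
    print(headers, "source sha256:", digest)
    for row in rows:
        print(row)
```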

We are currently working on a new reporting system called LEAPPs Artifact Viewer App (LAVA) that we unveiled recently at the 2024 Cyber Social Hub Conference. It will allow for faster, modern, and efficient reporting of LEAPPs’ parsed data. Folks can sign up at LEAPPs.org to receive notifications of the latest LEAPPs releases, as well as when LAVA will be made available to the public.

As data sources multiply exponentially, we can’t expect paid tools to keep up with all our parsing needs the moment we might need them. The job of the DFE is not to just use tools or press buttons to see what the tool is unable to identify. The main job of the DFE is to be able to recover, parse, and interpret data when the commercial tools cannot. This assumption that commercial tool output is all encompassing is a willful negation of our due diligence responsibilities.

Since the tooling is open-source, transparency is built in. Anyone can look at the code and follow the operations of it. Even though source code access is not needed for validation and verification, having it does help.

I believe the future will favour the DFE that uses tools, knows code, and understands how relevant technology operates, while also being able to put it all together in the context of an investigation. Alex Caithness has said: “Learn to code because every artefact exists because of code.” I agree. This understanding needs to be part of every DFE skill set moving forward if we are to be successful in our mission to uncover the truth, wherever it might be.

FF: Are there any other challenges within digital forensics for which you’d like to see open-source solutions?

I would like to see not only open-source development but also any type of development that grows our understanding of how memory operates in Android devices. MSAB is doing great work on this front and I would hope others will join them in this area. Memory analysis of Android devices is an area that many are not aware of, and we need to be. Unlike RAM analysis on computers, the memory of an Android device keeps data between reboots and after turning the device off. This means there could be a lot of data persisting in memory that might not be found on the device’s storage anymore. I welcome any and all developments in this direction.

FF: Tell us about the Digital Forensics Now podcast. What is it like being the host of such a popular show?

When I proposed the idea to my wonderful and amazing co-host, Heather Charpentier, we had no idea how well received the podcast would be by the community. It has been a little over a year since we started the podcast, and we are enjoying every second of it.

I believe the podcast is filling a need for consistent content that speaks specifically to current matters in digital forensics, as opposed to other podcasts where the focus is the broader fields of incident response and cybersecurity. We have tried to stay away from making the podcast an interview show, in order to present the current news and our opinions on these topics of interest.

To me, one of the unexpected sources of value that the podcast provides is the chat community that has grown when we are live on YouTube. I know you won’t find a more active and smarter group of people than the folks that chat with us when the show is being streamed live. We leverage their knowledge during the show for the benefit of the rest of the audience but also, and mainly, for our own benefit. I don’t have enough words to express how grateful we are for the folks that chat live, the ones that send us messages over at our podcast’s social media presence, and for all the opportunities the podcast gives us to disseminate important information with a personal touch from those that are active in the field.

FF: How do you see AI evolving in the digital forensics space, and what safeguards need to be in place to ensure its proper use?

This is a great question that could easily fill a 300-page dissertation. From my perspective, current generative AI implementations come with a risk level that has yet to be mitigated by standardized policies or procedures. It is also important to recognize that adoption proponents rarely talk about AI limitations and how using those systems might affect current processes. There is work to be done before we add these technologies into our workflows.

If DFEs start using Large Language Models (LLMs) without output verification, we will quickly find that such reports will be filled with errors. In fields where the output can change lives forever, like medical or legal, we need to go slow and make sure we are doing things right.

Some things to consider:

  • Discovery responsibilities. I can easily foresee an immediate future when the opposing party in a legal proceeding will require the prompts that were given to the AI in order for it to achieve the provided output. Are the prompts consistent with the legal authority provided? Has the AI touched upon matters not covered in the legal authority? Legal proceedings are based on transparency, and we need to start thinking about how to make these technologies more transparent, in regards to how they work and how we explain the way they work. More logging and more traceability are needed.
  • Training data provenance and bias. Where has the training data come from? Has it been procured in a way that does not violate the authorship rights of others? In the same way we will never use unlicensed software, do we know where the training data came from? There are many documented cases of bias manifesting in AI output. Bias needs to be fully avoided. We need to establish not only best practices on usage but also best practices on how to compile the training data to be used for these systems within our field.
  • Lack of consistent answers / variability. AI will give you the same answer to a question only once. The multiple answers to the same question might change a little, a few words here or there, or they can change a lot, to the point of hallucination. This means that current validation processes are not suitable for AI, and therefore all AI output needs to be verified for accuracy. We need to think about validation processes that are suitable for these technologies, while realizing the time-limiting reality that these tools impose when the verification of every single piece of output provided is needed.

FF: And finally, apart from coming up with brilliant digital forensics memes, what do you do in your spare time?

I love memes! Being able to make a joke that other DFEs relate to brings the community together. We are not as distant as we might think we are. Even if you are the single DFE in your office, there are thousands of others that understand you, want to help you, and laugh with you when you enjoy a meme about our field.

Memes are great, but I do like other things. Since 1998, I’ve been playing a video game called Starcraft. I love lifting weights but hate cardio. Teaching is an activity that fills me with joy.

Because of that, I am proud of being the author of the Android portion of the IACIS Mobile Device Forensics Course and also the author and instructor of the data structure portions of the IACIS Advanced Mobile Device Forensics Course.

I literally love long walks on the beach and reading books but mostly the audible kind. At the end of the day, there is no real spare time. We decide what we do with the time we are given, and my hope is to use it as best as I can.

Chris Vance, Resident Mobile Expert, Magnet Forensics

The world of mobile forensics is one that’s always shifting and adjusting. It takes a dedicated expert to be able to find the latest sources of evidence from mobile devices, and at Magnet Forensics, Chris Vance is the one taking that challenge head on.

Over the years, Chris has brought a great deal of mobile forensics research to his role at Magnet Forensics. He has channelled all of that knowledge into a highly successful webinar series called Mobile Unpacked. Fresh off the latest episode, focusing on iOS 18, we caught up with Chris about some of the latest trends he’s been seeing in the field.

FF: Tell us a little bit about your experience in the field and what you bring to your mobile research?

I’ve been doing mobile forensics since around 2007 while working with the West Virginia State Police’s digital forensics unit. Back then, it was about recovering a few calls or messages off a device and maybe one or two “potato-quality photos” as I liked to call them. As the devices evolved, so did the crimes we investigated. Suddenly we were being brought smartphones, which came with a whole new library of applications that there wasn’t anything to support.

For me, it was always these little things that drove me. The one-offs and questions that weren’t in any books or blogs. I knew that if I needed these answers, eventually someone else would too, so maybe I could start sharing them with the community to help that next person down the line.

FF: What’s been a particularly new trend that’s caught your eye?

While I’m usually primarily focused on messaging changes as my first priority, one thing I’ve noticed is that we just keep seeing exponentially larger forensic images being returned from these mobile devices. It’s not uncommon to see a 256-512 GB mobile device now, or even larger. While we always want to capture every piece of data we can, sometimes we have to prioritize what we’re going to collect, when we’re going to collect it, and how quickly we can get to the key points that matter to determine if it’s even worth the full analysis. If I had a dollar for every case I performed a full extraction and analysis on where a quick collection and scan of the data would have proven it wasn’t needed, well, let’s just say I could probably buy a new iPhone 16 for testing.

FF: What Magnet Forensics solutions are there to help?

What I love about our company is that we’re trying to tackle this a bunch of different ways. For example, we have Magnet Graykey Fastrak, which allows us to decouple the extraction process from Magnet Graykey and allows you to get your image from the phone to your forensics computer much faster (especially when a device has USB-C).

We also offer content-based extractions on both our Graykey and Magnet Verakey products that allow examiners to select just specific types of information and/or a specific time window to extract from the device.

Additionally, we’ve been working on several different ways to speed up processing once you bring the data over into Magnet Axiom, with more of them coming in each new release. Of course, that’s just the stuff I CAN talk about. There’s lots more still to come!

FF: What kind of training/resources do you think people should seek out to improve their mobile investigations?

I’m going to be a little biased as a former trainer and curriculum manager for Magnet Forensics. Our mobile courses like Core Mobile Acquisition & Analysis (AX150), Magnet Graykey Examinations (GK200)/Magnet Verakey Examinations (VK200), and Axiom Advanced Mobile Forensics (AX300) can provide people—regardless of experience level—an entry point to learning more about iOS and Android forensics.

Capture The Flag competitions are another amazing way to learn in a fun, interactive environment. Even if you’re not joining a CTF live, you can usually find the images and questions, work your own solutions, and there are always great write-ups in the community that you can compare your own work with!

FF: What’s next for Magnet Forensics in the mobile space?

We’re always trying to push ourselves to access the latest devices, OSes, and parse the latest artifacts. With Mobile View out now, we have a few other features we’re working on to help examiners AND investigators locate data quickly and easily. Beyond that, there are some great new features coming to our products that are going to streamline your imaging and processing even further! Keep an eye out for more information!

And be sure to keep up with our Mobile Unpacked webinar series. We’re up to #22 in the series, with each episode focusing on a specific area of study in mobile forensics that can definitely help you in your investigations. Our latest episode, “Eyes on eighteen”, focuses on the newly released iOS 18, and you can find a recording here.

Chris Doman, Co-Founder & CTO, Cado Security

FF: Chris, how did your background in security operations and threat research lead to the founding of Cado Security?

The US Department of Defense used to run a fantastic forensics competition, open to people the world over. Sadly, that’s no longer operating, but it got me and plenty of other people into DFIR. That led to an opportunity to work in the DFIR team at PwC UK. When you’re in your 20s, flying around to acquire hard disks and help clients is pretty exciting. It was a fantastic place to learn, but as many people on Forensic Focus know, incident response is pretty tiring after a while.

I then moved to cybersecurity vendors headquartered in the US and got to work more on the threat intelligence side of things. The UK cyber-security industry is strong, but I was keen to learn from fast-growing US companies how start-ups work. There’s a great community for sharing information in threat intelligence, particularly on the more targeted attacks, and that’s invaluable to both the industry and personally if you want to start your own company one day.

James Campbell (my co-founder) and I worked together at PwC. We found that investigating and responding to threats, particularly in the cloud, was a slow and manual process. A few years later, James and I reunited to build a platform that could automate a lot of the work we were doing, and that’s how Cado Security was born.

FF: Tell us more about the Cado Platform. Who is it for and what does it do?

Cado started out as a platform for security teams to collect forensic data, whether it be in the cloud or on-prem, and also to centrally investigate in a single cloud platform. We found our customers were increasingly asking for more automated capture and analysis, often building that themselves using our API. That resulted in what is really a second iteration that has evolved over the last two years – where most data is now captured automatically, either following a trigger from a detection product like Crowdstrike or from another platform such as ServiceNow.

FF: Cado integrates with tools like AWS, Azure, and Google Cloud. How do these integrations improve the forensic and incident response process?

Part of the opportunity here is speed – we’ve spent years iterating how we capture data from these platforms, and we can now do it in a way that is both fast and reliable. Certainly much faster than the manual methods that many teams were using previously. The other part is just being able to capture data before it disappears. We’ve filed plenty of patents on how we can capture data from Kubernetes environments for example, as that required a lot of research to work out. The other part is that we can unify data from multiple sources, so that security teams can work seamlessly in multi-cloud environments. We can also analyse SaaS, cloud, container, serverless, and on-prem assets in a single platform, which is a big win for security teams.

FF: Our recent review highlighted Cado’s ability to quickly acquire evidence and identify threats like webshells. How do these strengths support real-world investigations?

The most common investigations we see are around cloud security incidents. These can be anything from a crypto-mining worm in a container to a webshell on a server. The Cado platform automates forensic-level data capture and processing, which can help security teams respond faster. We’ve also built in a lot of threat intelligence, machine learning, and YARA rules to help teams quickly identify malicious activity and potential risks.

FF: Your recent research covers threats like Selenium Grid and Mac malware. What are the key findings, and how should security teams respond?

The key finding for me from the Selenium Grid crypto mining malware is that pretty much any exposed build platform is going to have problems eventually. We’ve previously published reports on attacks against Jenkins build servers, exposed Kubernetes APIs and Redis databases, etc. Preventing those issues is often the basic hygiene of limiting what services are internet accessible, and the built-in cloud firewalls do a pretty good job of making fixing that easy. But in a large estate there are often either exceptions or outliers, and that’s when you need to be prepared to be able to quickly investigate. Mac malware is always a bit more interesting to see, given it’s historically been less common, but absolutely exists.
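The "exceptions and outliers" point above is easy to turn into a routine check. The following is an added example, not Cado Security code: it walks inbound security-group rules in the shape the AWS EC2 DescribeSecurityGroups API returns and flags any rule that opens a port to the whole internet, annotating it when the port is one of the well-known defaults for the services the interview names (Selenium Grid 4444, Jenkins 8080, Kubernetes API 6443, Redis 6379 are assumed defaults, not values from the page). The security groups, the allow-list of permitted public ports and the severity scale are all constructed for the example.

```python
"""Flag security-group rules that expose services to the whole internet.

Added example (not Cado Security code).  Input is a list of security
groups in the AWS DescribeSecurityGroups shape; the sample groups at the
bottom are constructed, and the port-to-service names are assumed
well-known defaults used only as annotations.
"""
from __future__ import annotations

# Assumed default listening ports for the build/data services the
# interview mentions as repeatedly attacked when exposed.
RISKY_PORTS = {4444: "Selenium Grid", 8080: "Jenkins",
               6443: "Kubernetes API", 6379: "Redis"}

# Source ranges that mean "anyone on the internet" (IPv4 and IPv6).
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _cidrs(rule: dict) -> list[str]:
    """Collect IPv4 and IPv6 CIDRs from one IpPermissions entry."""
    v4 = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return v4 + v6


def _port_span(rule: dict) -> tuple[int, int]:
    """Return (from, to) ports; IpProtocol -1 means all traffic on all ports."""
    if rule.get("IpProtocol") == "-1":
        return (0, 65535)
    return (int(rule["FromPort"]), int(rule["ToPort"]))


def find_internet_exposed(groups: list[dict],
                          allowed_public_ports=frozenset({443})) -> list[dict]:
    """Return one finding per inbound rule open to ANYWHERE on a non-allow-listed port."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            public = [c for c in _cidrs(rule) if c in ANYWHERE]
            if not public:
                continue  # only reachable from specific ranges: not an outlier
            lo, hi = _port_span(rule)
            # A single allow-listed port (e.g. 443 on a web tier) is expected hygiene.
            if lo == hi and lo in allowed_public_ports:
                continue
            hits = sorted(n for p, n in RISKY_PORTS.items() if lo <= p <= hi)
            findings.append({
                "group": group["GroupId"],
                "ports": str(lo) if lo == hi else f"{lo}-{hi}",
                "cidrs": public,
                "known_targets": hits,          # services known to be hit when exposed
                "severity": "high" if hits else "medium",
            })
    return findings


# Constructed sample: a web tier, a CI host, a legacy allow-all group and a
# Selenium node whose range happens to include the Grid port.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-ci", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-grid", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 4440, "ToPort": 4450,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for f in find_internet_exposed(SAMPLE_GROUPS):
        print(f"{f['severity']:6} {f['group']:10} ports {f['ports']:8} "
              f"from {','.join(f['cidrs'])} {f['known_targets']}")
```

Run against real data by feeding it the `SecurityGroups` list from `aws ec2 describe-security-groups --output json`; the allow-list argument is where an estate records its deliberate exceptions, so anything left in the output is exactly the outlier the interview says you need to be ready to investigate.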

FF: Cado Security recently launched a product focused on SOC automation. How does it help SOC teams streamline their workflows?

It fits into a wider trend we’ve seen with SOC teams being increasingly responsible for not only triaging incidents, but also investigating and resolving them. I think that’s a credit to the wider industry, both in terms of training and tooling, beyond just what we’re up to at Cado. Our SOC automation features work by automatically consuming detections from platforms like Wiz or Microsoft Defender to capture data. The key part we’ve managed to get right recently is then providing a more assisted investigation.

As a forensic tool, we’re lucky to have a really large set of data to look at during an investigation, and we have a machine learning model that identifies things such as “this user logged on just before the malware was executed, let’s raise that to the analyst”. That’s a simple example, but it’s the kind of thing that can really speed up an investigation. In a sense, what we are doing is “SOC Augmentation”, as it’s not about replacing the analyst, but about making them more effective.
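The "this user logged on just before the malware was executed" lead is a timeline correlation, and the rule-based version of it is short enough to show. This is an added example written for this interview, not Cado Security's model or code: a plain time-window rule rather than machine learning, over a constructed host timeline in a hypothetical normalised schema (`ts`, `type`, `user`, `host`, `detail`). The "execution from a world-writable directory" indicator and the 15-minute window are assumptions chosen for the example.

```python
"""Raise "who logged on just before this ran?" leads from a host timeline.

Added example (not Cado Security code).  EVENTS is a constructed,
UTC-normalised timeline in a hypothetical schema; the suspicious-path
indicator and the default window are assumptions.
"""
from __future__ import annotations
from datetime import datetime, timedelta

# Constructed events for one host, deliberately out of order.
EVENTS = [
    {"ts": "2024-09-12T08:55:10Z", "type": "logon", "user": "svc_backup",
     "host": "web01", "detail": "ssh from 10.0.5.12"},
    {"ts": "2024-09-12T09:01:42Z", "type": "logon", "user": "jsmith",
     "host": "web01", "detail": "ssh from 203.0.113.7"},
    {"ts": "2024-09-12T09:03:05Z", "type": "process", "user": "jsmith",
     "host": "web01", "detail": "/tmp/.x/kworkerds"},
    {"ts": "2024-09-12T09:40:00Z", "type": "logon", "user": "admin",
     "host": "web01", "detail": "console"},
    {"ts": "2024-09-12T07:00:00Z", "type": "process", "user": "root",
     "host": "web01", "detail": "/usr/sbin/cron"},
]

# Hypothetical indicator: a binary running from a world-writable directory.
SUSPICIOUS_PATHS = ("/tmp/", "/dev/shm/")


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def suspicious_executions(events: list[dict]) -> list[dict]:
    """Process events whose image path matches the indicator, oldest first."""
    hits = [e for e in events
            if e["type"] == "process" and e["detail"].startswith(SUSPICIOUS_PATHS)]
    return sorted(hits, key=lambda e: parse_ts(e["ts"]))


def preceding_logons(events: list[dict], execution: dict,
                     window: timedelta = timedelta(minutes=15)) -> list[dict]:
    """Logons on the same host inside the window before the execution, newest first.

    Each returned record carries seconds_before and whether the logon user
    matches the account that ran the process.
    """
    t_exec = parse_ts(execution["ts"])
    out = []
    for e in events:
        if e["type"] != "logon" or e["host"] != execution["host"]:
            continue
        t = parse_ts(e["ts"])
        if t_exec - window <= t <= t_exec:          # logons after the run are not causes
            out.append({**e,
                        "seconds_before": int((t_exec - t).total_seconds()),
                        "same_user": e["user"] == execution["user"]})
    return sorted(out, key=lambda e: e["seconds_before"])


def analyst_leads(events: list[dict],
                  window: timedelta = timedelta(minutes=15)) -> list[dict]:
    """One lead per suspicious execution, phrased the way an analyst would read it."""
    leads = []
    for ex in suspicious_executions(events):
        logons = preceding_logons(events, ex, window)
        summary = "; ".join(
            f"{lg['user']} logged on {lg['seconds_before']}s before ({lg['detail']})"
            + (" [same account]" if lg["same_user"] else "")
            for lg in logons) or "no logon in window"
        leads.append({"execution": ex, "logons": logons,
                      "message": f"{ex['detail']} on {ex['host']}: {summary}"})
    return leads


if __name__ == "__main__":
    for lead in analyst_leads(EVENTS):
        print(lead["message"])
```

The ordering by `seconds_before` and the `same_user` flag are what make the lead useful: the nearest logon by the same account that ran the binary is the first thing an analyst wants to see, and a logon that happened after the execution is excluded rather than listed as a near miss. Widening or narrowing the window changes how many candidates are surfaced without touching the rule.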

FF: How has the demand for cloud-specific forensic tools evolved, and what challenges does cloud forensics present compared to traditional on-premise investigations?

It’s an interesting question, as sometimes cloud forensics feels 90% like on-prem, and sometimes it feels 10% like it. For example, if you’re investigating a virtual machine in the cloud, you’re probably going to be looking at a disk image, and much of the investigation will be similar to on-prem. Albeit collecting the data, and associated cloud level logs and meta-data, is quite different from on-prem. If you’re looking at a compromise of a managed container service like ECS Fargate in AWS, things start to look very different, and the data may not live where you would expect in the on-prem world.

FF: With the rapid evolution of cloud services and new attack surfaces, where do you see the future of cloud-based digital forensics heading?

I think the majority of attacks will remain the same – opportunistic, widespread threats, primarily against misconfigurations. But the cloud providers are making some good steps to make misconfigurations harder and default security easier, so I’m optimistic on a downward trend there. More targeted threats will always follow wherever the most interesting data lives, and that’s increasingly in the cloud. There’s starting to be some more public reporting of those incidents, but overall the threat there is likely underreported due to the typical sensitivity around those kinds of incidents.

When we started the company in 2020, there were a few great resources on cloud forensics, but there weren’t many. Jonathon Poling published some great resources on cloud forensics nearly a decade ago, but there wasn’t much else. Now we have excellent training (e.g. SANS 509), and there is much more mature tooling, so teams don’t have to tape together a bunch of scripts to get the job done. So again, I’m optimistic both on the growing market and the growing maturity of the tools available here.

FF: Finally, what do you enjoy doing in your spare time?

I plan to clean out my shed this weekend. Hopefully this time I’ll finally get around to it ;).

Dr. Rebecca Portnoff, Head of Data Science, Thorn

FF: Tell us about your background and how you became Head of Data Science at Thorn.

My background is in computer science – I got my bachelor’s at Princeton and my PhD at UC Berkeley, both in computer science with a focus on machine learning (ML) / artificial intelligence (AI). My PhD dissertation focused on what my team at Thorn does today: building ML/AI to defend children from sexual abuse.

I first got introduced to the issue of child sexual abuse in my senior year at Princeton, after reading a book covering human rights abuses against women and girls around the world. At the time, I was trying to decide between going to graduate school or getting a corporate job. After reading the book, I couldn’t shake the issue from my mind. After some thought and prayer, I decided to go to graduate school – as I figured it would be easier there to learn what a computer scientist could do to help combat this issue.

I spent the first year or two of my PhD program cold calling non-profits, law enforcement, and anybody who would answer the phone, to try to understand how someone with a technical background could join this mission. I learned a lot during that time, especially about the dedicated efforts of front-line defenders in this space. It was through these conversations that I got connected to Thorn, and it was a very natural fit to join the team as one of their first data scientists, after finishing up my degree. Since then, I’ve grown and built the data science team, and now have the privilege of leading an amazing group of dedicated professionals.

FF: What does Thorn do?

Thorn is a non-profit that builds technology to defend children from sexual abuse and exploitation in the digital age.

We were founded in 2012, and today we create products and programs to empower the platforms and people who have the ability to defend children. Thorn’s tools have helped the tech industry detect and report millions of child sexual abuse files on the open web, connected investigators and NGOs with critical information to help them solve cases faster and remove children from harm, and provided parents and youth with digital safety resources to prevent abuse.

FF: What does your typical working day look like?

My days are a split between engaging externally (e.g. collaborating with external institutions and stakeholders, driving external initiatives and conversations, etc.) and supporting my team internally (e.g. making sure my team has what they need to thrive in their work).

FF: How has the rise of generative AI changed the landscape of CSAM creation and distribution?

Generative AI is being misused today, to further sexual harms against children. This technology is being used to make AIG-CSAM (AI-generated child sexual abuse material). It creates photorealistic content and can do so at scale – making thousands of new images in minutes. In some cases, bad actors are building generative AI models to target specific children, specializing their models using existing CSAM to make those models better at producing more abuse content of those same kids. It’s also being used to broaden the pool of their potential victims, for example via the use of “nudifying” or sexualizing apps to sexualize benign content of children and then use that new imagery to sexually extort them.

Minors are also increasingly using these same apps to create sexual content of their peers and then use that content to bully and harass them. This is all against the backdrop of an already overtaxed child safety ecosystem, which receives millions of reported files of suspected CSAM from platforms online every year. That backlog of content contains reports of children who are in active harm’s way. Anything that adds to that haystack, adding to the investigative time to find a child in active harm’s way, is a real problem.

FF: How will implementing Safety by Design principles help guard against AI-generated child sexual abuse material?

If the Safety by Design principles and recommended mitigations in Thorn and All Tech Is Human’s paper are followed, the resulting generative models will be less capable of producing AIG-CSAM and other child abuse content, the content that does get produced will be detected more reliably, and the spread of the underlying models and services that are used to make this abusive content will be limited. We see opportunity across the entire lifecycle of ML/AI – develop, deploy, maintain – to prioritize child safety.

I’ve been working at the intersection of ML/AI and child safety for over a decade, and what I’ve observed is that there are no silver bullets in this space – any single intervention is not going to solve the problem. We believe the power in these principles and mitigations will come from engaging with all of them, so that you have layered interventions across the entire ML/AI lifecycle.

FF: Tell us about CSAM Classifier and how it uses AI to identify child sexual abuse material.

Thorn’s CSAM classifier is our best tool for identifying new CSAM content. If the image or video is a new one, the hashes for these images by definition won’t be on the lists for known CSAM. So how do you find this new content then? It could be from user reports or manual moderation. But these strategies can be slow. It might not be for weeks, months or even years after a new CSAM image appears on the web that it gets found. In the meantime, that could mean that a child victim could be trapped for years in their abuse without help. The CSAM classifier accelerates that prioritization and triage work – and combined with human decision making, it can significantly reduce the time it takes to find a victim and remove them from harm.

The CSAM classifier uses deep learning to classify images and video into three categories: CSAM, adult pornography, and benign. We continuously improve our classifier, regularly re-training the model with new false positives (adult pornographic content mislabeled as CSAM), new false negatives (CSAM mislabeled as adult pornographic content) and new true positives (CSAM). The data used to build the CSAM classifier comes from a variety of sources and trusted partnerships, including organizations with the legal right to house CSAM. Thorn’s CSAM classifier was trained in part using trusted data from the National Center for Missing and Exploited Children’s (NCMEC) CyberTipline. This high-quality data helps Thorn’s model predict if image and video content contains CSAM.

The CSAM Classifier is currently used within Safer, Thorn’s industry offering to support hashing, matching and classification at scale to detect CSAM on partner platforms. It is also directly integrated into several law enforcement forensics platforms, including Magnet Forensics and Griffeye. You can learn more about our integration with Griffeye here: https://www.thorn.org/blog/thorn-and-griffeye-empower-global-law-enforcement-to-more-quickly-identify-abuse-victims/.

FF: You recently spoke at the Virtual Summit on Deepfake Abuse – what key points did you highlight in your talk?

The key points I highlighted include much of what we’ve talked about here today – that bad actors are misusing generative AI to further sexual abuse against children. But we still have an opportunity to act and course correct for this emerging technology, such that we are prioritizing child safety across the full lifecycle of ML/AI – develop, deploy, maintain.

FF: Tell us about your role on the AI for Safer Children Advisory Board.

I just joined the advisory board as Thorn’s representative for the group – so I don’t have much to share as I haven’t yet had a first meeting! I look forward to supporting AI for Safer Children’s mission to build the capacities of law enforcement worldwide to leverage the positive potential of artificial intelligence (AI) and related technology to combat child sexual exploitation and abuse.

FF: Finally, what do you enjoy outside of work?

I am an avid musician; I minored in vocal jazz in college and love to sing. I also enjoy spending as much time outside as possible, reading a good science fiction novel on my porch or going on long walks when the weather permits.

Noel Lowdon, Director, Harper Shaw Investigation Consultants Ltd

FF: Tell us about your previous background in law enforcement and what led you to set up Harper Shaw Investigation Consultants Ltd.

My background stems from Roads Policing in the UK, where I spent an early part of my career investigating road collisions and tackling vehicle related crime. I was part of a proactive roads policing department responsible for disrupting criminal activities involving vehicles, before moving into a dedicated department responsible for investigating fatal road collisions. I was fortunate enough to be able to follow my passion for investigating in this role and became a qualified detective and investigative interviewer, as well as a forensic collision investigator and digital media investigator, as this started to feature more in investigations.

There was a culmination of factors that led me to set up Harper Shaw Investigation Consultants Ltd. Pensions in the UK police service underwent a major transformation, meaning I was effectively going to have to work a further 7 years with no additional benefit. Also, resources were becoming less and less, so I felt I could not deliver a gold standard in those investigations that involved a death. Dealing with death every day is not good for your mental health, and after seven years of some seriously devastating collisions I was becoming poorly, as were others around me who had been in the same role. I still had a passion for vehicle related investigations, so with these factors and some others it was a case of entering into the unknown, with support from family and friends, to offer consultancy services in serious road collisions with an eye on vehicle data as part of the services.

FF: What services does Harper Shaw Investigation Consultants offer and what types of evidence can investigators recover using vehicle forensics?

Over the past eight years, we have offered a wide range of services from forensic collision reconstruction, speed analysis from CCTV, vehicle identification from CCTV, and acquiring crash data from vehicles as well as infotainment data. The business now specialises in extracting data from vehicles and training. It was never intended to go this way, but the proliferation of people wishing to use vehicle data in their investigations has increased year on year. In our first year, I think we examined about 4 vehicles for digital data from infotainment systems, whereas I think I have looked at 4 vehicles this week alone for infotainment type data, and there is no sign of it letting up coming out of the summer break.

The evidence that can be recovered using vehicle forensics can be wide reaching, as the vehicle has what I term an eco-system, whereby it interconnects with infrastructure and our devices along with third parties. The data types are endless; however, the more common types are crash data, i.e. what was happening in the last moments before a crash, such as speed, braking input, steering input and seat belt usage, as just some of the data types seen on the airbag control module. Infotainment is another area of interest, with journey history, connected device information, and vehicle events such as odometer readings or door events that are sometimes stored on the infotainment module.

FF: What does a typical day at work look like for you?

As a small business owner, there can be so many different tasks in a typical day, as we still run the business in house with minimal staff. I might be literally cleaning the entrance to the building before students arrive for a training course at the start of the day, and later that morning, I could be inside a car removing an ECU for a serious crime investigation. We tend to work as and when required for law enforcement, so weekends and evenings are included. I can spend a large chunk of my time triaging enquiries to assist investigators in deciding whether they are to pursue the investigation, as well as writing up our findings after we have completed a vehicle examination.

As the modern world evolves, we also spend a large chunk of time creating content for our application (The Vehicle Network), which is becoming a resource hub for this type of work and for those public audiences that have an interest in our work. So, I guess a typical day is busy like most.

FF: Can you tell us about a specific case where vehicle forensics played a crucial role in securing a conviction?

Last year (2023), we assisted a law enforcement agency with a murder investigation where a number of vehicles had been used. A vehicle had been used to ram another vehicle before people got out of the cars, and tragically a person was stabbed which resulted in a fatality. One of the vehicles immediately prior to the confrontation had crashed into some railings, which then activated the emergency call feature on the vehicle using a paired and connected device to the vehicle. Whilst the vehicle’s infotainment system had a record of the device stored on it, it didn’t have any connection times. So, the fact that the emergency call feature got activated in a crash at the time meant that by utilising the connected and paired device to make the call it must have been in Bluetooth range of the vehicle to do so. Investigators could attribute the device to a suspect and were keen to know how close the device was to the car at the time and if it could have been inside the car.

The scene was chaotic, with masked individuals moving around and getting in and out of cars. We conducted tests to determine the range and performed a digital reconstruction. We had the vehicle returned to the crash site and used a test device paired with the infotainment system. We then established the range in most directions away from the vehicle until the connection was lost. The findings were surprising, in that we managed to exceed 100 metres in one test, maintaining a Bluetooth connection to the vehicle from the device.

I do a lot of testing, which I find interesting, and it not only helps the community but also ensures that I understand the limitations of the data when presenting in court. This use of vehicle forensics placed a suspect at the scene of the murder, and he was subsequently found guilty by a jury. Other evidence may also have played its part, but in my experience of dealing with complex and serious crime, it’s the layering up of evidence that helps build the picture, and I was proud that we could do our bit on the vehicle side of things and understand the limitations for the benefit of the court. This case study is available as a video presentation in our app.

FF: How is AI being utilized in vehicle forensics, and what advantages or challenges does it bring to the data recovery process?

AI is here, isn’t it, and I do not think it is going away anytime soon. I love new technologies, and the possibilities of AI are endless in my opinion, but we have to nurture it and be wary of adoption too soon without checking veracity. With regards to vehicle forensics, I already see it in action in some areas a little left of field – stick with me here!

I have a contact that compiles a database of all the MOT (annual roadworthiness test of the vehicle after it’s 3 years old) failures here in the UK, and what this means is that when a certain age, make, model and trim level of vehicle fails the MOT on a certain fault, it is logged. AI is being used to project the likelihood of failure on those components on that age of vehicle. This could mean that when somebody is planning a vehicle systems forensics examination, they could possibly identify weak points on the vehicle, possibly more useful in crash investigation. This is perhaps no different to human intelligence, in that a mechanic may well know typical faults on certain vehicles and what components are likely to fail; however, what AI is doing is accelerating that knowledge and refining it with larger data sets.

AI is impacting how cars operate. They are machine learning (or not, if we look at the recent Cruise taxi scenarios), and this will impact crash investigators, who will have to understand the technology to know if the vehicle operated as it should have and what was used to train it. This will impact both criminal and civil cases where there are serious injuries.

Another area where I believe it will change the landscape is in script writing and programming. Caution is needed here, but with the right amount of testing and refinement, automation can start to become a self-derived possibility, reducing the need for people with those specific skill sets—or at least decreasing the number of people required with those skills. Personally, I think it’s a good thing, but it needs nurturing.

FF: What are some of the emerging trends or challenges in vehicle forensics, and how do you see this field evolving in the next few years?

Data privacy and the securing of personal data will be a challenge for investigators in the coming years. We are already seeing levels of encryption on newer infotainment systems here in Europe to protect personal data, which means accessing it for criminal investigations is a challenge. However, this is not something new; we are just following the phone landscape of years gone by. However, there are minimal commercial tools out there for vehicles, and the population of variations of vehicles globally is huge, so it’s a real and present challenge. Data privacy is also huge, and the vehicle is so different to the mobile phone in that it can have many users (just think hire cars and taxis).

The law is always behind technology, and I do not think the ramifications of accessing data on a vehicle are properly understood by the judiciary, and I feel changes will be implemented. One of the biggest challenges we have here in the UK at present is the Forensic Science Regulator’s Code of Practice that came into force last year, where you have to demonstrate accreditation in ISO 17020/25 for digital forensics. The car has been pulled in under that umbrella, along with many other IoT devices. The challenge here is that the car is not a phone or computer on wheels – it is a safety critical real time mechatronic system that just happens to control wheels – and the methods for examining them are totally different, meaning a whole new standard must be developed for this type of work. In short, we are in the wild west of vehicle forensics (which does sound mad when I am into my eighth year), and there is a long and undulating journey ahead.

FF: And finally, what do you enjoy in your spare time?

Spare time? Joking aside, after experiencing burnout and being consumed by work in the past, I can sometimes (not always) see the signs, and I try to manage that with some of my hobbies. I do put them first more often than most and include them in my daily/weekly habits, so as to try and keep a balance.

I enjoy running and fitness, so I tend to train most days by either running or the gym. I completed a marathon back in May this year so am just deciding what the next fitness challenge is and ticking over so to speak.

My other hobby is DJing (House/Dance music), and I spend a lot of time listening to music and sourcing new music. More recently I have started collecting vinyl again, which was an addiction in the 90s. I am collecting a lot of 80s Soul and RnB, where the 1990s took samples from the original 80s tracks and turned them into dance songs for a rave generation. I do a weekly mix show on a platform called mixcloud. I did go back to DJing when I left the police to bring in some extra cash and support myself, which I enjoyed. My last physical outing was at a local outdoor festival in the summer.

Jad Saliba, Founder & Chief Innovation Officer, Magnet Forensics

Earlier this year, Magnet Forensics introduced an early access feature with AI capabilities in their Magnet Axiom & Magnet Axiom Cyber products to help fight deepfakes: Magnet Copilot.

Originally trialed and tested in the Magnet Idea Lab and in collaboration with Medex Forensics, Magnet Copilot became available with Magnet Axiom & Magnet Axiom Cyber 8.0 as an early access feature to fight against deepfakes by giving users a chance to identify synthetic media and surface relevant evidence in cases.

In this Q&A, we talk with Magnet Forensics’ Founder & Chief Innovation Officer, Jad Saliba about what’s next for Magnet Copilot, his thoughts on AI in DFIR, the acquisition of Medex Forensics, and what other emerging technologies trends the community should be keeping an eye out for.

FF: What trends are you seeing in synthetic media?

Folks across the whole DFIR field have seen a large increase in the malicious use of deepfake technology, including non-consensual pornography, CSAM, disinformation, false evidence, fake news, scams, blackmail, and fraud. While deepfakes aren’t new, advances in machine learning and AI have increased the speed, accuracy, and availability of developing that synthetic media.

This is definitely a case where the technology (and misuse of it) is getting ahead of general knowledge of enforcement and legislation—many people don’t even know what a deepfake is, making it a dangerous tool in the wrong hands.

FF: What should examiners be on the lookout for?

When investigating a case, it’s crucial for examiners and investigators to know the validity of the evidence they’re looking at. It’s part of the bedrock of the whole investigation. That’s why we integrated Magnet Copilot for Magnet Axiom & Magnet Axiom Cyber—we wanted to give users the ability to analyze images and videos to determine their authenticity and identify synthetic or generated media.

FF: How did Magnet Copilot come to be?

Magnet Copilot originally took life in the Magnet Idea Lab, which is a community of DFIR professionals and Magnet customers that take an early look at new and innovative solutions we’re offering and help stress-test them to make sure they’re the best products possible before becoming generally available to customers. From there, we were able to first introduce it in Magnet Axiom & Magnet Axiom Cyber 8.0.

FF: Are there any other challenges that Magnet Copilot helps with?

In addition to giving examiners the ability to analyze images and videos to determine whether they are synthetic or generated media, Magnet Copilot also helps examiners use integrated AI tools to quickly find the evidence that is relevant to their case, with a Q&A function that can help you quickly narrow in on key results.

As the quantity and sizes of devices have grown, forensics teams are consistently faced with an overwhelming volume of digital evidence in their investigations. So, getting to the evidence that is relevant is a persistent challenge.

To use the Q&A function, you simply select the data, such as a conversation thread or web search, and then you can enter questions about the data, and Magnet Copilot will highlight relevant artifacts. Responses provided through the interface also include citations for the case data so that you can easily validate the results and investigate further.

FF: What is next for Magnet Copilot?

We initially piloted and launched Magnet Copilot as a cloud-based integration but saw that some agencies haven’t been able to use it because of the need to upload data to the cloud—especially when it comes to cases that have sensitive data.

So, we have been working to bring the powerful AI capabilities of Copilot to even more Axiom users and are excited to share that we are going to be making Copilot functionality available offline with a fall release of Axiom and Axiom Cyber.

The offline version lets us bring the deepfake detection and Q&A capabilities to labs that are not connected to the internet or can’t upload case data to the cloud. We will keep building on the cloud-based version of Magnet Copilot for our cloud native applications but feel that the upcoming offline version of Magnet Copilot opens up the opportunity for more customers to experience the benefits of AI in their local environment.

And of course, we’re continuing to iterate on functionality and features based on customer use and feedback!

FF: How does Medex Forensics help?

For analysis of videos, we initially partnered with Medex Forensics to help determine where video files originated, if they are camera-original content, and if they have been edited or generated with tools such as face-swap or re-face. Once that Medex analysis is completed, users have an option to save a PDF report which can be added to your case.

We’ve since announced that we’ve acquired Medex Forensics and are extremely proud and excited to have them join the Magnet Forensics team! It’s an amazing opportunity for us to continue to innovate with technology that is already best-in-class and has proved vital for agencies across the world to validate critical video evidence.

FF: How can users get started?

Stay tuned for more information on the upcoming release that will bring Copilot functionality to users whose forensics workstations aren’t connected to the internet.

Once that release is live, if you’re a user of Axiom or Axiom Cyber, you can update to the latest version or start a free trial to start using the early access of Magnet Copilot.

And we’d love to hear any feedback about Magnet Copilot, so please don’t hesitate to reach out to us at sales@magnetforensics.com to let us know what you think or to learn more!

Andrea Lazzarotto, Digital Forensics Consultant and Developer

FF: Can you tell us about yourself and how you got started in digital forensics?

Sure. I have been working for years as a Digital Forensics Consultant, as well as a Software Developer. This has allowed me to gain experience in the field of web and mobile applications, both from a programming and a reverse engineering perspective.

In my work, I also like to explore other topics. For instance, I have conducted research on methods for tampering with WhatsApp chats (without leaving any trace). Web page acquisition is another topic I enjoy.

My background is primarily in Informatics: I started with a high school diploma in Industrial IT, followed by a BSc and MSc in Computer Science. My interest in Digital Forensics peaked when it was time to prepare my final dissertation. I wanted to create a program that could be useful for digital forensics practitioners.

When the project became a reality, I reached out to several professionals—one in law enforcement and others in the private sector. This was an excellent learning opportunity, and getting to know them encouraged me to start working in the field.

FF: A few years ago, you developed RecuperaBit, a tool for forensic file system reconstruction. What motivated you to create this tool, and what are some of its key features?

Yes, that’s the one! At the time, I started to become fascinated by file systems and their inner workings. Moreover, there were only a few programs that were really good at recovering data from NTFS, but all of them were proprietary and often not geared toward forensic aspects.

For this reason, I decided to pursue an ambitious idea: I wanted to write a thesis about the forensic analysis and reconstruction of damaged disk partitions in NTFS format, documenting the process in detail and with a forensic approach.

RecuperaBit is the practical implementation of the techniques and algorithms I created for this purpose.

It is the only open-source program that attempts to recover NTFS partitions under the assumption that they may be badly damaged and unreadable by Windows. It attempts reconstruction of the directory structure regardless of a missing partition table, unknown partition boundaries, partially overwritten metadata, or just a “quick format.”

The end result turned out pretty well. During these years, I received messages from people telling me that RecuperaBit saved their data, and the tool has been included in the CAINE Linux distribution. It has been very rewarding!
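An added example, written for this page and not RecuperaBit's own code, illustrating the approach described above in Python: scan a raw image for NTFS FILE records at every sector boundary (no partition table needed), apply the update-sequence fixups so that torn records are rejected rather than trusted, read each resident $FILE_NAME attribute's parent reference, and rebuild full paths up to the root directory (MFT entry 5). The image is constructed inline from a few synthetic records with a deliberately torn one; the LostFiles placeholder for orphans is this example's own convention, not an NTFS structure.

```python
import struct

MFT_RECORD_SIZE = 1024
SECTOR_SIZE = 512
ATTR_FILE_NAME = 0x30
ROOT_DIR_RECORD = 5          # the root directory is always MFT entry 5
FLAG_DIRECTORY = 0x0002


def apply_fixups(record: bytes) -> bytes:
    """Undo NTFS update-sequence protection. The last two bytes of every sector
    carry the USN; the original bytes live in the fixup array. A mismatch means
    the record was only partially written or overwritten, so we refuse it."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_off:usa_off + 2]
    buf = bytearray(record)
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE
        if buf[end - 2:end] != usn:
            raise ValueError("fixup mismatch: torn record")
        buf[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def parse_record(record: bytes):
    """Return (record_no, is_dir, parent_no, name) from one FILE record, taken
    from its $FILE_NAME attribute; None if the record carries no usable name."""
    if record[:4] != b"FILE":
        return None
    record = apply_fixups(record)
    first_attr, flags = struct.unpack_from("<HH", record, 0x14)
    rec_no = struct.unpack_from("<I", record, 0x2C)[0]   # NTFS 3.1 header field
    off, best = first_attr, None
    while off + 16 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == 0xFFFFFFFF or alen == 0:
            break
        if atype == ATTR_FILE_NAME and record[off + 8] == 0:   # resident only
            clen, coff = struct.unpack_from("<IH", record, off + 0x10)
            body = record[off + coff:off + coff + clen]
            parent = struct.unpack_from("<Q", body, 0)[0] & 0xFFFFFFFFFFFF
            nlen, namespace = body[0x40], body[0x41]
            name = body[0x42:0x42 + 2 * nlen].decode("utf-16-le")
            if namespace != 2 or best is None:     # prefer long name over 8.3 alias
                best = (rec_no, bool(flags & FLAG_DIRECTORY), parent, name)
        off += alen
    return best


def carve_records(image: bytes) -> dict:
    """Look for FILE records at every sector boundary: with no partition table
    the MFT's location is unknown, so the signature is the only anchor."""
    found = {}
    for pos in range(0, len(image) - MFT_RECORD_SIZE + 1, SECTOR_SIZE):
        if image[pos:pos + 4] != b"FILE":
            continue
        try:
            entry = parse_record(image[pos:pos + MFT_RECORD_SIZE])
        except ValueError:
            continue           # torn record: do not trust a half-overwritten name
        if entry:
            found[entry[0]] = entry
    return found


def rebuild_paths(entries: dict) -> dict:
    """Follow parent references up to the root; parents that were never
    recovered hang the file under a LostFiles placeholder (this example's convention)."""
    paths = {}
    for rec_no, (_, _, parent, name) in entries.items():
        if rec_no == ROOT_DIR_RECORD:
            paths[rec_no] = "/"
            continue
        parts, cur, seen = [name], parent, {rec_no}
        while cur != ROOT_DIR_RECORD and cur not in seen:     # seen guards cycles
            seen.add(cur)
            if cur not in entries:
                parts.append("LostFiles")
                break
            parts.append(entries[cur][3])
            cur = entries[cur][2]
        paths[rec_no] = "/" + "/".join(reversed(parts))
    return paths


def build_record(rec_no, name, parent, is_dir=False, usn=0x0101) -> bytes:
    """Constructed fixture: a minimal NTFS 3.1 FILE record with one resident
    $FILE_NAME attribute and a valid update-sequence array (not real volume data)."""
    nm = name.encode("utf-16-le")
    body = bytearray(0x42 + len(nm))
    struct.pack_into("<Q", body, 0, parent | (1 << 48))   # parent ref, sequence 1
    body[0x40], body[0x41] = len(name), 3                 # Win32 & DOS namespace
    body[0x42:] = nm
    alen = (0x18 + len(body) + 7) & ~7
    attr = bytearray(alen)
    struct.pack_into("<IIBBHHH", attr, 0, ATTR_FILE_NAME, alen, 0, 0, 0x18, 0, 1)
    struct.pack_into("<IH", attr, 0x10, len(body), 0x18)
    attr[0x18:0x18 + len(body)] = body
    rec = bytearray(MFT_RECORD_SIZE)
    rec[:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 3)              # USA at 0x30, 3 words
    struct.pack_into("<HH", rec, 0x14, 0x38, 1 | (FLAG_DIRECTORY if is_dir else 0))
    struct.pack_into("<I", rec, 0x2C, rec_no)
    rec[0x38:0x38 + alen] = attr
    struct.pack_into("<I", rec, 0x38 + alen, 0xFFFFFFFF)  # end-of-attributes marker
    struct.pack_into("<H", rec, 0x30, usn)
    for i in (1, 2):                                      # stash sector tails, write USN
        end = i * SECTOR_SIZE
        rec[0x30 + 2 * i:0x30 + 2 * i + 2] = rec[end - 2:end]
        struct.pack_into("<H", rec, end - 2, usn)
    return bytes(rec)


def build_sample_image() -> bytes:
    """Constructed image: junk sectors, then MFT records at an unknown offset,
    one orphan whose parent is missing, and one torn record."""
    junk = b"\x00" * 4096 + b"not a file record".ljust(SECTOR_SIZE, b"\xAA")
    recs = [build_record(5, ".", 5, is_dir=True),
            build_record(64, "Users", 5, is_dir=True),
            build_record(65, "alice", 64, is_dir=True),
            build_record(66, "report.docx", 65),
            build_record(70, "orphan.txt", 99)]          # parent 99 never recovered
    torn = bytearray(build_record(71, "torn.bin", 65))
    torn[SECTOR_SIZE - 2:SECTOR_SIZE] = b"\xDE\xAD"       # USN clobbered: torn write
    return junk + b"".join(recs) + bytes(torn)


def recover(image: bytes) -> dict:
    return rebuild_paths(carve_records(image))
```

Running `recover(build_sample_image())` yields the tree `/Users/alice/report.docx` plus `/LostFiles/orphan.txt`, and silently drops the torn record; a real carver would additionally walk non-resident attributes, honour the record's in-use flag and sequence numbers, and cross-check the $MFT mirror, which this example omits.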

FF: More recently, you developed Fuji for macOS forensic acquisition. What challenges does it address in acquiring data from modern Apple computers?

Some years ago, obtaining a forensic image of a Mac computer was relatively easy. You could extract the hard drive, connect it to a write blocker, and proceed to acquire a physical disk image, just as we do today with several kinds of HDDs, SSDs, and memory sticks.

Technology has now evolved, and several generations of Macs have been released since then. Newer Intel-based Macs introduced the T2 security chip for hardware-level encryption, and the storage drive is soldered to the motherboard. Apple Silicon Macs are even more hardened.

Today, we cannot obtain a physical image anymore, and we need to tackle the problem of acquiring these Macs as we would with a modern smartphone. The aim is to achieve a full file system acquisition when the device is already turned on.

Luckily, macOS includes command-line tools that can do this, especially asr and rsync. Fuji leverages them through a user-friendly interface that allows the examiner to acquire the entire drive or a single folder using two different methods. No command-line knowledge is needed.

I created Fuji because there are few programs that can perform the forensic acquisition of modern Macs. Most of them are pricey, and none are free or open source.

It was also another nice learning opportunity, given that I had never had the chance to do forensic work on Macs before. To be honest, Fuji is basically the first Mac application I have ever developed.

FF: Why is open source software important in digital forensics?

At first glance, you may think the answer to this question is related to budget. Most digital forensics programs are paid-for, and several of them are outrageously expensive. Not every practitioner or agency can afford to spend money on every item in the toolset, so open source fills this gap.

However, I think this is a limited perspective, and there is more to it.

The most important aspect, I believe, is the ability to understand what a tool does and the chance to ensure the process is repeatable. This is true for open source software written by others, but even more so for the programs that examiners write themselves.

I believe that writing some tools or scripts on your own is very important, and I expect people working in this field to be proficient in programming, at least to a certain extent.

When you write your own software, you can be sure that you know exactly what the program is doing. There is no doubt that you can explain the process when questioned or challenged about it. Even better, it’s a very formative activity because you can gain a deep understanding of the data you need to analyze.

This is totally different from looking at the output results after a black box has analyzed or extracted data without telling you how it did that.

Publishing the software you have written as open source is a natural choice because it can help other examiners. At the same time, you receive scrutiny and reviews from an amazing community of professionals.

FF: Why do you think so many notable open-source digital forensic tools – such as CAINE, Tsurugi, and your own projects – are being developed in Italy at the moment?

Alright, this is where I can definitely play the “budget” card!

Joking aside, I think it’s an interesting question, and I am not sure I know the answer to that. It’s probably related to how this job is done here.

Unlike some other countries, in Italy the majority of the work in this field is done by consultants, i.e. people working as freelancers. We have a few large digital forensics companies and even tool vendors, but these are rare cases.

Most digital forensics “firms” are actually one-man shops, so to speak. This may stem from criminal law, as public prosecutors cannot appoint a company to perform analysis, but only an individual.

The low compensation for examiners working for the prosecution would also be a tough point of discussion.

Other than that, the scientific aspect is heavily emphasized here. You know, techniques and procedures need to be clear and explainable. Routinely, they must be repeatable because there are special provisions for non-repeatable procedures, and those complicate things a little.

Open source facilitates the verifiability of what is being done. Imagine if, during a trial in which DNA evidence plays a crucial role, the biologist told you, “I cannot discuss how I extracted the suspect’s DNA from the scene because it’s a trade secret, but trust me.”

This is what we risk when we use proprietary, black-box-like tools. Sometimes we have no choice, but we like to have an alternative.

And above all, Italians love to experiment and are renowned for their ability to make do with the resources available.

FF: What are you planning to work on next?

Fuji is working pretty well, but there are some rough edges that need to be smoothed out here and there. While I am taking this interview, an additional acquisition module is almost ready to be released.

It does not perform a full disk acquisition, but it is focused on acquiring Sysdiagnose information. Fuji adds a unique twist to the process: it takes the collected unified logs and converts them to SQLite automatically. This provides a smoother experience for the analyst.

I would also like to resume work on RecuperaBit. It was developed more than eight years ago, and at that time, I did not have my current level of experience. Today, I would approach several aspects differently to avoid excessive memory usage and to enhance the user experience. However, reviewing all of the code is a substantial task, and I’m uncertain whether I will find the time to complete it.

FF: And finally, what do you enjoy in your spare time?

I have been practicing karate for several years and still do. Recently, I started attending a group dedicated to board games. I hope to become a black belt in that as well!

Paul Gullon-Scott BSc MA MSc MSc FMBPSS, Higher Assistant Psychologist


Paul Gullon-Scott is a former Digital Forensic Investigator with nearly 30 years of service at Northumbria Police in the UK, specializing in child abuse cases. As a recognized expert on the mental health impacts of digital forensic work, Paul now works as a Higher Assistant Psychologist at Roseberry Park Hospital in Middlesbrough and is the developer of a pioneering well-being framework to support digital forensics investigators facing job-related stress. He recently published the research paper “UK-based Digital Forensic Investigators and the Impact of Exposure to Traumatic Material” and has chosen to collaborate with Forensic Focus in order to raise awareness of the mental health effects associated with digital forensics. Paul can be contacted in confidence via LinkedIn.

FF: What motivated you to explore the topic of secondary traumatic stress (STS) among digital forensic investigators (DFIs)?

DFIs are routinely exposed to extremely distressing content, particularly child sexual abuse material (CSAM), which can have significant psychological impacts. The constant exposure to such material makes DFIs a high-risk group for developing STS.

There is a lack of empirical research specifically focused on the psychological impact of viewing CSAM on DFIs, particularly within the UK. This gap in the literature can motivate researchers to explore this under-researched area to provide a deeper understanding and evidence-based insights.

The impact of STS can lead to reduced productivity, higher turnover rates, and difficulties in retaining highly trained staff. Something I find difficult to understand is the financial impact on stakeholders who invest tens of thousands of pounds into training their staff but do not invest in the wellbeing support to protect those highly skilled and highly trained investigators. Understanding STS among DFIs can help organizations implement better support systems, thus maintaining a more effective and positive workforce.

The mental health and well-being of DFIs are of paramount concern. High levels of STS can lead to serious psychological issues such as anxiety, depression, and PTSD-like symptoms. By studying this area, researchers aim to improve the mental health outcomes for these professionals.

Researching STS in DFIs allows for the identification of specific risk factors (e.g., frequency of exposure to traumatic material, gender, coping strategies) and protective factors (e.g., strong social support, effective coping mechanisms). This knowledge is crucial for developing targeted interventions to mitigate STS.

Given the crucial role of DFIs in investigating and prosecuting child exploitation and other crimes, ensuring their psychological well-being is vital for the overall effectiveness of criminal justice systems. Researchers may be motivated by the broader societal impact of supporting these professionals.

The most important motivator for myself has to be advocating for enhanced support and further research for digital forensic investigators (DFIs), along the following lines:

Enhanced Support

All of the studies carried out thus far highlight the need for implementing a monitoring system with standardized tools for the prompt identification and intervention of STS symptoms among DFIs. They also recommend increased understanding and awareness of the mental health consequences of negative coping styles to enhance resilience among DFIs.

Specific Support for Younger DFIs

Younger DFIs may need enhanced support, such as regular debriefs, limits on exposure to child sexual abuse material (CSAM), graded exposure to CSAM and role guidance.

Workshops and Mental Health Support

Research findings could inform the development of workshops to help DFIs understand the mental health impact of viewing traumatic CSAM and the negative consequences of inappropriate coping strategies. They also emphasize the need for services to provide access to appropriate mental health support for their DFIs. This is something I am currently developing – I plan to run a CPD accredited workshop which will make DFIs aware of the stressors and what they can do to combat them. This will not only help DFIs recognise these issues in themselves but also in others, which is important because when we become unwell, we don’t always recognise the signs and symptoms in ourselves.

Further Research:

Additional Variables and Mixed Methods Approach

My study acknowledges that while its regression model explained 28% of the variance in STS, there are unaccounted factors. This suggests a mixed-method approach, combining qualitative and quantitative data, to identify additional variables and address potential limitations.

Longitudinal Studies

Previous research has advocated for longitudinal studies to better comprehend the impact of STS over time. The current study echoes this call for longitudinal research to provide a more comprehensive understanding of STS among DFIs.

I often post developments into my research and the research of others on LinkedIn, through which I have received many messages from past and serving DFIs and many requests from stakeholders around the country who seek advice on how to support their DFIs. I’d like to share with you one such message from a past DFI (I have sought permission to share this with you). They wrote:

“Paul, this is cracking work. I thought I’d share my last ever shift with you. I was on nightshift on my own in 2020.

Because of the pressures of work, they had me grading 36500 indecent images. I went to bed that night but couldn’t sleep because of a pain in my chest and left arm. My wife called an ambulance, fearing I was having a heart attack.

They ruled out a heart attack, then further tests ruled out angina. The whole incident had been triggered by the stress I was under and many years of exposure to child abuse material.

I never returned to work. You are doing a great service to policing, Paul. Keep going.”

In conclusion, studies emphasize the importance of robust support systems and further research to mitigate the mental health consequences of traumatic exposure for DFIs.

FF: Have you compared your work to other studies which have been carried out in other countries?

I have compared my study to a study carried out by Bourke & Craun, 2014. The main findings regarding levels of STS among DFIs in both studies are:

Bourke & Craun 2014 Study

  • Significant Predictors: The study identified that difficulty in viewing child abuse material (CSAM) was the most significant predictor of STS, contributing notably to higher levels of stress among investigators. However, the increase in STS reported by Bourke and Craun was lower (0.37 points) compared to other studies.
  • Variance Across Studies: The outcomes of various studies on this topic showed some divergence, warranting further exploration of broader influencing factors on STS levels.

My Study

  • High Levels of STS: A substantial portion of the sample reported moderate to severe levels of STS. Specifically, 33.3% reported little to no STS, while 46.6% reported moderate to severe levels.
  • Age and Experience: Younger investigators experienced higher levels of STS, and the years working as a DFI did not correlate with increased levels of STS. This indicates that newer investigators might need more support compared to their experienced counterparts.
  • Coping Strategies: The study found that negative coping strategies, such as mental disengagement, were significant predictors of higher STS levels. Positive coping strategies like active coping, positive reinterpretation, and social support did not significantly affect STS levels in this study.
  • Gender Differences: Contrary to the hypothesis, there was no significant difference in overall levels of STS by gender. However, there were significant differences in the arousal subscale, with higher levels of arousal correlating with distress among female respondents.
  • Difficulty Viewing CSAM: The difficulty experienced when viewing CSAM was a strong predictor of STS. For every 1-point increase in difficulty, there was a 7.70-point increase in STS.

These findings underscore the critical need for appropriate mental health support and interventions for DFIs, particularly those who are younger or experiencing significant difficulty in their work. They also highlight the complexity of factors influencing STS, suggesting that both individual and contextual variables play a significant role.

FF: What were the similarities between the study carried out by Bourke and Craun in 2014 and your own study entitled UK-based digital forensic investigators and the impact of exposure to traumatic material in 2024?

Based on the context from both studies and the findings, the comparisons between the two studies are:

Similarities

  1. Focus on DFIs
    Both studies focus on secondary traumatic stress (STS) among digital forensic investigators (DFIs), particularly those exposed to child sexual abuse material (CSAM).
  2. High Levels of STS
    Both studies found that a significant proportion of DFIs experience moderate to severe levels of STS.
  3. Impact of Exposure
    The difficulty in viewing CSAM was a strong predictor of STS levels in both studies.
  4. Importance of Support
    Both studies advocate for enhanced support mechanisms for DFIs, emphasizing the need for mental health support and interventions.

Differences

  1. Participant Demographics
    The study carried out by Bourke & Craun included a diverse range of participants with different years of experience and varied exposure levels to traumatic content. My study highlighted the age differences more explicitly, noting that younger DFIs reported higher levels of STS.
  2. Predictive Factors
    The study carried out by Bourke & Craun identified difficulty in viewing CSAM as a significant predictor but did not delve deeply into other specific coping strategies. My study examined coping strategies more thoroughly, finding that negative coping strategies like mental disengagement were significant predictors of higher STS levels.
  3. Gender Differences
    The study carried out by Bourke & Craun did not focus specifically on gender differences in STS levels. My study noted no significant difference in overall STS levels by gender but found significant differences in the arousal subscale, particularly among female respondents.
  4. Quantitative Analysis
    The study carried out by Bourke & Craun mentioned the need for further research to understand the variance in STS levels. My study provided specific statistical analysis, such as the regression model explaining 28% of the variance in STS, and suggested a mixed-method approach for future research.
  5. Recommendations
    The study carried out by Bourke & Craun focused broadly on the need for monitoring and intervention systems. My study provided specific recommendations, such as the development of workshops, regular debriefs for younger DFIs, and appropriate mental health support access.

These comparisons highlight both the commonalities and the unique contributions of each study, providing a comprehensive understanding of the impact of STS on DFIs and the necessary support mechanisms.

FF: In your own national study were there any significant differences in STS levels based on gender, years of experience, or frequency of exposure to traumatic material?

My study found the following significant insights related to gender, years of experience, and frequency of exposure to traumatic material:

  • Gender Differences
    Female respondents reported slightly higher mean STS total scores (39.03) compared to male respondents (34.88). However, this difference was not statistically significant.
    A notable exception was found in the arousal subscale of the secondary stress scale, where female respondents scored significantly higher than male respondents (12.75 vs. 10.81, p = 0.03).
  • Years of Experience
    Years working as a DFI did not correlate with increased levels of STS. This was contrary to the initial hypothesis but consistent with another study involving UK police officers, which indicated that more years of service might lead to the development of effective coping strategies and lower stress levels.
  • Frequency of Exposure
    Contrary to the hypothesis, the frequency of viewing child sexual abuse material (CSAM) did not show a significant correlation with STS levels. This suggests that the period of exposure to these materials does not necessarily influence STS levels.
  • The primary predictor of STS was the difficulty experienced when viewing CSAM material, not the frequency or the number of cases handled.

These findings underscore the complexity of factors contributing to STS among DFIs and highlight the need for targeted interventions, particularly focusing on the difficulty of viewing traumatic material rather than the frequency of exposure. Additionally, the gender-specific response to trauma, particularly in the arousal subscale, suggests that female DFIs might benefit from specialized support strategies.

FF: Years working as a DFI did not correlate with increased levels of STS, however you might imagine that the longer you work as a DFI the more susceptible you become – why do you think years working as a DFI does not correlate with high levels of STS?

The finding that years working as a digital forensic investigator (DFI) did not correlate with increased levels of secondary traumatic stress (STS) can be attributed to several potential factors:

  1. Development of Coping Strategies:
    • Experience with Exposure: Over time, DFIs may develop effective coping mechanisms and resilience in response to repeated exposure to traumatic material. Experienced investigators might learn how to manage their emotional responses better and employ strategies that mitigate the impact of STS.
    • Training and Support: More experienced DFIs might have received additional training or support over their careers, which helps them handle the stress associated with their work more effectively.
  2. Adaptation and Desensitization:
    • Conditioning: With prolonged exposure, some individuals may become desensitized to traumatic content, leading to reduced emotional responses. This conditioning can result in lower reported levels of STS among those with more years of experience.
    • Professional Identity: Experienced DFIs may have a stronger professional identity and sense of purpose, which can buffer against the negative effects of trauma exposure.
  3. Selection and Retention Bias:
    • Attrition of Vulnerable Individuals: Those who are more susceptible to STS might leave the profession earlier, leading to a workforce of more resilient individuals over time. This attrition can result in a cohort of experienced DFIs who are less affected by STS.
    • Survivor Effect: The DFIs who remain in the field for many years might be inherently more resilient or have better support systems, which helps them manage stress better than those who leave the profession early due to high levels of STS.
  4. Support Systems and Organizational Culture:
    • Improved Organizational Support: Over time, organizations may implement better support systems and mental health resources in response to recognizing the challenges faced by DFIs. Experienced DFIs might benefit more from these resources due to their longer tenure.
    • Peer Support: More experienced DFIs may have stronger peer networks and support systems within their work environment, providing them with emotional and practical support that helps mitigate STS.
  5. Job Role Evolution:
    • Changes in Job Responsibilities: Experienced DFIs might take on supervisory or managerial roles that involve less direct exposure to traumatic material. Their job responsibilities might evolve to include more administrative or oversight tasks, reducing their exposure to distressing content.
  6. Individual Differences:
    • Personal Resilience and Personality Traits: Individual differences in resilience, personality traits, and personal coping styles can play a significant role. Experienced DFIs might have personal characteristics that make them less vulnerable to STS.

Supporting Evidence

The lack of correlation between years of experience and STS levels found in the studies aligns with research in other high-stress professions, such as police work, where more experienced officers often report lower stress levels due to similar factors.

In conclusion, the interplay of these factors likely contributes to why years of experience as a DFI do not necessarily correlate with increased levels of STS. These insights underscore the importance of ongoing support and training for DFIs at all career stages to promote resilience and effective coping strategies.

FF: What’s next for you and the research?

I am currently developing two CPD accredited workshops, the first aimed at discussing the research which has already been carried out in this area. This workshop will focus on the findings of the current research, the identified stressors and suggestions to reduce the effects of working as a DFI.

The second CPD accredited workshop is aimed at DFIs and supervisors. This will raise awareness of each individual stressor which DFIs may become susceptible to, what they look like, how they can affect you and how to find help.

From a research perspective there is still so much to do – I’d really like to re-run my previous national study but this time using a mixed methods approach to capture any comments or personal experiences of DFIs. I’d also like to examine the current support structures in place for DFIs and correlate those with reported symptoms to see if those lucky enough to have good support systems report lower symptoms, thus reinforcing the need for appropriate support systems to be provided.

Chad Gish, Forensic Expert, Magnet Forensics

Chad Gish has just closed the books on an incredibly impactful career with the Metro Nashville Police Department (MNPD)—building a truly world-class lab and helping to reduce some of the crime affecting the Nashville area.

In his time with the MNPD, Chad utilized Magnet Forensics products to help maximize the potential of his investigations and has been a tireless evangelist for all things DFIR. With his recent retirement, it was only natural for Chad to bring his expertise to Magnet to help customers make the most of their digital investigations. Learn more about Chad’s history, his views on current DFIR trends, and a lot more, in this interview.

FF: Hi Chad, thanks for joining us today. Can you start off by telling us a bit about your history in law enforcement?

Certainly. I spent 26 years with Metro Nashville, starting in patrol and later serving as a detective in major crimes. In 2005, recognizing the increasing significance of computer-related evidence, the police chief asked me to lead in the creation of a pioneering unit in our region—a digital forensics unit. This marked the beginning of an intense two-year crash course to learn digital evidence, despite my initial lack of experience. Interestingly, the continuous evolution of technology turned that two-year crash course into a twenty-year learning journey.

But I’ll tell ya, designing and building the lab, managing cases, and creating policies for the digital forensics unit was also a 20-year journey. Like a lot of folks, I began with humble beginnings: a small room with minimal equipment, gradually developing the unit into Nashville’s current state-of-the-art facility, equipped with top-tier tools and a highly skilled team. Building this advanced digital lab not only enhanced our investigative capabilities, but also set a new standard for digital forensics in our region.  

Throughout my career, I investigated hundreds of homicides, crimes against children, sexual assaults, active shootings, internal investigations, and various other cases. A couple years ago, I began sharing insights from these impactful investigations through a LinkedIn blog where I was hoping to achieve three goals:

  1. Emphasize the critical role of digital evidence in solving cases.
  2. Showcase Metro Nashville PD’s use of cutting-edge tools like Magnet Graykey, Magnet Automate, Portable Case in Magnet Axiom, Magnet Review, and Magnet Graykey FastTrak.
  3. Provide guidance to investigators—both seasoned professionals and newcomers—in this very important and challenging field.

The blogs had their intended effect as so many investigators have reached out to share how my investigations helped them with their cases. After a few months, I discovered an unexpected benefit: the impact on recruiting at MNPD. I’d say no fewer than twenty people contacted me about starting a career as a police officer in Nashville.

FF: What made you want to join Magnet Forensics?

There are a lot of things that drew me to Magnet, but first and foremost is Magnet’s unwavering passion for protecting our most vulnerable. There is nothing more noble than fighting for a child.

Magnet is renowned for their powerful yet user-friendly forensic tools, consistently leading the industry with cutting-edge technology tailored to the needs of law enforcement. Their artifact-first approach, emphasis on Time to Evidence, focus on investigator well-being, and their genuine understanding of the needs of law enforcement are unparalleled.

Every interaction I had with the team at Magnet Forensics reinforced their professionalism and unwavering support in delivering justice. I haven’t met anyone from Magnet who I wouldn’t consider a valuable partner, someone who I’d gladly work alongside in my lab.    

However, it’s not just their dedication to protecting children and unwavering support for law enforcement that attracted me to Magnet. Their commitment to innovation by always anticipating what lies ahead is truly remarkable. Their forward-thinking approach ensures they are prepared for any future challenges we might face in digital forensics. I’d have to say that joining Magnet is not just about a job—it’s about being part of a community that strives for excellence and contributes so much to fighting crime. Over the last 10 years or so, I’ve had a front-row seat watching how Magnet Forensics has revolutionized digital forensics, and that’s also a big part of why I am now on Magnet’s team. I want to be a part of helping them shape the next 10 years.

Magnet offered a unique opportunity for me to join a team that continues to make a significant impact, and after years of service in Nashville, I’m eager to leverage Magnet’s cutting-edge tools to help investigators worldwide. The thought of applying my experience on a global scale, assisting law enforcement agencies in obtaining and utilizing the very tools that have proven invaluable in Nashville, is deeply motivating. I will say this is more than a career move, it’s a chance to expand my reach with an established team and contribute even more to the pursuit of justice on an international scale.

FF: What types of initiatives are you looking forward to taking part in with the company?

The most significant transformation we’ve ever experienced at our lab occurred with the implementation of Magnet Automate, followed by Magnet Review and Graykey Fastrak. I know I have mentioned it many times before, but we were overwhelmed by data, operating with limited staff, and struggling with morale and well-being. If you’ve investigated the most challenging and heart-wrenching cases as a front-line detective, you understand the immense stress involved. Now, imagine the stress of investigating everyone’s toughest cases using traditional forensic methods of ‘connect and wait’. That’s a lot of waiting and little solving.

One thing I’m particularly excited about is supporting agencies in establishing modern, cost-effective forensics labs. These labs can deliver crucial data to stakeholders in hours and days, a significant improvement over the weeks and months it used to take. Additionally, I’m looking forward to contributing during the rollout of the Magnet One platform, which provides seamless technology integration. I’m all about fast, efficient, and convenient, and Magnet One checks all these boxes with collaboration, case management, automation, storage, usage metrics and more, allowing forensic teams to focus on what they should be doing: actual case analysis.

FF: What trends and challenges are you seeing in the field?

Well, in this field, the challenges stack up quickly and always have. I’ve witnessed significant trends and obstacles that have fundamentally reshaped our investigative methods. Initially, there were concerns from some folks that BitLocker would render computer forensics obsolete. Then, we faced the necessity of conducting chip-offs and ISPs on mobile devices to bypass security. The battle then moved to full chip encryption, restricting some of our mobile phone access until technologies like Graykey emerged. The evolution of the landscape has been remarkable.

Looking ahead, I anticipate there will be even faster progression, driven particularly by generative AI, the exponential growth in data volumes we must extract and process, and the ongoing debate over cloud storage vs. on-prem storage for law enforcement. As I mentioned earlier, it’s impressive how Magnet Forensics anticipates what lies ahead. Much of this is due to their culture, their strategy of hiring top talent across various disciplines, and their innovation initiatives such as the Magnet Idea Lab, which creates solutions to problems before they become problems.

FF: How do you think people should combat those challenges?

I believe it starts with two essential factors: education and willingness to embrace change.

I’ll admit, change isn’t always easy, and it affects all of us. When Magnet first proposed their new Automate solution to address our growing workload, I initially dismissed the idea, insisting that we could just ‘overtime’ our way out of the problem as we’ve done in the past. But, after educating myself and my command staff on their innovative platforms, I realized that making a few adjustments could significantly reduce our years-long backlog of devices.

Promoting a culture of continuous learning and adaptation within our law enforcement agencies is important. To combat all the challenges that will arise, we must continually emphasize to our command staff and decision makers that nearly 90% of all crimes committed today involve digital evidence—a stark contrast from only 20 years ago when digital evidence in a case was rare. This evidence has become central to criminal investigations, necessitating investments in new technologies to ensure justice is served quickly. Years ago, it was said that digital forensics was a nice thing to have in a police department. Today, it’s a necessity in nearly every investigation and I’m excited about my role with Magnet, where I’ll team with the best to assist law enforcement agencies in navigating the complexities of modern digital forensics to embrace this necessity.  

FF: Any other words of advice?

I’ve been in this industry for nearly two decades, starting out with a copy of Norton’s Disk Edit and JadSoftware to the cutting-edge software we are working on today. My advice to fellow professionals is simple: don’t stop learning and don’t lose sight of the fact that you hold potential evidence in your hands that can determine someone’s fate. Each digital clue you uncover has the potential to change someone’s life. Embrace the responsibility that comes with this role and continually hone your skills to uphold integrity and deliver justice effectively. 

Looking back over my career, I wouldn’t change a thing. Hundreds of families experienced a measure of justice because of the work I did in the lab, and that’s something that’s hard to put into words.

Joshua King, Grant Writer, Magnet Forensics

One consistent issue for agencies performing digital investigations is maintaining labs and equipment within budgetary restrictions.  

That’s where grants can come in.

Agencies can often benefit greatly from the grants available to them to help them in their pursuit of justice. But it can be hard to know where to start. 

Magnet Forensics offers a Grant Assistance Program specifically to help in this area, and it’s assisted many agencies in applying for—and receiving—substantial grants that have made all the difference for digital forensics teams. In this Q&A, we talk to Joshua King, Grant Writer for Magnet Forensics, about his role in grant writing, how it can possibly help your agency, and how you can get started.

Hi Joshua, thanks for taking the time to talk to us. Maybe start by telling us a bit about the Magnet Forensics Grant Assistance Program and your role in it. 

I am the Grant Writing Assistant Specialist for Magnet Forensics. Magnet Forensics offers the Grant Assistance Program to law enforcement agencies for free. This program is designed to assist agencies in locating, researching, and completing grants to gain the grant awards that will give the agencies the ability to secure the funding needed to allow projects and equipment purchases that they may not otherwise be able to obtain. The agency will be paired with a grant writing professional who has extensive experience with grant writing.

Why are grants worth applying for? 

Grants are essentially free money allocated by the government that typically does not have to be paid back. A lot of agencies do not have the experience, staffing, or time needed to successfully complete the grant application process. I have assisted numerous agencies across the country. I also teach grant writing for law enforcement. I have yet to find an agency that has the budget to purchase anything and everything they want and need. Law enforcement agencies have stringent budgets that typically will not allow the agency to make all the necessary purchases needed to make investigations easier and more productive. There are several grants available that can assist with this struggle. That is where the Magnet Forensics Grant Assistance Program can be a major asset.

Who would you say is a prime candidate to get help getting grants? 

I feel that every law enforcement agency should utilize grants and apply for as many as possible that they qualify for. There are some grants that are tailored for small, rural, or urban areas, and there are other grants that are designed for larger metropolitan areas. The grant opportunities can range for drug investigations, violent crime reduction, innovative technology implementation, and a variety of other topics. I think every law enforcement agency can be a prime candidate depending on the details of the grants available.

What should applicants keep in mind as they go through the process? 

The grant application process can be very time consuming. Without the experience and knowledge of the grant process and what the grant administrators expect, the process can be very difficult and frustrating. Having a grant writing assistant can ease that burden and make the entire process less stressful. Grant writing requires careful planning, thorough research, persuasive writing skills, and a clear presentation of the project’s goals, objectives, and expected outcomes. After the application process is completed, it can take months to receive notification about the awards as well.

Anything else you want people to know? 

Some difficulties that may arise when seeking grant funding are a lack of government funding, fierce competition, and poor grant-writing skills. We can’t do anything about the government funds. We can, however, do a lot about poor grant-writing skills, which in turn will make your application more competitive. That is just one of the benefits of using the Magnet Forensics Grant Assistance Program. We cannot guarantee a successful award from a grant, but we can assist you in being in the best position possible when applying, and we have been very successful with the agencies who have utilized the program.

How can people get started? 

If you’re a Magnet Forensics customer, the best way to get started is to contact your account representative. If you’re not a Magnet Forensics customer, we can help you get started on the journey to applying for grants to obtain Magnet Forensics solutions. You can also utilize the Magnet Forensics Grant Assistance Program page to get in contact with a grant writing specialist to begin this process.

Vaibhav Malik, Global Partner Solution Architect, Cloudflare

FF: Vaibhav, can you describe your current role at Cloudflare and how it intersects with the fields of digital forensics and incident response?

As a Global Partner Solution Architect at Cloudflare, my role is multifaceted. I work closely with our global partners to design and implement robust security solutions that protect our clients’ digital assets. My work significantly impacts digital forensics and incident response in several ways:

  1. Prevention: We implement advanced security measures like Web Application Firewalls (WAF) and DDoS protection, which can prevent incidents that would otherwise require forensic investigation.
  2. Detection: Our solutions provide real-time threat intelligence and anomaly detection, which are crucial in identifying potential security incidents early.
  3. Logging and Visibility: Cloudflare’s edge network offers extensive logging capabilities, providing valuable data for forensic investigations. This includes detailed request logs, which can be crucial in reconstructing attack timelines.
  4. Incident Response Support: In the event of an attack, our systems can provide immediate mitigation, buying time for incident response teams to investigate and respond effectively.
  5. Cloud Security Posture: We work on improving overall cloud security posture, which indirectly aids forensics by ensuring better data governance and access controls.

FF: How has the adoption of cloud technologies impacted digital forensics investigations?

The adoption of cloud technologies has fundamentally transformed digital forensics investigations:

  1. Data Dispersion: Cloud environments often span multiple geographic locations, complicating data collection and potentially introducing legal and jurisdictional challenges.
  2. Shared Responsibility Model: Understanding the delineation of responsibilities between cloud providers and customers is crucial. It affects what data investigators can access and how.
  3. Scale and Volume: Cloud environments can generate massive amounts of data, requiring new tools and techniques for efficient analysis.
  4. Containerization and Microservices: These technologies introduce new complexities in tracing application behaviors and data flows.
  5. Automated Forensics: Cloud platforms often provide APIs that allow for more automated and scalable forensic data collection and analysis.

Despite these challenges, cloud adoption also brings benefits like improved logging capabilities, centralized data collection, and the potential for more rapid and comprehensive incident response when leveraged correctly.

FF: Multi-cloud environments present unique challenges for forensic investigators. What are some best practices to help overcome these?

Addressing multi-cloud forensic challenges requires a strategic approach:

  1. Unified Logging and Monitoring:
    ○ Implement a centralized logging solution that aggregates data from all cloud environments.
    ○ Use tools like ELK stack (Elasticsearch, Logstash, Kibana) or Splunk to normalize and analyze logs across platforms.
  2. Consistent Identity and Access Management:
    ○ Implement a single sign-on (SSO) solution across all cloud environments.
    ○ Use identity federation to maintain consistent user identities and permissions.
  3. Cloud-Agnostic Investigation Procedures:
    ○ Develop standardized playbooks that can be applied across different cloud environments.
    ○ Focus on data types and artifacts common to all clouds (e.g. network logs, access logs) as a baseline.
  4. Multi-Cloud Forensic Tools:
    ○ Utilize forensic tools designed for multi-cloud environments, such as CloudTrail or Azure Monitor.
    ○ Develop custom scripts or use open-source tools that can interface with multiple cloud APIs.
  5. Network Traffic Analysis:
    ○ Implement network monitoring solutions that can provide visibility across all cloud environments.
    ○ Use virtual taps or cloud-native traffic mirroring features for comprehensive packet capture.
  6. Forensic-Ready Cloud Design:
    ○ Design cloud architectures with forensics in mind from the outset.
    ○ Implement immutable logging and ensure all relevant API calls and administrative actions are recorded.

By implementing these practices, organizations can create a more cohesive and manageable multi-cloud environment for forensic investigations.
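As an added example (not code from the interview, from Cloudflare, or from any of the tools named above), here is what the “unified logging” and “cloud-agnostic investigation procedures” points look like in practice: records from two providers are normalised into one schema, sorted into a single UTC timeline, and pivoted on source IP so an investigator can see which identities, across clouds, acted from the same address. The two input formats are constructed, simplified records only loosely modelled on AWS CloudTrail and Azure Activity Log events; every field name, account number and IP address below is an assumption, not a real log.

```python
"""Normalise access/API logs from two clouds into one forensic timeline.

Added example, not Cloudflare's or Forensic Focus's code. The input
records are constructed and only loosely modelled on CloudTrail and
Azure Activity Log events; field names are assumptions.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Event:
    """Common schema every provider-specific record is mapped onto."""
    ts: datetime        # always timezone-aware UTC
    cloud: str
    actor: str
    action: str
    source_ip: str
    outcome: str        # "success" or "failure"


def parse_aws(rec: dict) -> Event:
    # CloudTrail-style record (constructed): eventTime, eventName,
    # userIdentity.arn, sourceIPAddress; errorCode is present only on failure.
    ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return Event(
        ts=ts.replace(tzinfo=timezone.utc),
        cloud="aws",
        actor=rec["userIdentity"]["arn"],
        action=rec["eventName"],
        source_ip=rec["sourceIPAddress"],
        outcome="failure" if "errorCode" in rec else "success",
    )


def parse_azure(rec: dict) -> Event:
    # Activity-log-style record (constructed): time, operationName,
    # caller, callerIpAddress, resultType ("Success" / "Failure").
    return Event(
        ts=datetime.fromisoformat(rec["time"].replace("Z", "+00:00")),
        cloud="azure",
        actor=rec["caller"],
        action=rec["operationName"],
        source_ip=rec["callerIpAddress"],
        outcome="success" if rec["resultType"].lower() == "success" else "failure",
    )


PARSERS = {"aws": parse_aws, "azure": parse_azure}

# Constructed sample export: each line is "<cloud>\t<json record>".
SAMPLE_LINES = [
    'azure\t{"time": "2024-05-01T10:02:00Z", "operationName": '
    '"Microsoft.Storage/storageAccounts/listKeys/action", "caller": '
    '"alice@example.com", "callerIpAddress": "203.0.113.7", "resultType": "Success"}',
    'aws\t{"eventTime": "2024-05-01T10:00:30Z", "eventName": "GetSecretValue", '
    '"userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}, '
    '"sourceIPAddress": "203.0.113.7", "errorCode": "AccessDeniedException"}',
    'aws\t{"eventTime": "2024-05-01T10:01:10Z", "eventName": "GetSecretValue", '
    '"userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}, '
    '"sourceIPAddress": "203.0.113.7"}',
]


def build_timeline(raw_lines: list[str]) -> list[Event]:
    """Parse every line with the matching provider parser; sort by UTC time."""
    events = []
    for line in raw_lines:
        cloud, _, body = line.partition("\t")
        events.append(PARSERS[cloud](json.loads(body)))
    return sorted(events, key=lambda e: e.ts)


def actors_by_ip(events: list[Event]) -> dict[str, set[str]]:
    """Pivot the timeline: which identities, in which cloud, used each IP."""
    pivot: dict[str, set[str]] = {}
    for e in events:
        pivot.setdefault(e.source_ip, set()).add(f"{e.cloud}:{e.actor}")
    return pivot


if __name__ == "__main__":
    for e in build_timeline(SAMPLE_LINES):
        print(e.ts.isoformat(), e.cloud, e.actor, e.action, e.outcome)
    print(actors_by_ip(build_timeline(SAMPLE_LINES)))
```

The point of the `Event` dataclass is the “baseline artifacts common to all clouds” idea from the list: once time, actor, action, source and outcome are normalised, the same playbook (timeline, then pivot on IP or actor) works whether a third provider is added or not; only a new parser is needed.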

FF: How do identity-centric security approaches, which are becoming more prevalent, influence modern forensic analysis, particularly in complex incident response scenarios?

Identity-centric security approaches have significantly transformed modern forensic analysis, especially in complex incident response scenarios:

  1. Enhanced User Activity Tracing:
    ○ Identity-centric approaches provide a more granular view of user activities across systems and applications.
    ○ This allows investigators to trace actions back to specific identities with greater accuracy, crucial in insider threat investigations.
  2. Improved Anomaly Detection:
    ○ By establishing baseline behaviors for each identity, it becomes easier to detect anomalous activities that may indicate compromise.
    ○ Machine learning algorithms can be applied to identity data to identify subtle deviations from normal patterns.
  3. Privilege Escalation Analysis:
    ○ Identity-centric logs provide clearer insights into privilege escalation attempts or unauthorized access to sensitive resources.
    ○ This is particularly valuable in detecting advanced persistent threats (APTs) that often leverage stolen credentials.
  4. Attribute-Based Access Control (ABAC) Forensics:
    ○ ABAC systems provide rich contextual data about access decisions, offering investigators insights into not just what happened, but why it was allowed to happen.
  5. Federation and Single Sign-On (SSO) Insights:
    ○ In scenarios involving identity federation, investigators can trace user activities across organizational boundaries.
    ○ SSO logs become a crucial source of evidence, providing a centralized view of authentication events.
  6. Non-Human Identity Analysis:
    ○ Identity-centric approaches extend to service accounts, APIs, and IoT devices, allowing for more comprehensive analysis of machine-to-machine interactions.

In complex incident response scenarios, these capabilities allow for more precise, context-aware investigations. Investigators can reconstruct events with greater fidelity, understand the full scope of an incident more quickly, and provide more actionable intelligence for remediation efforts.

FF: How can Zero Trust Architecture principles be effectively leveraged in forensic investigations?

Zero Trust Architecture (ZTA) principles can significantly enhance forensic investigations in several ways:

  1. Comprehensive Logging and Visibility:
    ○ ZTA requires continuous monitoring and logging of all access attempts, providing a rich dataset for forensic analysis.
    ○ This includes failed access attempts, which are often as important as successful ones in investigations.
  2. Granular Access Control Insights:
    ○ ZTA’s principle of least privilege means every access decision is explicitly logged, offering detailed insights into who accessed what, when, and from where.
    ○ This granularity helps in precise reconstruction of event timelines during investigations.
  3. Network Segmentation Analysis:
    ○ ZTA often involves micro-segmentation, which can help contain breaches and provide clear boundaries for investigation.
    ○ Analysts can more easily trace lateral movement attempts within the network.
  4. Device Trust and Posture Assessment:
    ○ ZTA typically includes device health checks, providing valuable forensic data about the state of devices at the time of access attempts.
    ○ This can be crucial in determining if a compromised device was the entry point for an attack.
  5. API and Service Mesh Forensics:
    ○ In ZTA implementations using service meshes, all inter-service communications are logged and can be analyzed.
    ○ This provides unprecedented visibility into application-level activities and potential API abuse.
  6. Identity-Centric Investigation:
    ○ ZTA’s focus on identity over network location aligns well with modern forensic approaches, allowing for more user-centric investigations.

By leveraging these aspects of Zero Trust Architecture, forensic investigators can conduct more thorough, precise, and context-aware investigations. The principle of assuming breach, central to ZTA, aligns well with forensic mindsets, providing a rich environment for both proactive threat hunting and reactive incident response.
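The identity-centric answer above (per-identity baselines and anomaly detection) and the Zero Trust answer (every access decision logged, failed attempts and device posture included) describe the same kind of analysis from two angles. As an added example that is not code from the interview or from Cloudflare, the script below builds a baseline per identity from an earlier window of allowed access decisions, then scores later decisions against it: new country, new application, off-hours access, failed device posture and denial are each reported as a separate reason, and a burst of denials for one identity in a short window is flagged on its own. The access-decision log, its field names, the identities and the countries are all constructed; a real ZTA policy engine’s log schema will differ.

```python
"""Per-identity baselining over Zero-Trust-style access decisions.

Added example (not from the interview or Cloudflare). The log below is
constructed; the field names are an assumed schema for what a ZTA policy
engine records per decision: identity, app, source country, device
posture result and the allow/deny outcome.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _rec(ts, user, app, country, device_ok, decision):
    return {"ts": ts, "user": user, "app": app, "country": country,
            "device_ok": device_ok, "decision": decision}


# Constructed access-decision log. Everything before CUTOFF is the
# baseline window; everything after it is evaluated against the baseline.
LOG = [
    _rec("2024-05-06T09:05:00", "alice", "wiki", "GB", True, "allow"),
    _rec("2024-05-06T11:40:00", "alice", "crm", "GB", True, "allow"),
    _rec("2024-05-07T10:15:00", "alice", "wiki", "GB", True, "allow"),
    _rec("2024-05-07T16:02:00", "alice", "crm", "GB", True, "allow"),
    _rec("2024-05-07T16:30:00", "svc-backup", "storage", "GB", True, "allow"),
    _rec("2024-05-08T03:12:00", "alice", "finance-db", "RO", False, "deny"),
    _rec("2024-05-08T03:13:30", "alice", "finance-db", "RO", False, "deny"),
    _rec("2024-05-08T03:15:10", "alice", "finance-db", "RO", False, "deny"),
    _rec("2024-05-08T10:00:00", "alice", "wiki", "GB", True, "allow"),
    _rec("2024-05-08T12:00:00", "svc-backup", "storage", "GB", True, "allow"),
]
CUTOFF = datetime.fromisoformat("2024-05-08T00:00:00")


def _t(rec):
    return datetime.fromisoformat(rec["ts"])


def _bucket(rec):
    # Coarse time-of-day bucket so a baseline needs few events to be useful.
    return "business" if 8 <= _t(rec).hour < 18 else "off"


def build_baselines(log, cutoff):
    """Learn, per identity, the countries, apps and time buckets seen in
    successful, posture-passing decisions before the cutoff."""
    base = defaultdict(lambda: {"countries": set(), "apps": set(), "buckets": set()})
    for rec in log:
        if _t(rec) < cutoff and rec["decision"] == "allow" and rec["device_ok"]:
            b = base[rec["user"]]
            b["countries"].add(rec["country"])
            b["apps"].add(rec["app"])
            b["buckets"].add(_bucket(rec))
    return dict(base)


def score_event(rec, baselines):
    """Return the list of reasons an access decision deviates from baseline."""
    reasons = []
    b = baselines.get(rec["user"])
    if b is None:
        reasons.append("no_baseline")
    else:
        if rec["country"] not in b["countries"]:
            reasons.append("new_country")
        if rec["app"] not in b["apps"]:
            reasons.append("new_app")
        if _bucket(rec) not in b["buckets"]:
            reasons.append("unusual_hour")
    if not rec["device_ok"]:
        reasons.append("device_posture_failed")
    if rec["decision"] == "deny":
        reasons.append("denied")
    return reasons


def find_anomalies(log, cutoff):
    """Score every post-cutoff decision; keep those with at least one reason."""
    baselines = build_baselines(log, cutoff)
    out = []
    for rec in log:
        if _t(rec) >= cutoff:
            reasons = score_event(rec, baselines)
            if reasons:
                out.append((rec["user"], rec["ts"], reasons))
    return out


def denial_bursts(log, window=timedelta(minutes=10), threshold=3):
    """Identities with >= threshold denials inside any sliding window."""
    denies = defaultdict(list)
    for rec in log:
        if rec["decision"] == "deny":
            denies[rec["user"]].append(_t(rec))
    flagged = set()
    for user, times in denies.items():
        times.sort()
        for i in range(len(times)):
            if i + threshold - 1 < len(times) and times[i + threshold - 1] - times[i] <= window:
                flagged.add(user)
                break
    return flagged


if __name__ == "__main__":
    for user, ts, reasons in find_anomalies(LOG, CUTOFF):
        print(ts, user, ", ".join(reasons))
    print("denial bursts:", denial_bursts(LOG))
```

Two design choices are worth noting. Baselines are learned only from allowed, posture-passing decisions, so a compromised period cannot teach the model that the attacker’s behaviour is normal; and the reasons are kept separate rather than collapsed into one score, because in an investigation “new country plus posture failure plus denial at 03:12” is the evidence, not a number.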

FF: Looking towards the future, what emerging technologies or threats do you believe will most significantly shape the field of digital forensics?

The future of digital forensics will likely be shaped by several emerging technologies and evolving threat landscapes:

  1. Artificial Intelligence and Machine Learning:
    ○ AI-powered forensic tools will enable faster analysis of large datasets and more accurate anomaly detection.
    ○ Conversely, AI-generated deep fakes and advanced malware will pose new challenges for investigators.
    ○ Forensic AI models will need to be explainable to stand up in court.
  2. Quantum Computing:
    ○ Once viable, quantum computers could break current encryption methods, necessitating new approaches to securing and analyzing digital evidence.
    ○ Quantum-resistant cryptography will become crucial in maintaining the integrity of forensic data.
  3. Internet of Things (IoT) and 5G:
    ○ The proliferation of IoT devices will vastly expand the potential sources of digital evidence.
    ○ 5G networks will enable more real-time data collection but also facilitate faster data exfiltration by attackers.
    ○ Forensic tools will need to adapt to handle the volume and variety of IoT data.
  4. Advanced Persistent Threats (APTs) and Nation-State Actors:
    ○ Increasingly sophisticated APTs will require more advanced forensic techniques to detect and analyze.
    ○ Attribution will become more challenging as nation-state actors employ more advanced obfuscation techniques.

To address these challenges, the field of digital forensics will need to evolve rapidly. This will likely involve:

  • Continuous education and upskilling for forensic professionals
  • Development of new standards and best practices
  • Closer collaboration between academia, industry, and law enforcement
  • Ethical frameworks for dealing with increasingly powerful and invasive forensic capabilities

The future of digital forensics will require a delicate balance between leveraging powerful new technologies and respecting privacy and legal boundaries.

FF: And finally, what do you enjoy in your spare time?

In my spare time, I enjoy staying at the forefront of cybersecurity trends by reading industry publications and participating in online forums. I find it intellectually stimulating to explore the latest developments in Zero Trust Architectures and cloud security.

To balance the technical aspects of my work, I love the outdoors. There’s something refreshing about disconnecting from technology and connecting with nature. It provides a different perspective and often inspires new approaches to problem-solving in my professional life.

I’m also passionate about mentoring young professionals in the cybersecurity field. Sharing knowledge and seeing others grow in their careers is incredibly rewarding. Additionally, I enjoy attending and occasionally speaking at industry conferences, which allows me to network with peers and contribute to the broader security community.