
New to Forensic and Help needed

17 Posts
10 Users
0 Likes
1,008 Views
dude2020201
(@dude2020201)
Posts: 2
New Member
Topic starter
 

Hi All,

I am an investigator working for a local authority in the UK.

We currently seize computers from operations which get sent off for examination.

We are now in a position to train staff on our team to be able to examine computers rather than sending them away.

The only problem is that no one on the team has any real previous experience in this field, so really would be starting off from scratch.

Can anyone suggest what type of training, software / hardware we would require?

We would be looking to recover documents, spreadsheets, emails from seized computers and be able to present these at court as a prosecution case if required.

We already have trained phone forensic staff on the team and one of them has suggested a forensic product called Detego from a company called mcm solutions. It claims that this is a fast and easy to use extraction tool.

Does anyone know of this product and if it is any good, or should we be looking for different training or products?

Thanks

 
Posted : 26/02/2012 4:01 pm
trewmte
(@trewmte)
Posts: 1877
Noble Member
 

dude2020201

I didn't see anything at MCM Solutions website about Detego. Problematical if the product details are underground then any reasonable assessment about its value is not easy. I see from their website they identify UME and UFED (http://www.mcmsolutions.co.uk/what-we-do.html) which is commonly understood to be Cellebrite.

Recent discussions about UFED

http://www.forensicfocus.com/Forums/viewtopic/t=8785/
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&p=6556610
http://www.forensicfocus.com/Forums/viewtopic/printertopic=1/t=8674/postdays=0/postorder=asc/start=0/

Common data harvesting tools from mobile phones and (U)SIMs in use are UFED, XRY, Oxygen, Aceso, USIM Detective, SIMIS, SIMCON etc

Here are links that list computer forensic tools lists (this is not a recommendation to buy from anyone, merely to give you an outlook on what is available)

http://www.e-evidence.info/other.html
http://www.forensicswiki.org/
http://www2.opensourceforensics.org/tools
http://www.timberlinetechnologies.com/products/forensics.html

It could be useful if you dropped an email to Craig Wilson at Digital Detective (craig.wilson@digital-detective.co.uk). Let him know I suggested you contact him. Yes he does produce/sell tools (NetAnalysis, Blade, etc), but he doesn't recommend tools that are not what you need and will not try and sell to you tools for the sake of it. Craig, himself, is a highly experienced digital forensics examiner and investigator.

Commonly, FTK, EnCase, DD, etc will come up in searches at Forensic Focus.

I hope that helps (and btw I have no tools to sell to you).

 
Posted : 26/02/2012 5:45 pm
abelsher
(@abelsher)
Posts: 7
Active Member
 

A comprehensive and easy to use computer forensic tool for recovering Internet related artifacts is IEF. You can download a trial at www.jadsoftware.com

 
Posted : 27/02/2012 7:51 am
dude2020201
(@dude2020201)
Posts: 2
New Member
Topic starter
 

Hi, many thanks for the reply.

MCM have provided us with our phone forensic kit, which is Cellebrite. I also checked the web site and could not see anything about the Detego tool, however I have a brochure that outlines what it does and its capabilities.

I will see if I can forward this to Craig.

Many thanks

 
Posted : 27/02/2012 6:16 pm
Jonathan
(@jonathan)
Posts: 878
Prominent Member
 

Hi, many thanks for the reply.

MCM have provided us with our phone forensic kit, which is Cellebrite. I also checked the web site and could not see anything about the Detego tool, however I have a brochure that outlines what it does and its capabilities.

I will see if I can forward this to Craig.

Many thanks

Check your PM inbox.

Jonathan

 
Posted : 27/02/2012 6:48 pm
nigel_cro
(@nigel_cro)
Posts: 29
Eminent Member
 

Just a suggestion, but if you manage to avail yourself of a copy of the ACPO Good Practice Guide for Computer Based Evidence and, perhaps more importantly the ACPO Managers Guide (both should be available at www.acpo.police.uk) they will give you a very good 'starter for 10' about everything from setting up a lab to a training path for examiners.

I don't know if I was the only one who winced slightly when I read your post? Good luck.

 
Posted : 12/03/2012 1:26 pm
pbeardmore
(@pbeardmore)
Posts: 289
Reputable Member
 

As someone who is ex local authority (10 years) with 9 years experience in CF, my advice is don't do it. With respect, it's clear from your initial posting that you are not even at stage 1 in terms of understanding what the issues are in terms of setting up and running a lab. (hence Nigel's wincing)
LA management simply don't seem to be able to understand what a complex topic this can be. I ran a CF lab within Surrey Council for 2 years (the first ever within a LA) before leaving and one of the issues was the lack of long term investment re staff, training, software, hardware, quality systems etc. (and this was before ISOs and the regulator) As a spin off from this, staff retention is a massive issue. If you train staff up to a certain level, they gain a value in the private sector and that will never be reflected in any remuneration offered by the local authority. And if you do it on the cheap, it's just a matter of time before a defence expert comes out and exploits any weaknesses.

UFED is great (especially if you are just doing logical) but there is a massive difference between the push button UFED and the ability to carry out a forensic analysis of hard drive.

Obviously, I am a little biased but I can put you in touch with other experts who have had similar experiences.
N Yorks Council have just received additional funding for providing CF support to all of the LAs in England and Wales so it would seem natural to contact them if you need any further advice.
Sorry if this post sounds a little grumpy but better to be honest than beat about the bush.

 
Posted : 13/03/2012 9:34 pm
Fab4
(@fab4)
Posts: 173
Estimable Member
 

LA management simply don't seem to be able to understand what a complex topic this can be. I ran a CF lab within Surrey Council for 2 years (the first ever within a LA) before leaving and one of the issues was the lack of long term investment re staff, training, software, hardware, quality systems etc. (and this was before ISOs and the regulator) As a spin off from this, staff retention is a massive issue. If you train staff up to a certain level, they gain a value in the private sector and that will never be reflected in any remuneration offered by the local authority. And if you do it on the cheap, it's just a matter of time before a defence expert comes out and exploits any weaknesses.

My own experience couldn't have been summed up better.

 
Posted : 13/03/2012 9:51 pm
PhillHatton
(@phillhatton)
Posts: 3
New Member
 

Dude2020201

Like pbeardmore I ran a computer forensics lab for a local authority and very much agree with what he writes. Also like him I do have a vested interest as I suspect my current business was at least one of the organisations to whom your team has sent work in the past.

I would recommend sending your team members on a 3 or 4 year digital forensics BSc at one of a number of universities offering such a course (I would be prepared to advise privately on which ones, but the four year courses are best as you have a placement year). The team leader should then obtain 4 or 5 years experience of examining PCs and reviewing other examiners' work and probably do an MSc.
A decent expert witness course such as the Bond Solon one wouldn't go amiss. Then start signing up for product specific courses at £2K a pop.
You may also want to look at the Skills For Justice NOS and see how your qualifications map to these (which they probably won't!).

Then you can start ordering the hardware and software. If you go the FTK4 route you could easily be looking at £10k a seat, although Encase and/or X-Ways are much cheaper. You may however be considering a triage solution - in which case you should remember that these are intended to decide which computers should be submitted for a full examination not to replace that examination altogether.

Meanwhile you should get hold of a copy of ISO 17025 and the Forensic Science Regulator's Codes of Practice and Conduct and come up with a plan as to how you will get your lab UKAS accredited by October 2015 (or whenever!). Don't forget that this will also be a requirement for your phone examinations.

I would then total up what all this will cost and compare it to how much you expect to pay for digital forensic examinations over the next few years (I'll give you a very competitive quote) and see if it is really worth it. Don't forget the legal costs when it all goes wrong because you don't know what you are doing and are entirely in the hands of the forensic tool vendors.

If you really want to save money you should buy a barrister's outfit and start doing your own advocacy. It is about as sensible an approach and they tend to charge more anyway!

I realise we all have to start somewhere but the digital forensics world is now very different to the late 1990s (when hardly anyone knew what they were doing) to now (when there are lots of people who very much know what they are doing) and just buying a copy of Encase or XRY and doing a three day course does not make you a digital forensicator (although neither does a BSc in computer forensics necessarily!).

Regards

Phill Hatton

"Adventure is just bad planning" - Roald Amundsen

 
Posted : 15/03/2012 7:39 pm
Jonathan
(@jonathan)
Posts: 878
Prominent Member
 

And the moral of the tale is that it's far cheaper for local authorities to outsource forensic jobs to established providers rather than make the long term investment in setting up, maintaining and staffing your own forensic capability.

Next!

 
Posted : 15/03/2012 9:20 pm
Patrick4n6
(@patrick4n6)
Posts: 650
Honorable Member
 

No, it's cheaper to hire someone with the experience if you're doing enough work to justify that person full time. If you're not doing enough to justify full time, then there is a balance point at which it becomes cheaper to outsource. My employer would have to pay 3 times my salary at a minimum to outsource my function, plus technology costs, and my internal knowledge of my employer adds significant value with a potentially multiplicative value that you don't get with outsourcing. Same thing with government and local knowledge.

I'm not against outsourcing, it's the only logical way to handle overflow, or to do a small amount of work that doesn't justify standing up infrastructure and hiring the right people.

 
Posted : 15/03/2012 10:57 pm
Jonathan
(@jonathan)
Posts: 878
Prominent Member
 

No, it's cheaper to hire someone with the experience if you're doing enough work to justify that person full time. If you're not doing enough to justify full time, then there is a balance point at which it becomes cheaper to outsource.

That's just a truism.

My employer would have to pay 3 times my salary at a minimum to outsource my function, plus technology costs, and my internal knowledge of my employer adds significant value with a potentially multiplicative value that you don't get with outsourcing.

Your financial cost to your employer is far more than your salary. Most surveys put the 'real' cost of employing someone at between 40% and 100% of salary (to include deskspace, taxes, energy bills, medical costs, holidays, etc). The lowest salary for experienced UK forensic analyst is around £30k. Let's take the mid-point, of 'real' costs to an employee and say it costs the employer 70% of the employees person to use them. So that person costs the employee £51k. Then we need to buy licenses of EnCase, FTK, NetAnalysis and other software and provide them with an analysis machine, a laptop, write blockers, hard drives, a secure lab and a back up solution, etc, etc. £40k minimum, split that over 3 years when items are renewed, so £13.5k a year. Send them on one one-week course a year. That's £2k.

So for one person for one year on a low salary would cost the organisation £65k at least per year. I can't speak about your situation but if a UK local authority could justify that to their electorate when essential services which they're also responsible for like education and cleaning the streets are under massive financial pressure then good luck to them!

 
Posted : 16/03/2012 12:06 am
pbeardmore
(@pbeardmore)
Posts: 289
Reputable Member
 

When I was at Surrey, they were very professional about doing a proper costing of the lab. So for example, we had to include a notional rental of the office space, photocopier etc etc plus all of the "on costs" that an employer has to cover (just as Jonathan pointed out).
I agreed with this as it is how any unit should be done and when this is done, that's when you see the true costs.
The other element that is hard to put a price on is reputational risk. If your external expert makes a hash of things (pardon the pun), you dump them and find another one (worst case scenario, sue them), if you as a local authority make a hash of it, who will carry the can?

 
Posted : 16/03/2012 3:16 am
Patrick4n6
(@patrick4n6)
Posts: 650
Honorable Member
 

So for one person for one year on a low salary would cost the organisation £65k at least per year. I can't speak about your situation but if a UK local authority could justify that to their electorate when essential services which they're also responsible for like education and cleaning the streets are under massive financial pressure then good luck to them!

Again, working on the basis that there's enough work being generated in the authority to keep an examiner busy full time, let's say as a starting point that your 65k figure is accurate, and it does seem reasonable to me. I still expect that if one were to outsource the work that person can perform, you'll easily be spending 120k+. So you'll still cover your capital costs in the first year on top of your labour, so there's no question of ROI nor NPV. Let's not forget that when you pay a consultancy, you're not just paying for people, facilities and equipment, you're paying for their sales/marketing overhead, and for their profit margin. Local govs don't market CF capability, and they don't have a profit motive.

I'd also argue that the reputational risk argument is moot since if an authority hires someone who screws up, the authority will wear the responsibility for that anyway. As I explain a lot recently, you can outsource your data, but you can't outsource your obligations.

The big problem, and you see this in the US also, is setting up single person labs, and trying to bootstrap your examiner from scratch. I was fortunate to start my career in a lab with 5 experienced examiners to draw on, and it wasn't until 3 years in that I ran a solo lab operation. I have doubts you could build the same quality of examiner without that mentoring and access. Hence why I suggested getting an experienced examiner.

 
Posted : 16/03/2012 9:16 pm
pbeardmore
(@pbeardmore)
Posts: 289
Reputable Member
 

Well I think we are all in agreement as only on some other planet are LAs going to recruit a forensic expert on £65,000. (if they did I would be back like a shot) I was given a £500 per year bonus on top of my basic grade and even that put some noses out of joint.

 
Posted : 17/03/2012 2:00 am