
New to Forensic and Help needed

(@dude2020201)
New Member
Joined: 13 years ago
Posts: 2
Topic starter  

Hi All,

I am an investigator working for a local authority in the UK.

We currently seize computers from operations which get sent off for examination.

We are now in a position to train staff on our team to be able to examine computers rather than sending them away.

The only problem is that no one on the team has any real previous experience in this field, so really would be starting off from scratch.

Can anyone suggest what type of training, software / hardware we would require?

We would be looking to recover documents, spreadsheets, emails from seized computers and be able to present these at court as a prosecution case if required.

We already have trained phone forensic staff on the team and one of them has suggested a forensic product called Detego from a company called mcm solutions. It claims that this is a fast and easy to use extraction tool.

Does anyone know of this product and if it is any good, or should we be looking for different training or products?

Thanks


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

dude2020201

I didn't see anything at MCM Solutions website about Detego. Problematical if the product details are underground then any reasonable assessment about its value is not easy. I see from their website they identify UME and UFED (http://www.mcmsolutions.co.uk/what-we-do.html) which is commonly understood to be Cellebrite.

Recent discussions about UFED

http://www.forensicfocus.com/Forums/viewtopic/t=8785/
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&p=6556610
http://www.forensicfocus.com/Forums/viewtopic/printertopic=1/t=8674/postdays=0/postorder=asc/start=0/

Common data harvesting tools from mobile phones and (U)SIMs in use are UFED, XRY, Oxygen, Aceso, USIM Detective, SIMIS, SIMCON etc

Here are links that list computer forensic tools lists (this is not a recommendation to buy from anyone, merely to give you an outlook on what is available)

http://www.e-evidence.info/other.html
http://www.forensicswiki.org/
http://www2.opensourceforensics.org/tools
http://www.timberlinetechnologies.com/products/forensics.html

It could be useful if you dropped an email to Craig Wilson at Digital Detective (craig.wilson@digital-detective.co.uk). Let him know I suggested you contact him. Yes he does produce/sell tools (NetAnalysis, Blade, etc), but he doesn't recommend tools that are not what you need and will not try and sell to you tools for the sake of it. Craig, himself, is a highly experienced digital forensics examiner and investigator.

Commonly, FTK, EnCase, DD, etc will come up in searches at Forensic Focus.

I hope that helps (and btw I have no tools to sell to you).


   
(@abelsher)
Active Member
Joined: 14 years ago
Posts: 7
 

A comprehensive and easy to use computer forensic tool for recovering Internet related artifacts is IEF. You can download a trial at www.jadsoftware.com


   
(@dude2020201)
New Member
Joined: 13 years ago
Posts: 2
Topic starter  

Hi, many thanks for the reply.

MCM have provided us with our phone forensic kit, which is Cellebrite. I also checked the web site and could not see anything about the Detego tool, however I have a brochure that outlines what it does and its capabilities.

I will see if I can forward this to Craig.

Many thanks


   
(@jonathan)
Prominent Member
Joined: 20 years ago
Posts: 878
 

Hi, many thanks for the reply.

MCM have provided us with our phone forensic kit, which is Cellebrite. I also checked the web site and could not see anything about the Detego tool, however I have a brochure that outlines what it does and its capabilities.

I will see if I can forward this to Craig.

Many thanks

Check your PM inbox.

Jonathan


   
(@nigel_cro)
Eminent Member
Joined: 16 years ago
Posts: 29
 

Just a suggestion, but if you manage to avail yourself of a copy of the ACPO Good Practice Guide for Computer Based Evidence and, perhaps more importantly the ACPO Managers Guide (both should be available at www.acpo.police.uk) they will give you a very good 'starter for 10' about everything from setting up a lab to a training path for examiners.

I don't know if I was the only one who winced slightly when I read your post? Good luck.


   
(@pbeardmore)
Reputable Member
Joined: 18 years ago
Posts: 289
 

As someone who is ex local authority (10 years) with 9 years' experience in CF, my advice is don't do it. With respect, it's clear from your initial posting that you are not even at stage 1 in terms of understanding what the issues are in terms of setting up and running a lab. (hence Nigel's wincing)
LA management simply don't seem to be able to understand what a complex topic this can be. I ran a CF lab within Surrey Council for 2 years (the first ever within a LA) before leaving and one of the issues was the lack of long term investment re staff, training, software, hardware, quality systems etc. (and this was before ISOs and the regulator) As a spin off from this, staff retention is a massive issue. If you train staff up to a certain level, they gain a value in the private sector and that will never be reflected in any remuneration offered by the local authority. And if you do it on the cheap, it's just a matter of time before a defence expert comes out and exploits any weaknesses.

UFED is great (especially if you are just doing logical) but there is a massive difference between the push button UFED and the ability to carry out a forensic analysis of a hard drive.

Obviously, I am a little biased but I can put you in touch with other experts who have had similar experiences.
N Yorks Council have just received additional funding for providing CF support to all of the LAs in England and Wales so it would seem natural to contact them if you need any further advice.
Sorry if this post sounds a little grumpy but better to be honest than beat about the bush.


   
(@fab4)
Estimable Member
Joined: 18 years ago
Posts: 173
 

LA management simply don't seem to be able to understand what a complex topic this can be. I ran a CF lab within Surrey Council for 2 years (the first ever within a LA) before leaving and one of the issues was the lack of long term investment re staff, training, software, hardware, quality systems etc. (and this was before ISOs and the regulator) As a spin off from this, staff retention is a massive issue. If you train staff up to a certain level, they gain a value in the private sector and that will never be reflected in any remuneration offered by the local authority. And if you do it on the cheap, it's just a matter of time before a defence expert comes out and exploits any weaknesses.

My own experience couldn't have been summed up better.


   
(@phillhatton)
New Member
Joined: 13 years ago
Posts: 3
 

Dude2020201

Like pbeardmore I ran a computer forensics lab for a local authority and very much agree with what he writes. Also like him I do have a vested interest as I suspect my current business was at least one of the organisations to whom your team has sent work in the past.

I would recommend sending your team members on a 3 or 4 year digital forensics BSc at one of a number of universities offering such a course (I would be prepared to advise privately on which ones, but the four year courses are best as you have a placement year). The team leader should then obtain 4 or 5 years experience of examining PCs and reviewing other examiners' work and probably do an MSc.
A decent expert witness course such as the Bond Solon one wouldn't go amiss. Then start signing up for product specific courses at £2K a pop.
You may also want to look at the Skills For Justice NOS and see how your qualifications map to these (which they probably won't!).

Then you can start ordering the hardware and software. If you go the FTK4 route you could easily be looking at £10k a seat, although Encase and/or X-Ways are much cheaper. You may however be considering a triage solution - in which case you should remember that these are intended to decide which computers should be submitted for a full examination not to replace that examination altogether.

Meanwhile you should get hold of a copy of ISO 17025 and the Forensic Science Regulator's Codes of Practice and Conduct and come up with a plan as to how you will get your lab UKAS accredited by October 2015 (or whenever!). Don't forget that this will also be a requirement for your phone examinations.

I would then total up what all this will cost and compare it to how much you expect to pay for digital forensic examinations over the next few years (I'll give you a very competitive quote) and see if it is really worth it. Don't forget the legal costs when it all goes wrong because you don't know what you are doing and are entirely in the hands of the forensic tool vendors.

If you really want to save money you should buy a barrister's outfit and start doing your own advocacy. It is about as sensible an approach and they tend to charge more anyway!

I realise we all have to start somewhere but the digital forensics world is now very different to the late 1990s (when hardly anyone knew what they were doing) to now (when there are lots of people who very much know what they are doing) and just buying a copy of Encase or XRY and doing a three day course does not make you a digital forensicator (although neither does a BSc in computer forensics necessarily!).

Regards

Phill Hatton

"Adventure is just bad planning" - Roald Amundsen


   
(@jonathan)
Prominent Member
Joined: 20 years ago
Posts: 878
 

And the moral of the tale is that it's far cheaper for local authorities to outsource forensic jobs to established providers rather than make the long term investment in setting up, maintaining and staffing your own forensic capability.

Next!


   