Ben Findlay, North Yorkshire Police Hi Tech Crime Unit

by

Ben is a civilian investigator working for the Hi Tech Crime Unit of North Yorkshire Police in the UK.

Can you tell us something about your background? Why did you decide to work in the field of digital forensics?

Digital forensics is something I came to by chance, really. Upon finishing my A levels, I went off to university to read medicine. After 2 years doing that, I came to the conclusion that my calling was elsewhere. I moved back home and enrolled at my local university on an Applied Science and Forensic Investigation course. It was during this time that I was introduced to Forensic Computing. During a final year group-based module called ‘Crime Scene to Court’ we were exposed to practical forensic processes at every step of the investigation, including some digital forensic investigation. Also, as part of the lectures supporting this module, there were a few on forensic computing and they really caught my interest. In fact, so much so that I applied to get on the MSc program shortly afterwards.After that, I was fortunate enough to find a job going locally, which brings me to where I am today.

What does your current role involve? What types of crime are you typically asked to investigate?

Mostly we investigate cases involving indecent images, and a few involving drugs/thefts. Lately we have also been getting a few cases involving live website investigation too, which have been quite exciting.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

In your experience, are criminals becoming better informed about computer forensics procedures and becoming more skilled at covering their tracks?

I don’t think I’ve been in the field long enough to have a definite view on such a trend, but I would say that I suspect the answer is no. In my experience, those criminals that do use ‘anti-forensic’ technology don’t seem to use it properly, although I would admit that some are better than others. However we always seem to be able to get plenty of evidence back, regardless of the lengths they have taken to cover their tracks. In the case of indecent images, a knowledgable criminal may well erase the images themselves, but traces often remain in places they would not think of.

What trends do you see in computer crime investigation and what new challenges do you envisage in the future?

The amount of data being submitted for investigation is definitely getting larger. I think that this is not just due to the ever increasing storage capacities of the modern world, but also because of the increasing awareness and ability of our SOCOs and other staff to recognise a diverse range of devices capable of storing data. This is certainly a challenge as it means investigations are taking longer and longer, but it’s also a good thing, as the investigations are more comprehensive as a result.

Are there aspects of computer crime legislation which you feel could be improved to allow investigators to work more effectively?

I think there is a great amount of work being done on regulation currently, which is really important. Forensic computing needs to be brought into line with the other more ‘traditional’ scientific forensic disciplines in terms of formal standards.

There is often debate as to whether we are a scientific discipline or not; something which seems to have spilled over from academic debates as to whether computer science courses should award a BA or BSc. I feel very strongly that we are a scientific descipline, or more accurately that we should be. There is a great book called ‘Software Engineering’ by Ian Sommerville which discusses in detail the benefits of formal, proper scientific specifications and a proper design, and I think a more formalised approach would go a long way towards helping the forensic computing industry satisfy scientific standards. I think computer science as a whole needs better scientific formalisation, which will have a knock on effect for forensic computing.

I also think legislation and regulation can and should be used to improve the quality of our forensic software and processes, as it will improve the reliability and dependability of investigations.

Many people are familiar with the concept and importance of validating and verifying (V&V) results (and the difference between the two), but it would be fantastic if this could be engineered into the software (perhaps through some form of fundamentals or ‘first-principles’ methodology). I doubt whether V&V can ever be made truly redundant by formal specifications, but the process could certainly be made far easier.

What would you most like to see changed or improved in the field of computer forensics?

I’ve already mentioned regulation and standards, so I wont bring them up again. Additionally, though, I think triage needs looking at. In its current state it does not really benefit us in the types of cases we do, but I am aware that it does benefit many others in case types that I do not personally encounter. I’m always wary of eliminating evidence based solely on a cursory look, particularly when there may be vulnerable persons involved – considering some of the offences we investigate, it’s just too risky. That being said, one way triage can be of particular help is in prioritisation of evidence, so more advanced (and faster) search tools that can be run across live write-blocked evidence could really help streamline investigations.

What qualities do you think are most important for anyone working in this field?

I don’t think there is a simple answer to that, or even know if such a question can be answered completely, but there are a few qualities that jump out; a scientific, logical mind, the ability to pay attention to detail and the ability to stay objective.

Investigators encounter material that can range from the plain bizarre to the horrific. Being able to recognise that other people have different values and ethics to yourself certainly helps you stay objective and move past anything that you personally may find disturbing.

A scientific and logical mind helps to carry out an investigation systematically, to ensure that every angle is considered, and attention to detail helps make sure nothing is overlooked or missed. There may be reasonable explanations as to why particular content was recovered from a piece of evidence, and it is your job to find these explanations. Evidence of innocence is just as important as evidence of guilt.

Something we see quite frequently at Forensic Focus is a desire on the part of students or those working in other areas of IT to move into a law enforcement digital forensics role. What advice would you give to someone in this position?

It’s certainly tough in the current economic climate and I don’t envy the current crop of students.

I would recommend they look at experience outside of the purely forensic arena. IT helpdesk and admin jobs provide valuable enterprise-based experience and will open the door to more mainstream IT roles. If you can get into a company that also has a computer forensic presence to work in mainstream IT, there is always a chance of moving sideways once your foot is in the door, especially if you throw yourself into the job and impress the right people.

Also, try getting yourself noticed. This is often overlooked. Do some research and publish it, write a program that addresses an unfilled niche (or contribute to the development of an existing software tool), even start a blog and discuss meaningful and current issues.

What is the most rewarding part of your job? What aspect of your job do you find most challenging?

Finishing a case is certainly rewarding; you get the feeling of having really made a difference. I’d also say that finishing the case is probably the most challenging aspect too; being able to step back and walk away from a job having done enough requires a lot of confidence, not just in yourself, but also in the tools and methods. The compromise between business targets and thoroughness is difficult.

What do you do to relax when you're not working?

From an early age I’ve always enjoyed messing with (should that be breaking?) computers. My main hobby and my job are very similar, something for which I feel incredibly fortunate. My other hobby, which takes up almost all of my spare time is music; listening and playing. I run a choir and sing in 3 others. Music has always been a big part of my life, and I find it a fantastic way to relax and unwind.

Leave a Comment

Latest Videos

Forensic Focus

Forensic Focus
In this webinar, David Spreadborough, Forensic Analyst at Amped Software, provides a closer look at those important early stages in investigations involving video evidence. Starting with establishing the integrity of the digital data and evaluating the authenticity of the produced visual image. From demonstrative timelines to speed estimation, the evidential foundations are paramount in every case. Failure to consider these steps and misinterpreting the data can cause unnecessary delays, mistakes, and potentially even miscarriages of justice. Amped FIVE is used to conduct data analysis, file conversion, and assessment of image reliability. Useful links: Amped FIVE - https://ampedsoftware.com/five Video Evidence Principles - https://blog.ampedsoftware.com/2023/0... CCTV Acquisition introduction - https://blog.ampedsoftware.com/2023/0...

In this webinar, David Spreadborough, Forensic Analyst at Amped Software, provides a closer look at those important early stages in investigations involving video evidence. Starting with establishing the integrity of the digital data and evaluating the authenticity of the produced visual image.

From demonstrative timelines to speed estimation, the evidential foundations are paramount in every case.

Failure to consider these steps and misinterpreting the data can cause unnecessary delays, mistakes, and potentially even miscarriages of justice.

Amped FIVE is used to conduct data analysis, file conversion, and assessment of image reliability.

Useful links:

Amped FIVE - https://ampedsoftware.com/five
Video Evidence Principles - https://blog.ampedsoftware.com/2023/0...
CCTV Acquisition introduction - https://blog.ampedsoftware.com/2023/0...

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_dnSPwNdMn5M

Investigating Video: The Vital First Steps

Forensic Focus 14 hours ago

Read more at https://www.forensicfocus.com/news/forensic-focus-digest-may-10-2024/ #dfir #digitalforensics

Read more at https://www.forensicfocus.com/news/forensic-focus-digest-may-10-2024/ #dfir #digitalforensics

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_QVjq2Xu_MQ8

Forensic Focus Digest, May 10 2024 #dfir #digitalforensics

Forensic Focus 10th May 2024 12:43 pm

In this webinar, Jordan Portfleet from the Oxygen Forensic Training Team introduces KeyDiver, a new module integrated into Oxygen Forensic Detective. KeyDiver is designed to find passwords to decrypt various encrypted data sources like BitLocker and FileVault2 encrypted volumes, encrypted ZIP files, Apple Notes, Telegram Desktop app, and more. Jordan provides an in-depth walkthrough of KeyDiver's features and demonstrates how to create different types of brute force attacks like mask attacks, dictionary attacks, and custom password guessing. He explains the various settings available for customizing attacks, managing GPU utilization, monitoring progress, and more. Jordan also shares tips on leveraging additional data sources and social engineering techniques to improve password guessing success rates.

In this webinar, Jordan Portfleet from the Oxygen Forensic Training Team introduces KeyDiver, a new module integrated into Oxygen Forensic Detective.

KeyDiver is designed to find passwords to decrypt various encrypted data sources like BitLocker and FileVault2 encrypted volumes, encrypted ZIP files, Apple Notes, Telegram Desktop app, and more.

Jordan provides an in-depth walkthrough of KeyDiver's features and demonstrates how to create different types of brute force attacks like mask attacks, dictionary attacks, and custom password guessing. He explains the various settings available for customizing attacks, managing GPU utilization, monitoring progress, and more.

Jordan also shares tips on leveraging additional data sources and social engineering techniques to improve password guessing success rates.

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_3hDBpcA9rdw

Oxygen Forensic® KeyDiver

Forensic Focus 9th May 2024 11:08 am

Load More... Subscribe
This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feeds settings page to add an API key after following these instructions.

Latest Articles

Investigating Video: The Vital First Steps
Webinars

Investigating Video: The Vital First Steps

ByAmpedSoftwareMay 13, 2024
Forensic Focus Digest, May 10 2024
News

Forensic Focus Digest, May 10 2024

ByForensic FocusMay 10, 2024
Oxygen Forensic® KeyDiver
Webinars

Oxygen Forensic® KeyDiver

ByOxygenForensicsMay 9, 2024
Detego Global Announces Webinar To Demonstrate The Powerful New Features Of Detego v4.16
News

Detego Global Announces Webinar To Demonstrate The Powerful New Features Of Detego v4.16

ByDetego Digital ForensicsMay 8, 2024
Digital Forensics Round-Up, May 08 2024
News

Digital Forensics Round-Up, May 08 2024

ByForensic FocusMay 8, 2024
UK Parliamentary Legislation Introduced Against Deepfakes
News

UK Parliamentary Legislation Introduced Against Deepfakes

ByForensic FocusMay 2, 2024