Ben is a civilian investigator working for the Hi Tech Crime Unit of North Yorkshire Police in the UK.
Can you tell us something about your background? Why did you decide to work in the field of digital forensics?
Digital forensics is something I came to by chance, really. Upon finishing my A levels, I went off to university to read medicine. After 2 years doing that, I came to the conclusion that my calling was elsewhere. I moved back home and enrolled at my local university on an Applied Science and Forensic Investigation course. It was during this time that I was introduced to Forensic Computing. During a final year group-based module called ‘Crime Scene to Court’ we were exposed to practical forensic processes at every step of the investigation, including some digital forensic investigation. Also, as part of the lectures supporting this module, there were a few on forensic computing and they really caught my interest. In fact, so much so that I applied to get on the MSc program shortly afterwards.After that, I was fortunate enough to find a job going locally, which brings me to where I am today.
What does your current role involve? What types of crime are you typically asked to investigate?
Mostly we investigate cases involving indecent images, and a few involving drugs/thefts. Lately we have also been getting a few cases involving live website investigation too, which have been quite exciting.
In your experience, are criminals becoming better informed about computer forensics procedures and becoming more skilled at covering their tracks?
I don’t think I’ve been in the field long enough to have a definite view on such a trend, but I would say that I suspect the answer is no. In my experience, those criminals that do use ‘anti-forensic’ technology don’t seem to use it properly, although I would admit that some are better than others. However we always seem to be able to get plenty of evidence back, regardless of the lengths they have taken to cover their tracks. In the case of indecent images, a knowledgable criminal may well erase the images themselves, but traces often remain in places they would not think of.
What trends do you see in computer crime investigation and what new challenges do you envisage in the future?
The amount of data being submitted for investigation is definitely getting larger. I think that this is not just due to the ever increasing storage capacities of the modern world, but also because of the increasing awareness and ability of our SOCOs and other staff to recognise a diverse range of devices capable of storing data. This is certainly a challenge as it means investigations are taking longer and longer, but it’s also a good thing, as the investigations are more comprehensive as a result.
Are there aspects of computer crime legislation which you feel could be improved to allow investigators to work more effectively?
I think there is a great amount of work being done on regulation currently, which is really important. Forensic computing needs to be brought into line with the other more ‘traditional’ scientific forensic disciplines in terms of formal standards.
There is often debate as to whether we are a scientific discipline or not; something which seems to have spilled over from academic debates as to whether computer science courses should award a BA or BSc. I feel very strongly that we are a scientific descipline, or more accurately that we should be. There is a great book called ‘Software Engineering’ by Ian Sommerville which discusses in detail the benefits of formal, proper scientific specifications and a proper design, and I think a more formalised approach would go a long way towards helping the forensic computing industry satisfy scientific standards. I think computer science as a whole needs better scientific formalisation, which will have a knock on effect for forensic computing.
I also think legislation and regulation can and should be used to improve the quality of our forensic software and processes, as it will improve the reliability and dependability of investigations.
Many people are familiar with the concept and importance of validating and verifying (V&V) results (and the difference between the two), but it would be fantastic if this could be engineered into the software (perhaps through some form of fundamentals or ‘first-principles’ methodology). I doubt whether V&V can ever be made truly redundant by formal specifications, but the process could certainly be made far easier.
What would you most like to see changed or improved in the field of computer forensics?
I’ve already mentioned regulation and standards, so I wont bring them up again. Additionally, though, I think triage needs looking at. In its current state it does not really benefit us in the types of cases we do, but I am aware that it does benefit many others in case types that I do not personally encounter. I’m always wary of eliminating evidence based solely on a cursory look, particularly when there may be vulnerable persons involved – considering some of the offences we investigate, it’s just too risky. That being said, one way triage can be of particular help is in prioritisation of evidence, so more advanced (and faster) search tools that can be run across live write-blocked evidence could really help streamline investigations.
What qualities do you think are most important for anyone working in this field?
I don’t think there is a simple answer to that, or even know if such a question can be answered completely, but there are a few qualities that jump out; a scientific, logical mind, the ability to pay attention to detail and the ability to stay objective.
Investigators encounter material that can range from the plain bizarre to the horrific. Being able to recognise that other people have different values and ethics to yourself certainly helps you stay objective and move past anything that you personally may find disturbing.
A scientific and logical mind helps to carry out an investigation systematically, to ensure that every angle is considered, and attention to detail helps make sure nothing is overlooked or missed. There may be reasonable explanations as to why particular content was recovered from a piece of evidence, and it is your job to find these explanations. Evidence of innocence is just as important as evidence of guilt.
Something we see quite frequently at Forensic Focus is a desire on the part of students or those working in other areas of IT to move into a law enforcement digital forensics role. What advice would you give to someone in this position?
It’s certainly tough in the current economic climate and I don’t envy the current crop of students.
I would recommend they look at experience outside of the purely forensic arena. IT helpdesk and admin jobs provide valuable enterprise-based experience and will open the door to more mainstream IT roles. If you can get into a company that also has a computer forensic presence to work in mainstream IT, there is always a chance of moving sideways once your foot is in the door, especially if you throw yourself into the job and impress the right people.
Also, try getting yourself noticed. This is often overlooked. Do some research and publish it, write a program that addresses an unfilled niche (or contribute to the development of an existing software tool), even start a blog and discuss meaningful and current issues.
What is the most rewarding part of your job? What aspect of your job do you find most challenging?
Finishing a case is certainly rewarding; you get the feeling of having really made a difference. I’d also say that finishing the case is probably the most challenging aspect too; being able to step back and walk away from a job having done enough requires a lot of confidence, not just in yourself, but also in the tools and methods. The compromise between business targets and thoroughness is difficult.
What do you do to relax when you're not working?
From an early age I’ve always enjoyed messing with (should that be breaking?) computers. My main hobby and my job are very similar, something for which I feel incredibly fortunate. My other hobby, which takes up almost all of my spare time is music; listening and playing. I run a choir and sing in 3 others. Music has always been a big part of my life, and I find it a fantastic way to relax and unwind.