Ben Findlay BSc (Hons) MSc PgCLTHE FHEA MBCS MCSFS MIScT MCIIS is Senior Lecturer in BSc (Hons) Computer and Digital Forensics and MSc Digital Forensics and Cyber Investigation at Teesside University.
FF: Last time we spoke, you worked for the Hi Tech Crime Unit of North Yorkshire Police. You’re now a Senior Lecturer at Teesside University. What led you to leave law enforcement for academia?
It was a really tough decision to be honest! There was a great opportunity to return to where I had actually studied, prior to taking up my investigator role with North Yorkshire Police. NYP was going through an exciting growth phase, and there was lots happening in force, so it certainly wasn’t due to being dissatisfied in my current role. Such vacancies just don’t come up very often, so at the time I looked at it as a “now or never” kind of situation. If I was still working for the police now, I’m certain I would be happy, as it was an incredibly rewarding role. And from time to time, I certainly miss doing active casework!
FF: What digital forensics courses and research opportunities does Teesside University offer? What can students expect to learn?
We currently have two digital forensic courses; a BSc (Hons) in Computer and Digital Forensics, and an MSc in Digital Forensics and Cyber Investigation. Our courses are highly practical and are very much focused on policing, as that is where our graduates typically end up working. Three of the core teaching team (myself included) are former law enforcement practitioners, so we have first-hand experience and try to bring real-world, relevant examples in our teaching whenever possible. We’re very much focused on employability, and giving our students the practical skills and evidence they need to impress at interview, and more importantly, the relevant practical skills and knowledge to be able to hit the ground running when they do land that first job!
Our students learn about digital evidence from crime scene to court; seizure, handling, acquisition, processing, analysis, investigation, interpretation, reporting and presentation of evidence.
In terms of research, all of our students have to complete a final research project, and we try to make those relevant to what is happening right now in industry. To give but a few specific examples of recent research projects; our students have looked at mobile “stalkerware” apps, significant changes as a result of the latest release of iOS, and artefacts created on devices as a result of the use of Kik messenger.
FF: What are your own teaching and/or research interests?
I teach across quite a few of our modules, on topics that very much span right from the crime scene all the way through to court. I particularly enjoy teaching students about the inner workings of Windows, especially manual examination of some of the more interesting NTFS artefacts like the MFT. My own research, as of late, has taken me somewhat down the path of Linux and IoT. Most recently, I have published a method to attribute user knowledge and show access to files that had been deleted on Linux desktop operating systems, under the right circumstances. There are a lot of useful artefacts in Linux, and because the OS is relatively uncommon, they are often not well explored, and also the tool support often simply isn’t there.
FF: What impact do you think machine learning and AI will have on digital forensics? What impact might there be on teaching?
I have to say that I’m somewhat sceptical about the impact that ML and AI can have. ML/AI get held up as the silver bullet to solve all the problems (just like triage did, once upon a time), but in practice that just doesn’t seem to be true. I think ML/AI has a real place as a supportive tool, to help scaffold investigations, and with the current ML/AI on the market, I can certainly see the benefit in using it to improve efficiency, especially for some of the more routine tasks we have to do, but key investigative decisions ultimately need a human eye, owing to the additional context that often exists and therefore needs to be considered. Facts need verifying, or data needs to be considered in light of other facts, and that’s something that ML/AI seemingly can’t do, at least not yet!
That being said, there are some excellent ML/AI tools already out there, and right now I think they can best be used as a method to highlight material of potential interest in an investigation; allowing a human to cast an eye over the data and make an informed decision. If we look at Griffeye Brain for instance, we see something that can be used to proactively identify apparent CSAM. That’s an awesome capability, as it means that investigators can get to pertinent files faster, and ultimately victims can be safeguarded sooner.
FF: One of the questions we’re often asked at Forensic Focus is “how do I get started in a digital forensics career?” What advice would you give? What qualities do you think are most important for work in this field?
I think this is a question that very much depends on where you are in the world, as it seems different countries do things very differently. In general though, I would say that getting a degree in the subject would be a good start, but I am of course biased there! Here in the UK we now have two DF-based apprenticeship standards, so I think going forwards, these will be a good option to pursue.
I also think getting practical experience is a big help too. Given this is often seen as a “catch 22” situation, I should say that this doesn’t need to be from actual casework. There are some excellent Capture the Flag events happening on a regular basis; these provide realistic, real-world relevant, scenarios and cases, and also give access to industry-standard tools, so they’re really valuable for those just getting started, or trying to break into the field.
As for the qualities that I think are important to work in the field; I would have to say attention to detail, objectivity, scientific and logical reasoning skills, resilience, and of course, a passion for technology.
FF: How important is it for academia, law enforcement and the private sector to work together?
Vitally important, but sadly I think this is something that needs significant improvement. In my experience, there seems to be a real disconnect between the respective sectors. When I was a practitioner, I would frequently come across things that required significant research to understand, but I had so little time to do it (because of case backlogs and other priorities). Now that I’m in academia, I have students who are crying out for industry-relevant research topics, like the ones I used to routinely encounter, but because they’re not working in industry yet, they don’t have the opportunity to naturally encounter such topics.
So I’m certainly aware that there’s some great research that goes on within industry, that never gets published. Sharing it with others often isn’t seen as a priority, or worse is actively discouraged. I would just love to see more of that excellent research undergo peer review and be published formally for the benefit of the entire DF community, and ultimately society as a whole.
My frequent plea to those I encounter in industry is to tell academia what challenges they’re facing now, what are the new apps they’re seeing criminals use, what research/questions do practitioners need answers to? We have students (and indeed staff!) who can answer those questions for you, and who would welcome such topics being brought to their attention. This could be a win-win for all involved; those in industry get to outsource some of their R&D (most often for free!) and our students get better quality research projects, which ultimately helps their employability.
Also, academia as a whole needs to do better. I see and read a lot of DF research that gets published in peer-reviewed journals, and too often find myself thinking “this research does not help solve cases”. It is often highly theoretical and abstract, with little to no application to professional practice. DF, at its core, is an applied science, and good research should reflect that fact more.
That all sounds really negative, so to end this question on a more positive note, I think it’s important to recognise the excellent research that goes on in the wider community, that gets published online in blogs, on websites etc. So, to anyone reading this who is looking at putting some new piece of knowledge out there, please consider publishing it in a peer-reviewed journal! And if that’s a prospect that maybe scares you, you could always reach out to someone in academia (your local, friendly neighbourhood DF lecturer!) who may be able to assist.
FF: What would you most like to see changed or improved in the field of digital forensics?
You know, I was asked this very question for my previous interview, 12 years ago. At the time, I said regulation and standards, and triage. 12 years later, rather sadly, my answer hasn’t really changed.
Here in the UK, regulation has resulted in less innovation, less efficiency and less expedient investigations, with absolutely no tangible improvement in the quality of the evidence. At least, that’s been my personal experience of it.
As for triage, we have more (and better!) tools available now than there were 12 years ago, which is certainly a good thing, but I still see triage as hugely inefficient. My personal experience was very much that, because the intelligence was good, the cases coming in were almost always positive. Furthermore, the established risk assessment and forensic strategy processes we used were well developed and implemented, and so were sound. As a result, triage was therefore almost always a waste of resources. That situation doesn’t seem to have changed. Further improvements in automation, and the increase in mainstream forensic tools with built-in evidence processors mean that investigators spend less time sitting in front of cases, manually putting them through preparation and processing stages, and are therefore able to juggle more cases at once. Being able to “spin more plates” is how we ultimately can be more efficient and get things done faster.
FF: What do you enjoy outside of digital forensics?
I still very much enjoy listening to music, but alas don’t have the free time that I used to have (due to changing jobs and now having a family!) to actively participate in music like I used to. Most of my free time is now taken up spending time with my family, and I wouldn’t have it any other way!
If you’d like to connect with Benjamin, you can find him on LinkedIn (login required).