Tell us about your background and how you ended up in your current role at Staffordshire Police.
I first discovered my intrigue for digital forensics whilst applying for university and (thankfully) deciding to switch to a cybersecurity and digital forensics undergraduate program instead of software engineering. It was a field I hadn’t even considered as a career option until I started researching it and inevitably came across Forensic Focus forums, where I’ve spent dozens of hours since engrossed in topics!
Upon graduating, I decided to pursue a master’s degree in the same field, which is where I had my first exposure to mobile forensics from a hands-on perspective. Sitting in one of the labs on a weekend, conducting an extraction of my mobile phone in order to review app data as part of my master’s dissertation was incredibly exciting, as was learning firsthand the minutiae of the information held on these devices which are integral to everyday life.
This experience had put me in good stead for my first graduate position as a mobile forensic analyst at Sytech, a digital forensics company providing services to both law enforcement and the defence. I was responsible for extracting and analysing data from phones, tablets, smartwatches, drones, and memory cards, as well as diagnosing and repairing these devices to facilitate data extraction — since they were often received in varying states of operation and cleanliness, as my time in the biohazard room will attest!
It was a fast-paced job at times, and I still remember an occasion where I had four mobile logical extractions in progress that required supervision while also training a junior member of staff. But it was also a rewarding environment — not only in terms of learning from experienced colleagues, but also being able to contribute to refining processes, practices, and ultimately working on investigations that led to offenders being brought to justice.
An opportunity came up at Staffordshire Police — one that, unbeknownst to me, would involve utilising the skills I had gained at Sytech almost immediately after joining. It sounded interesting, and my application was successful. The job was a result of significant investment from the force to develop its digital policing capabilities, and the unit has certainly delivered upon that and excelled in a relatively short time.
Each member of the team is expected to be a jack of all trades, delivering digital strategies and advice whilst also developing and deploying digital tactics. The role itself has evolved over time to encompass a greater level of expertise and expanding digital services, with the unit being responsible for cell-site surveys and analysis, vehicle forensics, router forensics, advanced open-source investigation, TSCM sweeps, and a lot more.
What does a typical workday look like for you?
In a word, varied! My first task of the day is reviewing emails that have come in overnight and assigning them a priority level. I then proceed with other commitments, which can range from contacting vehicle manufacturers to obtain telematics information, supporting officers on the ground with early morning warrants, and conducting digital scene searches to identify and locate all digital devices, to performing residential sweeps for covert devices.
No two days are the same, and the nature of policing often means urgent taskings can come in at short notice requiring weekend or overnight working. A personal favourite of mine was being on duty for 17 hours working on an infotainment examination of a vehicle involved in a kidnapping, for WMROCU, where the data recovered was relayed to the Senior Investigating Officer, and the threat to life was able to be downgraded as a result.
What types of data are often recoverable from modern vehicles, and how can this data help investigators?
Recoverable datasets can include geolocation data and information on previously connected devices, as well as more obscure details such as what songs were played in the vehicle, door opening and closing events, and screenshots of the infotainment screen — all of which can be pivotal to an investigation.
There has been great publicity of how data from vehicles assists investigators in high-profile investigations, but in my opinion it is equally, if not more, effective for volume crimes such as Theft of Motor Vehicles (TOMV).
In these investigations, we are limited to traditional forensic opportunities and CCTV trawls of the immediate area, but vehicles are now providing investigators with data that is identifying suspects who have been in the vehicle and CCTV and financial opportunities much further afield. Furthermore, we can establish and prioritise vehicle deposition hotspots for local officers to patrol to locate stolen/outstanding vehicles prior to being used to facilitate further offences. Lastly, the data from vehicles plays a substantial role in providing richer intelligence, which can often be the missing piece linking acquisitive crime and organised crime within a certain area.
Can you share an example of a case where vehicle forensics played a pivotal role in solving or advancing an investigation?
Following on from the previous question, I recall a vehicle theft investigation where a stolen/outstanding vehicle was recovered. As it was a Ford — a make known to contain a rich dataset — I was hopeful the recovered data would prove valuable to the investigation by helping identify potential CCTV opportunities, both at the crime scene and at the location where the vehicle was recovered.
Previously connected device information recovered included names and mobile numbers of devices which were paired with the infotainment system after the vehicle had been stolen, both identifying and placing offenders within it. This gave the officers a start for 10, as there was no waiting for fingerprint and DNA results to come back.
The impact of the availability of evidence within a short timeframe post recovery of the vehicle was further compounded by granular location data which placed the vehicle at a petrol station. CCTV and financial evidence helped place a suspect in the driver’s seat, identify associates, and further enrich our intelligence.
The CCTV was subsequently secured before it could be overwritten, with a final benefit being the identification of a rural location I had noticed was frequently visited. I brought this to the attention of the officer in charge of the investigation, and the site of interest was later visited by patrols. A number of further stolen/outstanding vehicles were identified and recovered. The vehicle began as just one strand of the investigation but ultimately became the most pivotal.
What tools or techniques do you most commonly use when conducting vehicle forensic examinations?
The most frequently used non-vendor-specific techniques for vehicle forensic examinations are ISP and manual examinations. The latter is often dismissed as rudimentary, but in reality, previously connected device mobile numbers and Bluetooth MAC addresses can be recovered — although in some cases, accessing engineering mode is required. Further work can be carried out on these identifiers for attribution purposes during high-risk and time-sensitive investigations.
Chip-off examinations are also conducted when circumstances allow, though they aren’t always pursued since this is technically a destructive technique. In terms of specific tools, Autel, Berla and VCDS are utilised. An alternative vehicle forensic suite, Rusolut’s Vehicle Data Reconstructor (VDR), is on my wishlist, as it would address significant capability gaps in current solutions. It supports not only data extraction and analysis from infotainment systems, but also from telematics and expansion modules — which is a gamechanger.
With connected cars and infotainment systems becoming the norm, what new challenges or opportunities are you seeing in vehicle forensics?
The advances in vehicle technology are both exciting and concerning — for consumers and law enforcement alike. The two main challenges I foresee are software security measures and data off-boarding.
Most infotainment systems today are no longer standalone units, but part of a network of interconnected systems within the vehicle. You only need to cast your mind back to the Jeep hack back in 2015 which demonstrated the feasibility of what was once thought to only be a theoretical threat. This is further exacerbated by the push for minimalistic interiors by manufacturers, where comfort functions are no longer adjusted using physical buttons but through the infotainment system.
What this means is that security measures are being implemented, whether they be encryption or the compartmentalisation of data, resulting in data that can no longer be accessed with traditional tools. Security is also being improved indirectly through a decline in use of proprietary operating systems in favour of those such as Android Automotive for infotainment systems.
Infotainment systems are recognised as one of the most exploitable gateways into other vehicular systems and, as a result, appear to be given the same developmental priority as other critical vehicle components by manufacturers.
I anticipate that the growing prevalence of connected vehicles will further reduce the types and volume of data stored on in-vehicle systems, as cellular data costs are no longer prohibitive and manufacturers can monetise the data as an additional revenue stream. Sending vehicle telemetry to servers rather than storing it onboard is also appealing from a risk perspective, especially given the growing public discourse around how much information vehicles retain and the increasing eagerness of companies to market their products as privacy-centric.
However, the challenges we face encourage us to seek opportunities elsewhere that may not have been considered until now. The aforementioned telemetry data may still be available to law enforcement even when the vehicle is no longer physically intact — whether it has been burnt out, damaged in a collision, or is still outstanding. For example, it may be possible to obtain a historic log of diagnostic trouble codes (stored in the cloud) for a specific vehicle, as we know certain passenger vehicle manufacturers are providing this as a service currently, albeit for fleet operators.
This data could be used by the prosecution to demonstrate a pattern of mechanical negligence by the vehicle’s owner, showing it was in an unroadworthy condition at the time of the collision. There may be further implications in a consequential civil setting in terms of insurance coverage suddenly becoming void or the insured party being held liable for any settlement costs incurred by their insurance company.
Looking further along the horizon at technologies in development and yet to be implemented, Vehicle-to-Everything (V2X) communication opens up a plethora of opportunities for all crime types. It may enable real-time geolocation of vehicles with GPS-level accuracy, help identify witnesses and suspects near key locations, and place individuals in vehicles with greater geographic precision. In fact, tier 1 automotive suppliers are already advertising the availability of telematics modules with V2X capabilities.
How do you stay up to date with rapidly evolving vehicle technologies and the impact they have on digital investigations?
Mainly through networking, knowledge sharing and keeping in touch with colleagues from other police forces, as well as external partners and experts such as Harper-Shaw and Rusolut. I’m a huge proponent of collaborative working between police forces. A significant proportion of offences involving vehicles are cross-border, and by assisting officers in other forces, there is an exposure to vehicles that I have not encountered to date in my own force, meaning that when I eventually do again, I’ll be able to provide an answer to the question of what data is held within the vehicle, with a bit more substance than “it depends”!
I’m also part of two national working groups focused on vehicle forensics and connected vehicles, where colleagues from other forces regularly present case studies and discuss novel investigative approaches. These groups provide a valuable and crucial platform for staying up to date with advancements in vehicle forensics and digital policing more broadly.
External partners are a valuable source of information, as they are often involved in serious investigations where every opportunity is explored, regardless of cost or complexity. The varied nature of their work takes them to conferences around the world, and their time spent networking benefits us as well — enabling them to signpost other subject matter experts within their networks and across both domestic and international law enforcement agencies.
Webinars — such as those hosted by Interpol — and product demos by tool vendors help bolster knowledge while offering insight into trends emerging in other countries, which we may not yet be experiencing but can begin preparing for by addressing potential capability gaps. And last but not least, the internet itself: online resources like owners’ forums, motoring journalism sites, and fleet news platforms are hidden gems for staying up to date with technological developments in vehicles.
Finally, what do you enjoy in your spare time?
I enjoy working out and hitting the gym — especially after being cooped up in the office all week writing reports! I also find a good book on existentialism entertaining, and I love going for drives on country roads, with plans to tackle the NC500 one day. When the weather allows, I spend time working on my car. I’ve currently got a Raspberry Pi set up for CarPlay and am developing a performance monitor that reads data from aftermarket sensors — a project that’s kept me busy over the past few months when I’m not doing DIY around the house.