FF: Tell us about your background and how you ended up in your current role.
Before joining MSAB, I worked in the IT sector as a systems engineer, as part of a small but very talented technical team. Among other things, we’ve carried out several IT-related projects for LEA customers. Some of those projects required additional specific solutions such as digital forensics and mobile forensics software/hardware. I was made responsible for these “exotic” matters, and it didn’t take much for me to get fascinated by this new world. Among other tools and solutions that were required by customers, there was a tool with a cool name – XRY (although I was mistakenly calling it X-ray for some time) – from a Swedish company, Micro Systemation AB. Communicating with them was always a breeze – they were always approachable and knowledgeable.
I attended the MSAB Partner event in 2016 to improve my knowledge about the products, and it was the first time I visited the MSAB HQ. That was probably the first time I started dreaming about working in such a company.
Later, I continued my professional journey as a freelancer and was invited to assist at various MSAB events as a technical translator. I probably did a good job because shortly after that I was contacted by MSAB and asked if I’d like to work for them in the expanding new department of Product Specialists (Tech Sales) in 2017.
FF: What are your main responsibilities at MSAB?
I would say that bi-directional communication with our customers is my main responsibility. MSAB solutions help our customers at multiple levels, from the advanced acquisition features of XRY Pro to management-level orchestration of the entire ecosystem of mobile forensics with XEC Director. As a Product Specialist, I must be able to explain how it all works from general concepts to settings-level details and beyond. That requires me to constantly stay on top of our own technology and involves a lot of testing, preparing visual and demo material, and communicating with the development team.
The feedback part of this bi-directional communication is equally (sometimes even more) important. It can be a question that gives me a hint where I should improve my presentation and/or demo material, or it could be a great feature idea that we would evaluate internally between fellow Product Specialists and eventually forward to our Product Development Team.
Sometimes, I would try to address this kind of feedback via a route that is possible due to a remarkable feature of XRY and XAMN – the Python API. During the past two years, we’ve been helping customers to solve certain specific tasks through Python scripting. For example, back in 2019, inspired by a meeting with customers where I heard about their challenges with thousands of audio messages that had to be listened to to be analysed, I got this idea to develop a Python script that would transcribe those audio messages to text and return the text property back to the XRY “report”. After finding a suitable offline AI engine, I quickly developed a simple Python script, and we shared it with the customer. Later, an even better AI engine appeared on the radar, and the original idea was upgraded with this better engine by my colleague. As of today, we receive a lot of messages from customers telling us how they’ve managed to analyse tens of thousands of audio messages in the scope of a larger case and find the evidence by using that script. All that without requiring extra costs on the customer’s side.
So, there is a lot of such “homework” going on before and after meetings with customers, and it’s another key responsibility.
FF: What are the biggest mobile forensics challenges your customers are facing in 2024?
I’d say it’s the same regular suspects: the data access and the analysis of large volumes of data.
Data access is the all-time champion. If less data is retrieved, there is less material to analyse (might sound like a relief, but it’s not). This is a classic cat and mouse game where the (smart)phone industry does its best to secure devices, and mobile forensics solutions do their best to find a way in. The forces are unequal. Additionally, devices are becoming inherently more secure, because there are huge teams continuously improving on device security at different levels, including platforms (the SoCs), vendors (smartphone brands), kernel developers, OS developers, etc.
Navigating efficiently through large volumes of data in search of the answers to the investigation’s questions is arguably the second most challenging type of task our customers are facing. It depends on country or organization type, and sometimes it could be even more critical than data acquisition itself. Having the tools that allow flexible, efficient yet easy-to-use browsing through large volumes (both in size and quantity) of data is crucial. Software efficiency is one of the pain points for a lot of our customers as many must run the analysis on modest computers. Finally, it’s great to have tools that allow multiple built-in features to deal with volumes of data. But no single tool is perfect and can do everything, so it’s even better to have a tool that allows you to expand those capabilities “on-demand”, for any unforeseen challenges. Usually, it’s done via some sort of API.
FF: How do MSAB’s solutions help overcome such challenges?
We do our best to address all the above-mentioned (and many other) challenges.
When it comes to data access, it’s worth noting that MSAB is one of very few companies that has its own R&D department that continuously researches new unique exploits (and zero-days) and allows you to overcome the hurdles of device security and access data. With the device security landscape in mind, each new extraction method opens doors that were previously closed and is much appreciated by our customers. We’ve heard lots of success stories when customers were able to solve impossible devices using MSAB Office and even more so with the new XRY Pro.
Decoding of data has always been one of XRY’s strong points. Speaking about the speech-to-text story mentioned previously, now it is natively supported as one of XRY’s additional decoders that can be turned on if needed.
When investigators open an extraction, they expect something like opening a PDF file – some loading time and you’re ready to read through.
Navigating through large volumes of data efficiently has always been a strong point of our analysis suite – XAMN Pro. It adds on top of the built-in efficiency of the XRY files (pre-decoded, pre-indexed) which results in near-instant loading times (no waiting for data to be parsed), and fast search/filtering (artifacts are pre-indexed). Just having these two characteristics in an analysis tool helps customers immensely to save time. The tool is light on computer resources, so users don’t need special hardware to perform analysis, which frequently becomes an important factor.
XAMN Pro’s (and XRY’s) Python API that allows you to additionally process data via Python scripts has proven itself to be invaluable when the “zero-day feature” is required. I’ve previously described how we use this feature to help customers, but there are quite a few users that do that on their own. Sometimes it’s a niche application that needs to be decoded; sometimes it’s a custom bulk analysis based on extracted data.
FF: Mobile technology is constantly evolving. What role does MSAB play in collaboration and information sharing within organisations to help with mobile investigations?
Lab experts are the backbone of an organization’s mobile technology knowledge. They possess extensive field-specific knowledge and experience and are well-versed in the applicability of multiple tools to different scenarios.
In my opinion, it’s important nowadays that lab experts extend the reach of their expertise, for example to be able to seize the evidence in optimal state and benefit from state-of-the-art acquisition technology available in their lab. Or, when a junior lab expert joins the team and after the onboarding is finished, they might need an unsupervised but controlled environment to start doing extractions with some guidance, based on senior colleagues’ best practices.
MSAB has user account-based examination solutions that can implement an organization’s procedures via custom step-by-step sequences. It could be, for example, a sequence that helps first responders seize different devices in optimal state based on the organization’s best practices and considering lab experts’ current requirements (e.g., if they have a tool that can deliver amazing results when the device is in AFU mode). Or it could implement guided sequences for new lab members to help them follow best acquisition practices established in their lab/organization.
I think this would allow organizations to ensure that information and knowledge that is crucial for efficient mobile investigations is always there where it’s needed and can be updated when the organization requires.
Finally, all the above-mentioned could be centrally managed by the management solution (XEC Director), ensuring that organizations have visibility and mechanisms to monitor their entire mobile forensics ecosystem and be able to act promptly when needed.
FF: What kind of education or experience is most useful for someone aiming to become a mobile forensics examiner?
I think curiosity-driven steps into anything on the spectrum of computer science, such as the foundations of operating systems, databases, data structures, algorithms, and programming, or even computer architecture, would enhance any subsequent field-specific training and experience. Learn to read the Source, Luke.
Studying a programming/scripting language is usually a good starting point. One would inevitably cross paths with other topics, for example, algorithms and data structures. Not to mention the immediate benefits of the applicability of some languages like Python in an examiner’s everyday work.
FF: Looking towards the future, what new skills or areas of knowledge do you think will become increasingly important for professionals in the mobile forensics field?
My feeling is that the more we advance in technology with layers and layers of abstraction (and sometimes obfuscation) everywhere, the more important it is to know and understand the underlying foundations. So, I think it will become increasingly important to know and understand how these devices work and generate the data, where it comes from and what it means. In that sense, the important new skills will be the good old ones.
Another aspect that will become more important is efficiency through automation. The ability to automate routine tasks, both through personal knowledge and skills (programming/scripting) and through tools and solutions that foster those skills, will make a big difference.
FF: And finally, outside of digital forensics, what do you enjoy in your free time?
I like spending time with my family, watching and developing a young Natural Intelligence (my son). As for hobbies, I try to follow my curiosity, which has now dragged me back into computer architecture and the world of low-level programming. Not that I’m particularly good at it, but advancing small steps into what I’m curious about and having those a-ha moments makes me feel good.