Jim, can you tell us something about your background?
I left school in Dundee, Scotland when I was 17 years old and joined the Royal Air Force Police. I served in the RAF Police for just over 15 years, the majority of which was spent in the Special Investigation Service. Like most service personnel I served all over the place including three years in Cyprus, also visiting Belize in Central America, the Falkland Islands and finishing off with three years at the Joint Headquarters at Rheindahlen near Monchengladbach in Germany.
On leaving the RAF I joined Merseyside Police where I served in Liverpool city centre. I ended up on a Pro Active vehicle crime unit. After three great years I transferred to West Mercia Police where I was initially stationed at Kidderminster to the South West of Birmingham. West Mercia is the fourth largest geographic police area in England and Wales. It covers the Welsh border counties of Herefordshire, Worcestershire and Shropshire. While West Mercia is predominantly rural, it also contains some densely populated urban areas and many market towns. As you can imagine it was quite a culture shock compared to Liverpool City centre.
After a short period in uniform I spent a number of years on the Pro Active CID, mainly employed in drug investigations at a local level, before successfully applying to become a Detective in the Criminal Investigation Department. In 2001 I successfully applied to join the Hi Tech Crime Unit. As they say the rest is history.
Why did you decide to work in the field of computer crime investigation?
I was always interested in computers from my days of being the proud owner of a ZX Spectrum and later when I seriously upgraded to an Olivetti 486. Whilst in the CID at Kidderminster I successfully completed a project management course and later during 2000 had the opportunity of going on an attachment to help the Force introduce the National Intelligence Model. Whilst part of the project team I first came into contact with the Hi Tech Crime Unit that at that time consisted of one member of staff. During 2001 the Hi Tech Crime Unit expanded and I successfully applied for one of the roles within the unit. As you can see from my background I’ve always worked in an investigatory role which is something that I enjoy and so computer forensics allows me to continue this, learn new things every day and support the investigation teams.
What does your role involve? Can you describe a typical day?
My formative years in Computer Forensics involved working in the Hi Tech Crime Unit, where I was employed as a Computer Forensic Analyst and latterly as the Network Investigator.
After four years I left the unit and took up my current post as the Hi Tech Analyst working in a specialist support team together with Financial Investigation staff and a Crime Analyst, supporting the Force Serious & Organised Crime Unit.
My current role involves supporting the Investigation teams by providing Hi Tech Crime support for the examination of Computers, Sat Navs and Mobile Devices such as mobile telephones. Rather than being predominantly Lab based I tend to get out on search warrants and not only assist with the seizure of equipment but also where possible examine items so that the interviewing officers have the results available for the first interview at the station where the suspect has been taken.
This has proved to be really successful, as proved recently by the recovery of almost £25,000 from a hidden safe by me simply recovering significant SMS data from a handset prior to an interview. There’s no doubt that had there been a delay in the examination the money would have gone.
Working closely with the Financial Investigators allows me to feed directly to them information such as online bank accounts, details of overseas trips and foreign property ownership discovered during the examination of a suspect’s computer.
As far as a typical day, I don’t have one; my role ensures that my days are fairly varied, depending on priorities.
What are the main types of crime you investigate?
Typically our unit investigates the more serious offences, mainly involving Organised Crime Groups in the force area. These are predominately, but not restricted to, the supply and distribution of drugs on a large scale, frequently interlinked with money laundering. Our unit is also frequently called upon to assist the force Major Crime Unit with investigations into murders and the likes.
In your experience, are criminals becoming better informed about computer forensics procedures and becoming more skilled at covering their tracks?
In terms of anti-forensics, not really to be honest. I’ve seen some of the presentations at Black Hat where someone will demonstrate how to circumvent computer forensic techniques or tools, but how many of us have actually come across these advanced techniques in the wild? Not many, I would imagine. Like most examiners in the past I’ve come across suspects who use commercial anti-forensic tools such as Evidence Eliminator and also like most examiners have nonetheless recovered plenty of incriminating evidence.
In terms of covering tracks I think that the latest browsers with privacy and browsing deletion settings that users can easily access are going to be more of a threat to us than anti-forensic techniques deliberately being employed by users.
What trends do you see in computer crime and what new challenges do you envisage in the future?
Far better people than me have attempted to foresee future trends and failed; so I’m not sure whether I can truly predict them with any great certainty although it’s fairly safe to say that we will continue to see the use of malware and social engineering techniques to extract personal data from computers.
In terms of challenges; increased volume is a massive issue although not a new one. When I started out an average case was a single computer tower with a 10 Gb hard drive and some floppy disks. Recently I opened the casing of a Sony laptop to find a 500Gb hard drive. This massive increase in volume of storage has brought problems for us all. There appears to be an arms race in terms of constantly upgrading our storage capacity to deal with this. The problem also impacts on the time it takes to index data or search across data sets. One area that may be of interest following on from the triaging of computers will be the next step of possibly creating logical evidence files rather than the traditional imaging of a whole disk.
What is the most rewarding part of your job?
Providing the investigation team with some crucial evidence. I will always remember one particular case involving a brutal double murder where the suspect’s laptop was sent to the HTCU at short notice. I started the imaging process off in order for it to complete overnight and used Craig Wilson’s HstEx to extract all of the Internet history on the drive. Just before I left the office I quickly looked at the Internet history and was amazed to see a Google search for “hammer murder methods”. To say that the incident room were happy with the phone call I made after picking myself up off the floor is putting it mildly. Much was made of the computer evidence at court and the suspect was subsequently sentenced to life after being found guilty.
What aspect of your job do you find most challenging?
The constant battle for resources in terms of funds for equipment or training. It’s no secret that in terms of finance for the public sector, things are going to get extremely difficult in the foreseeable future. Computer forensics is seen as an expensive area to fund and I have already seen a bit of a squeeze put on training budgets. Many senior managers still believe that the ‘find all evidence’ button exists. I did my initial training at Cranfield University and in fact recently graduated with an MSc in Forensic Computing. The skills and knowledge that I learnt from the likes of Professors Tony Sammes and Brian Jenkinson together with nationally respected practitioners such as Geoff Fellows and the many other lecturers just simply cannot be underestimated. It’s essential that new entrants to this field are given access to places like Cranfield and that those of us that have been around a little longer are pro-active in our continuing professional development.
One of the questions we're often asked at Forensic Focus is "how do I get started in a computer forensics career?" What advice would you give?
That’s an extremely difficult question. If you’re just starting out then some form of training or qualifications are a must. If someone has an IT background then it’d definitely be a great start, but not essential. In terms of qualifications there are a number of universities in the UK now offering degree courses in computer forensics. However I’d add a caveat to anyone looking around for a course; that is I’ve been alarmed at some courses which appear to be nothing more than a software engineering course with a few modules paying lip service to forensics. In terms of gaining experience many places are now taking students on placements, which is a great opportunity to add some experience to your CV to support any formal training.
What qualities do you think are most important for work in this field?
Attention to detail is crucial as well as the obvious character qualities of honesty and integrity. Doggedness and the desire to constantly strive to learn more are also extremely important.
What do you do to relax when you're not working?
I’m fairly family orientated, but when not spending time with family and friends I like to watch Rugby and am a season ticket holder at Gloucester Rugby Club. I also make the trip back up to Scotland at least once a year to watch Scotland play rugby at Murrayfield. In fact I have two trips booked in the next few months – the Autumn internationals against Argentina and the Six Nations against France!
Jim can be reached by email on [email protected].