Russell May, 4N6 Investigation

Russell, can you tell us something about your background and how you became involved in computer forensics?

Like many people I first became involved with computers as a hobby in the late 70’s, building my first computer from scratch. I soon discovered that the thing I found most enjoyable was computer programming – at first writing BASIC programs and then moving on to machine code. Throughout this time I was a police officer serving with West Midlands Police. In the mid 80’s the computerisation of crime records began and because of my knowledge of computers, I was drafted in to train operators of these new computer systems.Sometime later I moved to the newly formed computer training department where we would teach computer users how to use applications. It was during this time that detectives, encountering computers thought to be used in crime, would bring them to me and ask me to examine the computers for evidence. This grew to a point where I was spending more time examining computers than I was teaching and in 1998 I was asked to help setup what is now the West Midlands Police Hi-tech Crime Unit.

Retiring from the Police in 2002 I started work for Guidance Software, the developers of EnCase, and for sometime was director of training here in the UK before moving in to Professional Services as a forensic consultant. In 2007 I was offered the post of Senior Director of International Training at AccessData, the developers of Forensic Toolkit.

In 2009 I left AccessData and set up my own company – 4n6 Investigation and Training.

What services does 4N6 Investigation and Training offer? What is your own role?


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.


At 4N6 Investigation we offer Consultancy, Investigation and Training Services. Consultancy, in the main, is offering advice and assistance to companies wanting to build their own in-house forensic capability.

The investigation services involve the forensic collection and analysis of computer data for our corporate customers. Owing to the nature of the data most of this work is carried out on-site.

We also provide module based computer forensic training courses that can be tailored to meet the needs of our customers.

My role is to develop the business, but I still like to be as ‘hands on’ as possible and keep up to date with the current challenges and trends in the field of computer forensics.

What makes a good computer forensics training course? What challenges do you typically face and what qualities are most important in an instructor?

A good course is one that offers in depth discussions and practicals of the subject matter, presented by knowledgeable individuals who are also, preferably, practitioners in the field. Practitioners are better placed to offer insight into the real world application of principles and techniques being taught, as well as being able to demonstrate with real examples.

Computer technology and software development move at an alarming pace making it a challenge to stay current and present courses that are relevant to practitioners.

How important is it that someone teaching a computer forensics course has "real world" investigative experience?

I may have answered this in the previous question. I believe it is preferable teachers have “real world” investigative experience, but not essential. Forensic methods and theory can be taught by someone with a good understanding of computer science, but investigation is a skill developed and learned in the “real world”.

Each new job is different from the last and provides challenges, helping to hone the analyst’s investigation skills.

There has been an interesting discussion at Forensic Focus about "push button forensics" recently. While this isn't a particularly new topic – discussions of this type have been around for years. What is your sense of the way the role of the investigator has changed as forensic software suites have become more fully-featured? Have investigators become overly reliant on these features at the expense of a deeper appreciation of what is going on "under the hood"?

Gosh, “How long is a piece of string?” It is always an advantage to have an in depth understanding of computer hardware and how it is programmed, but again it is not necessarily essential, it really depends on the case under investigation.

I think it is important to understand what automated features are doing, so that you know how to test the results and confirm the features are working correctly. However, as forensic labs grow in size and investigations become more complex, investigators are becoming more focused and skilled in specific areas of expertise. So, not everyone needs to be able to formulate an EnScript or understand Linux operating systems. So long as that expertise exists and can be called upon to assist an investigator, I don’t see a problem.

Automated features appeared as a result of users’ requests. They are designed to make those repetitive, time consuming tasks quicker, and speed up the results the investigator is really interested in. So long as you are sure the automated feature is doing what is says then I do not see a problem with using it.

Many members at Forensic Focus find themselves needing to choose between an academic course, vendor training, non-vendor training and pursuit of a certificate such as the CCE. What advice would you give to someone in this situation?

To coin that well known forensic phrase, “It depends.” All the above types of training serve a purpose and have a place in career development.

With a view to long term career development and given that funding is available, I would opt for an academic course. These give the student a very good grounding in all the basic disciplines, giving them the opportunity to identify their own strengths and weaknesses and identify areas of special interest. However, with a few exceptions, academic courses teach the theory but not how to use the tools of the trade.

A criticism of academic institutions I often hear from employers, is that new graduates need a large investment in vendor training before they become productive employees of the company. If vendors and universities were to collaborate more efficiently I am sure the industry as a whole would benefit.

What would you most like to see changed or improved in the field of computer forensics?

I would like to see the introduction of minimum standards with regard to forensic training and laboratory procedures. These issues are starting to be addressed with the introduction of ISO standards for laboratories. The police have begun an initiative to develop Europe-wide standards of training for police personnel.

What is the most rewarding part of your job and what are your plans for the future?

Forensic investigation and training keeps me current with hardware and software innovations and helps me to keep the little grey cells active. My enthusiasm for computer forensics and thirst for knowledge in the subject has never diminished. I enjoy teaching and hopefully some of my knowledge and enthusiasm rubs off on students along the way.

As for my future plans, I would like to continue investigating and teaching as long as I am able.

What do you do to relax when you're not working?

Sad person that I am, I still enjoy computer programming. I enjoy photography and like to keep a record of my children and grandchildren growing up and the places I visit. When my first grandchild was born I purchased a video camera and I have great fun using software on my computer to make small movies.

Russell can be reached by email on admin@4n6investigation.com or through the 4N6 Investigation website at http://www.4n6investigation.com.

Leave a Comment