Sarah, tell us a bit about yourself. How did you begin your career, and what is your current position?
My career started when I was working in a legal practice. From a young age, I have always been interested in crimes, criminal process and the investigation of crime. In fact, I always wanted to be a lawyer. I started working in firms with criminal lawyers and was lucky to work in a department that was focused around serious crimes. Things got really interesting for me when computers and digital evidence were involved in offences; either in the commission of the crime or in the police investigations.I worked on some high-profile cases at that time and I found the whole process of digital forensics incredibly interesting. I ended up going to a couple of training courses whilst I was working in the legal practice and realised that I had fallen in love with digital forensics. That’s when I decided that I wanted my future career to move into digital forensics. I started a job as an investigator with an IT company that had recently opened a digital forensics department, and that’s where it all started.
At that point, we were working in version 1.6 of FTK® as well as other tools, and I started slowly by taking a couple of training courses. Before long, we had built up a small, organically grown, digital practice and I moved from a junior investigator to a senior investigator. I then moved into laboratory management, which I really enjoyed because that meant I could work with the cases, but also work with the management of the organisation and teams, building processes and an efficient lab. While I worked as a lab manager, ISO 17025 arrived. I learned a great deal about what it meant to try to achieve ISO 17025 accreditation and also what it means to maintain it.
At some point, I knew I wanted to develop my career in new areas and was asked to be involved in training at the same company. Shortly after, I started to work for AccessData. I had wanted to work for a vendor for a while because I could be at the forefront of innovation and development and would be able to respond to the needs of the community. And that takes me to where I am now, taking knowledge all over the world.
In my role, I am responsible for the management, delivery and creation of training for AccessData’s international customers. I enjoy a really varied role and I travel to deliver training and work alongside new and existing customers. Our training sometimes involves writing bespoke trainings for customers who have specific requirements. This is very rewarding as it allows me to learn about their workflows and processes, which I really enjoy.
What skills did you have to master as a foundation of your expertise?
Being able to demonstrate competence in using the tools is what’s really important. We need to know what happens not just at the front end of the software, but also how the artefacts and data in the evidence set are constructed, their characteristics and how tools are producing the results.
Just as importantly, we need to understand why we do what we do, understand the criminal process, procedure, what we can do and what we can’t do; whether we have to limit the scope of the investigation or not, who we are going to work with, and all of the supporting procedures. All of that information is as foundational as the tools themselves.
Our forensic toolkit (no pun intended) is an important part of our day-to-day job, so we must be proficient in using it. Additionally, we always need to be prepared for the unexpected, e.g., will we encounter new artefacts or something that we’ve never seen before?
What challenges have you had to deal with during the early stages of your career?
The biggest challenge for me was getting access to the right training, the right information to understand what’s going on, and to find the time to do so when I knew there was a case waiting to be worked on.
Also challenging is when you are working on a case and being exposed to new parts of the investigation, whether it’s a new type of encryption or software or how artefacts are created from those items. Trying to understand all those things in a limited period because of the time constraints of the investigation is one of the more consistent challenges.
How do you compare digital forensics now compared to how it was ten or fifteen years ago?
Ten or fifteen years ago, digital forensics was in a very different place. We didn’t have the number of investigations and requirements we have now. Digital forensics was still a fairly new area and our investigations used to take longer because we had to do more manual investigation to find the level of detail that was expected at that time.
We spent a lot of time breaking things down, to a very deep level, to ensure we could ascertain accurate and repeatable outcomes to our investigations. We also had more time to conduct the investigation.
Now, with the massive increase in the use of technology in the commission of crimes and as supporting evidence, our investigations need to be more focused, targeted and streamlined.
There’s also never been a greater requirement than ISO 17025. The community wants us to demonstrate competency in laboratories and to demonstrate that we are proficient to do the job we do. That said, laboratory accreditation is a demonstration of what we adopt… good practice.
The one thing that hasn’t changed is the community. A community that’s very focused on working together where opportunities for innovation exist. It’s a small but global community in which everybody wants to do the right thing and is focused on achieving the results of investigation. We are passionate about making sure we achieve the right outcomes in the interests of justice, or based upon the requirements placed upon us.
What are some industry challenges you have or have heard about?
There are a number of challenges in the industry. We all race against time to keep up with, or stay a step ahead of technology. We are always working hard to keep up with the speed in which criminal activity changes.
Digital forensics and incident response are a couple of the few crime areas where there is quite a level playing field between criminals and law enforcement. Typically, both have access to similar tools and securing a successful prosecution can be ultimately down to who can outsmart the other; therefore, staying one step ahead of the curve in intelligence gathering, technical knowhow, constant reassessment of assistive software and one’s own skills is imperative. This is where lab software and procedural reviews can assist greatly.
The other challenge is the number of devices, firmware versions, operating systems and “apps” we are seeing now. Digital devices play such a massive role in our lives and that can impact the amount of data that we need to investigate.
We have to make sure that we do our investigation well and understand what’s going on.
The other thing that presents a challenge for us as vendors and laboratories is bringing in new tools. If we bring in a piece of software, we need to go through a process of implementing that into an ISO 17025 environment. We need to understand how it’s going to fit into the workflow, make adjustments, and conduct rigorous testing. All of that takes resources, time and money.
It’s not easy to implement a product into a lab anymore and it requires a long-term commitment.
Is ISO 17025 a UK-only regulation?
No, ISO 17025 is an international standard. It is a huge part of our lives as investigators. We regularly speak to customers beyond the UK about the implementation of ISO 17025 in their laboratories. It’s something that is beginning to be adopted across the world.
What does Laboratory Accreditation mean for AccessData?
The most important thing that we need to understand is the process that the customer goes through to be able to bring the product into the lab environment.
We want to take our own products and go through our method validation process and simulate it so we can fully understand what the customer goes through.
It goes without saying that we always rigorously test our tools but we want to simulate the method validation process, so that we can put ourselves in the eyes of our customers, and what bringing new tools into the lab means. We plan a method, just like a customer would do, record that plan, go through a method validation process, and document the results.
This is something we also want to bring into our training program.
What are your plans for the future?
We are undertaking a huge amount of development in terms of innovation, automation, workflow optimisation and exciting new training packages (which go far beyond standard software training, into many more of the areas discussed previously). We have many ex-investigators within our company and work closely with our customer advisory boards to ensure we can continue not only to deliver what customers already expect of us, but also constantly analyse trends to help our customers stay that crucial step ahead of those under investigation.