The Often-Ignored Value Of Training Investigators To Use Digital Forensic Tools

By: Simon Crawley, Senior consultant at MSAB

In January 2015 a rape case in London collapsed after police failed to find key evidence.

The defence lawyers were able to show a dozen pictures of the pair apparently cuddling in bed and to prove that the images had not been disclosed by police or prosecutors. They did this after hiring an independent forensic expert.

The failure to successfully prosecute this case was less an example of crucial digital evidence not being found, or not being handed over to the defence, and more an example of the severe pressures law enforcement is under when dealing with digital evidence.

One of the main issues is that Law Enforcement Agencies (LEAs) initially tend to focus all their training resources on getting the data out of the device in the first place. This is of course important, as getting the data out can be a challenge and needs to be completed in a forensically sound way so the courts can trust the data.



But what happens to that data then? Who is tasked with reviewing it, analyzing it, extracting the evidence and presenting it to a court? And, most importantly, what training have those officers had to carry out all this work? I know from my previous experience that investigators were just given a download and told to ‘crack on’. Or the investigator took an extraction file and said that they would give it to the High Tech Crime Unit to deal with. Neither of these two models is sustainable in the modern world.

The sheer volume of data held on mobile devices these days is just mind-boggling. I recently had feedback from a customer regarding an XRY file they had recovered from an iPhone. It was 346Gb in size. This file had 1.4 million pictures in it – and 2.8 million chat messages!

Another customer on the other side of the world had a file with 2.4 million chat messages.

These sorts of file and content sizes are going to become the norm. So not only do you need an extraction platform that can handle the extraction, you need officers who are trained to carry out the extraction in a forensically sound way, and you need investigators who are certified in the use of their tools in order to carry out their investigations completely and thoroughly.

Asking an investigator to ‘crack on’ and investigate, when you have data sets of millions, is just not sustainable. Investigators are going to miss vital evidence and courts, in whatever jurisdiction, are not going to tolerate it.

Equally, returning an extraction file to your forensic extraction team for them to find the evidence is also unsustainable. With huge file sizes you are tying up expensive resources conducting work that could be carried out by an investigator, provided that the investigator is properly trained.

Investigators need to have the tools with which to quickly open up large files (XAMN opens files of this size in seconds rather than hours). Investigators then need training to understand the artefacts they are presented with, to quickly filter out system artefacts, and to use filters correctly and in a smart way so they can speedily navigate the data to find what they are after.

Once the investigators have found the evidence they are looking for, they may need to return it to the Hi Tech Unit. This is for them to be able to show, without any doubt, that that data was on the specified device and that the suspect was aware of this.

In order to enable this to happen, agencies need to invest some of their precious training budgets in training their officers on how to actually use the tools they are given to conduct their work.

MSAB offers a number of different versions of their powerful analytical tool XAMN, from XAMN Spotlight, Horizon and Elements for forensic analysis and hex carving, through to a free version (Viewer) for investigators to use. But these tools are not much use if the investigator doesn’t know how to use them.

There are also short training courses on how to use XAMN to get the best data from the extraction. These can be taken in a classroom or via an online platform so the investigators can study at a time that suits them. Organizations are free to choose whichever delivery method suits best.

The outcome of investing in your investigators is that not only will you have an extraction that is forensically sound, but your investigators will also be certified in the tools they use to find the evidence that helps convict the criminals. This will also help the courts have faith and trust not only in the extraction process, but also in the investigative process.

Your agency can avoid making the headlines for the wrong reasons.

For more information visit our website: https://www.msab.com.

About The Author

Simon Crawley is a former Police Sergeant in the Metropolitan Police Service, with 10 years of experience in Counter Terrorism intelligence gathering using digital forensic tools. Simon designed, built and managed an effective and efficient MSAB Ecosystem in order to improve data collection, and he is now a senior consultant for MSAB. He also holds a Master's degree in Forensic Computing and Cybercrime Investigations.
