The Often-Ignored Value Of Training Investigators To Use Digital Forensic Tools

By: Simon Crawley, Senior consultant at MSAB

In January 2015 a rape case in London collapsed after police failed to find key evidence.

The defence lawyers were able to show a dozen pictures of the pair apparently cuddling in bed and to prove that the images had not been disclosed by police or prosecutors. They did this after hiring an independent forensic expert.

The failure to prosecute this case successfully was less an example of crucial digital evidence not being found, or not being handed over to the defence, than an example of the severe pressure law enforcement is under when dealing with digital evidence.

One of the main issues is that law enforcement agencies (LEAs) initially tend to focus all their training resources on getting the data out of the device in the first place. This is of course important: getting the data out can be a challenge, and it needs to be done in a forensically sound way (a repeatable process that preserves the original and records its integrity, typically with a hash taken at acquisition) so that the courts can trust the data.


But what happens to that data then? Who is tasked with reviewing it, analyzing it, extracting the evidence and presenting it to a court? And, most importantly, what training have those officers had to carry out all this work? I know from my previous experience that investigators were simply given a download and told to 'crack on'. Or the investigator took an extraction file and said they would hand it to the High Tech Crime Unit to deal with. Neither of these two models is sustainable in the modern world.

The sheer volume of data held on mobile devices these days is mind-boggling. I recently had feedback from a customer about an XRY file they had recovered from an iPhone. It was 346 GB in size. This file held 1.4 million pictures and 2.8 million chat messages!

Another customer on the other side of the world had a file with 2.4 million chat messages.

These file and content sizes are going to become the norm. So not only do you need an extraction platform that can handle the extraction, you also need officers who are trained to carry out the extraction in a forensically sound way, and investigators who are certified in the use of their tools so they can carry out their investigations completely and thoroughly.

Asking an investigator to 'crack on' and investigate a data set of millions of items is simply not sustainable. Investigators are going to miss vital evidence, and courts, in whatever jurisdiction, are not going to tolerate that.

Equally, returning an extraction file to your forensic extraction team for them to find the evidence is unsustainable. With huge file sizes you are tying up expensive specialist resources on work that could be carried out by an investigator, provided that investigator is properly trained.

Investigators need tools that can open large files quickly (XAMN opens files of this size in seconds rather than hours). They then need training to understand the artefacts they are presented with, to quickly filter out system artefacts, and to use filters correctly and intelligently so they can navigate the data efficiently and find what they are after.
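As an added example (not MSAB's or XAMN's code, and not from the original article), here are the two habits this workflow depends on in working form: verify the extraction's hash against the acquisition record before touching it, then apply filters that drop system artefacts and narrow by time window, participant and keyword, recording the criteria alongside the hits so the same selection can be reproduced later by the High Tech Crime Unit or a defence expert. The export format, the field names and the sample messages are constructed assumptions, not the output of any real tool.

```python
"""Integrity check plus reproducible filtering over a large message export.

Added illustration for this article, not MSAB or XAMN code. It assumes a
tool-agnostic export of one JSON object per line with the fields used below
(id, app, ts, from, to, kind, text); real tools use their own formats.
"""
import hashlib
import hmac
import io
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Iterator

# Constructed sample export: not data from any real device, case or person.
_SAMPLE_ROWS = [
    {"id": 1, "app": "WhatsApp", "ts": "2015-01-09T08:00:00Z", "from": "+447700900001",
     "to": "+447700900002", "kind": "user", "text": "Are you coming tonight?"},
    {"id": 2, "app": "WhatsApp", "ts": "2015-01-09T08:01:00Z", "from": "+447700900002",
     "to": "+447700900001", "kind": "user", "text": "Yes, see you at 8"},
    {"id": 3, "app": "WhatsApp", "ts": "2015-01-09T08:01:30Z", "from": "", "to": "",
     "kind": "system", "text": "Messages to this chat are now secured with end-to-end encryption."},
    {"id": 4, "app": "SMS", "ts": "2015-01-09T23:40:00Z", "from": "+447700900003",
     "to": "+447700900001", "kind": "user", "text": "Call me when you can"},
    {"id": 5, "app": "WhatsApp", "ts": "2015-01-10T02:15:00Z", "from": "+447700900001",
     "to": "+447700900002", "kind": "user", "text": "Got home ok?"},
    {"id": 6, "app": "WhatsApp", "ts": "2015-01-10T02:20:00Z", "from": "+447700900002",
     "to": "+447700900001", "kind": "user", "text": "Yes thanks, night"},
    {"id": 7, "app": "WhatsApp", "ts": "2015-01-12T10:00:00Z", "from": "+447700900001",
     "to": "+447700900002", "kind": "user", "text": "Are you free Friday?"},
    {"id": 8, "app": "WhatsApp", "ts": "2015-01-12T10:00:05Z", "from": "", "to": "",
     "kind": "system", "text": "Your security code with this contact changed."},
]
SAMPLE_EXPORT = ("\n".join(json.dumps(r) for r in _SAMPLE_ROWS) + "\n").encode()


def sha256_hex(data: bytes) -> str:
    """Hash of the extraction as acquired; this is the value written into the acquisition record."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data: bytes, recorded_hex: str) -> bool:
    """Re-hash before analysis; a mismatch means this is not the file that was acquired."""
    return hmac.compare_digest(sha256_hex(data), recorded_hex)


def parse_records(data: bytes) -> Iterator[dict]:
    """Stream one record per line so a multi-million-row export need not be loaded whole."""
    for line in io.BytesIO(data):
        line = line.strip()
        if line:
            yield json.loads(line)


def _parse_ts(ts: str) -> datetime:
    # ISO 8601 with a trailing Z; normalised to UTC so windows compare correctly.
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


@dataclass
class Criteria:
    """The filter applied to the export. Kept as data so it can be reported and re-run."""
    start: str                           # inclusive, ISO 8601 UTC
    end: str                             # exclusive, ISO 8601 UTC
    participants: tuple = ()             # any of these numbers as sender or recipient
    keywords: tuple = ()                 # case-insensitive substring match on text
    include_system: bool = False         # system artefacts are dropped by default

    def __post_init__(self):
        self._start = _parse_ts(self.start)
        self._end = _parse_ts(self.end)

    def matches(self, rec: dict) -> bool:
        if rec.get("kind") == "system" and not self.include_system:
            return False
        if not (self._start <= _parse_ts(rec["ts"]) < self._end):
            return False
        if self.participants and not ({rec.get("from"), rec.get("to")} & set(self.participants)):
            return False
        if self.keywords:
            text = (rec.get("text") or "").lower()
            if not any(k.lower() in text for k in self.keywords):
                return False
        return True


def triage(data: bytes, recorded_hex: str, criteria: Criteria) -> dict:
    """Refuse to analyse a file whose hash differs from the acquisition record, then
    return the hits together with the input hash and the criteria used, so a second
    examiner can reproduce exactly this selection."""
    if not verify_integrity(data, recorded_hex):
        raise ValueError("extraction hash does not match acquisition record")
    hits = [rec for rec in parse_records(data) if criteria.matches(rec)]
    return {"input_sha256": recorded_hex, "criteria": asdict(criteria), "hits": hits}


if __name__ == "__main__":
    recorded = sha256_hex(SAMPLE_EXPORT)  # in practice, read from the acquisition record
    crit = Criteria(start="2015-01-09T00:00:00Z", end="2015-01-11T00:00:00Z",
                    participants=("+447700900002",))
    result = triage(SAMPLE_EXPORT, recorded, crit)
    for rec in result["hits"]:
        print(rec["id"], rec["ts"], rec["from"], "->", rec["to"], rec["text"])
```

The integrity check is deliberately a hard stop rather than a warning: an investigator who carries on with a file whose hash no longer matches has nothing to show the court. The returned criteria block is what goes into the notes, so that the High Tech Crime Unit can re-run the same selection against the original extraction and confirm the hits.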

Once investigators have found the evidence they are looking for, they may need to return it to the High Tech Crime Unit, so that the unit can show, beyond any doubt, that the data was on the specified device and that the suspect was aware of it.

To enable this, agencies need to invest some of their precious training budgets in teaching their officers how to actually use the tools they are given to do their work.

MSAB offers a number of versions of its analytical tool XAMN, from XAMN Spotlight, Horizon and Elements for forensic analysis and hex carving through to a free version, XAMN Viewer, for investigators to use. But these tools are of little use if the investigator doesn't know how to use them.

There are also short training courses on how to use XAMN to get the best data from an extraction. These can be taken in a classroom or via an online platform, so investigators can study at a time that suits them; organizations are free to choose whichever delivery method suits them best.

The outcome of investing in your investigators is that not only will you have an extraction that is forensically sound, but your investigators will also be certified in the tools they use to find the evidence that helps convict criminals. This will also help the courts have faith and trust not only in the extraction process, but also in the investigative process.

Your agency can avoid making the headlines for the wrong reasons.


About The Author

Simon Crawley is a former Police Sergeant in the Metropolitan Police Service, with 10 years of experience in Counter Terrorism intelligence gathering using digital forensic tools. Simon designed, built and managed an effective and efficient MSAB ecosystem to improve data collection, and he is now a senior consultant for MSAB. He also holds a Master's degree in Forensic Computing and Cybercrime Investigations.
