Cyacomb’s Jeffrey Bell, Brandon Gardner & Alan McConnell on the Facets of Digital Forensic Triage

Christa Miller: The investigation of child exploitation is a delicate balance between rescuing children, ensuring perpetrators are correctly identified, and safeguarding investigator mental health. This week on the Forensic Focus podcast, Si Biles and I are with Cyacomb; talking digital forensics with Jeffrey Bell, Customer Success Manager; Alan McConnell, Head of Customer Success; and Brandon Gardner, Program Manager. Jeff, Brandon, Alan, welcome.

Jeff, Brandon, Alan: Welcome. Thank you so much for having us.

Christa: Oh, absolutely. It’s our pleasure. So, I guess, let’s start with some introductions. I think you all have a law enforcement background.I know two of you are newer hires, so tell us a little bit about where you came from and what attracted you to Cyacomb.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

Brandon: Jeff, I think I’ll go ahead and go first if you’re alright with that. So, I’m Brandon Gardner. I’ve spent the last 15 years of my life dedicated to supporting law enforcement in some sort of capacity. I spent 10 of those years at the International Association of Chiefs of Police in Alexander, Virginia. There I traveled and worked on a wide variety of projects and managed some on my way out. I then got married, had our son, and realized it’s time to come back to smalltown Ohio where my family is. So I spent five years at the Ohio Department of Public Safety.

Initially, I was a senior advisor to the director. I transitioned to an Assistant Director of Ohio Homeland Security and most recently left the Ohio Narcotics Intelligence Center, where I oversaw two digital forensic labs and an intelligence team, one in Cleveland and one in Toledo. I’ve got a Master’s in Criminal Justice from the University of Cincinnati, a Bachelor’s from the University of Mount Union. And happy to say that this is my first semester of my PhD where I’m going to focus on leadership and privacy concerns as it relates to public safety, digital forensics, and technology just continues to advance and how does privacy play a role in that for leaders down the road is really where my focus and mind’s going to be.

Christa: Very cool, very cool.

Brandon: That’s a little bit about me.

Jeffrey: So, I’ll jump in to this point, too. Jeffrey Bell, So, I’ve got pretty close to 31+ years, either working directly inside or with law enforcement. I started my career in law enforcement just a bit ago in 1991 as a patrol officer, and worked my way through the ranks, you know, the various levels of street patrol and then into investigations, police supervisor, administrator, those sorts of things. My agency actually did a contract with a large sheriff’s office here in Utah, just right after the Olympics.

And it gave me the opportunity to kind of spread my wings a little bit. So I took on some more assignments in criminal analysis and criminal intelligence during that time. And then the tail end, almost five years out to where I had almost 20 in for my retirement, I was able to jump into computer forensics with the FBI’s CART Analysis and Response Team with the Intermountain West RCFL in Salt Lake.

So I started there as a forensic examiner, kept my teeth, and then moved into the Deputy Director position before leaving that position and retiring from law enforcement in the state of Utah in 2012. I sat out for just a little bit of time doing some work for Apple with their iOS and hardware support from home. Kind of one of my first workout gigs that I did for about a year. And then I had somebody came knocking on my door through LinkedIn and offered an opportunity with the DEA to do digital forensics with them out of Camp Williams, Utah.

And so 2013, I jumped back into the forensics game and spent pretty much the last nine plus years, with the DEA doing digital forensics with them here in Utah and across the nation as I traveled about. So, that’s my quick background, Bachelor’s of Science from Weber State University as well here in Utah. And various certifications, my ENCE and GFCE, of course, with SANS and a lot of other things that I’ve done before jumping on this opportunity, tremendous opportunity to be with Cyacomb.

Christa: Very cool.

Alan: Thanks, Jeff. Hi, everybody. I’m Alan McConnell. I’m Cyacomb’s Head of Customer Success. I’ve been with the company for three years now. Prior to that I was a police detective and digital forensic analyst with the police here in not so sunny Scotland today, but very pleasant Scotland. During that time, most of my work was based around child protection, CSAM, and kind of terrorism investigations on the digital forensic side. Prior to that, I’ve spent a lot of time overseas. I did a lot of work in Eastern Europe and Africa for 10-15 years before coming back to the UK. As I say, it’s working for Police Scotland, that’s where I met up with our Chief Technical Officer, Bruce Ramsey for Cyacomb.

He was also an analyst in Police Scotland. And it’s out of that work we did in the Digital Forensics Unit in Police Scotland, that what we do now, the technology we have in Cyacomb was born. We saw a need back then for a change in how things are done in digital forensics due to the proliferation of cheap devices, the number of devices being seized when you execute a search warrant was just expanding and expanding. So, you know, something really needed to be done to ease that kind of workflow and expedite the investigation. So it was out of that thought process and that work that our rapid triage technology was born. And here we are today.

Christa: Yep, yep. So, that actually is a good lead into my question. I posed a question, we spoke the other day with Graham and Mike, and that question was around the National Center for Missing and Exploited Children, which reported nearly 30 million cyber tip line reports in 2021. That was up from a total of nearly 22 million in 2020, and almost 17 million in 2019. So, obviously, the numbers are just accelerating. We know Cyacomb Safety is one part of this equation on the preventive side, but Cyacomb Forensics is the other part as each of those tips does need to be investigated and that it doesn’t count reports from other sources in investigators communities. So how is your side of the business addressing those daunting numbers?

Brandon: I think I’ll go ahead and take a stab at that first, and then maybe kick it over to Alan. But I think how we’re addressing these numbers is through a keyboard you’ll hear me say a lot through all this, and that’s speed. So speed is king in this industry. Being able to triage devices that have been on shelves for months and weeks on end are keeping safer communities, keeping criminals off the street.

But I’m going to go back to that big issue about speed. So in my old life, we used to have devices that would sit on shelves for hours that we knew had some sort of narcotics focus, but we didn’t know where to go and once you started using certain tools, things could take forever.

So, it was really hard for me to direct staff on where to go on what cases and whatnot. But being able to triage digital devices quickly, efficiently, and accurately is really where we are going to help in the biggest space. We’re going to be able to gear teams what phones, what computers, what vehicle system, like, where can we go to find that fast? I think I’ll kick it over to Jeff or Alan now to kind of deep a little bit more, but speed is king, and that’s really where our focus is.

Jeffrey: Yeah, absolutely. With Cyacomb’s technology, you know, it’s fast, simple and thorough. So, you know, the key points here are on scene where we have investigators that have numerous devices to go through. You know, time is limited, they need results, they’re able to do that, simple, the tool’s easy to deploy on a dongle base, literally and accurately to identify the present to CSAM and to do so very quickly in those settings.

Alan: Yeah, I mean, I can’t add much on top of that, but just to refer back to your original question, Christa, and that’s really the number of cyber tips as they grew. This is exactly why our company exists. This is where it was born from. It was born from that experience in the UK here, as opposed to the US of, and Brandon said that the backlog of devices was just expanding and expanding. And certainly here in Scotland, we got to the point we had devices sitting in a backlog of nine months to 12 months waiting to be examined for digital evidence.

Jeffrey: And I know what he’s talking about. I mean, obviously there’s tremendous backlogs. We saw that in the labs in my experience with both the Intermountain West RCFL and with the DEA. and so this is also a tool that can be utilized not only on scene, but in the lab, as well. So, you know, reducing time on scene and then reducing backlog in labs is a force multiplier obviously with this technology.

Brandon: Christa, can I build off what Jeff said here, Just to give you, like, a real-world example to kind of help paint this picture?

Christa: Yeah, absolutely.

Brandon: We’ve got partners out in California who just recently took our tool on scene, were able to triage three devices on scene in under four minutes, found contraband, arrested the suspect, took him off the streets. I can’t guarantee, but that probably all took under an hour. In the old way of doing business that maybe would never have happened. Maybe they weren’t able to find the contraband on the devices while they were there, they’d have to take them back to the lab, they’d then have to put them on the shelf that Alan was talking about, they’d sit there for nine months. and then that individual who’s interacting with this CSAM and this bad stuff is still out there doing it.

Whereas in this example, on scene, plugged the device in, ran it, under four minutes found somebody or found some contraband, arrested them on scene, took them off the street. So that’s a short real-world example, but I think it shows the powerful technology that we have and kind of talks to what Alan and Jeff are talking about.

Christa: Yeah, yeah, yeah

Si: So, I mean, your technology, and we’re talking, you predominantly sell on the idea of CSAM and not on other stuff. Are you selling into forensic units that are dedicated to CSAM? Because, you know, your tool is great and it does the job by looking for the block hashes of things. But the drugs case, and the drugs cases I’ve done, there’s not very much continuity from one case to the next. You know, I’ve got pictures of somebody who’s imported two kilos of cocaine, and then that’s totally different from the next person who’s imported two kilos of cocaine. And therefore there’s no hashing that you can be using in that. So, you know, this a CSAM tool, are you selling it as a CSAM tool or is it broader in the sense of who you’re selling it into?

Jeffrey: So it supports both CSAM primarily, but also counter-terrorism. The idea is is the way the filter’s built, we also have the ability to address those issues. So, you know, Alan can speak, you know, simply to this in the UK, but it’s widely used in the UK in counter-terrorism investigations. And we’re exploring those avenues here in the US as well, with some Intel fusion centers that we’ve spoken with that can see the use of the technology.

Si: Alan, is that on the same basis then that we have known, and again, you know, I’ve seen the things like Anders Breivik’s manifesto is obviously, you know, a particular document that is present in the number of anti-terrorism cases. So are we doing just block0level hashing for known files in anti-terrorism as well?

Jeffrey: Absolutely, yeah. Go ahead, Alan.

Alan: Yeah, absolutely, Simon, It’s purely a case of finding known content. It’s not limited to images or videos. It can be documents, audio files, anything like that. And you mentioned a few of them yourself. We’ve got terrorist manifestos out there. We’ve got the old classic, you know, terrorist cookbook, extremist video,s radicalization materials. Anything that in the CT domain to me that you think may exist on a suspect’s computer can be searched for in the exact same way as a CSAM, a major video can. And it’s why it’s at use here in the CT’s based in uk.

Si: One of the things that you’ve said is this tool is, and, you know, I’m not knocking it, it is stupidly fast, because of the block-level hashing and things like that. But you are quoting things like, I mean, I’ve got got on your website here. It says, “I ran Cyacomb’s tool against the suspect’s four-terabyte hard drive and within four seconds I had 10 CSAM hits.” I’m not suggesting that they’re lying because that would be, you know, incredibly unfair. But is that a lucky result? Or is, I mean, because the laws of probability would suggest that yes, some of the time it will operate like that, or have you got something really clever in the way of where it starts looking for files that means your probabilities of hitting something early on are higher than they would be if it was truly a random selection of places on a disc?

Alan: Yeah. So, it’s a combination of the statistical analysis we use and the contraband filtered technology. Because we don’t store hashes and we don’t need to read entire files to compare to an ND5 or a SHA1 file hash, the technology itself is incredibly fast for matching blocks from your original source data to blocks on the suspect’s device. The actual bottleneck of anything comes with the device you’re scanning. It’s really the rate speeds of the device you’re scanning. If you’re scanning an SSD, it’s going to be super duper quick.

If you’re scanning a really old mechanical hard drive, then your bottleneck’s going to be the rate speeds for that device. We say we’re between 20-100 times faster than traditional file matching technologies. Now, that’s quite a wide range, but what that means is if we scan a device and we scan the device to completion, and there’s nothing of evidential value found in that that matches our contraband filter, then we’re around about 20 times faster than a standard MD5 file scan.

If there’s content to be found, we generally find it around about 100 times faster than you will with an MD5 file heist, because in your traditional MD5 scan, you’ll need to read all the files on the device, then compare them to your high set to get your matches. So it’s not particularly suitable for a triage scenario. It’s more of a lab-based tool. But because we are randomly sampling and because of the speed with which we can compare individual blocks of data to the contraband filter, then it is suitable for triage and it is, you know, generally up to 100 times faster.

Si: Okay. No, that’s really cool.

Christa: So I’m going to, yeah, no, I’m going to refer to the same brochure that Si just mentioned. The phrasing that caught my eye was risk reduction for the four different tools, for the various stages of digital forensic triage. What risks are those exactly?

Brandon: Jeff, that’s probably a good one for you, if I had to guess.

Jeffrey: So, you know, the risks are delays. Obviously, when you’re on scene, you’re dealing with these active investigations, you know, the search warrant is going, a lot of times the clock’s ticking, and depending on what they’re able to determine or not determine on the scene makes a difference of whether obviously this person goes out in handcuffs or not in custody, or if they’re, you know, left there to await further analysis and determination at the lab. And so there are a lot of things that come into play in regards to risk of victims of further victimization and further offenses continuing.

You know, obviously, we know with the justice system, the delays in court proceedings, you know, those types of things that go on. So, you know, we definitely look at this as something to aid our law enforcement folks on scene to help mitigate those risks, for sure.

Alan: Yeah, I mean, Jeff’s absolutely spot on there. And it sort of depends on the use space or demeanor you’re looking at. In the CSAM space, you know, ultimately you’ve got potential child victims out there who may not be identified for months and months if the digital evidence can’t be analyzed. You’ve got offenders who are guilty and are at large because they can’t be charged yet because the evidence hasn’t been found. It’s been known for offenders who know they’re guilty, they know the evidence is going to be found whenever it’s examined and they’ve taken their own lives in the mean time. None of these are good situations. Any delay in time-sensitive situations is not good.

On the CT side of things, you’ve got terror plots that may be completed or actioned while the evidence to prevent them is sitting in a backlog. And again, not a tenable situation at all. So, it’s all about empowering the investigator to give them tools to, you know, discover and present evidence at the earliest opportunity of investigation, which can really drive or change the direction of an investigation. And so it’s all about reducing that risk in that time period.

Jeffrey: You know, Christa and I also would say, I think it’s also fairness and balance to other folks that may be on scene. Because there’s often times we go into scenes that it’s a multi-family, you know, residence and, you know, it’s unfortunate that all the computers have to go, you know, and get seized in certain circumstances, right? So maybe we have dad’s laptop where there’s nothing on it at all, but just due to the nature of the circumstances it gets seized and, you know, he suffers losses and some issues as a result of that. So this also helps mitigate those things. We can clear devices faster.

Christa: So that actually raises another question that I had in terms of risk. I mean, in these kinds of multi-family environments, or I mean, really any time you seize a device, how are you, I mean, I wrote a case study about this several years ago. The investigator that I talked to was very clear that this was a one in 100, or possibly 1000 kind of case. But in that case, there was a suspect that was falsely accused. It turned out that somebody else in the household had been using his machine. And what happened was that the investigators got tunnel vision. And so what ended up happening was a deeper forensic examination as the case was being prepared for trial and found more evidence that supported the alternate hypothesis of this other person in the house using this machine.

So, I know you offer training. How does your training counsel users to formulate and test hypotheses about how the illicit material got there, especially in those time-sensitive situations?

Jeffrey: Well, and I can speak to that because, you know, you talked to these folks about their existing SOPs and how they operate. You know, coming from a law enforcement background, I understood what needed to go into search warrant affidavits and preparation to serve those warrants. And electronics means I’ve also testified as an expert witness on several occasions in regards to digital evidence.

So yeah, we can not take the, you know, realm of a legal counselor, but we can all definitely say, you know, use this in best-case scenarios with your SOPs, your standing SOPs, and caution what the tool can and can’t do. You know, we make no bones about saying, look, first-generation material that’s on that device, there’s a brand new victim, it’s not going to pick that up. And you need to use other means to make sure you’re not missing anything potentially. And we’re open and honest and transparent about that.

Alan: Yeah. I think Jeff’s right. There are no tools out there which are the magic bullet for catching people. It’s all about providing the investigator with more information than they had previously. And then they can make decisions based on the results returning from our tools or any other tools. They need to make a conscious decision on those results based on the context of their investigation. You know, they may have other intelligence about who the suspects may be in the property. So it’s all about bringing all this information together and using it in conjunction with the other intelligence you have to make informed decisions about your investigation as opposed to uninformed decisions at the end of the day.

Christa: Yep. Yep.

Si: So, I mean, I’ve rocked up at a suspect’s house and I’ve pulled his computers out. And we’re trying to do this in a way that is quick and efficient. Your tool uses statistical analysis in order to attempt to identify stuff at an early stage. At what point is it that an investigator is being trained to stop searching? Because, I mean, I walk in and I start this up and it’s statistically analyzing it. And statistically, depending upon the size of the file, I would have to get a certain percentage through the disc before I was certain that there were no other files of that that may contain what, because this is a triage tool where are people drawing the line at triage, as opposed to certainty in the sense of walking away at the end of the day?

Jeffrey: Right. No, and I clearly understand where you’re coming from with that and, you know, we’re going to tell our users, look, you know, we’re the quick identification. If this is flagging green and you still have concerns, then use another tool and take a deeper look at it. You know, I’m never going to be the person to say, don’t use this exclusively to make those determinations. That’s just not a smart way of doing business as an investigator or as a, you know, forensic examiner, per se. So, you know, take a deeper look. If you have other concerns potentially, use a different tool and dig a little bit deeper, for sure/

Brandon: And it’s also going to be based on the laws and regulations in a given country or a given jurisdiction about how much. I mean, in the United States, it’s very quickly, I mean, they’re able to use our tool to find the CSAM, even if it’s one, it’s a felony and it’s going to lead to an arrest immediately. So I also think that plays into the factor, not only the SOPs like Jeff was mentioning, but also just the laws and rules of that given area.

Christa: Just out of curiosity, when you’re offering training, do you offer training to prosecutors as well as to digital forensic examiners? Or do prosecutors ever show up to the training that the examiners are going through?

Jeffrey: Oh, I’ve spoken with prosecutors. These last three weeks I’ve been from Lake Tahoe to Seattle to San Diego just these past three weeks and had conversations with prosecutors. And I understand what prosecutors need in these cases, you know, because I’ve had to provide it either as an investigator or as a forensic examiner. So, you know, we’ve had some good conversations and they have good understandings with what is needed for their cases and how they need to present that material potentially to a jury, as well. So yeah, we’ve also had those opportunities, for sure.

Brandon: We always try to invite the prosecutor if possible. We’ve been working with some out on the west coast here and just helping them come in and understand the tool. I just talked to one last week and just said, “Listen, like you may not use this ever, but it’s smart for you just to listen to understand that when an investigator comes with a piece of evidence and they claim to use our tool, you know how it got there.” So yeah, Jeff had spot on there. Definitely the prosecutors are a big piece of that puzzle.

Si: In the same regard, is there material available to the defense to understand where this evidence has come from? Is there, you know, some material that could go to defense experts who are attempting to understand this stuff that’s being put forward?

Jeffrey:Yeah, I mean, that’s going to be up to the prosecution, you know, to release that sort of information. Any good defense attorney out there is going to go out to, you know, websites and do their homework and research on these things, you know, but we haven’t that I know of been approached by any defense folks to provide any information, but that would come through discovery, obviously, here in the US.

Si: Alan, do you know of any in the UK at all?

Alan: It’s a very similar situation. It would all be through the UK version of discovery or disclosure they call it here. So it would be entirely up to the prosecution to disclose that kind of stuff to the defense. But we never shy away from the capabilities and limitations of our tools. And it’s, you know, I find particularly when I’ve been in the box giving evidence in cases like this, it’s usually relatively straightforward and cut and dry. Either the evidence is there or it’s not. You know, we don’t magically, you know, produce evidence. Our tools, knowledge, digital forensic tools, find that evidence and that evidence is still on the disc that, you know, the defense can equally come along and find it, as well. So, I’ve never really found it an issue. But yeah, it’s just the same as in the US. It’ll be entirely up to the prosecution to disclose that to the defense.

Si: I mean, I ask because I’ve seen, I’ve seen in the UK cases put forward with, to be fair, mobile phone evidence, not anything that you guys have done, but where somebody has plugged something into a particular kiosk, they’ve obtained a download, somebody has presented this evidence, and there is no understanding from the prosecution at any point what exactly it is they’re presenting other than going, “Oh, look, there’s a file there.” And I’m just wondering sort of how you manage that, because the risk is the same with yours is that at the lowest levels, you’ve got a guy who’s rocks up at a suspect’s house, he’s plugged in his device, he’s pulled off a report that says, “I found these 15 files.” and then because of the constraints and the problems and the pressures and the cost overruns and all of the problems that actually happen is that that finally ends up in court, and, you know, a defense expert will rightly say, “You have no idea what this actually means and where this has come from and why it’s there.”

I just want to, you know, without upsetting the audience, I do defense work, so I apologize to all of you. But there have been times where the police get it wrong. And that is one of those things where there’s insufficient detail. How are we addressing that? Is it just a matter of training to make sure that people know the limitations of the tool? And you’ve said up front that you are very happy to discuss those?

Jeffrey: Yeah, I mean, absolutely. That’s where that leads to. And when I speak with potential users, I mean, obviously I always advise this is one piece, one tool that you’re utilizing, right? And then there’s an entire investigative process that needs to, you know, continue on from this. And I’m going to be the first person to tell you, yeah, I’ve got positive CSAM hits on something. That device is still going to a lab to a computer forensic examiner to do a full analysis. And most prosecutors in the US are going to require that anyways.

You know, everything is a case-by-case basis, and there may be some exceptions where, you know, potentially somebody does that initial triage and they make determinations and that moves forward to charging, et cetera. And those are different. And, you know, Simon, I respect the defense position. And as a computer forensic examiner, you know, my job was to be a dispassionate scientist, right?

And so I had the obligation that if there was evidence that presented itself, that led credence to the defense that was presented, and that was given to them, you know, it wasn’t anything that we shied away from as examiners. And that was hammered into us from my early FBI days. Even with the DEA, you know, we were dispassionate scientists in the way we approached those examinations. And, you know, I teach that to this day still with folks I talk to. You know, I mean, you don’t focus on one part and miss the entire pie, right?

Si Yeah. I mean, professionals such as yourselves, I, you know, honestly have no doubt that you are forensic scientists and you operate according to the principles of that. My concern, and the one that I’ve actually seen in action is that there are people who aren’t forensic scientists who are given these tools because of the sheer pressure that we’re under. And in fact, you know, I mean, this is, I mean, I love your tool, absolutely. I think it’s brilliant.

And I think as a way of handling the sheer volume of discs, you know, even if we’re not going to deal with all the drugs cases or all of the, if we can just deal with all of the CSAM, fantastic, that will alleviate the problems elsewhere. So that’s excellent. But it is that in doing so, in this creation of a tool that helps us with this problem, we may actually be overlooking the larger problem of there aren’t enough trained examiners at a high level who are able to, you know, process this stuff.

Because, you know, you’ve got some guys on the ground who’ve suddenly got some great evidence and they’re going to go and try and present it, and all you need is for a couple of cases to actually succeed. And then somebody a little higher up will go, “Well, why are we paying Jeff and Brandon this amount of money?” Because they know what they’re talking about when these guys have got just as many convictions. It’s a real concern for me and it’s a concern because that’s what I’m seeing happening.

And, you know, I haven’t actually got a point with this, which is a bit unfair, but, you know, I think your tool is great. I just want us to be, and you seem to be addressing that issue and you’re being cognizant of the fact that it is a tool amongst many, and, you know, thank you for the tool, thank you for being honest about it and that’s really cool.

Alan: I think you’ve covered several points there, Simon, which all come back to the nature of the product and the reason it exists. It’s all about digital triage. So, you know, I wouldn’t expect a frontline officer with no digital forensic experience to use this tool and prosecute on it. It’s all about identifying which devices to seize and which you may leave behind; which devices contain the evidence and are worth seizing, and which ones are just going to sit in the backlog and take a month to examine when there’s nothing actually on there. So, I really wouldn’t expect an untrained officer to prosecute on the strength of the tool. It’s all about seizing devices and getting them back into the hands of a trained analyst in the lab.

And as you say, you know, we’ve got the likes of myself in the past, Jeff, Brandon sitting there in a lab with, you know, backlogs as long as your arm, you know, if we use a triage tool like this responsibly and properly, that backlog will come down. These guys who are very well trained can focus purely on the devices which do contain the evidence, and they’re not wasting time on devices which don’t contain any evidence. So it’s really all about that, you know, the reason we exist is triage. It’s about making that informed decision of what to seize and what not to seize. And that’s where I’d say the tool, you know, making a difference, you know, n expediting investigations which are just sitting in logs at the minute.

Brandon: And in building off of that, I start thinking from a leadership perspective and that speed equals cost savings. There’s definitely a huge cost saving to any user that we have here. The digital forensic space as a business, and any time that we can shorten some of those cycles inside that huge business process, we’re saving taxpayers money, we’re saving city councils money partnering with our customers across the country. So, there is that component from a leadership and administrative perspective that not only is it helping boots on the ground, the Allens and the Jeffs of the world, but it’s also helping the CEOs or the Directors of the world move their budgets in certain directions and focus on other priorities and still getting the same, if not faster results using our tools. So just building off what Alan had to say there.

Alan: Yeah, and I think one thing that always gets overlooked, we talk about the risks of devices being in backlog to see some cases people seem to forget the risks to the investigators to the officers’ welfare issues. Now this is, you know, I’ve been there, done that. I’m sure Jeff has and others have, we’ve seen the material and it’s horrible, horrible stuff. You know, if we can cut down the exposure of this material to officers and investigators, you know, we’re really helping their own wellbeing.

You know, if we can cut down the number of these images that have to be viewed manually, you know, then we’re going to make a massive difference to officer welfare. And it’s just one thing I always think seems to get forgotten. You know, we talk about the victims, we talk about the offenders, very few people talk about the investigators’ officers’ own welfare. And if we can streamline this process so they have to view less material, then we’re them doing them a service, I think/

Christa: I did want to ask about that actually, cause I feel like mental health is one of those things that it’s hard to attach metrics to, right? and I’m wondering like what kinds of metrics might go along with the use of a tool like this? Does it come back to fewer sick days or less attrition, you know, people transferring out of labs where they’re really needed?

Brandon: I think it’s all of that. I also think from that leadership perspective in my old life, our SOP was focused around, Simon, we did a lot of narcotics. I mean, that’s really what I did before I came here. But we also had a policy dedicated to CSAM that obviously people that are in narcotics are in the CSAM world, some of them are, that if somebody comes across CSAM training, days off, things like that, that takes them away from their digital forensics focus, that takes them somewhere else. And not only what Alan was saying around their mental health and the wellbeing of them, which is a huge priority,  it’s also that the business then is impacted as a whole, taking people out of the puzzle and things like that.

Si: Yeah, absolutely. So the tool, I mean itself, you run it and it just comes back with, I found 50 hits that match. And then that’s the information that’s displayed and I assume it tells you which references to what’s matched and the categorization of what those images are? I assume categorization is a thing that certainly Alan knows what I’m talking about. I assume there’s a similar thing in the US as to what they categorized as. And then that report is then put along with that disc for further processing. That’s my understanding of it. Then somebody will pick it up and look at it with NCASE or FTK or whatever. So that’s, it is not just a triage tool, it’s an amazing triage tool, but it’s a triage tool to highlight and alert on known content, but not to actually process and produce output from other than that report saying it’s matched.

Alan: Yeah. That was how the tool was designed. Cause it was designed in the UK sort of use space where certainly in the UK you would never prosecute on the strength of triage alone. So it’s all about making a quick decision on which device to seize. So, you know, if you’re scanning a terabyte drive and you get a red result in 10 seconds, if I was on scene at that point, I’d just be seizing that device and moving on to the next one cause it’s going to get a full examination anyway. You know, so when you’ve got 15 devices in a house to scan, if you can get through them like that, seize five, leave 10 behind, then you get a massive difference in investigation already, and then they’re going back to the lab for full examination, the report will indicate what’s found.

And what’s particularly interesting is it’s because we are block hashing as opposed to file hashing, then we can find partial files in an allocated space. So, even where we may not be able to give an absolute file path to the result if it’s not in the file system, what we can do in our reports, we can list the physical sector of the disc where that block was found, that matching block. So that can go back to the lab and that gives the analyst a steer of where to look and where to carve for this potential file. So it’s given them a bit of a heads up.

So the report in that sense is really for further investigation in the lab. Slightly different use case in the US where, you know, in certain jurisdictions they’re happy to prosecute on triage alone. So again, you know, a slightly different use case, you might want to let the tool run a bit longer to get a few more results and you might get enough to prosecute right there and then without the full examination. So it really depends on the procedures and sort of legislation in place in different areas of how you might use the tool.

Si: Now you said that if you got a red hit, you would pull it immediately. It’s block level, is there a chance that that’s a false positive?

Alan: There’s always a chance. I mean, block level technology is not new. You can use block level searches in the likes of x-rays and stuff, but it’s never been used heavily because of the false positive rate. That’s where a lot of the research went into our product behind the scenes. We knew when our CTO, Bruce left the police, he went back into academia to head up a research project. And a huge part of our technology and our IP is based around false positive reduction. And we’ve cut that down at such a level now where you can use the tool.

There’s always a chance of false positives in block hashing. You’ve got common blocks across certain files, things like jpg, color tables, that kind of stuff. However, obviously, you know, in a triage tool like ours, if you do get a match to the file system, we have the option to view the file if you wish to confirm it is a true positive.

But what we find, you know, in operational reality is that any false positive that’s seen, the small numbers seen are down to probably per quality source data. You know, yourself, Simon, if you carve a file from unallocated space, carving tools are not exact. So you’re going to carve, you know, three quarters of your file and maybe bring along a few blocks of a window system file with you from unallocated. That system file’s going to be on many other machines. You know, if that file makes it into a contraband filter, it’s potentially for a false positive. So, you know, it’s a lot to do with the quality of the source data to reduce that false positive rate. But what we find operationally is that any false positives seen are down to poor  quality data at the outset.

Si:Okay .Brilliant. Christa?

Christa: I’m good. I think we’re going to wrap it there. So gentlemen, thank you again for joining the Forensic Focus Podcast. It’s been a great conversation.

Alan: Thank you so much.

Si: Thank you, guys. Really interesting.

Jeffrey: Appreciate the opportunity.

Si: And again, I just want to reiterate, I think it’s a fantastic product. The speed improvements are amazing and I honestly hope you do really well in getting your mission out there to reduce CSAM. You know, I wish you every success, honestly, completely from the bottom of my heart.

Alan: Thank you Simon, that’s very kind of you.

Jeffrey: Thank you, Simon. Appreciate that.

Christa: Thanks also to our listeners. You’ll be able to find this recording and transcript along with more articles, information, and forums at www.forensicfocus.com. Stay safe and well.

Leave a Comment

Latest Videos

Latest Articles