Detego’s Andy Lister on Interoperability Between Field & Lab

Christa: As digital forensics decentralizes, shifting more responsibilities from lab to field personnel, tools that can manage the evidence from different user groups are ever more important. This week on the Forensic Focus Podcast, Si Biles and I talk with Andrew Lister, managing director at Detego Global. Andy, welcome.

Andrew: Hey, how are you doing?

Christa: I’m fine, thanks. How are you?

Andrew: Always average. We’ve already had that one. No, no, I’m good. It’s good here in the UK. It’s doing its typical raining here, so I’m out in my office, so I’m good to go.


Christa: Lovely. I personally like a good rain, so I’m going to say it’s lovely. So, in April you were appointed Managing Director at Detego. Congratulations. How has it been going?

Andrew: Yeah, I mean, for me it’s been an amazing eight years at Detego Global now.

Christa: Oh wow.

Andrew: Which was MCMS. Previous to that I had a nearly 20-year military career. I bounced into special projects for Detego. At the time when I came out of the military, I was injured and joined this group. I’ve been doing some of the digital forensics-type exploitation work within those roles and then graduated up to sort of Sales Director, the role for Managing Director came up and I’ve been sort of intrinsically involved with all the areas of the company, the leaders from various departments and subgroups from the ground up.

So joining the dots kind of felt right, the technology felt right, timing, teams, departments felt right, a client base and the feedback all felt right. So yeah, it was just sort of that time for me to step in and pull it together. And as far as we can see, it’s going really well. Managed now I guess with COVID and virtual meetings and things like that, it’s enabled us much quicker to get out to the rest of the teams, but I managed to travel to South Africa to our offices out there last month, meet some of the team there, out into Sweden and various other partners that we work with. So it’s been really good.

Christa: That’s awesome. You mentioned COVID, I think you had alluded in a previous conversation to some significant post-pandemic growth this year. There are some new tools we’ll talk about in another couple questions. Detego announced a global rebrand earlier this month or last month I think at this point. Can you tell us more about what’s happening for the company?

Andrew: Yeah, I think lots is the easy answer. We’ve been going from strength to strength, massively expanding, mainly out in the US but globally, as well. A couple of multi million-pound deals, which will obviously help us significantly grow, all the way through to supplying and supporting those small, standalone, typical kind of police investigator units that are out in the middle of nowhere for us.

And in the last few months we’ve expanded with new sales staff, new support staff, new developers, lead architects. We’ve got a further sort of five roles out there. As a company, we’ve been traveling to many, many multiple road shows. So, MH Services, NATIA, Defense and Security in Bangkok, ISS World Asia, out to Rome in Italy, FT in Germany. So all these things have massively been happening for us as a company. We have doubled our revenue this year as we continue to expand.

We’ve looked at the rebrand of course and as we had become more of a global entity with reach, we looked to sort of restructure the internal company to match what we were doing. So we’ve done that. We ran an alignment day so that all of our key members of staff, and this is something that runs through Detego, we want to make sure that everybody from the ground up truly knows who we are making this technology for.

And the three main groups generally are corporate, police and military. So quite often we were finding that maybe some of the key lead developers who were sat in the matrix, in the code, in the cave making the magic work were potentially not always being made fully aware of who’s actually benefiting from that technology. Everybody at the sharp end; marketing, support, training, sales teams, myself and pieces, of course we interact with that daily.

So we ran this kind of alignment day to make sure that everybody was aware of that and what’s happening. On top of that, obviously we’ve been expanding our partner bases and so bringing in new value-added resellers, as well as Budd and the marketing team putting in way more than 110% with our rebrand.

There was a bit of confusion, I guess originally with, we were known as MCM Solutions, that was the company name and Detego was kind of that brand name. So it got to the point where people were coming to know Detego much more than MCMS and then there’d be a little bit of confusion.

So we felt that we needed to rebrand clearly, get that out there and at the same time that meant we could modernize the way we work, modernize what we do, partner with groups like Cyber Social Hub, DFIR, or DIFFER depending on what part of the world you’re in and how you want to pronounce that, DFIRScience with Dr Joshua, and many other areas as well. So that’s been a continuous boom for us.

In regards to clients, US SOCOM has been massive for us, they are clearly, that’s United States Special Operations Command for some of the viewers that might not know that, they are obviously the pinnacle of US Special Operations, the real tip of the spear. And as a good testament to what the team’s doing, where our technology is going, how we’re expanding, they’ve reconned with us three times to be part of their capability to disrupt and dispute terrorist threats whilst sustaining and maintaining them as a modern force.

And in fact, we are with the vast majority of the Five Eyes special operations teams and many others globally that are out there. Of course, quite a few people we talked to think initially, and I know you mentioned it at the beginning, frontline forensics, frontline tools, military intelligence comes to mind every time that we kind of mention that. But we are equally as powerful for the police and of course because some of that has been devolving forward to the frontline for law enforcement. They face many of the similar problems, but also being able to utilize our tool for the lab side, as well.

Simon: Out of curiosity, I mean, you’re a UK company originally. Are your developers in the UK or are you, I mean, taking advantage of the wonderful cyber space that we can have disparate teams across the globe, but how is the company actually structured in terms of your software development and those boffins that are sitting there in the code base?

Andrew: Yeah, no, we’ve gone through various different models and the model that we’ve found that works best for us is to have the vast majority of our senior developers and coding team and technical architects based in the UK, in a coherent team that can rapidly move and talk to each other, have that interaction when they need it. Mentor is a big piece in the company, so bringing junior developers up.

But at the same time, we do recognize the benefits of having teams in different areas. So out in South Africa, for example, we have an office and a team in Johannesburg. So we use some development areas in there and that feeds back into our UK team, it’s peer-reviewed and then goes into the core code. How we’ll work moving forward in the future, I think we will always keep that model, but there might be areas where we grow and potentially even with that kind of hybrid workplace that we’re working in now, we’re very aware that the developers in most cases, just by natural character traits, I guess are quite happy to sit in those sort of isolated boxes.

But actually when we pull them out and get them integrating with the team and themselves a bit better, that’s where the real magic happens and the ideas spread. So we’ve been enjoying doing that, but of course now, globally we can potentially link that out a bit more. So if we find a particular area that’s doing particularly well in a certain field, it’s not beyond the realms that we would go to that location and require a small team. Depending on what task we’re doing, depending on what locations, what security checks and pieces, because obviously we do work with sensitive organizations, as well.

Christa: So, when we talked in April, when we went through our written interview, you described a bit about doing more with less and I wanted to, on this podcast, find out more about what that means in terms of each of Detego’s three main user groups: so the military, law enforcement, and corporate, in terms of efficiency, gains, results, et cetera.

Andrew: Yeah, I think really that for me can all be brought into one. So it used to be very separate. It used to be very disparate for these groups. But I think now with military, law enforcement and those kinds of corporate entities, they’re all facing similar problems. Yes, there are differences in each group, maybe how they use the tool, how they are required to present some of that data and areas there. But quite often they’ll all experience a shrinking budget, shrinking funds, maybe not as many highly skilled investigators or operators that they’re able to reach out to.

So, again, we’ve been trying to do more with less. So bring in a Detego all-in-one package. So that enables groups to come in and utilize one main technology base for the vast majority of what they do. Of course, in any forensic lab out there, we’re not just talking about frontline work here, if you can have the entire sweetie shop, I would have the entire sweetie shop of course, but to be what we would call ‘combat effective’ in my old role to make sure that an organization is really effective, we can put that 80% into one kind of product that does phones, computers, Windows, Mac, Linux, drones, thumb sticks, hard drives, field work, lab work, covert work, automated forensics, triage forensics, selective forensics. Because then whichever part of those skill sets you require for each of those verticals or industries are there and are interoperable.

So, for example, it might be that one of the parts of the team is needing to talk to another part of the team. They’re already speaking that same language. You’re able to come in and talk them through how to do the imaging, for example, forward how to reconstitute that image and then maybe how to pull the critical data out of it without them bringing that device back because it’s suddenly become time-sensitive, for example.

Christa: So, I’ve got to ask because I’m used to, and I think everybody in the industry is used to hearing about the toolbox approach. Like, no one tool can do it all, et cetera. What is it, as you’re describing these features, what is it about interoperable, frontline and lab tools that other solutions miss?

Andrew: Well, I think sometimes that might be the ability for each component to individually speak to the other component. So for example, with us, we have that blend of technology. For example, if I’m investigating a Windows machine, I’m investigating an iOS, an Android, a thumb stick, a hard drive, within that Detego environment, we’re able to do it all in the same fashion or the vast majority of that investigation in the same fashion. Because many of the data sets are very similar. Of course there are differences, there are different apps and pieces like that that will come out on the different technologies that are being used.

But the general principle that sits through those is once I’ve gone into say a USB stick as a junior investigator and I’m looking at the PDFs, the documents, the carved locations, whatever it happens to be, as I come and upgrade to maybe the computer forensics and I’m looking at the full computer system, I only need to learn a little bit more. When I go to try and find, well, I want to see what the optical character recognition does across the multiple images that I have, and can I find a keyword for somebody’s passport name? Andy, yes I can. I did that on a USB stick.

Well now I can do it in exactly the same fashion on the computer, a phone, those kinds of pieces. So we are trying to keep that as unified as possible. I think some of the other areas possibly that the competition maybe struggle with is obviously we have some patented technology out there, so they’re not going to be able to do some of those pieces that we can do.

Simon: So, do you structure the training that you provide in that way that, you know, you train on modules within it or if I come along to a training course, what do I get: a full training course on one piece or can I just pick and choose, well, obviously not just a thumb drive, I mean, it would be a good short training course, but it would be a unique thing. So is that the way you are managing the products on the training side, as well?

Andrew: It’s a great question. So the training side and the technology side obviously clearly go hand in hand. Any tool is only as useful as how you can utilize it and your knowledge on that tool. So the technology is modular. So groups that already are happy with let’s say their mobile phone technology that they’ve got or their imaging technology or their triage, they might look at other areas of our technology and go, “Hey, that is absolutely what we need to plug our capability gap.”

They can take just those specific parts of the technology. The same is very true of our training. So quite often we find organizations who many people out in the big wide world would expect and think that they are absolute boffins at digital forensics and they really might not have touched it before. So we can come in from the basic ground up, teach them all the basic principles of digital forensics and build up on that in line with the technology that they have invested in from us. Be that the mobile side, the computer side, the lab side, the frontline side, even going as far as working, we work with a couple of agencies, one in particular in my mind, every year we do it in sort of March time, it’s a two-week course, which is a long time for us.

Generally we can have basic courses that are almost plug-and-play for frontline users that are like gaining a driving license; go in, I know how to put it into gear, I know what happens when I press the accelerator, if I see a red, I know that’s a forensic hash match, I can secure that for our lab, for example, all the way through to the deep dive. But on this particular course, we will do a week of classroom. So that’ll take them through from almost zero to hero. They are technical individuals, but they haven’t had a digital forensic background at that point.

They come in, they learn the triaging, the imaging, the mobile forensics, the link analysis, the reporting, the exporting. A lot of our technology can automate some of the harder tasking for them. It can’t teach experience, so that has to be built up. And then what we do is we blend that into the second week. So we have multiple subject matter experts within the company. Our most recent, ex-27-year state trooper Mike Bates, joined our US team as a technical support and trainer there. So obviously a huge amount of investigative knowledge there.

We have Trevor from British Transport Police, myself from a special operations background. So we have the capability to bring other SME skills not only into developing the technology but the training, as well. So, long-winded answer, we end up going hand in hand with this group, for example, and we blend in with what they call their TTPs: their training tactics and procedures.

Some of us remain high-level security cleared, top secret and so on. And we blend in with them to make sure that the technology works in synergy with how they need to utilize that. And it’s brilliant and we can do that with multiple different groups. But of course, the vast majority out there need a very structured, very laid out course of digital forensics from start to finish that could be graded, matched, and we facilitate that kind of level of training, as well. A bit of a long answer there, but it’s important, I guess.

Simon: You answered it. That’s fine. That’s good.

Christa: I want to drill in a little bit. I know Detego Global has launched two new tools over the past few months. Could you tell us a bit more about remote acquisition and case manager, and whether these are targeted at a specific industry vertical or can any investigators benefit from them?

Andrew: Yeah, for sure. I think remote acquisitions, so again, both of these products are relatively new to us but have been on the agenda for a long time. And we’ve recently just released this and upgraded it for our current, what we call ‘Detego analyze users’. That’s the brain of Detego that does a lot of the work. However, it can also be a complete standalone product.

It was originally made for that kind of large, corporate government or commercial environment. So, giving you the ability to be able to track and secure data without the need to bring in that whole IT engine and machine or indeed travel to locations and go through the extremely manual process. We tried to get ahead of the curve when we did that to make it work with things such as Windows Remote Manager and similar other pieces to be compatible. So it can be set up quickly for those ITSOs, the IT security officers, et cetera.

And then, if there’s an investigation or something that is required that ITSO can then reach out to any of the systems that are within their network or their organization. Let’s say a thousand systems are spread out geographically across different groups, they can then dial in and say, “Oh, we have information on individual John Smith and they sit at computer system 299, we’ve been warned that there’s some corporate espionage, or they’re looking at indecent images when they clearly should not be those kind of pieces.”

Then they can remote access into those, they can forensically pull back the image, they can look at interesting areas like pulling the RAM if they’ve been cleaning their internet history, system profile, usernames, passwords, online activity and critical pieces. So clearly that can be done overtly or covertly so it can be set up as a deterrent.

And of course it needs to be in line with the legalities of the country, region or the IT policies and pieces like that. And interestingly we are, because I know the question will come, we are talking with other agencies clearly in the sort of circles we work in, hmm, there could be uses for this if we just tweak it a little bit. And I was out in Sweden actually and running a Detego kind of a demo on the more sort of standard, let’s call it digital forensic work. And at the time the question came up around remote acquisition.

We happened to have a system back in the UK set up. So I dialed into the remote acquisition to our agent on that computer and it had a 32GB thumb stick attached at the time. We imaged that thumb stick, brought it back and started our analytics livetime, which to the team that was there at the time was super impressive. So we’re just building on that piece.

Simon: Now, that’s a fantastic example because I was wondering about this. 32GB thumb stick from the UK to Sweden. How long did it take?

Andrew: Oh, do you know what? It was surprisingly quick. I’d have to pull it up. We were in a live demo at the time, so that’s how long it took.

Simon: That was what it sounded like, which is an incredible speed. And then that’s a very realistically usable performance, which is really impressive.

Andrew: Oh, for sure. But, of course, and this is one of my favorite sayings on nearly everything we do, you can’t break the laws of physics, right? Well, unless you speak to Professor Brian Cox or something like that. So, it can only maximize the bandwidth across the network that it’s using or where it’s at. But we have patented technology. Our imaging technology is the fastest in the world in standard forensics.

So we’ve done a one-terabyte drive or, I say we have, a government organization used our technology to recover a full bit-for-bit forensic clone of a machine that was a terabyte in under eight minutes, which is an absolutely ridiculous speed. However, that doesn’t mean every user out there is able to achieve that speed. It was a high-spec machine they were going after, they’d utilized all the correct ports on that, they had extremely high capacity, high speed SSD and NVMe drives attached to it and pieces like that.

The same can be said for remote acquisitions. So, again, we are looking at future ways of utilizing that technology for local extraction and upload to the cloud, running the analytics with and maybe the power of the cloud in there and limiting those pieces. But yeah, certainly it is a fantastic piece of technology, especially if you are more in a localized lab environment or large office buildings and pieces like that.

But, of course, where you do have slower connectivity or bandwidths, let’s say I was going over to another country, again, you can have that run overnight, you can have it run as long as you require. And another benefit, we’re always trying to think ahead of the game because we’ve got those multiple individuals in the company that have the experience.

Well, what happens if the connectivity breaks? What happens if I’m 50 or well, I’m 520GB into my one-terabyte image of the laptop that’s over wherever it happens to be and my connection breaks? How many times have you had something similar to that and you’ve got to go all the way back to the beginning and start again? Not so. Our technology will catch up to where it was, understand what happened, and once the connectivity is strong enough, it’ll restart from where it left off and keep the integrity of the data that it’s pulling. So we’ve tried to cover off both aspects of that. There just needs to be obviously a little bit of expectation management around users that maybe haven’t updated either their infrastructure or are using low-bandwidth systems.

Simon: But in that regard, I mean, I assume you’ve got technology to handle pauses, issues with the connectivity to restart. But actually, if you’re doing a, I’ve forgotten the word, not subversive, that’s a bit unfair.

Andrew: Covert.

Simon: Covert, that’s the word. Thank you. Covert acquisition, there may well be somebody using that PC at the time and thus the data that you are recording might have changed earlier in the disc. How are you reconciling that Delta?

Andrew: Yeah, no, that’s a really good question. There are two parts to that. So at the moment, the technology, when we say it’s covert, that’s a road that we might be going down with other organizations. It’s covert in a manner of whether the organization has a very obvious, hey, Detego Remote Imager is sat on your desktop or when it’s actually running and pulling data at a livetime will obviously affect the performance of the machine. We are looking at areas for it to identify when the machine is quiet and pull that data.

If there’s data that is in flux and in change whilst you are extracting from a live machine, then kind of like mobile phone forensics, in the vast majority of cases it is changing. If you cannot lock down that environment, then it’s your contemporaneous notes if you like. But the technology automatically creates a full audit trail for you in what you were doing there to try and mitigate against that. But of course, if data is changing at the time, you can’t 100% guarantee that something hasn’t been added.

You can go back and do another extraction, for example. If they’d just done a fresh internet search, for example, that just happened to be the one that had the piece of information that you wanted and you’d moved on from that part of the extraction, you might not get that, for example.

Christa: So that was remote acquisition. It feels like all of this data potentially leads to some complexities. Is that sort of what Case Manager is designed to help with?

Andrew: Yeah, exactly. So, what we’ve found is a lot of the areas have synergy, cross-pollination, all that good stuff. So where we started off with imaging, we then found that triage was available, then we started looking at mobile, drone, automated analysis in the lab, these kinds of pieces. Then we bled across to, well, we’ve actually got another product called Endpoint which we won’t talk about today, remote acquisition and then Case Manager.

So all these kinds of areas generally have worked slightly compartmented, maybe, certainly the case management piece. So we’re trying to bring all that together and certainly as the engine under most of it is Detego, it means that we’re probably going to have an easier job of doing that than most others.

It was initially born out of, we didn’t touch case management, it wasn’t something we did as a company, and then one of the world’s largest commercial entities for supplying goods that everybody will be fully aware of their name, they came to us, saw what we were doing in the digital space, liked the kind of way that we were approaching that and said, “Hey, look, we’ve got a case management incumbent tool currently, but it’s not really fit for purpose. Can you guys look at what you wanted to do and again, how you could assist us with that?” Within a few months we had the developers pulling it out the bag.

They produced our kind of first-generation beta case management system in a loose form. This is going back a little bit of time now, and we knocked them out of the park with what we were doing there. So we grew on that and we decided, oh, there is a massive requirement for this. Initially we thought purely in the corporate space; so pulling in a lot of incidents, making sure that managers have the capability to monitor the statistics, the performance, key insights into investigations and pieces like that.

But what we rapidly started to find out was that, hey, some of our police clients already had case management systems, as well. They were pulling disparate bits of information in and some were staying out in little silo groups. So we wanted to make sure that our case management was usable, was able to take multiple data sources, and across the top of that, when we first looked at it, it was kind of like, here you go, here’s the case management, we know what we’re doing, that’s got to be good for you.

And then very rapidly we understood that it’s not quite one shoe fits all. One style of shoe kind of fits all, but they want it edited, they need it bespoke for the different users. So we then came up with a 75-80% pre-done template of a case management system that goes in. They’re able to interact with us, we are able to interact with them. And the final sort of 20% or so is bespokely made to integrate with those particular agencies, pull in the various different sources and requirements that they have.

They may not require someone junior to be able to see, for example, all of the cases and who’s running what where, but one of the seniors might want to jump in and monitor that. You can change your workflows, assign tasks, monitor tasks, and of course going back to the kind of audit trail piece and areas like that, upload this to the cloud and leverage that side of it, as well.

Christa: So I want to get a little bit more, I guess, on the practical. I mean, I feel like you’re going quite a bit into some of those aspects, but not long ago, Si and I talked with a digital forensics unit director in the UK about the new RASSO changes. So Rape and Serious Sexual Offenses under the National Police Chiefs’ Council Digital Forensics Strategy, I believe. How is Detego factoring into those kinds of frontline-oriented environments?

Andrew: Yeah, no, and it’s great that governments have started realizing that there are a couple of different ways to look at this. So RASSO, Rape and Serious Sexual Offenses, as you mentioned, we can look at it from two angles. We can look at it as the suspect that we want to investigate, but then also critically and what drove most of this was the survivor or the victim and how to treat that victim and hopefully keep them wanting to move forward for justice to prevail.

So, some of the issues that were previously with that were individuals feeling that they were maybe pressured or being investigated themselves to a large degree. So what we’ve done, I mean, we were lucky, to some degree we’re already ahead of the curve, because we’ve been using frontline forensics, blending that with police forensic integrity and having that ability to rapidly extract specific data.

So again, you’ve got your device on you, but maybe you’ve been doing something that you’re not too comfortable with, but it has nothing to do with this investigation. You’re not going to want me to take a full physical image of that device and hold all of that information and review everything that’s in there as a victim, as a survivor. As a suspect, well, that might not be so much the case.

So we’re working with another huge commercial company out there, much much bigger than ours. And the thing I like about it is we are blending our technology with some of their technologies, with the wider whole experience. So when we did, excuse a little bit of background noise there, when we did a lot of the research and we went in with a lot of the government kind of working groups and pieces like that where we had many victims come in and talk through their experiences, we realized very quickly, it’s not just technology that’s going to answer this question, it’s actually the extraction and sensitive extraction of technology, of data, but also the softer skills, the empathetic side and devolved power back to that victim.

So again, once that data is held, one of the options is that it’s held securely and then it’s almost entrusted so that it has to be on request. So again, if somebody comes in saying, “Hey, we’d like to look at these particular WhatsApps.”, then the individual is informed, they give their consent, that specific part of their data set is then put forward. So we’ve been working quite hard on that and that’s really good.

But that also floats across, as I loosely mentioned to the other side of, we’ve been able to utilize some of that technology to improve our triaging capabilities against the bad guys, girls and people, all that kind of piece. So now being even more selective potentially, honing the investigator down to quicker identification of their key illicit information or material for those pieces.

In fact, we were also working with similar, so the MOSOVO, the Management of Serious Sexual Offenders and this is what I always like to think about in my head and going, you know, if I was an investigator that doesn’t have our type of technology and I go in, I’ve got 20 years background in digital forensics and investigations and I’ve intelligently led to the management of this serious sexual offender, and I go in and during the interview process that we’re doing in the house I notice many multiple devices, whatever it is, that as an investigator is setting me off, there’s something not right in what they’re saying, they’re tripping up on pieces about where they were using particular apps that maybe they’re not allowed to use as part of their probation. And at that point I go, “Yeah, there’s something not right here. But I have no digital forensic capability here with me right now to give me any more of an informed decision on that.”

I might radio back to my station or my lab and sort of say, “Hey, I want to put in the paperwork or I want a quick turnaround on devices coming back from this location.” Well, there are loads of problems there because one is, if that doesn’t happen instantly and the individual that I’m going to monitor or whatever to check on, I leave, they suddenly go, “Yeah, there’s something not right here. I’m wiping everything I got or destroying all my technology.” We’ve lost that evidence and justice has potentially gone.

The second part to that might be, well, maybe I have got to the point of asking permission there, but because the labs are so backlogged in some cases, there’s a digital tsunami going on, too many devices, too much data, not enough experts. So we’re trying to hit that from the front side and help the lab team out.

Now, the lab team are there and they’re going, I’ve already got X amount of devices, there are 17 devices in this household and there’s no, let’s call it, and I have to be particularly careful, there’s no genuine direct evidence right now, but you’ve got a 20-year investigator saying something’s not right. They’re weighing up that problem of going, do I send 17 devices to go into that queue to now all the core issues and causes?

So necessity is the mother of invention. We’ve come forward and said, “Hey, look, we kind of learned some of this from the special operations where the guys and girls have many multiple skill sets. They need quick complex technology that’s simple on the hoof. Let’s push this technology forward.” So we’re actually working with the Home Office to push that technology forward and it’s been really successful so far. So we’re hoping that that grows.

That enables that user to quickly plug and play and get instant warnings to say, yes, hey, either 100%, forensically sound, there’s illicit material on this item, or giving them the balance of probability that there is highly likely illicit material and therefore upping the chance of them being able to send that data back, or send those devices back.

Christa: It gets into a question that I had also in what you were just saying about adapting the military field tool to these more regulated environments like law enforcement and corporate. What have some of the biggest challenges been with that adaptation, especially as the criminal justice systems labs in the UK continue their standardization efforts?

Andrew: Yeah, I think I’ll answer that globally rather than specifically on individual groups, cause everybody’s facing similar problems. In most cases, for me, from what I’ve seen, it’s mindset, policies, doctrine and bureaucracy. So there are technologies out there and we are one of the leading technologies in this, and they give you the capability to do the vast majority of the pieces that you need to do.

We often find that investigators that we work with are hamstrung by either outdated traditional mindsets, policies, pieces like that. It could be something as simple as, and I’ll use another country as an example in my mind, but individuals going in and they just happened to write on their warrant that they were looking for computers, and they get into the specific investigation, they go in there and it’s littered with hard drives, phones, thumb sticks, and it just creates a complete nause.

Why couldn’t that have just been we were able to go after devices that hold digital data? And then you kind of cut off, and there are thousands of these kinds of pieces that are slow in catching up. Most places thankfully have accelerated on from that. But again, those pieces are bigger barriers than the technology, in my opinion. Back in my kind of day of doing it in my old life, you very much had that argument of intelligence versus evidence and there is still a certain amount of that there now. But again, like most pieces from our technology, we need to cover off both sides.

And we took the view early on wherever possible, if we’re extracting data, regardless of the user wanting to use it evidentially or for intelligence, we would make sure that it’s taken to the highest standard, which would be the evidential level.

If there is a particular user group, and there are a few out there for whom seconds really are important, minutes are extremely important and they’re in quite precarious predicaments or locations when they’re trying to retrieve that data for the greater good of us all, then they do have in settings quite often the ability to turn off anything that might slow that down. For example, maybe hash checking on a forensic image to enable in those rare cases for the speed to be increased with that. But yeah, I think the rest, as I mentioned before, has just grown out of necessity.

The kind of having that digital forensics coming to the frontline from the special operations background really, and then having that forensic integrity blending across from the police side. So really genuinely pulling together that best of both.

Christa: Yeah, that actually does it for me. Andy, thank you again for joining the Forensic Focus Podcast.

Andrew: Hey, no worries. Great to virtually meet you both.

Christa: Likewise. Thanks also to our listeners. You’ll be able to find our recording and transcripts along with more articles, information and forums at Stay safe and well.
