How MSAB Is Managing The Digital Forensics Challenges Of Frontline Policing

Si: So friends and the enemies, welcome to the Forensic Focus podcast. Owing to the vagaries of the way the sausage factory works, this is actually our first recording for 2024, and we are delighted today to have Alan Platt with us from MSAB. Desi is stupidly early in the morning, and Alan and I have definitely pulled the, we’re both in the same country card and we’re doing this at the reasonable time and we’ve had plenty of coffee. So we’ll kick off.

Alan, do you mind introducing yourself to us and giving us a bit about your role with MSAB, as it stands? And then we’ll go into your background, which I have a little pre-knowledge about and it’s fascinating, but we’ll get into that in a sec. But tell us about your role with MSAB at the moment and introduce yourself.

Alan: Okay. Yeah. Hello. So Alan Platt, I’m a professional services consultant with MSAB. Been with the company now for two years and work with the professional services on a small team and my job is really the managing of projects. So some big projects that we’ve got with customers, to managing those projects, and managing some services that we’ve got. We’ve got some service contracts that we have with some larger accounts, if you like, and it’s just managing those, managing the personnel, keeping the customer happy, making sure that everything runs smoothly and making sure that the right people talk to the right people with the customers, the right people, our side, talking to the right people, their side, and also just doing whatever I can to help out.

Si: Fantastic. And so how did you get into this? Forensics is an odd industry and everybody seems to come into it in a slightly different way, but for yourself, I know in advance what your background is, but do tell, how did you get into working with MSAB and why?

Alan: So I’ve been a police officer, so I was a police officer in the UK. Previous to being a police officer, I was a civilian in the Metropolitan Police. So I did about eight years as a civilian and then joined BTP, British Transport Police and did about eight years with them. Moved over to the Met Police. And for the last eight years or so with the Met Police, I was in specialist operations and I was working on a small digital forensics unit. So I was doing phone extractions of phones, all the way up to laptops, so whatever. So if you’re looking at Level 1, 2, 3, we were more of Level 2.




And I was heavily involved also with training. So as I got further into it, got more experience, got more confidence, if you like, I got involved with the training. So I’d train in XRY, so I train Level 1 users. So we had a cadre of users on… using Kiosks. So I’d be training them. I was trained to train the training level from MSAB.

And, for the last two years or so of my time with specialist operations in the Met, I wrote a training course for XAMN, but I didn’t just want to do a training course in how to learn XAMN. It was more training course aimed at investigators, so that anyone who is involved in investigation where they are thinking or there’s a possibility that there could be digital forensics involved, particularly mobile phones, then the importance of that data, what to expect from the data.

So you have a lot of people that, because I was training all users, they’re all different levels, you might have someone who, they’re not interested in digital forensics, they’re not interested in phones particularly. They’ve got an iPhone, but they know how to use an iPhone, but they’ve got no idea how an Android works.

So training the difference between those two, understanding what can be captured from each one. So it’s important for them to understand where that phone should go, maybe. So should it go to the lab? Or is it suitable for the frontline side of things?

Legislation, so we got all the information we needed about particular legislation. So if you found media on extraction and it was maybe an offense, what type of offense was it? What do you need to do to prove that offense? So you’re not just blindly looking through the data. How to look for that material and what to do when you see it.

Apps, the importance of apps, and especially chat apps and things like that.

And then, finally, we went into XAMN. So it was all learning how to use XAMN to a good standard. Although we were training everybody to use it, it was training everyone to a good standard. And then it’d be a two-day course. And then, the second day, they would be learning how to use XAMN with like, I’d set basically three phones. I’d got three different phones, Androids and iPhones. Filled them up with data, chat data, location data. The three people were all communicating with each other, so there was links. And it was a case of, “Right, find the answers to these 150 questions. You got the whole day. Go through it and try and find the data.” And did it in easy, medium, and hard level. So they had to do the easys. They could try and do the medium and hard and stuff like that.

And I’d also trained… Previously I trained something like 30 people up as SPoCs, in XAMNs, so they were really good levels. So we basically did it so that myself and a colleague would do day one.

So day one, Monday, Tuesday, Wednesday, Thursday, training all these people in day two, they’d sit in a room on their own where the SPoC could be nearby. If they needed help, then they’d call them in. And it was really good. And we trained 200 people in that, to XAMN, gotten them trained to a really good level.

Did a similar sort of thing for a refresher, but for that one I wanted to make it a little bit more interesting. So I got basically a topic of the type of topic that we were dealing with. So a particular category of interest, if you like, and filled three phones with data using the type of language and terminology that these people would be using.

And then, so rather than just saying, “Right, here’s your refresher course. Learn XAMN. Here’s the updates,” it was a case of learn XAMN, but at the same time, I’m going to teach you all about the type of stuff that you’ll see when you’re doing your triages. And it just makes it more interesting.

And so the first course that went national, so I was teaching it nationally, for a train-the-trainer course. And then I did that, and then in the middle of that I went in and joined MSAB. So yeah.

Si: So do you still do training for MSAB?

Alan: No, I don’t. So I’ve just written a training course, funny enough, so XEC Director. So I’ve written a training course in how to use XEC Director of the admin client. So just an online course.

But no, I don’t do training anymore. I loved it. It is maybe not something I’d want to do day in, day out, because it is mentally exhausting.

But really rewarding, especially when you get someone come in that’s looking petrified and they’re thinking, “I don’t think I’m going to be very good at this.” And they’re really nervous. And then, by the end of the two days, they walk away and they’re actually like, “You know what? I really enjoyed that.”

I was heavily on, it’s not pass/fail. Because we had to train everybody, it was a case of, “Look, you’ve got to do this, but you’ve got to do it to a good standard. You need to know what you’re doing.”

So that instantly relaxes them. And then it just becomes about learning, which is, if you’re enjoying something, I find I learn it better.

Sometimes you go on a course and such focus is on the exam and you worry about… and I think it infringes learning sometimes. So this was just, “Look, let’s get you to a really good level so you can use XAMN, to a good level, find the data,” and it worked. So it was good fun.

Desi: So going back to all your training and everything, that sounds really awesome that it was practical.

I think I just wanted to ask a few questions. I think you dropped some terminology there that I’m not familiar with, and I’m sure some of our listeners won’t be familiar with. And I’ll go backwards from I think the most recent to the early ones. So you mentioned “Spock”?

Alan: Okay. Sorry. Yeah. Typical in the police, you just live on acronyms and stuff, so “SPoC” is the main point of contact, if you like. So the singular point of contact.

Desi: Ah, okay.

Alan: Yeah, so we had SPoCs. We had 30 or so SPoCs, senior point of contact, so that anyone dotted around a particular location, if they had a particular problem with XAMN, and they were like, “Look, I know I was trained on this a couple of months ago, but it’s gone straight out of my head,” they knew that they could go to one of those individuals and say, “Can you help me out?”

Desi: Okay.

And then the other one that you mentioned was you were using Kiosk. So I come from a military background into commercial, but not policing. What are Kiosks? Just so people could visualize what you’re talking about.

Alan: You can see, that’s a Kiosk there.

Desi: Oh, okay. Yeah.

Alan: So it’s very heavy, but it’s a portable device, so it’s more for frontline usage.

Desi: Mm-hmm.

Alan: And you basically got the screen at the top, which has got all the hard drive in it. And down the bottom you have the kit where you just plug in if you want to do, you can do DVDs, CDs, USBs. And you can just do extractions.

And it’s just a big heavy box so that the users can, wherever it’s posted, just use it from there. So it’s more aimed at the Level 1 users, so the frontline officers.

Desi: Right. Okay.

And I guess that’s a nice lead into the last question that I had, was the definition of what the different levels are. You did mention Level 1, 2, and 3, and that you sat at Level 2.

But that’s the first time that I’ve heard that kind of terminology in policing.

Alan: Yes, so Level 1 would be the frontline. So the frontline officers, so they’re trained to a good standard, because we would obviously train people that were Level 1, so they’re trained to a good standard, but they’re not day-to-day users. They have a full-time job, but they’d also do extractions.

So I think your colleague spoke to Simon Crawley a couple of years ago, from my team. So he talked all about frontline policing. So it’s the frontline officers. It’s the ones that might be told to do a phone extraction from a victim or witness or maybe even a suspect. They’re not trained to the highest level, obviously as the lab. They’re trained to exceedingly high level.

Level 2 is where I used to work, so it’s more sort of you’re one step above Level 1. We could do phones, laptops, and any type of digital media device, but we went to lab. We would also do mobile forensics and we’d go out and visit sites and do it, still to an evidential standard, to a very high standard, but you’re not a lab and your labs are your Level 3, and trained to the very high standard, can do any type of extraction that they can.

Desi: Awesome. Yeah, thanks for that. Yeah, there was just a few in there that the first time I was hearing them. But, yeah, all makes sense. Okay.

Si: So in that regard, you’ve touched upon both the Kiosks, which, obviously, are quite heavy, and then frontline extraction. So MSAB does tablets as well, you mentioned those earlier.

Alan: Yes. So Kiosks and Tablets. So for your frontline officers, you’ll have the Kiosk, the Tablet, and you’ll have MSAB Express. So that is essentially a laptop with the same… everything is the same as a Kiosk. So XRY is the same. So the software is the same for everything.

But the Kiosks, the Tablets and the Express have… The general difference is they’ve got a workflow with it. So that’s the GUI as you see, as you work through.

So where I worked before then I would just go straight… And if I wanted to do an extraction, I’d have my notes and I’d go straight into XRY, whereas the Kiosk, the Tablets, and Express for Level 1 officers, they would be following through a workflow and that’d be something that we would help the customer sit down and design.

So for the likes of, say my colleague Simon, he’ll sit down with the customer, like, “What do you want? How do you want it to look?”

And there’ll be a consultation, “Okay, well, consider this, this, and this.” And, eventually, what the user uses is what’s been designed by the customer, working with us.

And that is essentially you just went through and you’ve got your case data. You’ve got the details about whether the phone was on or off, was it in airplane mode? Developer options, was that set? And everything is how the customer wants it to look.

So some customers have really long, detailed workflows. And you just literally just work along the Kiosk and you go next and fill out all the details. So there’s no writing. If it’s a modern workflow, it’s designed in a way so that you are not actually writing anything. It’s a case of filling in the data.

And, at the end of it, we can produce some notes or case notes or whatever you want to call it. And that is everything that the officer has done, basically. So the case details, any photos they’ve taken, if there’s a digital signature that would be recorded on there. And you’ll also have maybe a summary of the extraction.

So if you’re doing the training, it makes it much easier to train because, obviously, you can concentrate on the actual digital forensic side of it. So the complexities of Android, maybe compared to iPhones. So for users that don’t use it every day, you can concentrate more on that.

And it also means it’s much easier for the customer to comply with legislation. So ISO, if you’re trying to go through ISO accreditation, then you can really narrow it down and make it very, very tight so that it helps you comply.

So yeah, so that’s the sort of the difference between [inaudible 00:14:35].

Si: Between the two.

So, I mean, essentially, you work with professional services now. Is that a feature of professional services, to help to develop that workflow? That’s something that you are going in and offering to work with?

Alan: Yeah. So we’ll just basically… It’ll start off with, the customer will contact MSAB. So they might contact sales or their account manager and say that they’re interested in a workflow. They’ll get pointed to us.

And we’ll sit down with them and it would just be a Teams meeting and it would be, “Right. Okay, well, have you got a workflow already?” Maybe it’s a new customer that has never had a Kiosk or Tablet or Express before.

So we’ll sit down and say, “Right. Well, what do you want? What are you looking for out of this?” And we’ll go through the options for them and show them the latest updates, what it can do.

And then it’s just a case of, over a period of time, lots of emails going back and forth, more meetings, lots of shared PDFs and stuff.

And, eventually, at the end of all of that, they’ll end up with a lovely new workflow that they can easily load onto their Kiosks and it can be managed through XEC Director. So you can just push out the workflow if you have a networked environment.

And it’s just a case of keeping it updated, hopefully. So as new developments come out, then they can just update their existing workflow.

Si: Now you said if you have a networked environment, so the Kiosks themselves are not necessarily, or the devices, are not necessarily standalone, isolated… I’m not going to say unprotected, that’s not fair. Isolated bits of equipment. They are pluggable into networks?

Alan: Yeah, they can be both. So you can have standalone and you might have an environment where you’ve got 10 or so sites, where you’ve got standalone Kiosks.

And you can take the data, you can export the data out and pump it into XEC Director so that you can keep all that data and you know what’s going on. Or you can connect it to maybe a local environment or you can connect it up, you can connect the two through the cloud. So the data’s going into the cloud, I should say.

So, yeah, you can connect it all through your network and manage it all centrally. So we have a lot of customers that maybe have large geographical sites and they’ll have XEC Director sitting at one site and then they can see from their office, they can see whether the Kiosks are online or offline, whether they’re working, whether there’s a fault, who’s using it, and on what. So it makes it much easier if it’s networked.

Si: Now, given the nature of the potential content that’s being put in, not because you are putting it in, but because it’s what you are pulling off objects that are being plugged into it, how is this managed in terms of security? Because Desi and I, we’ve both been around the security industry long enough to know that there’s no such thing as a secure computer on a network, and therefore how are you managing this risk? Or is this being delegate- not delegated, given over to the organizations as their bailiwick and their problem?

Alan: No, well, it’s a case of working together, really. It’s a case of giving advice and giving advice from other customers that we’ve had and maybe offering them to speak to other people. So we’ve got people that are going through different stages of their progress, if you like. So we’ve obviously got tech experts that can give them advice in how to make it as secure as possible.

But it’s also, you’ve got the XRY file, which is encrypted anyway, so that helps to it. It helps the security side of it. But it’s a case of working together, so that they come away with a secure environment.

And you have some customers that the data is going out, it will sit on the Kiosk and they’ll export it out onto an encrypted USB. So I’ve got one customer I’m working with, and that’s how it’s done. It’s exported out to an encrypted USB, so there’s actually no data passing through anywhere. And then once it’s sent to the USB, then it’s deleted from the Kiosk.

And then you have others that will just export it out or upload to a cloud, to a secure environment in the cloud. And then, again, it’s deleted from the Kiosk. So once it’s exported, then it’s gone.

But, yeah, it’s a case of working together and they’ve got their experts on their side and we’ll work very closely with them so that they have the secure environment that they should have.

Si: Cool.

Desi: So when you’ve gone through and made those workflows with the customer and it’s specific to their environment and all that, does professional services, or sorry, I can’t remember whether you said that you don’t do training or MSAB doesn’t do training, but do you do a [inaudible 00:19:37]-

Alan: I don’t do training.

Desi: Just you? Okay.

Alan: Yeah.

Desi: Yeah. So then is there another part that works with the customer to develop training so that if they have employee turnover, then they can get trained up on their own workflow and get up to speed quickly?

Alan: Yes.

Desi: Yeah, okay.

Alan: Yeah, so you can have it so that if a customer… So what we do is when a customer comes in, the training team will make sure that they’ve got their particular workflow, so when they go through the training, they’re actually seeing it exactly as they will see it when they go back to their home environment.

And we’ll also do the training team, have a train-the-trainer.

Desi: Awesome.

Alan: So they’re trained to a high standard and they’ll go away. So I was trained as train-the-trainer and I was trained in my workflow, and then I would then pass on that to my colleagues.

Desi: Yeah. Okay. That’s really cool.

Si: So we’ve talked about, or we’ve touched on, let me rephrase. We’ve touched on loosely in the idea of the workflows, the fact that it makes it easier to comply with, certainly in the UK, some of the ISO standard stuff that’s coming in, which is clearly causing a lot of pain for a lot of people in a lot of ways.

Can you talk us through how… First of all, that is something that you are able to address with MSAB and the features that’s going to make that work, but secondly, we talked briefly, again, about validation and verification stuff. And that was something that you were saying that you are also able to assist with. So that’s no longer something that’s being necessarily entirely something that the force themselves have to deal with or the provider, the user themselves actually, has to deal with?

Alan: Yeah. Okay. So I’ll come to that last bit later, afterwards.

But the first bit, so with the ISO accreditation, yeah, so we’ve got obviously the workflows, as I’ve just been saying. So you can design your workflow and make it as tight as possible. So the user basically is very, I suppose, restricted in what they’re doing. So they have a path, how they follow it through. They can’t just go and maybe decide to do whatever they want. It is a case of, “Here’s the question. Answer the question. Fill in the data.”

Then when they get to XRY to do the extraction, you can limit it, so that on XEC Director, when you manage it, you can have user groups.

And so, for instance, if you have maybe five sites, you could have five user groups, five for each site, we could have one. So they all fit into one user group. And then you can set it so that each user is on a user level.

So, for instance, you might train a whole lot of users and you might say, “Okay, well, they’re trained now they’re up to a good standard. Let’s put them up to, say, Level 4.” So go from 4 down to zero, which is disqualified. And you put them as 4, and it’s a case of managing the users so that you can see what they’re doing so that they’re keeping their skills up, which is really important for ISO accreditation. You’re not just keeping people on the list that just aren’t doing extractions. You can monitor what the type of extractions they’re doing.

And if you have a user that is dropping down a level, is maybe not doing the sufficient number of extractions as they should do, so you can set it maybe to say, “Look, you need to do three extractions a month. One of them has to be Android, one has to be an iPhone, one has to be SIM.” If they don’t do that, then they drop down a level.

And then, with a recent addition, we’ve had to… XEC Director, you can make it so that if they drop into maybe, say, Level 2, so they’re two off being disqualified, then it can limit their actions and what they can do within XRY.

So you could say, “Okay, so Level 4, you can do logical, you can do no files and maybe you could do target extractions.”

But then if someone drops down a level or two, you can say, “Okay, you dropped down a level. You now need to do four or five extractions, because we’re keeping an eye on you,” and you can now only do target extraction, which is one of the profiles that we’ve got.

So the target extraction is another really good way for ISO accreditation because it really helps you with the data protection. So if you’ve got your digital processing notice and it’s basically saying you’re allowed to get data for this date and time or this week or whatever, then you can select it so that you get exactly the data that you need for that time period and you are complying with what the rules and regs say.

Yeah, so between the two, between the workflow, I’ll put into two, the workflow, XRY, so how you can restrict officers to doing certain type of profiles. So you might have it so that you just want your officers to do target extractions, and if a job comes in that requires more than that, then that goes to the lab, for instance. And it’s a case of training the users.

So that’s how we can comply or help them comply with ISO accreditation.

And the verification side of things, that’s a new thing that we’ve got. So we’ve got a customer with something like around now, something like 200 Kiosks and Tablets. So a really, really busy estate. They’re up to a stage of about 150, now connected to Azure. And they’ve got about 50 or so Kiosks that are standalone. So they would do all of the validation themselves. So that is something that they do and it’s not something that we get involved with. Obviously, they validate and verify their own software, their software and their hardware, et cetera.

So one of the projects I’ve been working on is where we have a service contract with this customer and we have a service engineer. Any hardware faults, then that service engineer will go out. They’ll also work on site, so it’s really good for the customer. They’ve got someone from MSAB sitting in their office.

And a new thing that we’re just starting this week, actually, and it is where the engineer who’s trained by us and is a qualified, experienced engineer, they’re trained by us in XRY and XAMN, then they would do the verification. So they’ll basically be given a test phone and a spreadsheet or whatever, spreadsheet or document, and it will say, just fill out the… so they’ll basically do an extraction. Maybe we’ve had an update to XRY, so say 10.9 comes out in the next update for XRY, it’s already been validated and verified.

And then so the customer knows the results, what it should do. And then the engineer will go out and then they’ll do an extraction using their test phone, record the results, and then go around all those 50 Kiosks or so and then pass the details back to the customer, who will then confirm whether it’s done.

So we’re not marking our own homework as such. It’s nothing like that. It’s just a case of helping the customer really getting a really good, tight, close working relationship with that customer, helping them out with what can be a really laborious process because it’s got to be done every single time there’s an update to software, to comply with the ISO accreditation.

Si: That’s fantastic.

Now, just as slightly contentious off-topic, not entirely off-topic thing, but as a former policeman, as a former investigator, do you think that the ISO standard is restricting the police in what it is that they can achieve? Because you were saying, for an example there, that if you’ve dropped down to Level 2, that you’d only do targeted extractions. Do you think there’s a risk of missing evidence?

Alan: No, I don’t. Having been someone who was involved, not necessarily the manager, but involved with managing the users, it’s really important that those users know what they’re doing, that they’re at a certain skill level.

And if, for whatever reason they’re not, maybe because it’s just not for them, they thought it might be, but it’s not, or they’re just not good enough, then they shouldn’t be doing extractions or they might need extra training.

So I think it’s super important that you have people that are doing the extractions that want to do it and they’re good enough to do it and they’re doing good quality extractions, because if you are going to comply with the legislation, you’ve got to be to a good enough standard.

ISO, no, well, it’s here, isn’t it? I mean, you’ve got no choice. If you are running a digital forensics department, then you have no choice. You’ve got to comply with ISO accreditation.

Yeah, it’s expensive and I’m sure it’s a real mission to get through. One of our customers is soon to be going through it for their frontline, I think may be the first to do it.

But I think it’s for the benefit of the person who’s having their phone extracted. I know if I was maybe a suspect or a victim of crime, then I’d want to know that there were strict rules that the law enforcement have to comply with those rules and procedures.

So it is something you just have to do. It’s part of change, isn’t it? And I think it’s a change for good, but I’m sure it’s hard work and very expensive.

Si: Yes, I think it’s hard work and very expensive is a good summary for somebody who’s got over 200 Kiosks and there’s as many staff as some of those clients you have. It will be an entertaining experience for them, I’m sure.

Okay. So I mean, in terms of MSAB, what can we expect coming up? What’s in the pipeline for, well, for professional services, what are you sort of looking at offering and what’s in the pipeline for the products that you’ve got coming up soon?

Alan: Okay, well, we’ve got a new CEO, so obviously with that comes, we’ve got a big strategic overview and there’s some investment coming in. So it is probably at the early stages of that. So, obviously, they’re looking at everything. So it’s interesting times, exciting times, whatever, for that. So lots going on. Continued development with all the products.

I mean, I’m a big fan of XAMN, so I’ve obviously used it loads. And that now, I think, is just the best it’s ever been.

So XEC Director, I’ll probably plug my training here, actually. So that’s something that we’ve not had before. So if you are a user of XEC Director, then to have that, to sit there for three, four hours, learn all about XEC Director, so that’s pretty good.

Yeah, we just had some big updates in XEC Director as well, so making it faster and more efficient in how it uploads the data. So, obviously, if you’ve got something like 200 Kiosks, they’re connected to a network, then you want that upload to be fast and work as efficiently as possible. So we’ve made some big changes in that.

I’ve been working really hard, and the development guys, working really hard on the database. So for XEC Director, obviously, if you are getting all that data from all these phones, you want to know what they’ve been used for. It’s really important for the manager of any digital forensics unit, okay, you’re spending all this money on these Kiosks, Tablets, whatever, lab, whatever, you can connect XRY office to a lab, you connect XAMN to XEC as you can to XAMN Pro, so you can connect everything to XEC.

And all that data is available to, you know, so you can see who’s using your lab, Kiosk, Tablets, examine what data’s coming out, where’s busy, what particular times are busy, what type of phones they’re doing. So all that data is available in your database and we just made it much easier to get that data out. So that’s pretty good and it’s taken a lot of work, I know, for those guys.

So just lots of really good general improvements, but I’m sure there’d be more coming out, but maybe some stuff that I can’t say right now. But, yeah, looking at the whole lot.

Desi: I’m just wrapping my head around the process as well. So you’ve got the Kiosk and Tablets out in the field, that is doing the acquisitions and pushing it all to that central server or cloud storage.

And then can that be pushed into, when you’re talking about lab, does that have to be a similar bunch of Kiosks? Or can it just be pushed into whatever that lab has to do digital forensics and parse that data?

Alan: Yeah, so, I mean, you can connect, if you have an environment where you’ve got, in particular, MSAB. So you might have, for instance, I don’t know, 50 Kiosks out and about for the frontline officers, but you’ve also maybe got a central lab, which is probably quite common. I mean, you always have a lab and there’d be some that don’t have frontline, but there’d be many that do. So they’ll all have their Kiosk and Tablets dotted about their estate, and they will have the lab as well. You can connect, if you have XRY office, then you can connect all of that to XEC Director. So you can push out your software updates to the lab offices and the lab equipment.

But their lab equipment is obviously, they’re using it, they’re separate, they’re doing their own thing. And XEC Director managing, probably more so for the frontline officers, just keeping good tabs on everything, keeping it running, making sure it’s all running smoothly.

Desi: Okay. Yeah. Cool. Because we talked about XEC Director and a few of the upcoming features, but is there anything else in XEC Director that really helps organizations manage their frontline or just the management of the data flow as well that you wanted to that we haven’t discussed, that you wanted to highlight?

Alan: So new software comes out, you can push out the updates so you can do it so that you can time it so that all the updates go at a particular time so when the Kiosks aren’t being used.

You can manage the users. So use, as I said, user levels. User groups, you can put people in user groups.

You can look at log data, so you can see all of the data that is coming out of the Kiosk. So you can do management information reports. So if you want to know particular user group or particular area that you have, what type of data they’re doing, what type of extractions they’re doing, a particular user. If, for instance, you want to see whether a particular individual user has been complying with doing all the extractions, you can see what type of extractions they’re doing, whether they’ve made any errors, and just basically just managing your XEC-connected network, really, just sort of keeping an eye on it, making sure it’s all working correctly, working connected, and not fallen offline.

If it’s fallen offline, then you’ve got diagnostics and you can do your diagnostic checks and do as much as you can to feed the data back maybe to the network team or back to MSAB maybe. Maybe there’s an issue in professional services. We’ve got some really, really clever tech guys that will basically just be able to help them diagnose what the fault is and maybe it’s a fault with XEC. Might be a fault with the network. And then you can narrow it down. So it’s really good at sort of helping you fine tune and find out exactly what is the fault.

Si: So I mean, for a permanently connected network Kiosk, I mean, that’s impressive anyway, but does it handle the laptops and the tablets when they come and they come into a network within range?

Alan: You can’t do a laptop, so that laptop would probably just go straight to a lab. That would never be touched by anyone on a frontline.

The tablet, tablets basically, I always used to say to the people I trained, a tablet is just a big phone, basically. So just don’t treat it any differently. You treat a tablet exactly the same.

So yeah, phones, tablets, SIM cards, memory cards, that all can be done by the frontline officer.

Obviously, usually they’re logical. So remember, it’s really important for the investigator to understand that has its limitations. So if you just want a particular set of data out and it’s suitable for the frontline officers, then great, pass it to them.

But if it requires something more, then really consider sending it straight to the lab, especially if you’ve got a particular phone where it might not be best if it’s powered off, for instance, you might need to keep it powered on.

But that’s all about training, good training of all your officers, not just the ones doing extractions. If you’ve got officers out and about, or the law enforcement officers that have got a good awareness of what the capabilities of the frontline and the lab and what the phone is capable of or whatever, then that helps a lot.

Si: Yeah, and that’s part of the training that gets dished out, isn’t it?

Alan: Yeah.

Si: Is that very frontline first responder, this is a phone, this is where it needs to go and what needs to happen to it, that kind of stuff.

So no, that’s brilliant. That’s brilliant.

Desi: Maybe another example you can give us then is, I know we discussed before this, but the managed service, where you can remotely help administer the XEC server with one of your customers.

Alan: So, predominantly, a lot of my time is dealt with two sort of key or big customers, if you like. So the one I just said before, the 200 Kiosks. And another one, that they’ve got something like 70 Kiosks and Tablets.

And the project that I’ve been managing is all about getting the transition over from a different provider using our Kiosks and Tablets and getting everything up and running with the workflow, helping out with getting XEC Director connected to the network.

And it’s got to a stage now where they have all their Kiosks and Tablets out and about in the field. They’ve done the trainings, so they’ve been trained MSAB, by our training team.

And so you have specific staff from MSAB who are UK-based. So because it’s the strict rules from the customer’s point of view, then certain UK-based members of staff from MSAB that have been vetted and then on the approved list, we can remote in. So we’ve got a remote desktop that we can remote in. So we’ve got a static IP.

And then, if we are requested, so we can’t just go straight into their server, but if we get a specific request, then our job is to update their XRY software. So they’ve got a pre-production environment and a production environment, so two XEC Directors with Kiosks and Tablets, or Kiosks on both.

And if they request us to update their XEC Director, then they request us to do it, official request comes in, we make the request to go in through their IT.

And then we get into their server with our… so I’ll have an individual login, so it’s recorded that I’ve made the request to come in and I’m now into their server.

And then I seek permission to get into their XEC Director. I get that permission. And then I’m in.

And once I’m in there, everything I do is recorded. Obviously it’s recorded by their own software, but you can also, everything is logged in XEC Director, so all the actions that I do, if I make an update to the software or if I… Anything I do is logged.

And, yeah, so we’ll update their XEC Director software. And we’ll also, if an update comes out, say, the recent update to XRY, we’ll push it out to their pre-production first. They go away. Do all their testing. Do whatever testing they need to do.

If they’re happy that the update to XEC Director is good and the update to XRY is good, then they’ll then request us to do the same for the production environment. So again, exactly the same process. We’ll go in and then we’ll update the environment.

So it is really tightly managed. Obviously, everything we do is logged, it’s for specific request. We don’t do anything more than update their environment and also maybe help out with… If there’s a particular issue, maybe there’s a couple of Kiosks have gone down or something and it’s unsure whether it’s network or whether it’s there’s a fault with maybe the Kiosks or exactly where it’s at. So it’s a case of then we can help problem solve that.

And, yeah, I think it’s quite unique. It took a lot of work to set up and it’s brilliant that it’s now set up and running and it’s updating and doing that sort of stuff when it’s you and when I was in the police or whatever. But doing it as part of a company, you really want to do a good job. And, obviously, now, once it’s all been set up and all the effort that’s gone to it’s really, really quite rewarding to log out, knowing that it’s all gone smoothly and they’ve now got their updates, their Kiosks, and that’s something that they don’t have to worry about themselves.

So the two particular managers of those, they’re two different police forces. So the two different managers of those estates, they can just concentrate on doing other stuff, knowing that they can rely on us to do that side of things.

Because if you’ve got 70 or so Kiosks, then that’s a bit of effort to manage and to do the updates and stuff, so they can concentrate on doing everything else.

And as part of that, we also have a hardware, sort of SLA side of things, where we’ve got, again, we’ve got one of our service engineers will go out and fix things.

So we’re sort of really heavily involved with both of those customers. And I think it works really well for both, brilliant for them because they’ve got someone from MSAB in their office and they know the names and if there’s an issue, then they know that they can just speak to that engineer.

And also it’s really good us as well, because we’re really closely working with that customer. We know the contacts and if they have an issue, then it’s really easy for them just to get in touch with us. And it’s really easy for us to just keep that contact going and keep the customer happy, which is really important.

Desi: Yeah.

So I guess if I was an external customer listening to this and about that example that you just gave, which sounds really cool, is there a clear segregation between you coming in to administer the XEC Director and then any type of access to the data that they may be dealing with?

Alan: Yeah, so that’s something we may… At the end of the day, the customer doesn’t want us to see the data.

Desi: Exactly.

Alan: And no, we see no user data. So as much as you’ll see is a list of user numbers as such. So usually police forces have users through user numbers and stuff. You’ll never see the data that is from digital media, from the phone, if you’re talking about that.

And, to be honest, if all you’re doing is literally updating the software, you literally go to a couple of pages on XEC Director. You go to there, you update the software. You’re in and you’re out and you’re done. It’s recorded.

So they wanted to go back and see what the MSAB staff member did. It’s really easy for them to do. They just need to go to the logs or use their own monitoring software.

But no, we definitely don’t want to see the user data. The customer won’t want us to see the user data, clearly. So yeah, that’s very, very segregated.

Desi: Yeah. Cool.

Si: And this environment that this is running in, is this an on-prem hardware or is this a cloud environment?

Alan: So for that particular one, they want to get to the stage soon when they are in the cloud, but it’s all, you know, so you’ve got the Kiosks dotted around lots and lots of different sites. They’re all connected on their own network to XEC Director, but the extractions and everything all go off onto USBs and stuff.

Si: So is there any data in the XEC Director, at all, being uploaded?

Alan: So you’ve got… Not the data from the extraction. So for that particular one, if you’ve got an environment where your Kiosks and Tablets are connected to a network, but the extraction is going to USB or whatever, hard drive, then the XEC Director will collect all the user data, the usage data of the Kiosk, the Tablet, all that sort of stuff. It would tell you how many artifacts in an extraction, for instance. So you’ll know that maybe there were so many pictures and videos and whatever, but you don’t see the pictures and videos. It’s just managing the systems, if you like, the systems and users.

Si: Okay.

So going back again to Desi’s question, in an environment whereby those Kiosks are uploading to the cloud-

Alan: Yes?

Si: … are you still segregated from the data?

Alan: Yeah, so if you’re using XEC Director, then, again, you see the user data and everything else. Obviously, if it’s going to the cloud, then there’ll be a SharePoint where that data is accessible and whatever system you’re using to view the data.

But XEC Director is, again, it’s just managing the users, the systems, and that way. So yeah, you’re not seeing the data if you’re using XEC Director.

Si: Right. Okay. Okay, cool. As I built that in my head, it started to make more sense as opposed to where it started off. Oh, that’s brilliant. Okay, cool. Thank you.

Alan: It’s all right.

Desi: Yeah. Well, thank you so much for joining us, Alan. It’s been a pleasure having you and to talk through the XEC Director and learning about what the Kiosks were and all about what’s new to come because it all sounds exciting as well as you guys keep going and some of those projects sound really cool. So, hopefully, there’s more and more of that for you guys.

But, yeah, all of our listeners, as always, you can find us on YouTube, Spotify, Apple Music, anywhere you get your podcasts from, but the videos will be available on our website, ForensicFocus.com, and YouTube, along with a transcript as well.

And we’ll see you guys next time. I know we’ve got a few more podcasts and videos lined up. And Si and I need to do another one between us soon.

Si: Yep. Definitely.

Desi: So we’ll be back soon with lots and lots for 2024.

But thanks everyone and we’ll see you all next time.

Si: Excellent. Thank you very much, Alan.

Alan: Thank you.
