Inside F3: Building Community And Sharing Knowledge In Digital Forensics

The following transcript was generated by AI and may contain inaccuracies.

Si: Ladies and gentlemen, boys and girls, the gentleman we have here is Gareth Davies. I met Gareth at the Forensic Expo in London where Forensic Focus had a stand. We got to play with one of the robot dogs from Boston Dynamics, which was great fun.

We listened to a few things. Friend of the show Sarah, Professor Sarah Morris, was there compering the whole event. It was wonderful. Gareth was there and introduced himself. Now Gareth is with F3, which is the First Forensic Forum in the UK. Actually, why am I doing this, Gareth? You go for it. What the hell is F3 and why is this important?

Gareth: To get it completely right verbatim, the First Forensic Forum is a not-for-profit professional organization which exists to provide an open forum for people doing forensic computing, digital forensics, call it what you will. The ability to share knowledge and information with each other through the forum, through the workshops, through the talks, through the conference, and make training and content knowledge accessible.

Back in the day when I was trying to get my training courses together for vendors and tools and other things, they were very expensive, £5,000. Because F3 started in the 1990s, there weren’t many opportunities for training even. It was about getting information to people to upskill. That’s what we’ve been doing for around 30 years.




It’s a good lifetime for an organization in an industry that’s barely 30 years old. It’s been around for a long time. It was people who bumped into each other and said, “Oh, you do this forensic stuff with computers. How do you do it? What tools do you use? What kind of stuff do you work on?”

It was a case of: we’re better as a collective to move forward because there were almost zero tools back in the day. There’s no training. The internet doesn’t have Forensic Focus. It doesn’t have the Forensic Wiki, for example, so we can’t go there and get information. It was slowly building up a community that helps each other.

Si: Tell us a bit about yourself. How did you end up in forensics? This is a field that has a million different pathways to get into that we’ve discovered talking to people. And then how does that lead you to F3?

Gareth: I’ll try and keep it short and sweet, but I do have a tendency to drone on because I used to be an academic and lecture as Si, and that’s our bag. I wasn’t doing well at university. I was bored of computer science courses.

I didn’t want to be an e-commerce person. I didn’t want to be a computer programmer. I didn’t want to be a network specialist. I liked all of those things in bits, but I didn’t know what my fit was. So I took some time out and then went back to university.

At the time there was a digital forensics master’s being run at the University of Glamorgan back in the day, 2005 probably. I was interested in it, but I couldn’t study it because I was at a bachelor’s level. But I found a university hack where I could make my own course.

I went to the professors and asked them how I would do that at a bachelor’s level. They worked with me to put my own course together, and it lit a fire in me. It was interesting. It was problem solving. I grew up watching all the old cliché shows like Poirot, Miss Marple, Columbo, Taggart. They were on in the background with my folks in the house.

The investigation side – I’d always loved computing and devices and data and pulling apart and building machines. It all fused together and made perfect sense to me. That’s how I got into getting educated in forensics. I stayed on after my bachelor’s and did some research projects with the university.

I then went to the States and studied at Johns Hopkins for a while and got some more information and knowledge there working with professors I knew. I came back and started a PhD. I started doing research work, teaching, and casework in digital forensics on behalf of my professors in the university. That’s how I educated myself and broke into doing the work.

Si: What was your PhD thesis on?

Gareth: It’s on digital steganography.

Si: Oh wow, okay. That’s an intriguing little niche you’ve got there for yourself.

Gareth: There’s a load of publications out there. I won’t bore you with the details on the podcast, but it’s not complete. I’ve got some publications to finish, but it has been a journey for many years. It’s interesting and that’s what got me into hardware.

I was looking at it at a hardware level. I can talk about this because it’s published and open. If you look at me online, you’ll see my research history. It was about working with devices at a firmware level and looking at how they were configured and put together. All that knowledge got me into doing complex casework in advanced data recovery.

Then I created a niche for myself in helping law enforcement and other organizations out with repairing devices, exploiting devices, getting data out of anything with a chip or disk.

Si: Yeah, that’s a neat little niche. In terms of where you are now in your career, is that a major component of it?

Gareth: Certainly. I still do hardware. I still enjoy doing forensics. I’m looking at some work this week on various platforms with smartwatches, vehicles, and other devices. My current role is research-based. I’m at a large defense contractor, so I’m head of cybersecurity and resilience there.

Si: You can name them if you don’t have any problem with that. We don’t have a moratorium on naming them because I’ve worked for them as well, so it’s not a thing.

Gareth: It’s all public information. I work at Thales UK, large defense contractor, global technology company. You probably haven’t heard of us, but once you start to look at us, we probably make something that you’ve used today. Probably at least twice. We’re into space technology, so we’re in space, land, and sea in defense and global tech.

Big tech company. It’s a big role and responsibility to be head of cybersecurity there. I work on lots of different projects. Some I can talk about, some I can’t. Some I can talk about which are publicly funded and available online are things like cyber resilience looking at automotive industry.

I’ve got a £2 million project with Swansea University at the moment looking at resilience and system modeling for complex systems. Working with Cardiff on supporting some PhDs in the automotive cybersecurity arena and forensics. Working with University of South Wales looking at forensic testing of devices and data assurance.

Hoping to work with, of course, the good professor now, Sarah Morris at Southampton University. Also a shout out to a previous employer of mine, University of West of England and the team there who are also great.

Desi: You mentioned you’ve worked with some of the hardware devices like smartwatches and vehicles. To put you a bit on the spot, what’s the weirdest thing that you think you’ve ever had to be called in to work with?

Gareth: The weirdest thing I’ve been asked to work on – one springs to mind, but I won’t mention it because this is a PG forum. IoT devices are expanding into lots of different areas. I guess a Sky remote is one of the most interesting.

I was asked by a senior investigating officer if a Sky remote would create a log either on the device or the Sky box of buttons that were pressed and times and dates associated with that. It was about a murder inquiry and the Sky remote may allegedly have been involved in that crime.

Desi: Interesting. Beaten to death with a Sky remote? That’s terrifying.

Gareth: That may or may not be true.

Desi: Where the buttons matched.

Si: Out of curiosity, what was the technical outcome of that process? Were button presses recorded?

Gareth: No, there were no logs to suggest that was happening or occurring. But we have looked at Sky remotes and other weird and wonderful devices academically in some of my posts. We used to focus on games consoles for quite a while, so we looked at all the handheld Nintendos, PlayStation 4, PlayStation 5, the Xboxes.

We saw some of those used in cases around the world and people would call us up and ask what were our latest research findings? Did we have anything further to share past the papers we worked on? I’ve worked on anything with a chip or disk for over 15 years. It’s all about data recovery, getting data out of it and making it make sense when tools can’t parse it, it’s unsupported, or things like that.

If anybody’s watching this and can ever help with that problem, please contact Si. Get in touch and let me know.

Desi: Super fascinating.

Si: Yeah, no, it’s good. Thank you for the offer. It’s a small community, but there’s such a disparate skill set across it. It’s great if we can put people in touch with other people to get on and solve some of these crimes. It’s amazing.

Gareth: Thinking about one of the far-reaching requests I had was to do data recovery on a video camera from a storm chaser in America who didn’t quite make the chase out of the storm, if you see what I’m saying. So a fairly battered video camera by the end of the day, I would imagine.

Si: Yes. That was one of the strangest and far-reaching ones I remember. Wow. Talking about community, how did you get involved with F3? Where in your journey did you join with them?

Gareth: A committee member from F3 approached me because I’d been working with some organizations they were familiar with looking at flash technology. They said, would I come to F3 and give a presentation at the conference? I’d never heard of F3, so I had to inquire what that was at the time. It was early in my career and I was a researcher working on casework.

This particular research project was focusing on flash, like I said. I said, sure, why not? I’ll come and promote what we found. It was all back in the good chip-off days and chip-on days that we used to look at before the problem of encryption and things like that.

I came and presented and said, “This is currently state of the art for data recovery from flash memory, if it’s working, if it’s on-board, or maybe if it’s off-board and not working.” That was my first exposure to F3. Then I looked around the room and read the brochure. I could see forensic computing practitioners everywhere, people at the coalface doing the job, all trying to take home new skills to apply in the lab.

They had a huge range of speakers from loads of different vendors, companies, specialists, all from around the world and cool topics. I spoke to the committee of F3 and said to them, “How do I join? How do I come back next year?” They said, “Give a talk and become a member.” So I did those things and that’s how I got involved with F3.

Si: I think Desi emailed me slightly before this and went, “I’ve never heard of F3. What’s that?” Now, being an Australian, he’s entitled to be not aware of UK-only organizations. Are we a UK-only organization?

Gareth: Is F3? No. We’ve got memberships in Australia. I won’t name names, but we used to get some tool vendors coming over from Australia. We’ve got members there. Some people would like to start an Australian chapter of F3. We’ve had that discussion over beers and talk before.

We’ve got members in America. We’ve got lots of different members all over Europe. No, we are international, but we are based in the UK. People travel to locations in the UK to come to the workshops and conferences. But no, we get people flying from America to do training days for us, like Spider Forensics.

Si: Okay. And it’s quite – we were discussing previously that F3 is quite a subtle organization. It had, or at least when I first came across F3, it was recommended to me at the time by Brian Jenkins and Tony Sammes.

Desi: Yeah.

Si: Who were senior members of F3. And Lindy – Lindy Shepherd, who were senior members of F3 at the time. Yeah. And very – so that was my way into it.

Gareth: Yeah. Very prominent figures in the digital forensics community internationally as well. Those three people. Yeah, of course. Tony Sammes, Brian Jenkins – they taught many of us at different institutions. You could call them the headmasters of teaching and training.

Then Lindy, who was secretary for more years than I can remember, more years than I’ve been a member. She’s been an absolute conduit between people getting access to the events and speakers. She’s represented F3, she’s worked with the community, and all on a voluntary basis, I’ll say as well. Shout out to Lindy Shepherd for doing that. Thank you very much.

But yeah, it is subtle. It has been word of mouth. I guess that’s because it grew organically from a few groups of people getting together with the sheer knowledge that grew and grew into, “Right, now we can’t do this down the pub on a Friday night. We need to get an event going.”

Events start to happen. The organization started to grow. We had committees. Then it was formalized into: “Right, we’ll have a membership to create a base, and then we’ll start to ask the community what it wants.” So it’s always been a word-of-mouth type of thing.

I think that has worked great, but I think in 2025 there are lots of opportunities to advertise and take things forward. We’ve had a website for a long time, but if you don’t know about F3, why would you go to it? Why would you search for it? I think there’s a lot of things we could do as a committee – and the committee are all on board – to take F3 forward into the future and make it more accessible for more people.

I’ve been doing a lot of F3 organizing over the past couple of months. Last night I was going through old brochures and I think what we’ve got is something special and unique because we’re vendor-neutral and we’re as cheap as can be, as cost-effective training as you can get.

An example: what are we charging this year? I think it’s £650 per person. That is two nights’ accommodation, that is six meals thrown in – breakfast, lunch, dinners – and it’s access to the conference that has 14 expert speakers running workshops across lots of different domains.

We’ve got Magnet there this year, Cellebrite, MSAB Software. We’re hoping to have ControlF come along. And it goes on and on. I can give examples of other speakers we’ve had over the years. When you look at it, I don’t know another conference that I can go to in the UK or in Europe.

I’ve had a look around that has these types of talks which are focused on pure digital forensics, the bits and bytes. It’s all about vendor-neutral information that you can take back and implement into the lab. In terms of: “I didn’t know this open-source tool was available. I’ve never thought about researching an unsupported application in that method.”

“I’d never heard of YARA rules before. RAM analysis on Android phones – that’s interesting. How can I look at performing those types of techniques?” And it’s all practical stuff. I think that’s a bit different. What I’ve seen elsewhere has been slightly more research-based or vendor-based, so I think we’re a nice blend.

Desi: Yeah. Is that training that you have for F3, is that all in-person based? Is there any – like with COVID and everything that happened – did you guys offer anything that was remote?

Gareth: That’s a good question. It’s something that we are looking at as an organization. During COVID, we went straight online because we had events lined up and everybody was in the house. It was a case of: what can we do to support the community at home with online learning?

We ran, I think, three conferences online – two-day conferences, same sort of format. We used a good platform online that was very interactive. It was a place where you could go and chat with people. There were icebreaker moments. There were certain topics and groups set up to talk about mobile devices, vehicles, drones, etc. So you could find your own niche and talk to like-minded people.

It was like an integrated video brochure experience, the website. It was available on desktop or mobile. We put on events using that and it was massive. The numbers were huge because I guess everybody could tune in from the lab, tune in at home, and it was useful. It went very well.

We have considered doing hybrid events now in the future, but that’s still in discussion. We’re going to speak to the community and see what they think. We have to safeguard some of the speakers as well, so we have to be mindful of things like that. We’ll see what happens.

Desi: Yeah. I don’t know about your experience, Si, whether you’ve ever been to a hybrid conference, but personally, this is just my two cents – I’ve found them difficult when they’re hybrid. When they’re either all online or all in-person, they’re great. The hybrids I think the online community gets marginalized from any technical issues or just the conversation is so much harder.

Si: Yeah, I think it’s a wonderful idea. I think I have yet to see it done to its maximum capability. I think, like you said, it’s very – even an event that I attended that had water cooler breakout rooms for the online participants – I went into some of those and they were just dead silence.

Yeah. They didn’t engender that. And I say, I think the last F3 conference I went to is the single most drunk I have ever been in my life.

Desi: Oh, congratulations.

Si: It was that protein mate? Was that the protein mojitos that you were having?

Desi: Yeah, that was the protein mojitos.

Si: Yeah. No, somebody introduced me to a drink called Bénédictine, which is a very funny – I’m just going to look it up.

Desi: It just sounds like a medicine. I’ve never heard of that.

Gareth: I will say the F3 formal dinner on the Wednesday night is a lot of fun. To quickly go over the format while you look that drink up: Tuesday is registration, curry, and a quiz night. We do a technical quiz. We have a range of curries and other bits and bobs there. We have a bit of fun, get to know each other.

And if you haven’t done a technical nineties quiz on digital forensics, you haven’t lived. Wednesday it’s full of talks and workshops. In the evening we have a formal dinner, usually a comedian. Yeah, we share a few drinks, a few laughs, and we talk about the talks. Then Thursday is the final day – six or seven talks – and then it’s cheerio, feedback, and see you next year.

Desi: Nice.

Si: Yeah, I’m going to say that’s one of the interesting features I found. F3 was the comedy routine. The after-dinner speaker on the dinner night is not forensic-related. And in that year, I ended up as the butt of the jokes of the comedian as well.

Gareth: I’ve had my fair share of banter with the comedians as well. They are relentless.

Si: They’re a lot of fun. Yeah, we’ve had some great comedians that have broken it up and made it a more relaxed atmosphere and changed the vibe. Yeah, they’ve been a lot of fun.

Gareth: I wanted to say why I continued to go back to F3, and I guess that leads on to me becoming part of the committee and chairman, if I may. It was when I was studying, the only online resources I had to learn more about digital forensics were either from the NIST archives – we’ve had them come over and go over all the stuff they’ve done over the years and all the amazing research – or it was Forensic Focus.

It was your website. It was the only place I knew where to go and get articles, read about experts and what they were doing, and go in the forums and see what people were talking about. When I found F3, it was a case of creating a Rolodex of contacts for me from speakers and things like that.

Gareth: I’ve got an example. I remember having a difficult case with GPS, and at one conference, Professor David Last was talking about GPS reflection and issues about decoding it from inner cities. I looked up David online. I think I found his email because he was at a university still at the time.

I sent him an email and said, “Hi, it’s Gareth. I’m working on a case. I wonder if you could help me, please. I’ve got a question. I’ve seen you at F3.” “Yes, no problem at all. Please, what is your question?” So I asked him if he could look at something, and within half an hour he’d solved my problem.

Do you know why? He was one of the people who wrote the standard for the GPS coordinates I was trying to reverse-engineer. It’s stuff like that. I remember doing a pattern-of-life case before, and I reached out to Sarah Edwards, who’s the author of the Apollo Tool. I said, “Hi, I’m Gareth. I’ve seen you at F3 before. This is your tool. I’m trying to use it. Could I ask you these questions?”

“No problem at all, very happy to help,” and really helped me do my job. Then Sarah became a speaker for us during COVID and went over Apollo and some of her other tools, all the great stuff that’s out there.

I mean, over the years – I’m just looking now at my notes from last night – Cellebrite, NIST, AccessData, MSAB, Nuix, BlackBag, Spider, ControlF, Magnet, Berla, VSPL, HMRC, all the regional organized crime units, South Wales, DSL, Home Office, HP, Interpol, Amazon.

We get some phenomenal companies and speakers, and they tend to end up exhibiting as well. You can go and speak to the vendors about what they’re developing, where their R&D is going. You can share what is causing you pain at the moment and what they can do to help you. They’re able to demonstrate their tools and new technologies. It’s about information sharing, helping each other.

You meet new vendors every year that you go, “Oh, that’s interesting. I didn’t know you could do that.” And it gives you new opportunities. That’s why I kept going back to F3. It was my easy way, I guess, of connecting with the community, engaging, meeting like-minded people, connecting with people.

I thought, “I’ve got a vehicle person now, I’ve got an Android person now, I’ve got this, I’ve got that.” I had a network to reach out and speak to people I’d had face time with. Then I developed relationships with the vendors as well, and that led to me teaching various tools at universities I worked at – like Cellebrite tools, the Magnet tools, the Nuix tools, and others.

That was great for my students. It was great for me. They were learning industry-relevant software to go and get jobs with. So that was good. Yeah, I stayed on. I started to do more and more on the committee. I was the guy doing the AV. I was the guy wrestling speakers.

Si: Oh, that’s a hiding for yourself, doing AV.

Gareth: That’s it. It was tough. I was running back and forth every speech because everybody wanted a different platform with a different connector or this and that. I had guys at the back. I was running cups of tea to keep sweet, lighting, staging. It was just running around doing stuff. We all do as a committee.

We run around, we solve whatever problems are out there. We help do everything from set tables out to tape cables down, to do stage, to do this, to do that, to find speakers. But we love it, and it’s because of what it leads to – those community events and everybody’s progressing.

Then I did it for so long. Danny Faithe, who was chairman at the time, said he was going to be stepping down because he was concentrating on some other things. Would I think about taking on the chairmanship? I eventually said yes. Why not? I’ll give it a go. I’ve got some ideas for innovation.

The committee voted me in along with the members, and I’ve been chair now for – I think this’ll be my eighth event. And it’s been a lot of fun.

Desi: Oh, that’s amazing. That really is amazing. Speaking of the event itself specifically, this year is coming up but is still far enough away, hopefully by the time this podcast goes out, that you can join F3 and get a ticket.

Gareth: Yes, precisely. Part of the strategy for the future is outreach. Because at the moment we’re contacting our existing members and inviting them back. I believe there are many platforms and tools that we could use to advertise that we are here and ready to accept new members and expand. This is what we have to offer.

At the moment we’re trying to promote that. We’re eight weeks out from the event. So eight weeks today, it’ll be our second day. It’ll be coming up to lunchtime. We probably would’ve had three talks in the morning. There’s still plenty of time to book on.

Danny Faithe is now treasurer. Please flood his inbox with as many requests for tickets as possible – he’ll really enjoy that. But I can pass on the information and the links to the booking forms and the information where you can attach it maybe to this podcast, if that’s acceptable.

Si: Yeah, absolutely.

Desi: Links to everything including Bénédictine and some of the tools we’ve talked about in passing. And the F3 organization and the conference will all be attached in the show notes under this.

Gareth: Oh wonderful, thank you very much. But yeah, there’s still plenty of time as I said – eight weeks out. We’re happy to accept anybody that is on the tools, on the keyboard, at the soldering station. As long as you’re doing digital forensics, you’re welcome.

Desi: No, that’s really cool. And again, this is in the UK. Where’s the venue this year? It’s Warwickshire somewhere, isn’t it?

Gareth: Yeah, it’s Chesford Grange Hotel in Warwick this year. We tend to go to venues we know, venues we like around the UK and that are trying to be as central for people as possible. So yeah, we’re up in Warwick. The dates are November the 18th, 19th, and 20th of this year. So eight weeks – November 18, 19, and 20th.

Desi: I was just looking up where Warwick is because I had no idea. It’s near Birmingham.

Si: Slap bang in the middle, anyone? Yeah. It’s not near London, so I’d probably say don’t fly into there.

Desi: Okay.

Si: Bear in mind this is England. Okay? So Desi is looking at a map that he’s equating to the size of Australia.

Desi: Yeah, that’s true.

Si: Warwick not being near London is a 45-minute train journey, I think.

Desi: Let’s have a look.

Si: Yeah, it is. Because I’ve gone from Westminster to – ah, it’s a two-hour drive.

Desi: About an hour.

Si: Yeah, so you know, that’s nothing.

Gareth: The fact is it’s very approachable. We get a lot of people from London come to the event. We used to be based in Gloucestershire for many years. We’ve done it in Birmingham. That was in 2019. That was good. We plan to go back there, but COVID happened. So we are going around looking for the best sites as we expand.

Warwickshire is technically what we call the Midlands. More or less, it’s probably, I’m going to say it’s about an hour from Oxford.

Si: Desi, we were pretty close when we went to Bletchley Park.

Desi: Yeah.

Si: It’s not terribly far from Warwick in that direction. I forget how small the UK is.

Gareth: We fit inside Texas five times, I believe, which is mind-blowing to me.

Si: Yeah. But there we go. Even London to Liverpool is not that far of a drive. It’s only five hours.

Desi: Yeah.

Si: Yeah. When I first moved to where I live now, we moved down from Edinburgh. For the first couple of weeks we didn’t have somewhere to live in Oxfordshire. I was staying in a hotel, but I commuted home every weekend. It’s only about six hours between Oxford and Edinburgh.

Close to the speed limit, I’ll say at this point in time. But when you’re doing it late at night, the roads are empty. It’s a clear run. It doesn’t take long.

Gareth: I have a question for you, Desi. Not to go completely off message, but keep going off message. I still do some work in Perth over in Western Australia. I did read that you had – I don’t think you still have it – but you had an adjunct lecturer position there.

Desi: Yeah. Edith Cowan University. Yeah. Still work with Craig Valli and research and conferences and teaching. I’ve taught in more countries than I care to admit or remember. But it’s been great fun doing digital forensics teaching around the world.

We’re quite blessed at how mature our teaching programs are in the UK and in the States. It’s very different in some other parts of the world. Yeah. If I was based in Perth, then what’s the drive time between me and you?

Gareth: Oh, like three days.

Desi: There we go.

Gareth: Yeah, I thought it’d be something crazy.

Desi: I’ve done a drive between Adelaide and Perth. Adelaide, for anyone – Adelaide’s like in the middle of Australia down the bottom, which is like the closest capital city you can be land-wise to Perth, which is two capital cities. And I think that took me two and a half days to drive from Adelaide.

And that was with stops. So like, it’s three days full drive from my side of the country because I’m up in Brisbane now.

Si: Nice. The longest drive I heard is my friend Scott. I used to live in California. He drove from California back to where he lived in New York, and he lived on Long Island. Took him about five days.

Desi: I’ve done that drive before, but over 20 days.

Si: Yeah, yeah.

Gareth: We’re lucky in the UK that you’ve got everything nicely centered and yeah, everything’s quite accessible.

Desi: Yeah. Going back on topic now, I do want to ask you if you can share anything. We talked a little bit about you’ve got the discussion going about whether the conference may be hybrid or not and you’re going to ask the community members. Do you have anything else in the pipeline that you care to share that is coming in the future for F3?

Gareth: Yeah, we try and run three events every year. We have one big annual workshop, which is the three-day event, but we like to do individual days as well for training. We like to do something in the first quarter of the year and then the last.

We typically have two one-day events as well in addition to the three-day event. That one-day event – recently for an example this year, we had Rob Otto from Spider Forensics come over. Spider Forensics are a training company. They’re a fantastic training company. I’ve known Rob for over a decade. He’s been head of training for every tool vendor you can imagine.

Now he’s doing his own thing, vendor-neutral, and covers some fantastic stuff. He came over and taught his advanced UAV course for the day. I think members paid £30 to attend the event for a day’s training that included teas, coffees, and lunch. Not a bad deal. They had Rob’s expertise for a day.

Then we’ve done other days where we’ve had other companies like CCL or ControlF come and do training days. We’ve had vendor days as well. Looking forward to next year, we’re looking at running – we’re looking at running some biomedical forensic stuff.

Si: Oh, nice.

Gareth: There’s some new research being done around implants, medical devices, and research in that area. We might run some discovery days on looking at software-defined radios and connectivity and exploring that as a topic. There’ll be days where we do reverse-engineer and support applications on mobile devices, both iOS and Android.

Why not do a smartwatch forensics day as well? Because a lot more inquiries are coming in – I see across the nation – for devices that haven’t been paired to a smartphone. So you’re dealing with the smartwatch directly, and that’s a challenge. The accuracy of that data and the reliability of that data is also challenging. So research in that direction. We’ll run something on vehicle forensics and the cutting edge of that.

It’s just things like that that the community want. Last year at the conference, there was a heavy focus on the feedback for: let’s have more audio/video stuff for those types of departments. We spoke to Amped – Amped do some fantastic video forensic software. They’re doing one talk, maybe two talks this year.

The first talk that they have committed to is: right, digital evidence, video evidence is taking off with the advent of all the Ring door cameras, the dash cams, and all that new sort of IoT stuff capturing video. How do you process it effectively? How do you recover it forensically? How do you interpret and analyze it?

Of course, you’ve got deepfake technology now and AI altering things. So how do you authenticate material and content? How do you put it into the criminal justice system? How do you present it in court? We focused on that from the feedback from last year, and we’ve got Amped that are going to do some brilliant stuff for that at this conference. Then we’ll just go back to the community.

Si: Who’s coming over from Amped to do the talks? Because we’ve spoken to most of them on the podcast at some point in the past.

Gareth: I believe from memory it’s Emi.

Si: Oh, Emi. Okay. Emi’s great.

Gareth: Yeah. He seems fantastic. He’s got some talks on deepfakes and the research they’ve gone into looking at manipulated video. We’re trying to squeeze it in, but we have so many speakers and talks this year. It’s always difficult to choose.

Si: I think Emi is one of those people we got into trouble for saying something that he didn’t have the authority from marketing to say, if I remember correctly.

Gareth: That is the problem with these chats that we have because they’re so informal. You can see I’m trying to choose my words very clearly, considerately, and not get myself into trouble, but talk to you because this is a Forensic Focus podcast. It’s about forensics, it’s about bits and bytes. It’s about casework.

We know we’re working for law enforcement and we’re looking at getting evidence. You’ve got to be careful, but you’ve got to have some sort of conversation as well.

Si: Yeah. Yeah. And it’s really – I’m going to say the difficulty of finding good technical material that isn’t a vendor presentation of their software is a challenge. Yeah. And you and I talked about this last time we spoke off the record – not off the record, in just the friendly chat – which was: apart from DFRWS, the academic forensics workshops, which is fantastic, by the way.

The sort of new – bringing new techniques and new concepts to the table – getting hold of that information is quite challenging in the market. It is, yeah. In the conference space, it’s easy to turn up and hear a vendor talk about their project, their product, which is great. Occasionally they bring out new features which are interesting.

But to get to a byte-level description, because all of the vendors want to maintain their commercial advantage, so them not sitting there going, “Oh yeah, this is how we did it” – because they don’t want this. That’s the secret sauce.

Gareth: Yeah, exactly. Yeah, exactly.

Si: So I think this is where F3 and DFRWS both have this. And the Geosystems conference – you talked to me about this and sent me a link as well.

Gareth: Yeah, that was a new one on me and that looks good. I’m going to go to that next year. Yeah.

Si: To give DFRWS – it is Digital Forensic Research Workshops, but it’s now changed to conference, but DFRWS remains. Yeah. I looked up their conference this year. Some great, phenomenal talks. They do a great job of putting stuff together. It’s heavily focused on research, which used to be my bread and butter in academia doing forensics. It is again now.

I’m looking to go next year. It is a different type of conference. I still think it’s very worthwhile for digital forensic practitioners to go and learn from. It can be some challenging topics. It’s: have a look at the agenda and see what works for you. But I would promote it. I am an advocate of it. It is a great conference as well.

I believe it’s being held in Sweden next year. Is that going?

Gareth: That’s it. Sorry.

Si: No, that’s it. I’m getting that one busy.

Gareth: No, no, mine. I will be going next year. It’s all about working together. I’m not here to say F3 is the only conference and the best conference in the world, but I think it’s phenomenal at what we do. I would like to work with DFRWS and other conferences, working together, sharing speakers, information, opportunities. I think that integrated approach is the way forward.

I know of other academic conferences we could name over in the States and things. There are lots of opportunities. But as you say, going back to F3, it’s all about: right, you are a practitioner that does digital forensics in the lab four or five days a week. That could be: you’re the chip-off person, you’re the IoT person, you’re the vehicle person, you’re the mobile extraction person.

You’re the Windows person, you’re the Mac person. You’re across all sort of disciplines, devices, and platforms. F3 is designed to give each one of those people, when they go and attend a conference, something to take back into the lab and use to help them do their job, their work.

Whether that’s a contact to speak to an expert to get support, or they’ve learned about new tools and methodologies that they can use to be more efficient or to do things they couldn’t do before. So, example: we’ve got MSAB coming to talk this year and they’re giving us an update on the RAM acquisition from Android devices and how that’s new and interesting.

I know the speaker very well. He’s excellent and he’s not coming to sell product. He’s coming to show: this is how we go about it, this is the opportunity, this is what we get. He’ll be showing some open-source techniques because that’s how it starts, isn’t it, in the real world? He’ll be sharing methodologies and tools.

Then that speaker will go back outside to their exhibit stand and they’ll support the community by offering the services and selling their products into labs. I think that’s why we have such a great relationship with vendors. They can come, they can run sessions, they can give hands-on training on their tools.

They are able to connect with the community in an organic sort of way, with a giving back and sharing that creates a great relationship. Then they’re also outside as well if you want to go and update your products, buy new products, learn about new things coming out in the pipeline. It’s quite a nice ecosystem, I believe. It’s all based on good relationships. That’s what made everything interesting at the start for me.

Si: Yeah. Yeah. I think – again, we talk about it and it’s our bread and butter as Forensic Focus – that community is very much the lifeblood of what we do. The field has evolved in a fascinating way because in the beginning you couldn’t find anything out. It was all secretive. It was: you couldn’t find anything.

Now we’ve switched to the opposite end of the spectrum where there’s too much to know. Knowing what is relevant and precisely pertinent at the right point in time is now the new challenge. Half of that is knowing who to ask at the right point in time. Therefore, the idea of community and building these networks that we each have built up over time.

So that even – you phone one person and you go, “I’ve got this problem,” and they go, “You need to speak to…”

Gareth: Exactly.

Si: Yeah. It’s a wonderful place to be. This is a Si’s sheet problem, or a Gareth’s sheet problem, or a Desi’s sheet problem. You get a referral there and you’re only one or two hops from the expert in America or Australia or the UK.

Gareth: Just like myself and that GPS-type problem. That’s nice. I think that’s super important. And as you say, Forensic Focus – I still go to it at least once a week to have a look at what’s going on in the forums. I get the podcast. I listen to other podcasts. That’s a great way to get the information.

We’re lucky now that we have some email lists and we have some servers and things to go to where almost in real time you can get responses in the next 10, 15 minutes from somebody. Yeah, and it’s useful. So that is good. But not everybody knows about those opportunities and that’s something that came across last year at F3 to me.

I was talking to some of our newest members and there were a lot of new members, I’m pleased to see. They’d come from education backgrounds. They’d finished their degrees. They graduated into the job. They’d been doing the job 12 months. This was their first sort of conference. I was introducing James Lyle and Douglas White from NIST.

Now, I grew up reading their reports for my coursework and things. They’re like the godfathers over there, if I can use that term. They were doing tool testing 20 years ago, maybe more, before we ever had the problem of tool testing and accuracy of results. Publishing good documents on it. They were the forward thinkers in terms of digital forensic research.

Most of the crowd didn’t know who these two celebrities to me were. And that’s fine. It’s different time periods and things. But again, do you know NIST? Do you know how much research they do? Do you know what they have available to offer? A lot of people didn’t know that. So we were pushing that and the NIST speakers last year.

Then I was saying to people, what else do you know? Do you know Forensic Focus? Yes, no. You need to go to Forensic Focus and you need to engage with the community there. You need to see what they have to offer. Part of this job is keeping up with the technology, which is massively difficult because a few hundred devices come out every year.

They change platform on the upgrade. And, oh, we’ve just gone from iOS 18 – or should be 18. We’re now on iOS 26. What does that mean? What’s that going to change to some of the databases that we like to look at? Windows 11, macOS Tahoe. Now it’s just a challenge. So knowing your resources is key.

Forensic Wiki wasn’t well-known. Some of the original data carvers like Scalpel and Gary Kessler’s website for all the file headers. What we’re trying to do this year in the F3 brochure is go: right, this is a resource page. You need to go to these resources and you need to be aware of them. You need to engage with them because this is where the information is and this is how you get access to the experts.

That’s something that I’m doing for innovation this year: having that resource pool put down in black and white on paper in the brochure to advertise things like Forensic Focus and NIST and all the things I’ve mentioned.

Desi: Yeah, it’s definitely a – like, I still talk to new people when they’re getting in, they want to get into digital forensics, or even if they’re doing a cyber journey and digital forensics is one of their interests. It’s always: yeah, what should I go to and who, or what should I go read and try and get an understanding of?

And it’s always – here in Australia we’ve got a lot less choice, I think, in terms of – we do have the DFRWS over here in Australia. Yeah. It’s run usually down in South Australia. And there’s a few other conferences, but then they’re either really research-heavy or they’re vendor-heavy and it’s just tool presentations.

Si: Trying to find the balance.

Desi: Yeah. Yeah.

Gareth: I guess I was in education for 12 years, maybe more. I was teaching pure digital forensics, bachelor’s, master’s level, running lots of research projects, tens, hundreds a year across bachelor’s and master’s programs, all for the benefit of law enforcement and all my own research, my own casework, presenting my research.

I like to think that I gave students value for money. We were an NCSC-accredited university for digital forensics. I think that’s something the students out here that maybe listen to this podcast might like to look into in their future choices and looking at where the experts are in universities teaching.

We’ve mentioned Sarah Morris, we’ve mentioned UWE. These are NCSC-accredited universities. So is Cardiff, so is Swansea, so is USW. They’re just some names to mention. There are more. The NCSC website lists all the academic centers of excellence for education and research. I think it’s pushing that. I think that just helps the community learn effectively.

Si: Anything else you want to cover off on? We’re coming up to the top of the hour here.

Desi: Yeah, I think we’ve covered off everything that we set out to.

Si: Oh, you wanted to ask me what I do to get away from digital forensics and the keyboard.

Desi: Oh yeah. It’s probably a nice outro. What else do you do, Gareth, apart from all this technical stuff? When do you find time to do anything apart from this?

Gareth: I find time to enjoy family. What I really like to do: I like to drive, I like cars, which helps me with doing vehicle forensics because it almost feels like I’m playing with my hobby. Digital forensics to me is a hobby. I love it and I’m passionate about it. So I love doing it. Don’t tell my work, but it doesn’t feel like work to me.

But to get away from the keyboard, I drive, I travel, and I like hiking. I like being outside. All those things do not let me work in a lab and I leave my work laptop at home. Aside from that, I enjoy old eighties, nineties movies as well.

Si: Showing your age, I think.

Desi: I never – you’re showing your age, but I do wish you wouldn’t refer to them as old. Just say: I like eighties and nineties movies.

Si: Iconic movies from the eighties, nineties.

Desi: Yes. Yes. We are not old. We’re not showing our age.

Si: It’s just –

Gareth: If I sit here –

Desi: As I sit here, I’ve mentioned that I can see a DeLorean above my head from Back to the Future Lego that I need to build. Ah, and then I’ll be getting the Home Alone house this year to build for Christmas. So being into collecting Lego and building Lego ever since I saw one of our speakers with a massive Lego collection behind them.

Which was one of the guys from X-Ways when he was giving a talk on RAID forensics during COVID, and I was quite jealous. So I started collecting and doing Lego. Now it’s another puzzle.

Si: Yeah. No, I was going to say – the house is not devoid of Lego here either. We’ve got the Lord of the Rings sets of material. We have the Barad-dûr.

Gareth: So yeah, shout out to Lego.

Desi: If you want to send us any free Lego, I’m sure we’ll accept.

Si: You can probably…

Gareth: F3 and Forensic Focus.

Desi: Yeah. Sponsored by Lego.

Si: You can see here, why not? Where the pen’s pointing – I’ve got there, and then just here. These are Lego flowers.

Desi: Oh yes.

Si: Yeah. Yeah. They’re gorgeous.

Desi: Yeah. I think everyone’s got some form of Lego in their house these days. It’s just, it’s all engineering and problem-solving and puzzles. Yeah, I love it.

Si: Yeah. Thanks so much for joining us, Gareth, and sharing your insights.

Gareth: Thank you so much for having me. Yeah, it’s been an honor and a pleasure. What an opportunity. Appreciate you all very much. Thank you very much.

Desi: Yeah. And F3 sounds super exciting. When you were talking about your day conferences and you mentioned how much they were, I did the conversion – it’s about $60 Australian, which is cheaper than anything you can get in Australia for a conference.

Gareth: Yeah, we’re literally not-for-profit. We just cover costs. None of the committee get paid for doing any of the work. It’s all voluntary. We do it all in evenings and weekends and volunteer time off work.

Si: And just to add to that, the annual membership – assuming the website is up to date, which may or may not be true – is £90.

Gareth: It’s a little bit more than that, but not much this year.

Si: Yeah. And that is literally just to give us a base to work from for booking space, events, accommodation, paying for meals. It’s literally to cover the baseline and get as many people together and as much cool stuff going on as possible.

Desi: Yeah. Yeah. I’m interested in terms of talking to the people that want the Australian chapter. I would be very interested in helping you guys set that up because it sounds like an awesome conference.

Gareth: Still trying to innovate our UK chapter and expand, but seriously, I can link you in with a lady there that would probably be happy to talk to you. We’d be happy to have you over in the UK helping us out with our conference as well.

We’re actively looking for some new committee members at the moment. We talked about Lindy Shepherd, the secretary and how wonderful she was earlier. Lindy has stepped down recently. So we have a couple of openings for committee. I’m talking to some people, but if anybody listening to this podcast wants to get involved in F3, become a committee member and help us run these types of events, please get in touch by the website or my contact details when I provide them to Si.

Desi: Nice.

Thanks again. Thanks everyone for tuning in and listening. Thank you. Hopefully you’ve got plenty of time to still sign up, get your tickets for the F3 conference and get across if you can make it. All the links will be in the show notes. We’ve been taking – Si and I have been filling up our Discord server with them. So those will all be there.

Glad that you could join us this week and we’ll see you all in the next one.

Gareth: Thank you very much.
