MSAB’s James Eichbaum Takes Us Behind the Scenes of Digital Forensic Tool Training

Christa Miller: Just as digital forensics constantly adapts and evolves, so must the training that goes with it. This week, Christa and Si with the Forensic Focus Podcast welcome James Eichbaum, Global Training Manager at MSAB. Welcome, James.

James: Ah, nice to be here.

Christa: It’s been I think two years since we last spoke with you and that was a written interview rather than a podcast. So what’s new?

James: Oh my, yeah. COVID, that’s what was new. So it’s been a while. But yeah, that’s kind of changed a lot in training anyway and how we do some deliveries, I think we’ll talk about that. But yeah, but now we’re finally back at it getting into the classroom, which is good. It’s a lot of fun for my staff. I mean, they’ve been itching to get back out there and get on airplanes and hotels, so…




Christa: I’m sure. Yeah. Cause the feedback from the audience just isn’t the same virtually, is it?

James: No, it’s not. I mean, we do get good feedback nevertheless, but nothing beats being in the classroom and having hands on.

Christa: Yeah. How about what’s the same with MSAB training?

James: Well, the same with our training, we still have our certification courses and we are doing some changes that are coming down the line, soon hopefully. We’re working on some changes to our course material to make it even better.

But yeah, the training’s constantly evolving. It’s not staying the same, you know, even as we do our courses, we always have, like, the foundations built into them of forensics in general, best practices. And we try to keep, you know, up to date with that and make sure our students are doing the best they can and doing the right things, not only just using our tools, but in the practice of digital forensics doing it properly.

So I mean, that changes, you know, as we go through time, and our tools, you know, our tools are constantly evolving. So that’s been changing too, adding new features and keeping our material up to date. That’s a constant task that our guys have to work with. So a lot of work, a lot of things happening with the training department.

Christa: I think you’re getting a little bit into my next question here and I’m hoping you’ll go into a little more detail. So you’ve been at this a really, really long time and the market has matured in many ways. What are the main technical or procedural challenges that you’re seeing customers bring to classes that I think it sounds like are factoring into the changes that you’re talking about with training?

James: Yeah, well, I think it’s, I mean, one of the big questions in training all the time is can you get into this device? Can you get into that phone? And that’s one of the big challenges that we see our customers facing and they bring those questions to the classroom.

And it’s not just the devices, it’s the apps that they’re seeing on the phones, as well. You know, some apps, you know, they’re popular for a while, then one’s going to pop up out of nowhere and take over and be the next thing.

So it’s all about, you know, we have the training, but we also have this R&D that just has to keep happening behind the scenes, reverse engineering and figuring out ways to get into these devices that are locked.

That’s the big challenge: devices that are encrypted. Big challenge. And then the same thing with the apps. So yeah, that’s one of the things we have to tackle, challenges and what we’re working on and our R&D guys are doing a great job.

The other thing too is our customers. You know, they are in demand of being able to do their job faster and more efficiently all the time. You know, as we see throughout the years, you know, things have just gotten bigger; devices, storage, time that it takes to extract data, laws change over the years, case law comes about, and we have to answer those. You know, how do we answer to what’s happening?

And so we come about with new ways of tackling these challenges with targeted extractions, helping our customers, “Okay, this is what you need. Let’s just get straight to it.” Get that data off the phone and start working with it. That’s faster. They can get the data and narrow the search a bit so they can get to the evidence we’re looking for much faster.

You know, trying to find ways to identify the data. You know, our XAMN tool is pretty powerful. I think it’s the best tool on the market, but, you know, we have these powerful filtering capabilities built in there to help people narrow down the data to get to what they’re looking for quicker. We have the content recognition engine, it’s amazing, to help them find data.

So we’re always innovating to try to find new ways to help our customer. Steganography, that’s a new feature coming out where we’re looking for and identifying media within media. So that’s another cool feature.

And there are always little things too we in the training department don’t even know about sometimes that kind of sneak through and we don’t even see it on the release notes that come out when it’s a surprise and then somebody discovers it and we’re like, “Oh my God, we do that? That’s cool.”

Simon: So sorry, can I jump in? I know you’ve got your questions, but you said you talked about the legislative changes and things like that. And obviously we’re seeing that with privacy laws being implemented in various countries, but you are based in Sweden yourself, MSAB is an American company?

James: It’s a Swedish company.

Si: It’s a Swedish company, as well? So your focus is that around European law, or are you trying to be as global as possible?

James: Exactly. We try to be as global as possible. I mean, we have, you know, a huge presence in Europe, yes. We have a huge presence in North America and other countries around the world.

And, you know, we just get feedback from customers. The larger they shout the easier it is for us to react. You know, the squeaky wheel’s the one that always gets the grease.

So if we hear something that’s happening, “Oh, you guys have to have this in the product, it’s necessary”, definitely we’re going to be trying to implement that for them because we want them doing the best job they can and get that evidence presented in court without issue.

Whether it’s, you know, we’re only allowed to look at a certain timeframe. Okay, then we want to be able to target that timeframe for the extraction. We only can look at this particular data. Okay, we want to be able to target that data for you and you don’t have to worry about it.

And then we have all kinds of other features built into the tool to help us get customers, get the data and only the data that they’re allowed to see, or at least filter down the data where then they can pass it off to somebody else for them to take a look at.

Christa: So I guess that was…

Si: It’s all right. (This goes to a comment I made earlier about getting three recording streams.) So yeah, no, we’ve had some interesting conversations with guys in forensics talking about a very targeted collection of data.

And that seems definitely to be the way that things are going. You know, with regards to that, one of my concerns is, I do a lot of defense work, one of my concerns is that we’re potentially missing out on collecting valuable data that could be of an exculpatory nature.

How do we sort of address that with your product, with training to, to make sure that we are not being too blinkered in our approach when we are doing our collections?

James: I mean, absolutely. Yeah, that’s one of the things we do teach in training and training’s essential. They have to go to training so they can understand this, that there is that exculpatory evidence that, you know, you should also be looking to potentially find.

You know, because you don’t want to ignore it and then have the defense find it and then show how biased you were in your analysis, because we’re just supposed to be fact finders. So yeah, we can narrow this down and you’re supposed to take it from a specific timeframe.

But there, you know, obviously, who can change the timestamp or their phone’s date/time settings, of course, and then get around that, and then you potentially miss that because they’ve purposely tried to keep evidence from, you know, or try to hide it or try to hide their tracks.

So yeah, we have that option. We can broaden that and then display that or you can use our time filter and exclude that. So yeah, those are options and those are always I say, things that you could trip over in your investigation.

But people, you know, going through doing this job in this field have to be aware that that is a possibility; you can’t just take a timestamp as gospel. And so, you know, that’s absolutely correct when now we know things can be altered by suspects who are trying to do nefarious things.

But then we could also take into effect, okay, what could have happened here to make this timestamp outside of our field of what we’re looking for? Could it have been something else? Or like you say, could it be something that is totally innocent in nature and it could show that the defendant actually did not do what we’re saying he did?

But, you know, being able to identify these things, you know, using the tools properly, but also using some investigative knowledge and common sense and then also some experience behind it is going to help them realize or see these things and be able to articulate this, of course, in court.

Or, articulate it when they’re going to the warrant and say, “Okay, I know you may want to be restrictive in this, but in this situation we may need to look outside this area because these things can happen.” and don’t just lock me into, “Oh no, I can only look at this when I know from my own experience that this could happen.” Got to try to fight.

Christa: How do you counsel trainees, though? I mean, like, I’m thinking about the practicalities of this when, I mean, I think a big subject of discussion is backlog. You know, when you’ve got the supervisor or the manager, the commander that doesn’t understand the science that is, you know, wants to see a certain case clearance rate or backlogged court systems.

I mean, it just doesn’t seem like it necessarily, like, I think it’s the landscape or the environment around the examiner that might not lend itself to that kind of meticulousness. So how are you counseling them to kind of deal with those practicalities?

James: Yeah, triaging, trying to get to the data they’re looking for to try to make their examination a little quicker. I mean, we have those things built into the tool to help them with that. They do have to educate their supervisors and their supervisors should get at least some overview training themselves to see what their staff is encountering.

I remember my own bosses back in the day, they had no idea what I did, you know, and it’s like, “Oh, I need this and this and that.” And oh, unfortunately for me, they were able to just sign off and say, “You can buy whatever you want, because I don’t really understand what you do.”

But, you know, things do change. You get some supervisors, you know, of course management, who are not educated in this field, and they need to be. And maybe the examiners need to have them come in and see, you know, how much time this actually takes, how much time an extraction actually takes.

You know, how long does it take to get the data off this phone? Okay, now I’ve got the data off the phone. Now I’ve got to look for the evidence from what I just extracted and that’s going to take some time.

But then seeing that, okay, these tools that I’m using and, you know, why I need to buy certain pieces of software is so that I can get to filtering and get to the data that I’m looking for quicker so I don’t have to spend all this time looking through needless things where I can get those out of view and make my job easier, faster, more efficient, get those cases cleared.

You know, I can just relate back to — I mean, I always say it is funny because, you know, I say now I remember back when and the kids kind of laugh. “Oh yeah.” But it’s the same thing with, I remember way back when in digital forensics, in the beginning, you know, where, you know, it would take a long time to do a hard drive and then they got bigger and bigger and it just took more and more.

And man, those exam times were long and it was the joke that if you sent something off to a task force to do it, it was a black hole. And you’d be lucky if you saw it again in months, you know, three or four months. And we don’t need that. We can’t have that happening.

We need to have these, you know, these cases solved faster. And there’s just, the volume is just too great now to send it off someplace, you know, we have to have, you know, folks doing this job, doing the analysis, a lot more of them.

Not just the, like the old days where I would say that was us propellerheads sitting in a lab. We did the extraction, we did the analysis. We gave the results when we were done with them. That’s not the case these days. We may be the extraction, but somebody else has to be doing the analysis.

It’s just too much for one person to do it all. And we just need whatever help with the tools that we have to make that job easier.

Si: An interesting sort of difference between computer forensics, mobile forensics is the device is very much more alive in mobile forensics than it is in computer forensics, hard-disc-based forensics, anyway. When you are training on this sort of triage-type process, are you training them up on the sort of impact that they’re having on the device in the process of creating these images and looking for stuff?

Because obviously they’re interacting with something in a live way. And that seems to me that we need to very much, it was phrased the other day in fact, by somebody we’re going to talk about the FORMOBILE project in a minute and it was Matthew and I forgot his name, Sorell?

Christa: Yes, Sorell.

Si: We were talking to the other day. And he was saying that, you know, it’s very much that there’s a sort of a layer of dirt that we start to create above a point in a forensic examination of a mobile phone. How are we addressing that in training that, you know, everything before X is good, everything after X is something that we’ve added to it or have altered in some way?

James: Yeah. I mean, we stress the network isolation portion of that. We try to, you know, make sure that the phone can’t be interacted with remotely from the user to preserve data, but we also, you know, teach them, okay, when you have the phone, how do you properly use it?

We want to make as little changes as possible, if any, whether, you know, we’re doing an Android extraction and we’re forced to push an agent onto the device. All right, well, we’ve done something, we’ve pushed something there. Is there a possibility that something could be overwritten? Yeah, it’s possible.

So we have to educate them that it can happen during the extraction process. And as we work with the phone, we have a log that’s generated that keeps track of everything that the tool has done in this case. So we can always go back and say, “Okay, yeah, this was written to the device at this date and time.”

And then the examiner should be able to explain what that’s doing because they went to the training to learn this is why this has to happen in order to get the data from the phone to talk to it.

But yeah, it is stressed during the training courses that yeah, it’s a live device. The clock is always ticking. You do an extraction of a phone one day, you do it the next day, you’re not going to have a hash value that matches between the two like you would have expected in the old-fashioned computer forensic days with the hard discs.

And so you just have to be able to number one; document everything you do, and ensure everything you do is repeatable so that the defense, you know, they can go through the same process and come to the same conclusion. And that if something happens and goes crazy screwy, you know, you just have to document it and be truthful about it.

I always give an example in my classes, if I teach, you know, there’s a really good example of a search warrant that was conducted with my old agency. I wasn’t there. But other detectives were seizing evidence at the time and they decided to look for it themselves and they didn’t have any training in this field.

And the next thing I know, I pull this piece of evidence out of the evidence room. I extract it and I find two deleted videos on there, a video that was taken during the search warrant. And I’m, okay, they realize what they did, they tried to delete it.

And I had to tell them, “Hey, if something happens, you know, this is the device you’re working with, just document it, record it, and we can work with it. Don’t hide it. Don’t try to cover it up because then everything you’ve done is in question.”

Christa: I’m…

Si: I was going to say, we all have a version of that one. I mean, my similar story is that the police officer had managed to pick it up. It was during a harassment case in the UK. And in the process of examining the phone actually managed to dial the person who was being harassed by the owner of the phone which obviously went down like a lead balloon with the court.

So yeah, it’s definitely a real issue that first responders need to be educated. So do you, in your courses, are there various levels that you are providing, so a sort of a first responder one for a shorter, more blunt course before you get to an examiner?

Christa: Well, that and the supervisors as well, because you were talking about that a little bit earlier where it’s really the same problem with supervisors that we were seeing 20, 25 years ago where they didn’t understand what people are doing, so…

James: Yeah. I mean, and we do have, and I know you wanted to talk about frontline, but frontline being those first responders are the ones that are first taking the phone. Whenever — and I don’t know if I’m going to jump ahead or anything about what you want to talk about — but with the Frontline solution that we have; our Kiosk, our Express, our Tablet solutions; we’ve already found that it doesn’t work if even though you think this kiosk is simple enough to use, or you just push the buttons and walk through the extraction and yeah, everything’s going to be great.

Now it’s not the case, you know, if we happened to have a Kiosk drop shipped years ago, and of course the customer opened it up, didn’t know what to do, but when we have a sale of a Kiosk solution or Frontline solution, training goes with it.

And whether it’s, you know, we have logical training, we have physical training with our Frontline solutions. But during that training, not only are they taught how to push the buttons on the screen, advance a workflow that’s accustomed to their organization, but they also get the same basic foundation principles of digital forensics that they would get in a full blown, you know, certification course of using the office product.

So we want everybody to be able to, you know, handle evidence properly, maintain that integrity so that, you know, yeah, we got the data and we want you to be able to go to court and testify to this and not have to worry about it being a question, you know, and potentially thrown out, we don’t want that happening.

So Frontline, anybody that’s using our Kiosk or Frontline solutions, they’re either going through training from us personally, or we’re seeing them go through training from those that have been through the trainer program. And they’ve been certified by us to be trainers and we were comfortable with them delivering our training to their users.

Si: Fantastic.

Christa: So what are some specific training challenges in that, I mean, across all of these, whether it’s train a trainer or the different levels of investigators or examiners at your training, and you had mentioned COVID obviously, I think that’s been the big one for everybody.

But what are some of the other training challenges that your team has run into and how have those challenges changed over time?

James: Well, I do have to, you know, talk about COVID. COVID has changed the way we deliver some things. I mentioned earlier at the beginning that, you know, being in the classroom is the best, because nothing beats being in the classroom.

You know, you could say that the classroom’s not scripted. So the only scripted part about it being in a classroom is just the slides, if we have those, or the workbook. But other than that, you know, when we have a training course, students are handed multiple phones throughout the week.

You know, our trainers carry 70 phones in a Pelican™ case when they go deliver a course. So they get hands on feature phones, Androids, smartphones, off-brand chip sets, you know, just to play within the classroom.

There’s always going to be that situation in the classroom where things are not going to go the way you want them to go. It always happens. And that’s the best learning environment for the student, because they can learn how to troubleshoot better that way, figure out, okay, what happened here and then we have to walk through it.

COVID brought up the situation where we couldn’t get to the classroom. And we had to find another way to deliver our material to the students and get them certified. We had just started working on on-demand training and we figured, okay, we have one course that’s perfect for on-demand training because it’s our software, XAMN, analysis tool where we can use sample files for that and they can go through those sample files, use the ODT and get certified.

But that course had just come out and then COVID hit. So we decided to take our XRY certification course, which is traditionally classroom only, and move that into an ODT scenario.

It took a while to develop, but we had it going around May 2020, so not too long after the lockdowns and such, which was great. And that took off, and that was nice.

We had a magnificent developer in our training staff who put that together, created some simulations. So it made it look and feel like you were using XRY, and you were doing extractions, but you didn’t really have a phone in your hand on the other end of the screen. So that was the major drawback.

Then we found another way to implement training to our customers and that was with live online. So yeah, we had the on-demand situation, but people still like to talk to an instructor.

So then we worked a way around it where we could have Teams, that’s our platform, MSAB, and so we would have a Teams meeting run, our students would join that, and then every student was issued a virtual machine.

And so they would log into their virtual machine and then have Teams up and running and we had all the software licensed on the VM that they could access and sample files, plus the simulations that we created for the ODT. And you had the instructor live interaction.

So last year, especially Q1 last year, that was it. And we did a lot of days of training with live online, and none of our staff traveled. Now, it’s changed. Q1 this year, they asked, “Why do you have so much more spending in your budget this year?” because we’re back on the road and buying tickets and, and hotels.

So now we’re back in the classroom, we don’t have as much live online training, we still have it, we have a class coming up in just a few weeks. But now we’re back in the classroom and that’s the way we want to have it. If we’re going to be using devices, that is the way we want it. Otherwise, ODT is great for the other options.

Other challenges, you know, keeping our courses up to date, I mentioned earlier, things are always changing. Our advanced acquisition course, you know, having to revisit that and keep that relevant in the time that we’re in.

Because when we first started that advanced acquisition course years ago, you know, it started off was JTAG and then we evolved and went into chip off, and chip off, you know, with encryption, you know, that’s starting to not be as relevant, you know, we’re looking at ISP and trying to get work with that.

So we’re always looking at new ways to introduce new ways of doing extractions, new ways of getting to the data into that course. Yeah, so just keeping everything up to date and making sure we’re in the classroom, that’s the biggest challenge.

Christa: Yeah, are you seeing any new audiences come into training? Is it still kind of the same or do you see more like attorneys or corporate investigators or other sorts of walks of professionals?

James: No. I mean, with MSAB our target audience has always been, you know, law enforcement, military, and government. And so we have very little space in the market for corporate.

So, I mean, we did have some big names that are customers of ours, but there’s not many. And so our audience is still mainly law enforcement and military as the big ones. And as far as attorneys go, yeah, it would be DAs, primary target for that. We don’t see private attorneys or public defenders.

Si: Sorry, I’m going to say, I’ve been relatively familiar with XRY, I mean, I’ve never had the license myself, sadly, I can’t afford it. I’m independent and I’m broke. But I have come across evidence provided and it’s always turned up with a beautiful viewer that comes with it and that’s been fantastic and it’s something I think is a great product.

But I’ve only ever seen mobile phones. Do you branch out beyond mobile phones as a company? Cause obviously there’s a huge amount of, well, in iWatch and Android wearable devices, but also, you know, tablets and games, doohickeys and all sorts of other things.

Christa: Drones.

James: The thing with games, I just saw one of our, Martin Westman, you know Martin, I just saw him walking into the office, it was last week or the week before carrying a Nintendo Switch. I’m like, “Hey, what are you doing?”

You know, so yeah. It’s got two things, you know, a little R&D and a little gaming, so yeah. But definitely we do other devices besides phones, you know, mobile devices, so yeah, gaming platforms, tablets for sure, but drones, yes. We had been doing drones and IoT devices are in research and development.

So anything that travels with you, we’re trying to support as best we can. You know, you could do a hard drive with XRY, it’s not recommended. I mean, we’re not going to decode it for you unless it’s, you know, got Android apps and stuff on there. But now our focus is mobile devices, whether it is wearables or it’s iPads or tablets or yeah, gaming devices. Keep an eye out.

Christa: I have a final question. I can’t speak for Si, but I want to jump back. I feel like the conversation, it got to a point where it had multiple branches and we followed one branch and we didn’t follow the other, but I was curious about your role in the FORMOBILE project, as Si mentioned earlier. It wrapped this past spring; training was one of its key deliverables. How did MSAB help shape that deliverable?

James: I mentioned a little while ago that had this fantastic curriculum developer within the mind department. He developed our ODT material from the beginning, it was fantastic. If you want to check it out, I’d love to show you some time. I think it’s amazing.

But he ended up tasked and his full focus was to assist and help with the FORMOBILE project. His name is Phil Cobley, if you know Phil. But he ended up creating the ODT material for FORMOBILE and being a big part of FORMOBILE’s curriculum.

Of course the Norwegian Police College, they’re the ones that were in charge of FORMOBILE, they had that block as their task. And so we were one of the side, you know, factors to help them out.

Of course, my training team helped out during the process, not with just training, but other portions of the development of FORMOBILE, creating a file system manual, one of my team was one of the essential parts of that, which was great.

But yeah, that was our contribution. We also, you know, through our LMS now their ODT was hosted on the same LMS platform we were using, yeah.

Christa: Very cool.

Si: Okay. So I’ll go with my last question. I mean, you said earlier that you’re expanding into some interesting areas, like steganography.

James: Yeah.

Si: And also you said that, you know, sometimes features turn up that you don’t know about, which is pretty cool. What features that you do know about that are coming up excite you? What’s the next release going to bring to us that, or a couple of releases down the line, if it’s truly an R&D, but what’s floating your boat at the moment? What’s lighting the fire that’s going to bring real interest into the next training session where you’re going to be excited to open it up and go, “This is the coolest tool that I’ve seen in a while”?

James: Well, the steganography part is coming. That’s going to be pretty sweet. I have to talk about our report building feature in XAMN now.

I can only go back again, back in my day back a long time ago when we were doing our examinations, I always had Word document open and I was sitting there at the same time. I’m doing my exam, I’m over here in Word typing along what I’m doing.

And I have, you know, everybody has their own format and how things are done at their own agencies. And then if I find something I have to copy and paste it over into Word and make it look pretty, our report building feature now in XAMN it’s fresh, it’s amazing.

And it’s better than things that I’ve used, other computer forensic tools in the past that had its own built-in reporting features that were kind of in my opinion, clunky.

And yeah, but this is a nice drag and drop once you’ve figured out and you can make it mimic what you’re reporting has to look like for your agency as well, or what you’re used to, you can make it look like that.

So that’s an amazing thing. It’s a big time saver. The XAMN tool, the timeline features, the geographic view features that are coming, being updated, those are going to be amazing as well, keep a lookout for those.

The one thing I have to say, when you’re just talking about features you don’t know are there until later and someone else finds it, it’s a little known feature, it didn’t make anything in the release notes, but it’s a dHash. And our developers created it, and it was a great idea.

And, you know, if you’re looking on a device for maybe a particular image and you have the hash value, and you’re trying to find it with a hash set, yeah, you’re going to find that precise image if it’s there, but we all know if I send you something via WhatsApp, or I send you something via Messenger or something else, that image is going to get stripped and it’s going to be altered. So that hash value is not going to match.

But one of these cool features that made it in there that we didn’t know about was dHash where we’d take an image and we create a dHash out of it. I can almost think of it as like, making all the images like black and white, and then doing a little comparison. Hey, what images are black and white kind of match each other?

And so yeah, I have a particular image on my computer that has a hash value that you know about, and I put it on my phone, send it to you on WhatsApp. If I look at the dHash of that image on my computer, and look for that same dHash value on your phone, I’m going to find it, even if it’s just a thumb now and small. That was an amazing thing that came out.

Si: That sounds brilliant. So a proper degraded fingerprint that can match. That sounds fantastic. I’m surprised they didn’t yell work from the rooftops, frankly.

James: Yeah, that was a fun one to find. And I have to give props to our tech sales as they did a presentation and I’m like, what? And okay, we need that in training, because nobody knew about that. So some of, sometimes those are kind of cool things that we find in the product.

Si: Really exciting. Cool, good stuff.

Christa: Well, James, thank you again for joining us on the Forensic Focus Podcast.

James: Absolutely. Thanks for inviting me.

Christa: Absolutely, absolutely. Thanks also to our listeners. You’ll be able to find this recording and transcript, along with more articles, information and forums at www.forensicfocus.com. Stay safe and well.
