MSAB’s Simon Crawley on the Importance of Frontline Forensics

Christa: Time is of the essence when field extractions of mobile devices are needed, but so are forensically sound extractions as strong links along the chain of custody. Today the Forensic Focus podcast welcomes Simon Crawley, a senior consultant with MSAB. I’m your podcast host, Christa Miller. Welcome, Simon.

Simon: Hi, welcome.

Christa: So before coming to MSAB, you worked at the London Metropolitan Police as a digital forensics lead, focusing on Specialist Operations Directorate work. Tell us about how that experience informed your approach to frontline acquisitions.

Simon: Well, at a very early stage, way back in 2010, my work recognized the value of mobile phone extractions and the data mobile phones contained and how useful that data was in informing decision making for investigating crimes.


And we were spread over a geographical area, which meant that when I went to the digital forensics lab, we said, “Well, we need your assistance, but we need you 24/7 (because we run operations 24/7), we need technicians across this geographical area, and we need resilience to do it 24/7/365.”

And they of course looked at me and said, “No, we can’t do that. We don’t have enough people to run our own lab.” So that was when we pitched the idea of saying, “Well, how about frontline users? How about our frontline cops doing extractions? Why not?”

And the original response was, “Oh, but this is technical, this is specialist, this requires years of training.” I said, “Okay, well, I come back to my original point then: you provide me with your experienced and skilled technicians, 24/7/365 over a number of sites across a geographical area.”

“Oh, we can’t do that.” — “So the option is I train (we train) frontline cops to do this. And we understand there are risks involved but that’s the way of getting the data quickly, effectively and efficiently.” And so eventually the idea was approved and that’s what we did. We trained all of our (I think we had at one point over 200 frontline cops) trained to do extractions.

And of course what that meant was we were getting great data for our customers and they were loving it because they were suddenly getting this real wealth of rich, deep data that the extractions were providing.

We deliberately designed it so that there was training for the user. We deliberately trained it so it was forensically sound. So, even though we were intelligence gathering, it could be used in court at a later stage.

But we — it wasn’t without its difficulties at the beginning. But the big step forward for me personally was the introduction by MSAB of their Kiosk system. Because that really tied down the computer system, the operating system, and removed that away from the frontline user.

And that meant that the user didn’t have to think about what they named the file, where they put the file, because those were mistakes that people were making, and the process that the user followed was designed by myself.

And in fact, I taught myself how to write the code in order to make sure that I got the process that I wanted. I worked with MSAB very closely on that, and I wrote the code and I wrote the process that our users, they still follow it to this day.

And that was a massive step forward. Mainly for the confidence of the frontline user. Because they were following a process. They didn’t have to keep stopping and asking, “What do I do now? Where do I go next? What do I call it? Where do I save it?”

That was removed from them and they were then able just to follow the process as laid out on the steps on the screen, connect the phone when they’re told to connect the phone, and follow the steps, end up with a forensically sound extraction at the end of the day.

And other things followed on from that was: a), we started doing more downloads, at that time after the Kiosk had been introduced, because user confidence had improved. Because user confidence had improved we were able to redesign our training to forget about the policy procedure and legal side of stuff, because that’s already in the workflow, so they see that every time.

But what we were able to do was focus more on connecting the phone to the Kiosk, especially with Android phones, because every Android phone is different in the way that it does the same thing. So we were able to focus on training I use on how to do the actual extraction rather than the legality and the proportionality and the processes that was all part of the original training, because that’s all in the workflow.

And of course that then also freed up my time and my small team’s time, because we were no longer having to firefight and problem solve and answer calls. Because user confidence had improved, and at the end of the day, what we were getting was a lot more downloads that were error free for our customers, which has got to be a good thing.

Christa: I’m wondering — it sounds like there’s been a certain evolution of this. Because what I’ve been hearing from a lot of labs over across countries and over time is that the backlog problem is just getting worse. That problem that you described earlier of not having that 24/7/365 availability. How is this continuing to evolve?

I’m thinking as you’re talking of the backdrop of standardisation in the UK, efforts to make sure that everybody’s following the same process. What’s the balance, or how have you been able to achieve the balance between these custom needs of different forces and workflows per operational requirements, and then the quality standards that can withstand scrutiny and increase confidence?

Simon: Yes. The aim of our ecosystem is to have an integrated approach, and so you have the Kiosk, you have the tablet, you have a centralised management system, and the aim is to try and alleviate some of the pressure on the labs.

Because the way that I think, is that if you have an experienced lab technician that you’ve invested a huge amount of time, effort and money training, they’ve developed themselves, they’ve got the experience, and then you go to them, “Well, I’m investigating a drug dealer, could you just get calls, contacts, SMS out of this phone for me please?”

And they’re going to look at you and go, “Thanks, I did five years training to do this.” And as an agency that’s dealing with these you’re gonna say, “Well, is that the best use of that highly experienced, highly trained technician’s time? Is that the best use for our money, our investing?”

So if we can train frontline users to do the vast majority of phone extractions, because it’s the old 80/20 rule: probably 80% of the extractions only really require pictures, calls, contacts, SMS, chat. They don’t require a deep dive, you don’t need file carving, they don’t need to go into deleted SQL databases.

They don’t need any of that sort of thing. So if you can prevent those phones getting to the lab in the first place, and you have a process that the user follows so that the agency knows that that extraction has followed their process, followed their policies, followed the legal requirements, then you can be fairly certain that that extraction is forensically sound.

And you can use that extraction in a court of law. But what it does mean is that you free up your investment in your lab technicians (your highly trained officers) that they then can do the murder, the rape, the terrorism all the really important things that require a lot more time, effort, and energy and money to get that data out.

And so if you free them up to do that, they can use all those great skills they’ve got of recreating deleted databases and getting out that data that was deleted and the user thought they’d foil the police and stop them getting our data. But you know, it’s a computer: once it’s there, it’s there. It’s just a question of getting at it.

So our approach has been (and certainly my approach has been) is to work with our customers when designing a frontline ecosystem. So one of the things that I do, I invest a lot of my time in consulting with the customer about their processes.

Even within the UK (obviously the UK is following all the same laws), but there’s always a slightly different approach to implementing those policies and having those procedures written down. There’s 43+ forces in the UK and they all do something slightly different, which is absolutely fine, that works for them.

And so, I spent time discussing with them what works for them and how would they like that represented on a screen for the user who may not have five years experience, they may only have a basic two day training course? So how are you going to get that across them in the simplest way that they can just read the information on the screen, press button next, make an option about what they’re doing, and that leads them down a slightly different path?

But at the end of the day, they still end up with the same thing: a forensically sound extraction that can be used in court and hasn’t needed to tie up the lab with a basic extraction, really. And there’s nothing basic about it, but you understand that a frontline officer doing calls, content and SMS is slightly less time consuming for a frontline officer than it is for a lab person to go and do.

And that’s really been our whole approach, is we work with the customer to build that. And so every workflow I’ve done has been different from the next one. And that works really quite well because we will work with and sometimes I can advise, and sometimes I learn something new from the customers about how the approach is and why they do things in a certain way.

And I can propagate the good practice when I’m having further discussions with the next agency. If I like something I hear from a police service, I’ll say, “That’s a good idea, actually.” Yes, I’ll move that, and I’ll suggest that to the next people.

And equally, if I’m asked for some really complicated code from one customer, I can then reuse that for the next customer. Say, “Look, we’ve done this for customer A and we think that works really quite well. Would you like that in your code?”

And so we try to propagate good practice. We try to, as a development of the workflow goes on, we try to make sure that the forces get the best as we move forward.

Christa: And you’re — sorry, you’re having to do this within, I imagine, the remit of the Forensic Science Regulator and those efforts to use ISO 17020, I think, for field forensics. How are you able to make sure that the forces are doing what they need to within their own workflow, but still within the sort of broader umbrella of the Regulator’s work?

Simon: Yeah, the regulatory environment in the UK is challenging, and rightly so. It is incumbent on police to act lawfully and proportionally at all times. And do we work with — we ask them what, if they’re following 17025, what is it they’ve written down? What is their process and how can we make sure that that does apply and works for them?

And it is a consultancy. I sit and talk with people and just discuss the options that they have. Say, “If you want to do this, then you have option A, B and C. A will work for you, but it may not fit in quite so nicely into 17025. B works not so well, but it actually fits better with the Information Commissioner’s Office and the limiting of the data.”

And it is a process that I will offer the options available to the customer and sit and discuss them. And we have developed iterations of trying to fit in with the proportionality of data.

Our first iteration we did about five years ago now, so we were quite ahead of the game in terms of what we call dynamic triage, where the user selected the artefacts that were then presented in the final extraction file.

But we’ve recently (working with the ICO’s office) sat with them and tried to make it quite clear that getting artefacts out of a mobile phone isn’t a surgical process. There is bound to be a small amount of collateral intrusion, but we’ll do what we can to limit that collateral intrusion.

And we’ve developed a new extraction profile which is available, which is much more in line with the ICO’s office and their aspiration to only pick out certain bits of data. So we now can select the artefacts to be extracted within a time scale, whether that be 24 hours, one week, one month, or a custom time profile that they set themselves.

And we can also select the apps that you get that data from, and that data’s recorded. What the user selected is recorded in the extraction log. So it shows that they were doing their best within the confines of the software available to them at the time, they were doing their best to limit that data.

And of course, if you’re dealing with pictures and videos, then we already have file selection, so you can be surgical and pick a picture out or a video out.

But it’s more about the app, the messaging, the chat messages, they are very difficult to be surgical about because they’re stored all over the place in phones. And it’s difficult and challenging, but it’s one of the things that MSAB has stepped up to. Just dealing with mobile phones is challenging. The apps change every day, so it’s challenging!

But we have a very good team of developers that have helped us with the extraction profiles and helped us with the workflow code to make it much more adaptable. So I can now do quite a lot to fit in with the customer’s needs and requirements.

And I think it’s a really good product now. I liked it when I started looking at the code back in 2014, 15 (whenever it was). And I think it’s a good — it’s a key component of why MSAB is so successful in frontline forensics in the UK, is because we will work with a customer. We will adapt, we can make changes and we welcome feedback to help make that development more in tune with what customers want. And that’s, I think, really quite important.

Christa: I want to back up a minute. You were talking about the processes that the frontline personnel have, and proportionality in particular. And I’m wondering what the balance is, again with confidence, in terms of making sure that crucial data isn’t being missed. When you’re selecting the apps or looking for the chats, especially if there’s an unsupported app, for instance, how can those frontline personnel be sure that they’re not missing something?

Simon: That’s the “you don’t know what you don’t know” type question, isn’t it! It is about the agency actually recording down their rationale for deciding to limit extractions and their rationale for their investigation, proportional intrusion based on their current investigation, based on what they know about that suspect and recording all of that in some way for the hindsight police to come in 10 years later and say, “You should have known about that.”

It’s a very difficult one for everybody involved. But I do agree that there needs to be some proportionality. We can’t just go taking everybody’s data here, there, willy nilly, like we used to.

But it is about the agency having a process and training their officers about: what is an SMS? Is it a chat? Is it an SMS? Is it an MMS? Because the actual artefact changes its state depending on the operating system and depending on the network coverage and depending on who it’s talking to.

So it’s training those frontline users and giving them enough information for them to make an informed decision based on what they know about the investigation to then be able to apply proportionality to the extraction that they’re conducting.

It’s not easy, and it will never be perfect. But it is about the agencies training their officers, recording stuff down, following their process. If you have a written process and you deviate from it, then you need to record that justification. Otherwise you follow the process.

If the process is wrong, that’s a different question to, is the user wrong? But you’ll never know what you don’t know. So you’ll never know if there’s data.

The other thing is to have a procedure whereby if you believe there’s data on this phone, and you’re not getting it through the frontline method, then either you’ve allowed the user to conduct more intrusive extractions on that Kiosk (because you can do full physicals on that Kiosk, you can do app downgrades on that Kiosk), but you need to ensure that the user is doing full physicals and doing app downgrades know what they’re doing and the organisation is aware of the risk involved in those procedures.

Or you ask them to say, “Well, no, we’ll finish off this extraction, we didn’t get the data we want, we’re going to send it into the lab to ask them for a deeper dive.” That’s always got to be an option. Or you’ve got the option of just taking a screenshot. But I don’t think that that’s the best way forward, but it is an option. You’ve got some sort of data.

Christa: So we’ve talked fairly broadly about some of the major challenges that you’re seeing across customers. In the past four years, as you’ve worked in this consulting role, what are some of the biggest challenges that you’ve found and help customers to overcome? And then how do you see these challenges evolving in the coming years?

Simon: My initial role, I was a global consultant, so I was travelling around the world. And this is — there are three main, but this first one, isn’t so much for the UK. But it’s about resistance to change and labs protecting their environment and saying, “Hold on a minute, you are taking away my job. I’ve trained for five years, I don’t want to lose my job.”

And really, it takes a lot of time to overcome that fear, and that resistance to change, because humans are humans all over the world and they don’t like change and they protect their own. They ring fence their little environment, but I try to show them that actually by allowing change to happen in a controlled way, that they actually increase their importance within an organisation rather than decrease it.

And that’s just time and revisiting and answering questions and showing and demonstrating the value of allowing users to do certain extractions. It’s difficult, but the UK already has that mindset of, we have gone down the frontline forensics path. The UK has embraced it wholeheartedly, and I think the UK is years ahead of everywhere else in the world in terms of this adoption of ecosystem approach. And I think they’re the leaders in the world for mobile phone extractions on the frontline.

But that leads me onto one of the big problems for the UK in particular, as many forces are now doing this approach of having Kiosk tablet in the hands of frontline officers, what do they do with the data? How do they store that data? Where do they store that data? Because there’s a vast amount of data.

Even by limiting extractions, you’re still getting lots of data and how do you get that to the investigators? And so the investigators are investigating (if they’re not the extractors) how do they deal with that data?

And there are many aspirations amongst many forces to move wholesale to a network solution, which is by far the best way of being cost effective in these ecosystems.

But there are many now, and there’s a couple of progressive forces, that are now moving wholesale to our software on Kiosks and tablet in the frontline, they’re centrally managed and that platform is a cloud based platform and all of their data is going to a cloud central storage.

And that is challenging to set up, but once it’s set up and running effectively they will see cost-efficiency benefits from not having to maintain vast repositories of onsite servers for data.

There are still some forces who are burning files using optical disc, which needs to be — but the reason they’re doing it is they don’t have the network infrastructure to actually move it around. Because even with limiting extractions, you’re going to see some lumps of data gigabytes in size.

Christa: The video evidence, I can imagine!

Simon: Absolutely. Yeah. My team had an iPhone extraction that was 360 gigs in size. That’s a logical extraction that was that size. That’s very hard to move across PNN infrastructure.

So that’s the biggest challenge for the UK is networking, having a digital forensics network that’s isolated and separated from the normal PNN network, so that there’s no risk of contamination or malware, having data dumps for that data, allowing user access, so investigators can pop in and, “Oh, I’ve been told that my file’s now ready. I can just log in to a central data dump, there’s my case, open it up and hey presto, I can start doing the filtering and checking and finding out and doing my investigating.”

That I see as one of the biggest challenges for the UK ahead, is upgrading its network infrastructure and overcoming the security challenges of going to cloud, because that is a big factor that’s limiting and holding back UK law enforcement at the moment.

Christa: Are there privacy law implications? I’m not familiar enough with privacy laws to know, but I’m curious about that.

Simon: There may well be, but when you’re dealing with cloud infrastructure, you can obviously set up your cloud storage or your cloud server to be only based within the UK. So no data ever leaves the UK.

And then it’s about securing that data and all cloud offer encryption in transit and encryption at rest. You can have the keys so that only the force who want to manage it can have the keys to it. And they hold the encryption keys to it.

So personally I suggest that actually moving to cloud is cheaper in the long run and actually more secure in the long run, because if you have it on site then you: a) have to keep upgrading those servers, keep on increasing the data storage dump. That costs, that takes time, procurement processes to go through.

Whereas increasing your cloud storage is almost as quick as a mouse click (and it can be that quick). But it’s more that there’s no human interaction. There’s no individuals who can access that and go to it and start reading the data off the server because it’s impossible to find in these massive data storage hubs. You’re not going to know where it is, where it’s stored.

Whereas your onsite requires staff 24/7 to actually go in and there’s, as with every human element involved in a security chain, the human is always the weakest link. So in my opinion, moving to cloud in the long run will be more cost effective and more secure, but there are challenges to get there.

And the other big challenge that I see is a constant change of the topography. Your apps updating, your encryption updating, your operating systems updating, but that’s always been the case and will always be the case.

But equally the regulatory topology of the requirements at the moment we had, then we had 17025, then we had the ICO office about restricting data. Once we’ve done as best we can to overcome those challenges, I’m sure there’ll be further challenges down the line that will come along.

And that’s just policing. Policing has always had challenges and police officers overcome them and work within the regulated framework to do the best they possibly can.

And that’s what MSAB set up to do, is to help the police do that. And that’s where we work awfully hard behind the scenes to do that. And I know that our development team has put a huge amount of effort in making sure that I can offer the customers options and choices within the workflow for their Kiosk or tablet. It’s now pretty good. I quite like it.

Christa: I want to flip a little bit. We’ve been focusing mainly on technical challenges, but as we’re talking about those challenges and the rate of change, I wanna talk a little bit about the less predictable, more chaotic forms of change as the world is continuing to witness historic inflection points along the borders of many countries, people fleeing war, genocide, climate catastrophes etc. How is MSAB currently consulting those customers along the border and within interiors of countries on the balance between national security and human rights?

Simon: It’s a very good question. As you know our vision is to make the world a safer place and work in partnership with our customers. But we do work very, very closely (and we have to work very, very closely) with the Swedish authorities, the EU regulations and the international initiatives around the world to ensure that countries and people we work with don’t overstep the mark.

But equally we do have to work with countries to try to protect their borders from infiltration by terrorists. Terrorists are moving around the world, freely, and we have to work with them to try to prevent that. There are many, many migrations of refugees because of circumstances around the world. In amongst those refugees, maybe people that aren’t entitled to claiming asylum.

And so we have to work with the border authorities in order to help provide them with tools to help them weed out those that are entitled to help and support, and those that are not. So we work with countries that we make sure they have their lawful authorities to do that.

They’re not just targeting anybody they don’t like. We provide them with tools and training. We will, I sit and consult with them and talk to them about, what is it you want to get out of this? And how can this extraction actually help you?

So, we work with third party tools. We will extract the data and we’ll pass them the data, and they do fast time analysis on things such as: where was the phone bought? Where are the user’s contacts? Where are they all from?

So for example, if they say they’re from country A, but all of the contacts are from country B, and the phone is bought in country B, and all the networks are in country B, and all the calls and the country codes are to country B, then there’s a good chance that person isn’t from country A, as they say.

We are not gonna say it’s definite, but we’re gonna say, this is the analysis. This is the tools that we’ve provided you with. We’ve given you this, you make your decision based on what you know and all the other factors that you pull into the case. Such as most people trying to cross borders either lawfully or unlawfully will ditch their ID documents, so it’s very difficult.

But we will provide them with the tools that we can to do fast time extractions. And we’ll work with third party systems to help the deep analysis of that, to help give them the information to make an informed decision.

Christa: At the field level of this question, I wanna go back to something you said earlier about making sure that the frontline personnel are trained properly. Front lines in these kinds of situations are high pressure environments. How do you adapt the training, I guess, to make the kinds of decisions that reflect that delicate balance between security and human rights?

Simon: It’s difficult. It’s about… we will work with the agency involved and say, “Well, you need to train people on this, this and this. If you’ve built your workflow correctly, then the proportionality side, there should be information screen to direct the user about what to do.”

It’s more about ensuring that you connect the phone correctly to make sure you do get the right data, and you don’t end up with an officer that just says, “The phone won’t connect, therefore I can’t do a download.”

And there could be something on that phone that supports that person’s case, because it’s not all about proving that somebody isn’t entitled; it can also be used to prove that that person is entitled.

So it’s a two edged — It’s also about training people to understand the data they see. Once that extraction has taken place and it’s presented to you on a screen, understanding that data. Understanding things like timestamps are malleable, they’re moveable. Understanding when something says it was created just before the extractions start, it doesn’t actually mean that it was created then, because you’ll find that timestamps are all over the place.

And so training officers not to jump to conclusions based on little bits of information, they need to understand what this extraction is in the whole, understand how these bits fit into it, understand that they then move it all together and join it with other information that they have.

And each bit of the jigsaw helps them build up a fuller jigsaw. They may never ever have a complete jigsaw, but the more bits you have, the better it is. But it’s about training is the key, to be honest, and documenting what you’re doing.

And that’s certainly what our Kiosk and tablets do. We can document the steps. We log every single step, so we can rebuild what a user has done throughout when they followed the workflow, we can show what the user has done, because there’s a mutable log that’s kept in the background about what they did what, what data they entered, and what screen they saw and what they did.

And then I guess the extraction and that records what they did for the extraction. And then it’s about showing that they’ve followed and understood the data they’ve been presented with to make a decision that they can then act upon. It’s a very difficult process. It really is.

Christa: Oh, I can imagine!

Simon: Logging, training: they are key.

Christa: Yeah. Well, Simon, thank you again for those insights and joining this on the Forensic Focus podcast.

Simon: No, thank you very much for inviting me. It’s been great.

Christa: Thanks also to our listeners, you’ll be able to find this recording and transcription along with more articles, information and forums at Stay safe and well.
