On-Scene Digital Forensics: Winning Investigations Before The Lab

The following transcript was generated by AI and may contain inaccuracies.

Desi: Welcome all to the Forensic Focus Podcast. You’re joining myself, Desi, and Si, and this week we’ve got Stuart from ADF Solutions, who’s going to walk us through a very interesting topic. Before we get started — we always forget to do this right at the top — if you’re listening on whatever platform, please like and subscribe if you haven’t already. That really helps us out.

You can watch the video on YouTube or on the website, so you’ll get to see our beautiful faces live. If you’d rather not see our beautiful faces, you can listen as a podcast — that’s probably the better way. What I do is just minimise YouTube while I’m working, so you can also not watch our faces while we’re doing that.

You can find us pretty much anywhere — Spotify, Apple, iTunes, on the website, on YouTube. There’s a transcript on the website as well, so if you like reading along, or want to skim through, or use AI to summarise everything we talk about, you can grab that from the website.

Si: Or if you decide you don’t like our voices and would rather have it read out in a different way — also a valid option nowadays. If you’re going down that route, I would suggest using Ryan Gosling as my voice over the top.

Desi: And just sub me in as Rocky.

Si: If you haven’t seen Project Hail Mary yet, do that. It’s a brilliant film. As opposed to Rocky and Bullwinkle? That’s probably more accurate. Or Rocky Balboa. Anyway, welcome, Stuart. Thanks for joining us. It’s fantastic having someone on at a really good time slot for me — it’s only 7:30 PM.

Desi: Welcome to the show. Could you give us a little bit of background about yourself, and how you’ve arrived at where you are with ADF Solutions?

Stuart: Absolutely. I’m ex-law enforcement. I spent 23 years with the Met Police in London. I’ve been in the digital space since the late ’90s, early 2000s. As is usually the way, I ended up here purely by mistake.

I was a close protection officer, would you believe, and I’d returned to New Scotland Yard to book in my firearm — we’re not allowed to wander around with them in the UK. We were going up in the lifts — we call them lifts, everyone else calls them elevators — and the two guys in front of me were from a financial investigation team.

As part of an Al-Qaeda terrorist investigation they were doing, they’d encountered an Apple iMac, first generation. I’m a photographer as well, and I had one — I was the only person in the building that had one. So this was literally on the Wednesday. On the Monday morning I was in Pasadena on a Guidance Software EnCase Basic course.

Si: There’s a follow-up question that’s clearly going to come out of this. If you had a first gen Apple iMac, as I did, what colour was it?

Stuart: I had a grape one.

Si: Ah, same as mine. Purple.

Stuart: The biggest issue I had sitting in the EnCase class was it was all Windows-based. I’d done computers at school. I remember the instructor, [unclear — “Howie”?], was talking about the Master File Table and all of this sort of stuff. It was great, I understood it. I’d stick my hand up and say, “That’s fine. Is that what I’m going to see on a Mac?”

After about the first two or three hours of me asking, “Is that where I find it on a Mac?” the guy sitting next to me — a US Secret Service agent — said, “Look, just shut up. It’s all different on a Mac. You’re in the wrong class. There isn’t a Mac class at the moment, but phone this guy.” He gave me a guy called [unclear — “Derek Donnelly”?]’s telephone number. Derek was at Apple at the time, heading up internal security.

I phoned him that evening, and he sent me a load of Apple-specific forensic tools. That collection of tools went on to become BlackBag Technologies and Blacklight. So I spent another eight or nine years with the police, resigned, joined BlackBag Technologies, and that’s how I moved from a practitioner into the vendor space. I spent some time at BlackBag, they got acquired by Cellebrite, I then moved to Oxygen, and I’ve been here at ADF for about eight or nine months now.

Desi: That’s a fantastic origin story. Just, “I was in an elevator and I happened to own a Mac.”

Stuart: That’s how it all started. Right place, right time — or wrong place, wrong time. Depends on your viewpoint.

Si: In British law enforcement, at a certain point in time, that seemed to be the way to get into the industry. People went, “Okay, everybody put their hands up who’s got a computer. Right, you’re now digital forensics.”

Stuart: That’s exactly as it was, and it was the same for the two guys in the lift — they were both financial investigators. It’s a little bit like you’re all standing in a line, and instead of stepping forward, everyone else steps back, and you see someone paying attention.

This is going back donkey’s years — we were three nerds sitting in a cupboard, and we were lucky if a desktop tower came in once every two weeks. How times have changed.

Si: To be fair, you’re now lucky if a desktop tower comes in once every two weeks. It’s just that everything else is coming in in the interim.

Stuart: Hanker for a desktop. And generally, you’re still nerds in a cupboard — the cupboard’s just got slightly bigger because they’re trying to fit more nerds in there to do the work.

Desi: It’s now four floors. I remember when I started, they shoved us in an old server room. You had to wear a jacket, because they never replaced any of the HVAC, so it was freezing in there. You used to have these towers making it really hot, but then they took them all out and just shoved us all in there, and were like, “All right, go do your thing.”

So I guess we’ve got you on today because we’re going to talk about — the title, which I don’t know, do we have titles for the episode?

Si: We never have. I did actually notice yesterday that for the first time ever we have a title, rather than making up something that Zoe sticks on it at the end. The title is On Scene Digital Forensics: Winning Investigations Before the Lab.

Desi: So we’re going to talk a lot about first responders getting there, probably not so technical people working with stuff. Let’s set the scene — how are you approaching this? Are we talking about officers that have no training, people who have training, a mix of both?

Stuart: It’s a bit of both, to be perfectly honest. From an investigative point of view — and this spans both law enforcement and, to a certain extent, commercial — when you arrive at a scene, your responsibilities have changed so much in the last 15 or 20 years.

When I first went on my first murder scene as a uniformed police officer, decades ago, everything was about preserving the scene from a wet forensic point of view — fingerprints, DNA, all the usual stuff. First responders had a lot of input in that. It was part of our training, part of our ethos. We never went around with a senior crimes officer in the boot of the car. We were there, it was our responsibility.

From a first responder point of view these days, that responsibility has grown enormously, because 99.9% of investigations are going to have a digital element. Messing that digital evidence up is as much of an issue as trampling through a scene with size 10 Doc Martens boots on and trampling through traditional forensic evidence.

The flip side is, demographically — as police officers get younger, and this is me throwing myself under a bus — they understand the technology a lot more. What’s needed, and what we’re trying to provide, is a way to empower those first responders: to give them the ability to safely preserve that evidence, but equally have a way to look at that evidence and make real-time decisions about the contents of those devices.

We talk about this as triage, but it’s that golden hour. It’s walking into the scene of a crime — could be child abduction, could be terrorism, could be murder. How can we quickly, efficiently assess the evidence we’re presented with, and make informed decisions about the actionable intelligence we can get off those devices? Speed is of the essence.

I’m not saying they necessarily need to do a full acquisition of everything. But there are ways we can have a quick look at that device without tampering with the forensic integrity of it, to give them a start to the investigation and give the senior investigating officers a real leg up.

Si: That’s a really interesting thing. We talk about golden hour, that critical start to an investigation. When we’re looking at the potential things a first responder is not going to step on — blood splatter evidence, DNA, fingerprints — the return time on fingerprints must be considerably longer than the return time on digital. I’m not a fingerprint expert, I’ve never done a fingerprint in my life. I’ve probably left some somewhere.

We’re actually in a position where we’re getting a heck of a lot more actionable intelligence a lot quicker through good triage of digital devices than we were from wet forensics, no matter how well we preserved it.

Stuart: Absolutely. There’s so much in the palm of your hand in that device. You could be looking at history from Uber — what were the last six trips they took? Text messages, last 15 photos, internet search history. There are so many directions, and depending on the crime type, that’s going to depend on where it leads investigators.

It might be a desktop machine. Let’s have a look at how many USB devices have been plugged in. How many of those are external storage? Okay, 15 have been plugged in in the last three days. Why have we only got 12? Do we need to look a bit further for more? The possibilities are endless.

It’s about empowering those officers to confidently take that device and extract relevant data. This isn’t a full-blown forensic examination. It’s: what can I safely and securely take off that device which is going to give me a real advantage in the first hour or two of the investigation, so the investigation is set off on its best possible course?

Desi: If we’re thinking in terms of this golden hour, time-critical investigation — what thoughts should investigators have in mind, and what tools should they use to pick something to triage first that can be most valuable? Does that depend on the type of investigation? In my mind, phone is the key asset. What are we triaging off that first?

Stuart: It’s dependent on the situation. When I was with the Counter Terrorism Commander at the Yard in London, we triaged — we just didn’t call it triage, we called it prioritising. If we went through the door and the bloke was sitting there with a laptop on his lap and a phone by his side, those two devices we’d prioritise first. The 15 USB sticks in the drawer in the spare bedroom get pushed back.

From a CT point of view, we used to take everything. Everything used to come in. A lot of that triaging was done right back at the lab, and everything got done. That’s going back a few decades. The amount of data was still quite high, but that was predominantly because we took everything.

Now we’re getting to the point where — do we really want to be taking the wife’s iPad, or the children’s iPads, or the wife’s laptop from work? There’s a lot more thought needed on the collateral intrusion side. We’re not at liberty in the same way now to go in, put the door in, take everything, and analyse everything. That doesn’t happen anymore. It shouldn’t happen anymore.

From an essentially non-digitally-forensic-trained first responder, that’s never going to happen from their point of view. It’s about having the ability to go in and say, “This person’s been arrested. Here’s the iPhone in his pocket. What can I get off that?” Because that’s the other issue — what physically can we recover from that device? How can we use that intelligence to drive the investigation forward?

Desi: Where are we at in terms of ADF’s offering on this front? What is an officer actually taking through the door with them to achieve this triage?

Stuart: It depends on what they find on the other side of the door. From an ADF point of view, we’ve got it on ruggedised tablets and laptops. With those, you get access to both the computer forensic and the mobile forensic side. It’s a plug-and-play solution.

You need that phone unlocked. The whole point of triage is to get it done in the golden hour or the first couple of hours. If the phone’s locked, there are other vendors that will unlock it for you, but that could take three weeks, six months, considerably longer. So from a triage point of view, if that phone’s locked — unless they’re prepared to give up the PIN or biometrics, and that’s clearly the first question you should be asking a first responder, “What’s your PIN?” — we’re looking at an unlocked device.

Then it’s plug and play. They’re walked through accessing the device, getting it onto the screen of the laptop, and there’s a wizard that takes them through analysing it. We’ve got a couple of options. This goes back to the collateral intrusion aspect — we can preview the device before we acquire it.

Rather than do a full acquisition — and it’s an advanced logical acquisition, not a full file system — we can preview. A full logical takes time. My 128 gig iPhone 15 probably takes about 45 minutes. The preview means we’re pulling stuff off real time, but displaying it to the end user immediately. From an investigative point of view, this has real advantages.

We’re looking for the most pertinent types of files — pictures, videos, audio files, recently accessed files. As soon as they’re looked at, they’re displayed. First responders are going in, plugging in, running the preview. After two or three minutes, they’re finding stuff of evidential value. Then they’re able to make an informed decision: “Do I stop this now because I’ve seen enough?”

At which point any forensic integrity issue is halted. The device becomes locked and goes into the lab. Or do I let it run to find a bit more? We’ve got officers that manage sex offenders in the community. If they’re doing a regular weekly visit — plug it in, run preview, two or three minutes. “I’ve seen 15 or 20 images that really shouldn’t be on this device. I’m happy to stop it now because he’s in breach of his court order, his release order.”

Yes, we’ve interfered with the device in terms of plugging it in, and depending on the device, we might put an agent on it — no different from what any of the other vendors are doing. But the officer’s seen enough. The process is stopped. It’s all recorded, all auditable, all in logs. That individual’s been detained, the device goes into a bag, and into the normal forensic workflow.

From a practical point of view, sometimes doing a preview rather than waiting 40 minutes to do a full logical acquisition — and then having to process the data anyway — means it’s a lot easier, more efficient, faster for the officers, and they’re spending less time at scene.

Desi: With preview mode — say it was a drug case, and you knew they were taking photos of their stash, and you were looking for a particular date. Could preview just go and, if you said, “I want to look at photos between X date and X date, grab anything you can find that’s marked as a photo or video and show me,” would it do that?

Stuart: It won’t do it within specific dates. It’s a set methodology, so we can’t change it hugely. It’s going to grab the photo reel first, in chronological order. It’ll then grab whatever’s next on the list.

Desi: So there’s a list of artefacts that it’s pulling in order. What are the top five it’s grabbing first?

Stuart: Photo reel, videos, call log, some of the messaging apps. It varies depending on the device we’ve connected — iOS versus Android, and we can do the same with a computer.

Desi: If you were going into a case and you knew that photos potentially weren’t going to be important, could you omit that so it just skipped it and did the next thing?

Stuart: We can’t with preview mode, but the real power within ADF is the ability to do that. With preview, it’s a set search profile. A search profile is essentially a container which contains a variety of artefact captures. With preview, because it’s that very first quick and dirty, there’s really limited user interaction required — we set those artefacts.

The real power with the tool is the ability of users to build their own versions. The tool comes with a load of search profiles. We’ve built them for child sexual abuse material cases. We’ve built comprehensive ones, and less comprehensive ones built for speed rather than a full examination.

If you do know what you’re looking for, you can be really granular. “I know from intelligence in relation to this investigation that there were three photographs. They were all taken between this date and this date, at this location, and they’re in this format.” We can build a search profile granular enough to say, “Between date A and date B, give me all of the JPEGs with geolocation data associated with them.” It will go in and grab those.

Si: I think it makes sense to restrict the capabilities in the preview version, because the preview version is for triage, for first responders. As soon as you start adding in extra “ooh, configure this, configure that,” that’s where extra training is required, and that’s where mistakes start to creep in. On the one hand, it seems perhaps restrictive, but actually in reality it solves a lot of issues.

Stuart: It’s designed to cover 75 to 80% of all cases. Part of the training explains that — run this first. If you don’t find what you’re looking for, you could be outside that 70 to 80%. You can then run a number of the other search profiles if you want to.

It’s not just about preview, it’s about triaging generally. You’re weighing up time and effectiveness. “Do I want to be on scene for 20 minutes? I’m going to run a really quick one. I’m 90% sure the quick one will bring back what I’m looking for. Oh, it hasn’t. The next level up is going to take me maybe an hour. It’s going to look for different artefacts, in different areas of the device. The smoking gun wasn’t in that first search — so I need to look at the device in a bit more detail.”

If that comes back with a negative result — and this is the really important thing, applicable to first responders as much as seasoned forensics professionals — if you’ve typed in a keyword and the result has come back negative, and you’re looking at your suspect who’s sweating profusely and showing a number of tics, and your spidey senses are tingling: “Maybe I didn’t put the keyword in properly. Maybe it’s case sensitive. Maybe my regex is wrong.”

Everything he’s telling me is I should find something. “I’m going to take it the next stage, look a bit deeper.” That comes back to part of the training: getting people to understand you’re the investigator. This is just a tool in your toolkit. Generally within the industry, we’re going towards that automation, one-button forensics approach, and we’re taking the human investigation element out of it.

At the end of the day, you’re on the scene. You’re likely to be in front of a suspect. Don’t forget you’re an investigator. If the tool isn’t telling you what you think it should be, and your suspect is giving you a number of clues that would suggest you should be seeing something you’re not, move it to the next level.

Desi: Working closely with law enforcement, do you manage to get much feedback on how often these fast triages are working versus switching to a more in-depth mode?

Stuart: Yes. It’s difficult to talk in a huge amount of detail because we work closely with law enforcement. A number of forces have had really significant successes. Certainly in the management of sexual offenders in the community, it’s made a real difference — not only in catching repeat offending, but also discovering contact offending at the time. It pays dividends. It increases efficiency. But more importantly, it’s having a real impact from a victim-centric point of view as well.

Si: Obviously, helping to get through stuff quicker, getting to results faster, is great for the examiner. But is ADF able to do things like CSAM hash matching from CAID, to try and solve that?

Stuart: Yeah, absolutely. UK forces obviously have the Child Abuse Image Database — they add it into ADF. There are multiple millions of hashes in there. Again, it’s trying to give them the confidence to take an intelligence-led approach. Let’s say there’s 8 million hashes in CAID. Do I need to do all 8 million?

One UK force is doing this with spectacular results — can’t name them — where they’ve looked at the CAID database and said, “Of all the files in CAID, how many are JPEGs?” I don’t know the numbers, but let’s say 80% are JPEGs. Of those 80%, how many are over 10 meg in size? Only 20% are over 20 meg.

So if we say we’re going to look for JPEGs under 20 meg in size, how many files does that give us? You’re trying to look at what you know and use that information intelligently. “Of the 8 million files in CAID, X million are JPEGs within a certain size, within certain dimensions. If I just search for those, I cut my search time down dramatically.”

Of the 8 million, 2 million are GIFs, 2 million are all sorts. The vast majority will be JPEGs, under 20 meg, 1280 by 1280 dimension. Let’s just focus on those. What I can then do is cut down my processing time, cut down the amount of stuff — but I know that’s the sweet spot.

One UK force has done this. They’ve reduced their lab submissions by over 40% just by focusing on that. The stuff going through to the lab, they know they’re going to get a hit from. They’ve taken that approach and turned it on its head: “CAID is a fantastic resource. But if I’m going to look for everything in CAID, that’s going to take me hours. I don’t want to be sitting in a suspect’s address for a huge amount of time. So what can I do to make this process as efficient as possible?”

To your point earlier, Si — if there’s a tick box, I’m going to tick it because I can tick it. I don’t necessarily know the implications, but it’s there. As investigators, we all want to be thorough, and I don’t have an issue with that. However, it’s about focusing on efficiency — getting the most out of that device as quickly as possible, which will have the most impact on your investigation. That granularity is one of the biggest advantages we’ve got at ADF.

Si: It’s an interesting side note. In other fields — my wife is a project manager, and they have this wonderful triangle: time, cost, quality. The running joke is pick any two out of three. But the reality is, you need to offset them against each other.

We don’t really think about that when it comes to forensics, especially for the untrained. We all want perfect results, but perfect results take time and resources. If you’re running it on a small tablet and you want it done in 30 minutes, you’re not going to get all the answers. The person who walks in and ticks “find me everything now,” then sits there three hours later still waiting, is not in a good position. Having somebody make those decisions at an earlier stage and set the controls is a smart choice.

Stuart: There’s also a need for confidence, both at the first responder end and at the DFU — digital forensic unit — end. A lot of our customers are doing this: the search profiles that empower first responders are being built by the digital forensics unit. We can turn off the first responder’s ability to mess with them.

The DFU is confident that when the button is pressed to scan the device, they know exactly what it’s going to do and what it’s not. If that produces a positive hit, happy days. If it doesn’t, at least we know what’s happened with that device. We’ve done the legwork for the first responder. All they’ve got to do is press the button and review the results.

I’m an ex-digital forensics officer. The last thing I wanted was a device presented to me in a bag where it was clear the phone had been examined manually, but the officer’s notes were three lines long. I’d open the phone, find the picture that’s the golden smoking gun, and it’s like — clearly you haven’t done a full manual review, because if you’ve done one to find a single picture in a gallery of 160,000 on the iPhone, you’ve done a lot more than what those notes relate to.

It’s important that when that device goes into the evidential chain, there’s a level of integrity. By giving DFUs the ability to build those profiles, that level of integrity is preserved as best as possible.

Desi: This sounds like a really positive loop where you’ve got the DFUs setting these search profiles for the initial triage and locking them down to their forward teams. But then there’s the challenge of training first responders to know the limitations. Using the CSAM example — we’re going to cut it down to just JPEGs to speed up our search time — how is ADF part of this solution to train these first responders, so that if there is suspicion, you either submit it or maybe run another search profile that searches more of the CAID database?

Stuart: Yes is the short answer. From a training point of view, my ethos has always been: I would prefer to spend more time telling you what the tool doesn’t do than what the tool does do. That’s really important.

The whole ethos within the training at ADF is — we’re privileged that you’ve chosen to use our tool to assist in your investigation, and you’re going to make a significant decision based on what we tell you. So I need you to understand exactly what we can do, and more importantly, what we can’t. If you make that decision and it’s wrong because of something we’ve told you, or something you’ve misunderstood, that’s not what we want.

What we advise for most forces is sending first responders out with three search profiles: a quick and dirty; one where okay, we need to go a bit deeper because we didn’t find anything; and one which goes considerably deeper and is really comprehensive. That empowers them at scene: “I do search profile one first. I know it’s going to take 20 minutes, and if stuff comes back, happy days. Okay, it’s come back negative. I can make an informed decision.”

“I can look at the situation, look at the suspect, and say, ‘I’m not happy with that.’ I know the next stage is going to take me an hour, but from what I’m seeing in front of me, spending another hour here is probably worthwhile. Press the button, run it again.” That’s the best way to do this — empowering that first responder.

It’s easy if you get a positive result. It’s the negative result that puts the first responder under additional pressure. “I’ve plugged it in, I’ve done what the DFU told me, and it’s come back negative. Is that because what we’re looking for isn’t on the device?”

We haven’t really spoken about triaging devices out of the process — that’s considerably more difficult than triaging stuff in. If we’re looking at, say, the child’s iPad — and if it’s anything like my kids, physically getting it off them can be a challenge. It’s easier to break a passcode on a phone than to get the iPad out of my daughter’s hands.

But if I want to leave that there, I need to be 100% sure there’s nothing on it. I can’t take the risk of leaving it if there’s inappropriate material on the device. So for the devices I want to triage out, I’m going to run a really comprehensive scan. I want to be 100% sure there’s nothing on there.

The training is important. Building confidence within first responders is equally important. From a DFU point of view, you’re inundated with iPhones and Android phones. We ran a course yesterday and the day before — you see some of their faces when you tell them, “You need to put your Android device into developer mode,” and it kind of glazes over.

A lot of the training is building confidence so they can handle those devices and aren’t afraid to physically handle them. They’re never going to be at the same level as a fully forensically certified phone examiner, but they should be able to handle that device.

Si: It’s the interesting antithesis of what they’re being taught about every other piece of evidence — which is, for God’s sake, don’t go near it, don’t touch it, keep your hands in your pockets, don’t wipe up the bloodstains. And yet you’re handing them this thing and going, “Now I want you to press this button, this button, and this button. Hold them down simultaneously for 30 seconds and see what happens.” I can appreciate the slight reticence to engage.

Stuart: It depends on the demographic. We’ve got to the stage now where, certainly with security on devices — Apple’s Stolen Device Protection — that window might shut the minute you put the phone in the bag and take it away from that location. This is what I mean: the responsibility of officers first on the scene has gone through the roof. If the smoking gun’s on that iPhone, and you’ve just stuck it in a Faraday bag and taken it off, that’s it.

Putting ADF aside for a moment — having them understand the implications of where technology is going. “I’m an iPhone user. From a personal point of view, happy days. It’s on, it’s secure, I’m happy with it.” From an investigative point of view, that’s a challenge.

If it’s a warrant and you’ve brought a technical team with you, that’s fine. They’re going to know about that. It’s when first responders are at a scene — the scene of anything: a mass shooting, a terrorist incident, a murder, a child abduction — they need to be aware their responsibilities are considerably higher. That’s what we’re trying to solve: giving them confidence and the technical tools to make that initial interaction A, evidentially sound and secure, and B, most impactful for the investigation.

Si: Obviously I would expect nothing less, but the triage is logged, audited, recorded — everything copied off safely. How does that feed into the next stage? If you do seize a device, does it automatically get carried into the case? Or is it “that’s been done, and that’s a separate thing to what comes next”?

Stuart: The most popular answer in digital forensics: it depends. We can do a certain amount of analysis within the tool itself. Some forces here in the UK are doing all of the processing within ADF, right the way through to a charge-level report. It depends on circumstances. We’ve got a logical acquisition, so that can go into other platforms if required.

Alternatively, some forces take that device and do a full file system with other vendors’ tools. We’ve done a logical acquisition — the whole point is, is there stuff on here of evidential value? Is there stuff guiding the direction of the investigation? Can we get it off quickly?

At the end of the day, if there’s more on there, the vast majority of our customer base would then use a Cellebrite or a GrayKey to do a full file system, confirm what’s been found in the logical, and then it would go into their evidential chain.

Desi: Talking about the first triage profiles — and I’m thinking more along the lines of the everyday investigation, still quite serious crimes but stuff that’s more mundane that they come across day to day — it’s probably improving their time on scene, speed of getting through it, getting out quickly once they’ve got a positive match. You’re hitting on these things much faster than doing triage another way or trying to do a full acquisition on scene. How are you seeing that when you’re talking to law enforcement?

Stuart: From their point of view, it’s beneficial insofar as they’re not having to wait. Their actions are impactful. Their actions are making a difference. The other thing we haven’t spoken about is our interactions at scenes with victims or witnesses. There’s a huge area of trust.

If I was a victim of crime — you’ve just become the victim of crime, you’ve got uniformed police officers or investigators with you, and what they want to do is take your life, because your life sits on your iPhone, and take everything off it. A full file system grab of that device.

Certainly in the victim and witness spaces, what we’re saying is, “Look, I can plug your phone in, and show you on my screen — because of the functionality within our search profiles, I’m only going to get those pictures that were taken between these two dates.” They can physically see those coming off.

From an officer’s point of view who’s there with victims and witnesses, it’s building a lot of trust. It’s giving them transparency: we’re not grabbing holiday snaps from Marbella 15 years ago or pictures of the kids. If they’re a witness and they videoed an incident, okay, show me where that is. We’ll pull that off. That’s all we’ve got. And more importantly, here’s your phone back.

Not, “Can you come to a laboratory 15 miles away in maybe two or three weeks, or two or three months?” At which point we’d have processed your device. From a law enforcement public interaction point of view, it’s really beneficial, and it allows law enforcement to build that trust up again.

Si: It makes such a difference when you get to court. The way it works now is you’re saying to a witness, “I’m not going to seize your device because that would be too intrusive. I don’t have a way of taking that video — can you email it to me?” At which point you’ve got all sorts of provenance issues. It’s been compressed, all the metadata is gone. Forget it. Going back retrospectively to try and recover that is a nightmare.

To be able to demonstrate this at an early stage in a way that says, “Yes, we have a chain of custody. Look, here’s a hash” — and when you’re handing that over to the defence going, “Look, you can compare it for yourself. This is the way it’s been done. This is the metadata. This is where it’s come from” — we’re nicely sorted with that. It makes a huge difference to the whole process.

We’ve talked loads about mobile phones, because in reality triage is like that. But when we spoke at the beginning, you said it’s not just mobile phones.

Stuart: We’ve got the same sort of capability against computers. We’ve got slightly more flexibility with computing systems, certainly on the Windows side. We can build that functionality into a piece of external media and have it plug and play. We can boot from that, or run it live on a computer system.

It’s quite useful if your investigation is on the corporate side and you’re going into an office — a normal office setup, a room with 30 cubicles and 30 systems that need doing. Go in with 30 external hard drives, plug one into each, and we can run the same process across all of them. It’s the same functionality, the same search profile setup where you can be really specific. A lot of it is about minimising collateral intrusion, making sure you’re not overstepping the mark, but getting that off as quickly and efficiently as possible.

Si: External media — is that something you can plug into a tablet?

Stuart: Absolutely. The kits we supply come with write blockers and things like that if needed. External media is fine. The difficulty comes with things like Chromebooks. They’re a joy to deal with. What we’ve got is really comprehensive screen capture functionality as well.

For something like a Chromebook, there’s not a huge amount on it. It’s difficult to get that off. What we’ve tended to find is customers are doing manual reviews of those types of devices. We’ve got really intuitive screen capture capability. You still do the manual review, but it’s recorded contemporaneously. We can video it. If you find something of note, you can grab a screenshot. All the screenshots and videos are then run through an OCR engine — at the end of the process, you’ve got searchable text, but more importantly, you’ve got a contemporaneous record of your manual interaction with that device.

For something like a Chromebook, Xbox, PlayStation — or even a mobile device. If you’ve got an Android, you’ve done one of our acquisitions with it, you have a look in the installed devices and see a couple of apps you think, “It’s a calculator app that isn’t really a calculator app — it’s an encrypted packet.” If you need to go into that, or if one of the apps isn’t one we capture as part of a logical acquisition, you could say, “Nothing’s come back on the scan. I now want to do a manual review of Signal or Telegram.”

The functionality allows them to confidently do a manual review. They don’t have to write down notes, so when it goes to the DFU, the DFU aren’t confronted with three or four lines of notes. They’re confronted with a video that shows exactly what that individual has done, exactly which apps they’ve touched. We’ve got continuity, which is hugely important, and builds confidence in the whole process.

Si: You mentioned PlayStations. You do PlayStations as well?

Stuart: Anything with HDMI out, we can do a screen capture of.

Si: Brilliant. So if they’re messaging — a lot of it on the child sexual abuse material side is messaging and grooming over gaming platforms. They’re difficult to deal with.

Stuart: It’s come up strangely often as a defence for murder — “I couldn’t possibly have killed him. I was busy playing FIFA at the time.” It’s actually come up three times as a defence. It’s astonishing. But anyway, grooming, chat, any of those things — it’s captured there and then, and can be actionable there and then. Especially if it’s a grooming issue, that can be actioned. The PlayStation’s still going to come in, still going to go into the lab, but we’ve got that information out, that intelligence out.

Si: Does the OCR work on any HDMI capture?

Stuart: Yeah. We capture it, video or stills, then it runs through the OCR engine. Then everything becomes searchable. You don’t necessarily have to go through 16,000 screens of WhatsApp messages and conversations. You can start to have a more intelligence-led approach — do some keyword searching, which brings up the relevant messages a lot quicker.

Si: Daft niche question: can it cope with foreign languages at all?

Stuart: Not as well as a native speaker would. How’s that for a fairly vague answer?

Si: It’s very reasonable. I had a wonderful case, not dissimilar to what you’re talking about, where I ended up with reams of images of a chat in Urdu, and my Urdu is not good. How on earth do you process it?

Stuart: We’ve got some technology built in which essentially — it’s not going to translate it for you, but it will give you the gist. It’s technology we’ve bought into the product. It’ll give you the general idea of what’s going on, but it’s not a full translation model.

Si: All of these things have an overhead, and the easiest way is to go out to the cloud, but that’s never an option for forensic work.

Stuart: It’s difficult. It’s trying to manage that requirement for resource against portability, speed, and things like that.

Si: As we come to the top of the hour, it’s absolutely wonderful to hear that this is something that’s been given so much constant development time. We all know we’re facing a glut of devices now. You hit a scene, and processing time is the limiting factor. The DFU labs are horribly overloaded, so anything we can do to reduce that — either by not sending them devices they don’t need to examine, or by being able to point at the ones that are the highest priority. If you’ve seized 15 things, you don’t need 15 assessed for a conviction, depending on the crime. You may be able to focus your intensity in the right direction.

It’s really good to hear. Thank you so much for coming on to talk to us today, Stuart. It’s hugely appreciated.

Stuart: Absolute pleasure, gentlemen.

Si: Would love to have you back on at some other point to hear all sorts of different things about what ADF is doing. What a fascinating career you’ve had as well, coming from your lift story to where you are now.

Stuart: Plenty of notes for my autobiography, that’s for sure.

Si: You’re going to write it yourself? Something to do when you retire — which is never allowed in this industry, I’m told.

Stuart: Tried that a few times and I always seem to be coming back, but yeah, one day. Marketing will shoot me if I don’t say this — we run weekly mini training sessions, both on the computer side and the mobile phone side. If anyone’s interested, just jump on. It’s on adfsolutions.com. They’re completely free, about 90 minutes. They’ll run you through and get you up to speed on the basics of what the tool can and can’t do.

Si: Absolutely. We’ll put the link in the show notes. Zoe, you heard it here first. Everyone, thank you very much for coming to listen to us yet again. If you keep coming back, we’re very grateful. We haven’t managed to put you off yet, which is fantastic. If this is your first time, this is highly indicative of the level of quality you can come to expect. You can read into that what you will. I thoroughly enjoyed it. I think it was good. You can make up your own minds. But thank you. As Desi said, like and subscribe. Thank you very much. Thank you again, Stuart. And hopefully your holiday will be good.

Stuart: Pleasure, gents.
