The following transcript was generated by AI and may contain inaccuracies.
Si: Hello everyone and welcome again to the Forensic Focus podcast. We have back with us our good friend Robert Fried who, as far as I can tell, doesn’t have any time in his day to sleep because he keeps generating content, he keeps winning awards, he keeps posting fascinating things on LinkedIn. So I guess the opening question is: do you actually sleep?
Rob: Given we were chatting this morning, probably at about four o’clock, that’s up for interpretation. But I do have three young kids at home, and I guess being able to close my eyes and have a little bit of silence around me is sometimes when I do my best work. So, I guess that all depends on the day and the situation.
Si: Fair enough. We haven’t spoken to you – I didn’t actually look it up before we came on, but it must be a year or so now.
Desi: Yeah.
Si: Since we last spoke. And since then you have – and this was the one that impressed me the most – and obviously you’ve got another book.
Desi: Yeah.
Si: Which we’ll talk about in a minute, but I saw on LinkedIn that you are the top professional investigator of last year.
Desi: Yes.
Si: That’s a heck of an achievement to pull off in what is probably a fairly saturated market in the US, I would have thought. How’s that come about and how do you feel about it? Tell us a bit more. And did they give you a cash prize?
Rob: No cash prize. Everything I do and everything I write is voluntary, actually. And it all came about just through contributions. I think being present is key in a lot of the things that happen in any industry. When there are activities and opportunities to sponsor events and be part of an event, I make an effort to be active there.
So I belong to ALDONYS and to SPI. These are two organizations in the private investigators world that encompass membership of both private sector and also law enforcement individuals because it’s professional investigators. I’ve actively spoken at meetings, I share content, I make myself available, and I guess those types of rapport with my colleagues, with fellow members of these organizations, have allowed me to transcend from just a regular PI into somebody who’s sought after in these particular organizations.
So I help whomever wants to chat and see what we can do together to collaborate.
Si: That’s fantastic. And in an industry – it’s odd, but in an industry like ours, we see so much antagonism between the prosecution and defense and things like that. But actually, the reality of it is that the more we all help each other, the better the industry gets and the closer we get to solving crimes and improving justice and things like that. I think that’s wonderful.
Rob: And the landscape has changed. For example, I entered into the industry in about 2002 and navigating that had its own nuances and things like that, but it was relatively straightforward.
Now you have a new generation of examiners. I go to conferences and I feel like the old guy. I’m not too old, but I feel like the old guy because when you talk about the war stories and who you’ve crossed paths with, people don’t know some of these individuals. But they’re the guys that were writing the books with the NIJ, National Institute of Justice.
They were breaking down a lot of the concepts and procedures that we followed, especially when I was training law enforcement. Now it’s just a matter of how I can give back in the amount of time that I have. Then just last month I was over at my alma mater teaching law enforcement for a week with the Henry Lee Institute where I’m a fellow, and that was very rewarding for both the students and myself.
I had to lecture for about 40 hours – my voice was shot and I’m sure they got tired of hearing me talk, but it was a very rewarding experience to give back and to help the next generation of not only just examiners, but law enforcement too. Our industry transcends so many different skill sets and needs that you just meet everybody from all different walks of life and all different roles and professions.
Si: I think it’s an interesting statement of the way the world is now. It used to be that you would have your separate digital forensic examiners and you would have your crime scene guys, and they’d pick up a computer and they’d bring it over to the digital guys. But actually, everything is so integrated now, digital teams on the ground are much more necessary.
I’d like to say they’re more common. I think they are in the UK. I don’t know how it is elsewhere in the world, but I think that initial triage, that initial arriving with somebody who is digitally – maybe not technically deeply, but certainly digitally aware – is vital now, because otherwise you’re going to walk out of a room with 50 percent of the evidence missing.
Rob: And I will say that although this new generation has grown up with the technology, they’re more savvy. You have to bring them in a bit because that makes you more comfortable interacting with the technology, but you have to say, “Hold on one second, let’s think through this” and prepare yourself and not just be overly confident, because there are steps that you need to take consistently and just make sure everything is documented.
The one book that I usually give out is “If it’s not documented, it didn’t happen,” and you know that’s the key in all the things that we do. No matter what I talk about, it always goes back to that because the technology may not be there for every scenario. So we document, we know what we go back to.
Si: Yeah, there’s a phrase which is “familiarity breeds contempt,” and I’ve certainly come across it in a number of cases. And also, you see it on television, which really doesn’t help – the guy will walk into the crime scene, pick up the phone, scroll through it, and you’re like, “Oh my gosh, please don’t.”
I’ve actually done cases where it was a harassment case and the examining officer, not forensically trained, picks up her phone and then phoned the person who was being harassed from it accidentally. And you’re like, “Oh dear.” It’s a terrible breach of everything. So yeah, it is that getting that awareness and that balance is definitely a challenge.
I was flicking through the new book, because I guess that’s something that you’ve just put out – the Forensics Data Collection 2.0. And I missed 1.0, but reading through it, it definitely seems like it’s aimed at law enforcement or students to just get them into it or what to think about to go out to forensic collectors. My favorite one that I’ve read so far is the one on Alexa.
Desi: Oh yeah.
Si: So I guess from your perspective, was that the motivation to write the book? To give that insight just to law enforcement who aren’t directly involved with all the technologies?
Rob: That’s a great question. I wrote this because I saw a gap. I went to school for forensics and at the time, in 1999-2000, nobody was teaching you what you’re going to encounter when you go out to the workforce. I only got into the private sector side of things because I saw the law enforcement side, and I wasn’t sure if I’d ever get to move back to Long Island.
I was working in West Virginia, of all places, and I said, “I want to get back home to New York. How do I do this?” And then I started to see there were some opportunities to go into the private sector. But the challenge when I started doing consulting and going in and answering questions was that I had the knowledge base because I had always been exposed to law enforcement through my first job, but also in school. We had practitioners and residents who were crime lab directors, who were former detectives who were retired or active.
So I just wanted to really address that knowledge gap so the next generation of students had an understanding as to what they’re really going to encounter when they go and work at an organization or an agency, and all the things that you need to put into perspective because you have to apply your knowledge to scenarios or concepts. And I wanted to say, “Hey, if you came across an Alexa, or if you came across an Android, how do you address this stuff? Where’s the data?”
And it’s so funny because I’m not even ready to write about AI because there are so many questions rather than answers to this thing.
Desi: Yeah.
Rob: All the concepts that are covered in my books, either in cloud storage or databases or being able to acquire from devices – it all relates to how we’re going to address AI. It’s the same concepts, but I can come up with a list of 50 questions and only be able to answer a very small portion of them right now, just because of the evolving nature of all the different models out there and how people are going to encounter them, where the data is stored, how long it’s stored. It’s the same concepts, different data.
Si: It is quite fascinating because my background is computer science. I was a computer scientist and I studied AI before I got into all sorts of other weird and wonderful things. But actually, we forget that the principles of computing fundamentally were defined by Alan Turing in about 1948-49, with his paper on the computability of numbers.
Nothing’s changed since because it’s a mathematical fundamental basis. Yeah, we’ve speeded it up a bit and we’ve got some bigger bits of data, but actually the mathematical principles and what a computer is and what a computer does hasn’t changed. And I think this is one of the issues that we’re seeing with the wonderful buzzword of AI, which is fantastically non-descriptive and a complete lie.
If you turn it around and you say, “Actually, what we’re talking about is applied statistics,” people suddenly have to treat it as, “Okay, so you’ve got applied statistics, which is just maths, which is just computing.” How would we process this if it was a large financial system doing predictive stock market stuff? It’s exactly the same. It’s not actually doing anything fundamentally different to that. So yeah, to focus on the basics, to get the basics right, and the rest will come. It’s a bit Karate Kid, isn’t it? Wax on, wax off.
Rob: And I think that it’s only going to be one piece of that overall puzzle or equation that you need to solve. You may have damning evidence, but you also want to put that together in different ways. There’s not one case sometimes that only has one piece of evidence. If I’m looking at a document, I want that computer. I want the device where it was created, already thinking that there’s got to be some other data out there. There’s got to be something that is an artifact or some kind of residual type of information that also is associated with this to tie everything back.
The whole concept is to make it so that you can uniquely identify things, but also come up with a timeline of events. And again, that’s only one piece of a longer timeline. You want to look at somebody’s day activity, what got them to this point where they started to use an AI model to start typing in things. Then ultimately – is that cleared from their cache? Is it saved? How do we get access to it? Do we have credentials? Is it up on the screen?
All these things – like I said, between the three of us we can probably ramble off so many questions that we can come up with the next book, Forensics Data Collection 3.0.
Si: I look forward to collaborating with you on that, definitely. But I think it’s an interesting point. You hit the nail on the head there in what you’re saying – quite often we forget as technical people (or we shouldn’t forget, I’ve seen people forget, I try not to forget) that actually the technical part of it is possibly the smallest part of whatever the actual thing is. Because at the end of the day, someone has done something which has impacted on someone else, and you’re talking about people. You’re not talking about technology.
Until we have the day that the computer makes the decision on its own, which I sincerely hope never comes because it’ll decide that we’re not worth the effort and get rid of us all… you know, we’re actually interested in what people do because you can’t criminally prosecute a computer, yet we’re on that.
So what you said is tracking the movements of someone, what their day has been and all of this to put it together. And that’s where your conversations with law enforcement are really valuable. I see some issues in the way we teach digital forensics here in the UK, whereby they are deeply technical courses, and they’re fascinating, and they’re really good. But they forget that it actually has to come together to put evidence on the table that links an individual to something.
Rob: What I want to say to that point is, for the book that I wrote, the first one within the series is with a gentleman by the name of Ralph Friedman. He is the most decorated NYPD detective that’s on the records. One of the interesting things with him is he retired – he got hurt on the job and he retired – and there was no technology, really, when he was a police officer.
People would say, “You’re a tech guy. Why would you bring in this kind of concept? To talk to somebody who’s not a techie?” You talk to Ralph and everything’s in all caps. He’s like the epitome of the guy that gets it, he’s got his own way to do things. But it’s the human element in talking with him. And I’m not a law enforcement officer at all – I never went to the academy for auxiliary, I never was a cop – and you talk to him and he had the same level of respect that I gave him. He gave back to me because we were talking in parallel to our experiences.
“Hey, my career is all based on technology. Yours was walking the beat, getting people, doing your canvassing of neighborhoods, being able to get information out of people, not looking at cell phones – there weren’t any. How do you gather information?” And that’s really the point and the role of a detective – to gather information. How we do that is all dependent on our methods and things like that.
But the fundamental thing that most people still have to realize is that there’s still a notepad or still notes that every law enforcement officer has to abide by, that has their written word associated with that. Even now there are apps that do that, but again, it goes back to the documentation piece.
And that’s where we said, no matter what you have as a kind of technology advancement, there’s always gonna be that human element to update it, to patch it, to do things like that. I always bring up AFIS (Automated Fingerprint Identification System) because I remember in school this was like a groundbreaking thing for me to learn about. I was like, “Wow.” But the thing is, there’s still an examiner matching up the minutiae. They’re still looking with the human eye to make that judgment call.
No matter what it is, you can have all the forensic reports that you have, but you still need to tell your client, you still need to tell the prosecutor what you’re finding because you’re actually the one not only being tasked with analyzing it, but also interpreting it for them. That’s your skill set.
Let’s not forget about what that tool is showing you. And I also want to bring up the point of validation of these things. There’s going to be another examiner on the other side that you’ve got to speak to and they’re going to look at your documentation. There are so many cases now with rebuttals here that I’m working on where it’s more about documentation than the technical aspects of the case, believe it or not.
Si: Oh no, as an expert who often serves for the defense, if not usually serves for the defense, yeah, the failure to document, or the failure to do all of that, and the failure to understand what they’re doing – I find the rebuttals are significant.
Rob: Yeah, people… it’s a very emotional thing. People are willing to spend the money and invest the time, whether or not the courts want to invest the time is a different story. But it’s a very passionate thing for people when these types of challenges come up.
Is this actually the device? How can you tell that? How can you tie this back? To sign in to Desi’s computers, we look at it in several different ways. We look at their profiles, we look at their activity, we look at whether there are any accounts that are associated with it that put possession at some point in their hands, put them behind the keyboard, and that’s a big part of the work today.
But it’s also about the metadata. I wrote a very brief chapter on metadata because people don’t want to read so much today – they want information to extract it. You’re on a call, you want to learn about metadata five minutes before your call, read my chapter on metadata. I’m not going to bore you with all the binary file formats of Microsoft and how that all breaks down, because that’s going to be outdated with the next version of Windows in 2026.
Instead: what do you need to look at between application, file system? What does that tell you? How does that get modified? And what information can you bring to your case that you’re dealing with that may help you determine if this is an authentic document or if somebody modified it in some way?
Si: Yeah, absolutely. The pace of technology – it’s fascinating because on the one hand, we still have file systems that were invented 30 years ago that are still keeping the same metadata. On the other hand, Microsoft arbitrarily adds in another flipping thing whenever they feel like it with a Windows update.
So you’re right, it’s the fundamental principle of it. I think it’s a bit of a shame that the average attention span of people has decreased. I think there are two things: the amount of time people have available to spend on things, like you say – you’ve got five minutes before a meeting and it’s like “I need to know about this before I go in.” But also I think it’s the way that the internet has somewhat dumbed down our own ability to take in long-form content, which is a bit of a shame.
But the bottom line is that actually it leads to a more concise and information-dense writing style. And I think you’ve captured that perfectly with the way that you’ve done it, with good-sized chapters on a range of topics that have enough information in them to genuinely add value.
Rob: And when I’m writing things, I always think of the “what ifs,” right? I don’t just give you the scenario that’s in my head at that moment in time. These articles are really written over one or two days where I’m actually thinking about all the various scenarios that you may build upon, like a decision tree.
If not this, then that, or if this, you also should really start thinking about that, so that you’re taking down a path based on somebody’s experience, not just talking about a theoretical all the time. It’s like, how can I relate this back to reality? Hey, if you have somebody’s username and password right now, you’re going to need their two-factor authentication.
Or you’re going to need to ask about mobile device management because you’re going to get tripped up if you don’t. And that’s going to result in more time, more of a delay, all that stuff. Hey, if you’re not familiar with evidence management or evidence handling, that cell phone – one of the things that was eye-opening for me was we all have different levels of stress in our roles.
In the private sector, we may have deadlines. On the law enforcement side, that may be a little bit different. But one of the things that really resonated well with me was: “Hey, we get cases and sometimes these guys don’t go to trial two or three months down the road. I’ve got to keep that cell phone powered up at all times. I got to come in every day, make sure that stuff is good to go.”
That’s like in the back of people’s minds when they’re getting ready to go to bed or leaving for the weekend. There’s a constant concern, and that’s a really good thing, guys, because that shows that there is a conscientious person behind all this. If this was just a job to people, then it would be a different story. But in the investigative world, in the analysis world, we’re really getting into understanding, taking ownership of that case, being conscientious about all the impacts. And that’s what I’m trying to educate people on, right?
Kind of just thinking a little bit and taking this seriously, realizing that you may have to testify one day. Hey, you know what? You may be two or three levels deep in your team, but your name’s on there. And they may say, “I wanna go speak to Rob. Where’s Rob? Oh, he’s in Texas. Let’s fly him in. Let’s have a chat.”
Desi: Yeah, I am definitely like, reading some of the back end of the chapters as well. You’ve got the “remember” piece, and I think you touched on it with the human factor of all this. I guess investigation hasn’t changed since it went from no computers to now, but how do things get used? How is the human interacting and what’s the context you have behind the evidence?
From my opinion, it’s easy to teach people tools and how to pull data out and how to validate – that’s a hard skill that you can learn. It’s that investigative methodology and how to interpret and how to get to a point and go, “Oh, I’m gonna pivot here,” or “I need this piece of evidence.”
It’s good to see it in here, and I guess, talking to the detective, was that something you guys covered a lot in that first book, or something you guys just talked about?
Rob: No, we had some extensive discussions, and it was funny, because my name is Rob Fried, his name is Ralph Friedman. We had that camaraderie to kick it off. He actually invited me up to his house up in Connecticut with my kids – they always ask about him. It was such a great series of conversations – he calls me up for my birthday. This guy is legendary in the PD.
Just talking to him about this stuff, he was very giving of his time. And his war stories are pretty amazing – things that he needed to do – and it’s also being able to interact with people, knowing how to talk with people.
I wrote my last and most recent chapter on the skill sets of an examiner or a practitioner, because like we were saying when we opened up, there’s that technical piece, but then there’s the empathy piece. It’s knowing how to talk with people, right?
I could be the guy from New York coming in and saying, “Hey, I need your data, give me your data right now.” Or I can come in and say, “Hey, nice to meet you today. I really don’t want to take up a lot of your time. This is what we’re going to do. It’s going to be a couple of hours, let me help you through the process.”
Not give them so much information that it’s too much and they’re going to be like “Whoa.” But just understand that, hey, look, if I was in your shoes, I would probably be thinking about these things and let me bring some clarity for you. And if you have any questions, go speak to the lawyer, go speak to the supervising agent, whoever it is that you’re dealing with.
But understand that if you were in their shoes and somebody said, “Hey, I need to turn this over, I need you to cooperate with this,” it’s intimidating for anybody.
Desi: Yeah.
Rob: So the human element goes so far. If you stop yourself and say, “How can we all be successful today? I know you never want to see me again. I know I want to get out of here so that I’m not interrupting too much of your day. Let’s just work together.”
It’s a very difficult thing for someone to sometimes give over information, to give you access to their system. There are a lot of nuances, but being from New York helps a little bit. I’m not the guy that’s going to go knock on your door and be like, “Hey, I’m here to make it happen.” I’m going to say, “This is what’s going to happen and I hope you can help me out.”
Si: Yeah, it’s interesting because I couldn’t agree with you more – people skills. We think that digital forensics is about computers, but as we’ve said, it’s not, it’s about finding out about people. People skills are so important, everything from collecting evidence, but also standing up and giving evidence in court.
They do the courtroom skills courses about what to say and what not to say, but at the end of the day, what you’re actually trying to do is create a rapport with the 12 people sitting in the jury, so that they’re listening to what you’re saying as opposed to what the other guy is saying. It’s almost as if we need mandatory drama classes to help us enunciate better and to look people in the eye and stuff like this that really helps.
Rob: It goes even beyond that in the sense that it starts from the first interaction that you have with somebody, unless they’re a trusted repeat client or person that you’re dealing with. But it’s answering the call – it’s unbelievably satisfying to the person on the other side to say, “Hey, somebody picked up my call or responded to my email when I’m having an issue.”
Nobody’s calling us because it’s a beautiful, sunny day out, and let’s talk forensics. No, they’re calling us because there’s a job to do, there’s something to respond to, and it’s just the way that when you pick up that phone, and people are like, “You actually answered. You’re willing to travel for me on July 4th weekend to come take a trip.”
These are things that – you look at how you build a career and you build memories and experience. And it’s not always about answering the call, but it’s the opportunity that you have once you answer that call as well. You build rapport, you execute on the task, and that could be a client for life.
Si: Yeah, definitely. I mean, trust is a fascinating thing, isn’t it? Because it can be broken so easily and it takes so much to rebuild it afterwards. But actually when you’re given a blank slate to start with, you can do so much initially to create a good relationship, as long as you don’t screw it up. You’re in a fantastic role.
Rob: I’ve been taken to beautiful places over the years and they just said, “You’re in public, keep your mouth shut, you’re working on a very important case that’s all over the newspapers. Anything you say in relation, people will pick up on buzzwords, names.”
And if you respect that kind of information and you actively listen – rather than saying, “Hey, I’m in a beautiful place and I’m gonna just enjoy the moment” – yes, you want to do that, but you also have to realize that you’re on a mission to help somebody.
You’re being brought in from a long ways away sometimes, and you really have to respect the situation that they’re putting you in, and say, “Hey, this is a big responsibility.”
Even when I was training law enforcement, the fact that I was actually being taken from wherever I was in West Virginia to go fly around all over the United States to teach was a mission for me. It was like, what’s my job this week? It’s to give people that light bulb, the brightness to a light bulb that’s sitting out there right now, and just turning that on to activate people’s understanding of this stuff in certain ways.
You really have to understand that when you’re taken out of your comfort zone, so many great things can happen, but you got to pick up that first call and raise your hand.
So many times, I’m so impressed by the younger generation that really want to learn. They’re eager. And unfortunately, some of the tools are push-button in a way. But you sit down with them, you take the time, you develop those skill sets with them, and that will help you always want to be in a training position with somebody.
Shadowing is a big part of what I try to do with my team – give people the opportunity. “Hey, what are you interested in? What do you want to learn? Let’s get you on something just so you’re in the background, so at least you have that experience.” It goes a long way, even with building rapport with your teammates.
Si: I think it’s interesting that you say that the young people are so willing to learn. And I think you’re completely right. My children are older than yours but they’re not older than you. I’m taking your college dates and I’m thinking, yeah, you’re about my age, so that’s fine. But my kids are older than yours, I think. But yeah, they are so willing to teach as well.
I have discovered so much about technology that I would never have done by going to them and talking to them about some new application and they’re like, “Oh yeah, I know that. Yeah, we use that.” And I’m like, “How do you use that?” Because the way that it’s been designed is not the way that people actually use it. And to pick up on those things is just so fascinating.
Rob: And they approach it with a lot of hands-on. Even my son’s nine, he can work his way around and he’s telling me about shortcuts. I just know basic commands. But I think it’s great. Like I said, it’s a matter of kind of tempering that a little bit with the understanding that, “Hey, there’s an underlying concept or process that you really need to follow,” and documentation of that workflow, although it may change, is something that you still need to figure out.
“How can I repeat this so not only can I teach it to dad when dad comes by, but also be able to understand that the next time there’s a change, to identify that change and maybe start validating on their own? Hey, what does that do that’s different than was done before?” It’s natural progression.
Si: It is, and it’s fundamentally the basic scientific methodology of hypothesis, test, get your results, find out where you were wrong, try it again, vary… and also the other thing that I see so many people doing wrong – vary one variable at a time. Because people go in and they go, “Oh, I’ve done all this.” And then they go back and they change three things and it does something different. And I say, “So what changed it?” And they go, “I don’t know. One of these three things.”
Rob: A very good manager that I had, and now he’s a very good friend – somebody who, when we were doing comparisons, and I’ll give a shout out, Mike Weil, great friend – he basically said, “When you’re doing testing, use the same data cables. Everything is labeled down to a color so that you can identify, is this machine, is this set up working the same way it did last time?”
And that’s always stuck with me. It’s like you’re saying, change one variable at a time, get to the root of the source, document that so that you can go back and you can exactly relay that to your peers.
Even when we were doing some of the testing for the work that we did with the Tagos ballistic imagery, I did a whole write-up on it. We did everything to the T so that we figured out what was going to be the best scenario to run that tool based on the hub, the hard drive, the computer. Everything had to come together and align for us to say, “This is the best we can do at this moment in time in doing this testing.”
Desi: Yeah, I think that’s definitely a gap in not just digital forensics and all this stuff that we’re talking about, but that attention to detail with documentation and then applying the validation to your peers’ documentation.
Because we all have a lot of assumed knowledge in our head, and if you go into a process, you might miss five steps because to you that’s just like breathing air. And then I’ll come along and I’ll be like, “Oh, how did he get from C to D here? There’s a whole bunch of letters missing that I don’t understand.”
But yeah, I’ve seen that at countless organizations. There’s just, especially engineering documentation for one, but you read that and you’re just like, “How do they install this thing?” And they’re like, “Oh, you just needed this infrastructure set up in the background. I just have it running all the time.”
Rob: Yeah, it’s putting that in a way that you can teach the person. Like one of the guys that I was teaching at the Institute a few weeks ago, he said, “Look, I know nothing. I’m here. I need to be here. But I know I’m the guy that I’m lucky if I can get this machine turned on. Where’s the power button?”
And at the end of the day, you’re exactly right. It’s a science. Beyond the technology, you have to understand the science. And then once you understand and tap into the science, I am intimidated sometimes based on the scenario that we’re walking into, more so the emotions. Like I’ve walked in, there’s guns, people have guns in holsters. People are… companies are getting restructured, they’re getting laid off, bankruptcies, all this stuff.
That’s more of my focus right now, because I know at this point, no matter what anybody is going to throw at me, I’m going to start processing in my head like, “Okay, what’s the workflow?”
Desi: Right.
Rob: And you have to really be confident in the fact that you can take any technology, any situation and start thinking about how you can solve it. And you got to solve it fast because somebody will throw something at you: “Oh, what do we need to do? This is your one shot to do it.”
Step back, figure it out, however you do it. I do a lot of writing. Obviously, I try to figure out the game plan – everything I do starts off with outlines to just think through. But my goal in most anything that I’m doing is not only to preserve it and collect it, but it’s also to allow my other team members down the road to be able to use that information to do what they need to do to push it through the process.
But that’s… it starts off with the science. The science is: what steps are repeatable that I can do right now that I’m documenting for somebody else to come do that same thing at that moment in time and then put it through that same process.
Si: It’s fascinating because, obviously like you say, nobody ever calls us when it’s bright and sunny outside and things are going well. So you are walking into these scenarios where it’s high pressure, high stress. And the other thing we all know is that every scenario is completely different.
There is no… whatever you think this is going to be the same as, it’s not, it’s completely different. But having those fundamental processes and procedures documented and understood and knowing that they work in the way that they work is so liberating to allow you to think about what this scenario brings differently.
And Desi, obviously you’ll testify to this in incident response. You’ll have an incident response plan. 90 percent of it will work. The other 10 percent is complete rubbish and goes out the window because it’s not the same as the last time it was done. And yes, you’ll refine it the next time, and that’s the other thing – you’ve got to go out of whatever scenario you’ve gone into, figure out what didn’t work and reinsert it back into your learning and your process as you’re going through.
But yeah, documentation is so important and such a lost art form in so many places – in corporate industry in particular.
Rob: Just being able to find a forum right now that people are going to be comfortable talking about these challenges, right? If you say that you don’t know something or you’re not up to speed on it, it’s… you go on to some listservs. I really want to put that out there. Or you just phone a friend who I feel comfortable with.
So I’m trying to create a collaborative environment, a community right now. Because I’m posting stuff and that may go to so many different people, but I’m posting things now to people who are genuinely interested in talking about some of the things that we’re experiencing.
So what I’m doing every day now is I’m forcing myself to put out a poll of questions. Today’s question was, “Are you comfortable with cloud storage to store sensitive data out there?” And it’s just to get people thinking about things outside of the box so that we can all come together and be like, “Hey, there’s a lot of changes in our industry.”
Especially in the last 10 years, especially with the legal industry starting to pick up on this stuff as well. There’s just such a fast-paced need right now to continue to move forward, and all these providers out there – everybody’s in the same boat. They’re all trying to figure out what’s the next thing to bring to market. Who are the people that are going to be able to be our subject matter experts, our advisory board.
So I’m trying to bring together people that when we chat with each other, you can really engage and talk about topics that are difficult. The best one so far was, “What do you look for in software when you buy it?” A lot of people say training. Training is really important, and then kudos to the people that are saying that. Cost is one aspect of it. Features, you know, is another piece because you need those features. We’re the market, sometimes we’re the ones in the trenches. We’ve got to dictate a lot of that.
So people have different needs and responses and ways that they navigate this very, very interesting career path, and it’s stressful. It really is stressful, because it’s not a nine-to-five. That’s why I take the training, because it’s my alone time. And that’s where I write up a lot of this stuff.
But it’s trying to build a network of people that are in the same boat, that feel comfortable talking about topics that are really important today, to discuss with such a fast-paced landscape that we’re moving across together.
Si: Yeah, absolutely. I certainly saw the software poll. I don’t think I’ve seen the cloud one yet today, but…
Rob: Yeah, every day. And I’m going to be looking for additional admins and moderators to keep those polls going, because at the end of the day, it’s going to tell a really big picture of our community, of what people are facing – the challenges people are facing, the solutions.
And it’s really about giving people useful information, useful nuggets of information to address all the different types of data that we’re coming across and having it in a place. It’s not like a listserv, “Hey, I’m dealing with this phone right now.” It’s, “Are you dealing with this?” Even AI – as much as we talk about AI, not a lot of people are seeing it in their cases right now.
Si: I’m seeing more argument about whether or not we should be using it in the processing part of forensics than I am seeing it in any case yet. Although what I’ll tell you what I am seeing it as – I’m seeing it as a “Trojan defense,” what we used to call the Trojan defense, which was, “It wasn’t me, it was a virus.” It’s now, “It’s not me in that video, it’s a deepfake.” I’m seeing that crop up more often as a defense, which obviously clearly is a load of bullshit.
Rob: I’m seeing it like the fake images and the authentication. But again, that’s going back to the source. Where’s the source? Who put the person behind the keyboard that used that technology to build that out? And start talking about that timeline, that life cycle.
Desi: We’re seeing it in cases in corporate at the moment with people using it as an exfil vector. We’re seeing people – because if you’ve got a personal account, you can upload and then take data.
And then also people using it to create deepfakes. We’ve actually got an investigation write-up coming out. Someone created a deepfake voice audio, which was to try and do racial discrimination to get a better severance package on their way out.
So it’s understanding the technology and how it’s made to then go look for that. But it does come down to looking at the system and then going, “What was the human behind it doing? Where did this data actually come from?” rather than just taking it on face value of “This is a legitimate recording.” It’s like tracing it back.
Rob: And then where do people go? Are they going to go to the local police? Are they going to go to corporate compliance? Are they going to go look for a forensic examiner? And then who’s the forensic examiner that’s going to be confident enough to go take that to the next step? Because there’s so many… there’s a limited scope of tools out there right now and concepts of how to address it. But yeah, kudos. That’s an interesting case. That’s a good example.
Si: Because I guess if you’ve got the system then you’re falling back on traditional computer forensics then. Because you’re tracing the lineage of the file, rather than worrying about the file itself. If you can prove where it’s come from, then it’s less about what it actually is. But that’s part of your book as well, is like, collecting different sources of evidence to tell the story, not just relying on one piece and going with that.
Rob: That’s right. That’s right. And it’s people knowing to think a little bit outside the box. It’s like your job’s not done just because you processed this scene and took all these computers. Now you gotta sift through and see what else is out there.
That’s where we discover all the thumb drives, the email accounts, all the web searches, and then take that further. “Hey! You didn’t tell me about this other drive that was out there. Where is it?” “Oh, that was given back to the recycle company six months ago.” That’s a problem.
Desi: Yeah.
Rob: So there’s all these stories and it’s actually becoming more and more clear what the timeline is of things as you are able to use the dates and times. So many of my cases right now are associated with dates and times and timelines. That no matter what the technology is, we’re going to be able to bring it back to the fundamentals of forensics of being able to say, when was this put on this machine? What was done with it? Where could it have come from? What other accounts are out there?
And people need to know that we all know if you have one account, you may have – or one device, you may have data populated – it’s almost like POP reinvented, right? POP email, it gets downloaded to one machine, then it’s somewhere else. It’s the same thing that we’re thinking about in those days where people are sprinkling information all of the time.
Si: Yeah, that beautiful scenario – you do a seizure and there’s five old phones sitting in the drawer, each one has a snapshot of their phone usage at that point in time up until there, and it’s not deleted properly. Heavenly. Absolutely brilliant.
So yeah, I know exactly what you mean, but that… POP email is a concept. Oh, yeah.
Rob: It’s the same thing with these modern attachments, the hyperlinks in emails. I’m like, that’s no different than linked files. I keep saying that with everybody.
Si: I saw that you’re giving a talk on that. Is that… you either have done or are about to give a talk on that with Oxygen?
Rob: I have, I did one with Oxygen, I did one with Exterro, different kind of take on things. With Oxygen I was talking more about Oxygen Forensic. The other one for Exterro is talking about just in general, some of the concepts. And then I think I’m giving a shorter one coming up on just things to consider.
But this is like the big buzz in the e-discovery space right now, because you have to collect all the versions of the documents. But I keep saying that’s no different than the link files. Because you collect that folder, and now if there’s a shortcut in there, you didn’t go and get the shortcut. So this is… you have to review sometimes or figure out how you can triage.
But there’s always going to be these human element pieces that spot that. And you know, in a high-stakes situation when you only have one shot to get it, unless you have somebody boots on the ground that’s sifting through that stuff and exporting out the inventories, it’s going to be a very tough thing to find all the shortcut files and if you have access to all of them.
Si: Yeah, there’s… I’ve seen some interesting debate here at some higher levels of the justice system suggesting that the only way that we’re going to move forward in successfully addressing coming digital forensics problems is through automation. And you’re like, it’s not gonna work. It’s just not gonna work. You need to fund this properly, put people into it and things like that, but automation is not gonna solve your problems because it’s not simple, right?
Rob: And it also depends on that human interaction in the end, too. Are people deleting things? Are they moving things? Are permissions being changed? All this stuff that circumvents people’s ability to have unimpeded access. In a pristine world, everything is together and you can figure it all out. But that’s not the way.
And then, at the end of the day, you also have to make a judgment call. There used to be a time when we would collect data and there’d be locked files or files that we just couldn’t get. And do we want to keep hammering away at this, or do we want to move forward and keep knocking down the task list that we have that’s ever-growing?
So there are a lot of judgment calls. Like I said, I keep a very open mind, but I also am very level-headed with this stuff and say, make that judgment call. Do you need every version of the document? It really depends on the type of case. Some cases, absolutely. What are the expectations?
If you don’t communicate expectations, that’s just a big piece of success right now – keeping calm, cool, and collected, but also being able to communicate well and let people know really how long something may take. And that comes with a lot of experience, being able to feel confident in those decisions of giving people those time estimates, cost estimates, all that stuff.
It becomes more of an issue when you’re dealing with an actual crime scene, too. You don’t have that much time to get all this stuff collected. But kudos to a lot of the law enforcement recently on some of the bigger cases that we’ve had that hit the news, and the timing of everything – it’s just fascinating how quickly that mobile crime scene has become, where people are dealing with things on the fly. It’s become fascinating to watch.
Si: We’re coming to the top of the hour and I’ve actually got a whole bunch of other questions that I wanted to ask you. I’m gonna have to get… we’re gonna have to get you back again.
Rob: We’re friends, we can always…
Si: But let’s end on this question. On the back of the book, there are two quotes. One is from a guy called Frank Canova, who is the inventor of the first smartphone.
Rob: Yes.
Si: And then the other quote is from Neil Papworth, the guy who sent the first ever text message.
Rob: Yes.
Si: How on earth did you find these two people, and how do you know these two people to get them to review your book and give you a quote about it?
Rob: And the last two guys were Bob Kahn and Vint Cerf, who…
Si: Vint Cerf, of course. Yeah.
Rob: My brother’s an inventor and my brother interviewed people, the likes of Marty Cooper, and we have a sort of thing going on where I don’t interview as much, right? But it’s about finding people who can take information and kind of relate it, right?
So with the proliferation of mobile evidence these days, people don’t even think about how this technology came to be, and to start questioning – did these guys that actually thought about this stuff, did they think about how ingrained in our daily life this stuff would be?
No, they were developing it to fulfill a need. My brother always said, “You’re solving an issue when you’re inventing.” They never expected it, and of course there’s good and there’s bad, right? The internet has a lot of good, also has some negative stuff. But at the end of the day, they look at the impact on our daily lives.
And you and I, we all can’t live without our phones and without the internet. And I wanted to reach out and get somebody to really make an impact to say, “Hey, when we were dealing with this stuff, we were just designing something, we never expected all this stuff to happen, but it’s now part of cases.”
And as long as we’re able to gather information, it can be used to help bring justice. It also can help corroborate other evidence. So they look at it from the standpoint of “Hey, it’s a data source.” And although I look at it from… they look at it from the technical standpoint, I’m looking at how it’s impacting us from the investigative standpoint.
And I got Frank initially, and I said, “Wow, it would be amazing if I got the guy that…” – everybody wants text messages off phones right now – “What if I got the guy that sent the first text message?”
And they were such nice guys, they’re actually sending me back some stuff in the mail. We’ve been chatting, good friends already, exchanging messages. I also had Fred Cohen do the intro for me or the foreword, who you know is one of my professors from UNH who is involved in a lot of the computer security, computer virus stuff. And Eugene Spafford, a guy I also know for 20 years.
It’s just people coming together that really wanted to contribute, and they did it really graciously and gave their time. I’m so thankful, again, to be able to put this out there to people. And I brought in copies just to actually have people doing what they’re doing online right now – showing, reading the book, taking it places. To me, it’s a great feeling to be able to send you guys a couple.
Si: I’ve got mine, I’m taking it on a trip tomorrow. It’s going somewhere special. I’ll post the picture on LinkedIn for you tomorrow night.
Rob: Next time you guys come to the States, we’ll give you some more. It’s just giving of my time, and really it’s so rewarding to be able to see the content being enjoyed and going around the world. It’s awesome.
Desi: Yeah, that’s really cool. Rob, thanks so much for joining us this week and talking through all this. It’s been super interesting, and I’m sure when you publish your next book in two months’ time, I’m expecting a 3.0 covering AI, and also wearable technology would be great if you could just chuck that in quickly. We’ll have you back on so I can ask all these questions that he was missing this time.
Rob: My nine-year-old wants to write my next book with me, and I’m saying, “Oh.” But the only motivation right now is to be able to keep my home office, where I actually do all my writing, because the third kid is actually starting to get out of the crib and needs a new room.
We got to keep… got to find a reason for me to keep writing. So just keep up the contributions and the support and I’ll do what I can do.
Desi: Nice. Nice. Awesome.
Rob: You guys are awesome. Thank you so much for all the support. My pleasure to talk to you. And I hope to see you guys soon.
Si: Thanks, mate. Absolutely, bro.
And thanks to all of our listeners. You can get this podcast or video wherever you get your podcast from. We’re also on YouTube and our website. We’re on YouTube, right? I always forget. Yeah, we are on YouTube. Yeah, we’re on YouTube and our website. We will post all the links in the show notes for the book and where to go and do the polls and anything else that we talked about in this session as always.
And we’ll catch you guys all next time. See ya.
Desi: Thank you.