Santosh Khadsare on Capacity Building in Digital Forensics

Christa Miller: Capacity building for digital forensics is defined as the development of new professionals and better equipped work environments, particularly as the digital forensics industry struggles to keep pace with the way technology and the trace evidence it creates become more ingrained in our lives.

With the Forensic Focus podcast to talk about capacity building in India is Santosh Khadsare, a career cyber forensics and security expert for the past two decades. During that time, Santosh has worked with the Indian government and law enforcement. Our longtime readers might additionally recall our printed interview with him from a little over a year ago. I’m your podcast host, Christa Miller. Welcome, Santosh.

Santosh: Thank you. Thanks for inviting me.

Christa: Of course. It’s very much a pleasure to have you. So I’m going to jump into kind of a big question here. In your interview with us last year, you talked about the need to build capacity; both in terms of personnel and the number of digital forensics labs to reduce backlog, as well as the need for enhancement of capabilities around state of the art technology; like the Internet of Things, SCADA, blockchain, and others. Could you start by telling us please, what is involved in capacity building on a national scale in such a large and culturally diverse country as India?



Santosh: Okay. Let me start with a bit of an introduction as such, which most of us in this particular niche field are aware of. As all of us know, digital forensics is a very niche and lucrative field for those who actually have adequate knowledge and experience. The job demand globally is increasing exponentially and it’ll increase in the near future.

If you see the compound growth rate, which has been estimated by most of the agencies, that up to 2028, it is going to be at least 16% annually, and especially in the APAC region, which will lead in this particular niche domain.

So why did I say that? Because this actually points towards the capacity building aspects within this particular region and how the countries, especially India is taking a step forward, a leading step, I’ll call it, in actually achieving this particular milestone.

Now, coming onto the capacity building at a national level with such a large country like India. I would like to inform you that it can be actually split into four verticals.

For example, first is the academia where we have the students, we have the professors, the universities; then the law enforcement agencies, which are part of the government, we have numerous law enforcement agencies, where we also require capacity building in the industry as such; and the last, but not the least, the judiciary who can say whether actually our case is going to rest, or it is going to be sided.

So coming on to academia in India, a lot of steps have been taken like, we have actually two national universities for digital forensics or forensic science have been nominated. We have the Gujarat Forensic Sciences University, and the Rashtriya Raksha University which have been nominated for carrying out this particular task.

This is what you can see at the academia level, and this is by the government. There are many private institutions who are also running numerous courses in this particular niche field. And as of late, we have hundreds of students who are passing out with Masters in this particular field.

Coming onto the law enforcement agencies, capacity building is basically on the job; when you’re working on the field in the form of hands-on training, which is being conducted, or the certification processes, which are being conducted globally or at international level. So this is how capacity building is going at the law enforcement level. Most basically, as I said, it’s on-the-hands or on-the-job training as such.

Coming onto industry, industry is actually catching up with this particular field. They do have an incident response team and forensics becomes a part of that incident response team. So now you have within that particular team, a very prominent role of a forensic responder, or even an analyst who works in that particular field. So they’re also training in such as on-the-job training and a few certifications for the professionals are helping out.

Coming onto judiciary, judiciary is very important because at the end of the day, you have to go to the court and explain to them actually what the case is all about. And judiciary training is also going more on a very massive scale; awareness, seminars, lectures, training sessions have been carried out. And especially with cases going to the court, on-hand experience has also been gained.

So these are things which are happening in India and they have increased in the last two to three years. And we are actually, a minister said in the next five years India will be the leading source for providing skilled human resources in all fields. And I also know, even in this digital forensics field, we’ll be the lead provider of human resources in the near future.

Christa: So across those four verticals, what are some examples of challenges that are unique to both the verticals and at the state and local levels?

Santosh: If you see challenges as such, I’d like to classify them into four types of challenges. Firstly, they are resource-based challenges where we have human resource challenges, we have tools challenges, we have training where capacity building becomes a part.

And the second challenge I would like to tell you is laboratory challenges. These are technical challenges, where there’s a case going on; it may be for example, related to damaged devices, it may be related to the kind of forensics you’re carrying out; whether it’s computer forensics, cloud forensics, or any other kind of forensics with IOTs, Dark Web, deepfakes, which is the latest field which we are entering into as forensic experts.

So there are a lot of technical challenges also, which are there for everyone, especially the law enforcement agencies and the laboratories which are actually carrying out these particular kinds of tasks.

Then we also have other kinds of challenges where all of us at a global level, we are actually addressing these challenges when it comes to international cyber laws. The standards basically, we do adhere to full standards, which are by NIST or SWGDE or by some programs such as computer tool testing programs, which are being run again by NIST.

The next new challenges which I would like to refer to are regarding the GDPR in Europe and the US and when it’ll come to data privacy law, which will come to India in the near future.

So these are a few challenges, which are across the spectrum, but mostly I’ll say it is going to affect the law enforcement agencies and the judiciary as such, less so the academia and the industry, because they will not be in the forefront when it comes to pinpointing the cases, or taking the cases to the end as such.

Christa: Right. The burden of proof is less for, I mean, they don’t even really have a burden of proof, do they, at least at the academic level?

Santosh: Yes, yes.

Christa: Yeah. So how do capacity building efforts adapt for these kinds of challenges?

Santosh: Capacity building is very important because as I said, being a niche field and a field which is evolving, it’s a very new field within forensic science as such. So capacity building actually makes you ready for any kind of situation.

For example, I’ll give you, when I speak of academia, if a person is trained on a tool or a framework which is being used by law enforcement agencies or laboratories, he is a person while once he comes out, he’s ready to actually be launched or ready to do the cases immediately.

Otherwise, if you are not trained in the environment in which actual cases are handled, then it becomes difficult for them to cope with that particular kind of scenario. Similarly, with the law enforcement agencies, everyone, as you know, due to the nature of their task, everyone is not skilled in the particular time.

So capacity building here will actually help them from the start of that cyber incident, where forensics is required, how they can actually gather the evidence in a sound forensic manner and so it can stand the legal scrutiny. So here capacity building again, matters a lot.

Coming onto the laboratories as such where the labs, where actually, the experts are so called analysts sit and do their tasks, they also are required to cope because of course in a laboratory, there are different job roles which are being performed by every individual.

It’s not only one job role. You have the first responder, a person who actually responds when the case comes to a lab, you have a lab assistant, you have a lab analyst, you have a technical manager and so on and so forth. So there’s so many job roles. So until there’s no capacity building in that particular field, you will not get that skilled manpower in a particular job role kind of scenario.

And then coming onto industry also, you know, industry is also dealing with cases, maybe in-house cases and such. That also requires this kind of training. Capacity building is a particular task or a particular requirement for everyone who actually is a part of this when a cyber incident starts and forensics carried out till a particular guilty party is punished till the end of the case.

So even the judiciary becomes a part of it. And especially, it’s the most important part of it because they are the person who understands what has actually been done. And it becomes the onus of the expert witness or the analyst who has actually done that case to explain to the court in a very simplistic manner how he has gone about that case.

So for that also for understanding those acronyms and very complex words and formulas, of course, no, no one goes into formulas as such. So the judiciary also has to be equally trained in these particular aspects. And they should be aware of the latest kinds of digital crimes happening and latest technologies, especially the converging technologies, which are coming in due to artificial intelligence or machine learning.

And due to the technological changes such as you have crypto forensics coming in because of cryptocurrencies being used widely, then you have blockchain forensics, and you have automobile forensics because of the changes in the automobile industry.

And most important, which I feel we will have to actually address is the IoT, Internet of Things and industrial Internet of Things, which we are calling Industry 4.0, which is going to be there everywhere across the globe. So that’s why everyone has to know everything. Maybe their depth may be less, but the knowledge has to be there.

Christa: Yeah, yeah, yeah. And I, that’s gotta be tough, I think. I know that a lot of the technologies that we’re talking about in dealing with are very abstract. I feel like the more they advance, the more abstract they become, the more difficult it is for lay people to understand like judges.

So, you mentioned in your interview last year an initiative called Digital India. And I wanted to find out more. I feel like that’s the backdrop to everything that we’ve discussed so far.

So looking at its website, I see the pillars, I think there’s eight of them around broadband highways, public internet access, information for all, e-governance, and others. What have your major milestones been in the past year and where and how do cyber forensics and security fit into this larger plan?

Santosh: You know, because of the proliferation of the internet in remote areas, especially in a vast country like us, although it has not reached 100%, it still has a long way to go. But still, due to the proliferation of the internet at various public places; whether it’s rail stations, airport, or, and small cities, or government buildings.

So it has gone, you know, penetrated a lot and the cheap technology such as devices coming in and everyone having access to that cheap technology in terms of mobiles or any smart kind of devices, even if you’re buying a television or anything which is to be used in the house or in the office, there has been an increase in digital crimes. All of us are aware of this and there’s a multifold increase in digital crime.

And every case requires digital forensics, whether it’s a small case of a kidnapping, any case, if it’s pickpocketing also whether to trace or find out the location of that particular so-called pickpocketer. So every case requires forensics.

Now it depends, and because of such a thing, there’s a huge requirement of forensic services, which are required at all levels, especially in the government and the law enforcement to curb this kind of crime.

Not only this, the other initiatives as you rightly brought out, we in India, especially the government for the last five to seven years, we have put a lot of this tasking on digitization e-commerce and other things.

Out of the important things also going on for smart cities, like a hundred smart cities have been nominated. So that’s why I mentioned IoT and IoT in the previous answer, which I gave you.

And digital economy, I believe in the last five years, it has had a total turnaround with everyone going on to ePayments, which is very unique and it has happened so rapidly that I feel that every one of us here uses the digital economy for actually doing our day-to-day tasks.

So forensic plays, and will play, a very important role, whether it has to be taken in the legal manner or in a non-legal manner in some cases when it comes to industries. And it fits everywhere because wherever there is a digital asset, there’ll be a need for forensics. Even if it’s a car accident happening at a crossing, there may be that the signal has been compromised and for that forensics is required where we’ll have to go into PLC kind of forensics and so on and so forth.

So I feel it is everywhere. Now it is time to actually prioritize whether it has to be done or not done. That will be more important, rather than asking whether it fits or not, because it has to be in every part of our day-to-day lives.

Christa: So I guess where I was going with that question was, what kinds of government initiatives are there related to addressing digital forensics challenges?

Santosh: Yeah, this is a very good question because first of all, you know, creating an economy is one thing, digital economy; having, you know, people get access to the internet and gadgets. But it’s, one good part of the Indian government is, it’s also giving the governance part to address the issues if they arise.

To start with, we have the Information Technology Act, which has been in place since 2000. And under that act, I’ll just give you an example. We have a section called the 79A section of the Information Technology Act, which gives the powers to the government to notify anyone, especially the laboratory’s examiner of electronic evidence. So any investigation carried out by that particular laboratory is actually tenable in the court of law across the country as such.

So that initiative is there. And plus, there are various skills by the government which actually notify these laboratories. As of now, there are few of them. If I’m not wrong, there are 10 of them, but they’re much less.

In the near future, they will require hundreds of laboratories to be notified because the cases, as you say in the start, you mentioned about the dependency. Dependency globally is around three to six months, same as the case in India. It may be more because of the large size population and geographical extent, the dependency is more.

But due to, again, giving the governance in the form of the IT Act means notifying various laboratories we are headed in that particular direction.

Apart from that, the government is also addressing by helping our government bodies that are involved in various indigenous forensic tool testing development programs which are running around, especially by CDAC, which is one of the globally most well known entities when it comes to IT as such. And plus, as I mentioned, we also now have two national universities and many more in the private sector also.

We also conducted various national and international conferences and seminars at the government level. At the private level, you do have conferences, but at the government level we conducted the BRICS digital forensic workshop, which was attended by all BRICS countries and so on.

So there are many initiatives where the government is actually there to support this particular field of digital forensics, and I’m 100% sure the data protection law, it comes in place, then it’ll also be addressing the forensics issues also in the near future.

So there are a lot of things which have been happening at the government level, and of course there’s much more to be done, but as I said, in the last few years, we have sped up our activities, which we are doing in particular to assist the foreign community as such.

Christa: So across the four different verticals you mentioned earlier, what kinds of opportunities do you envision? I mean, it sounds to me based on what you’re describing that the opportunities are virtually unlimited for entrance into this career field, but what kinds of opportunities do they have in those four verticals as a result of all of these different initiatives?

Santosh: Okay, let me start with info as a forensic expert as such, I want to introduce this thing. If you see the role of a forensic expert or analyst is to carry out forensic analysis of the assets which come to his laboratory and so that he can produce it and produce an authentic, reliable, and a legally-tenable forensic report.

So the ultimate goal of anything is the tenability in the court of law. And when you stand in the courtroom, the qualifications, the courses validate that you have the requisite skill set to carry out this particular task. And one important thing is that it builds your credibility as an analyst or expert in the courtroom. So that’s where I would like to start with what are the opportunities for the new entrants in this particular field?

If you want to get into this field, there are particular skills which are required, and for the new entrants which are very important; whether they are communication skills, analytical skills, whether they’re technical aptitude which is required for them.

And in the start, I mentioned about the academy where the starting point for any new entrant is there, where they make up their mind to take this as a career option. Let me tell you, I’ve always been speaking on career options in this particular field.

And I always say you don’t have to have a MTEC or a BTEC to enter into this field. Yes, they’re very much required, they are very important, but there are many job roles which require less qualified personnel than this particular field.

If you’re a diploma holder, or if you hold some global certification, you can actually do the task of a first responder or a lab assistant, which is also a very important aspect. If you are very qualified technically, if you have a BTEC or you’ve done a Master’s in this particular field, then of course you can take a higher role such as the technical manager or the analyst, and you can move ahead in your particular hierarchy.

So it all depends on what type of education or what type of qualification you are holding. So for the new entrant, there are a lot of opportunities to come into this field. And I also say that if you want to come into this field, it’s not necessary that you have to get into law enforcement. You can do a lot of other things in this particular field and you can make your mark.

For example, even if you’re doing sales for the government, you’re actually doing some business there. If you are even teaching forensics in academia, they also require people to teach others. So there also you are contributing in this particular field by doing capacity building there.

Then also, if you are an investigating officer or you are a lawyer also for that matter. So yeah, they’re also contributing to this particular field of forensics, in your own way, by being a cyber lawyer.

So, you have a lot of options and it is not only restricted to, yes, it’s a techno-legal field, I call it, because you require technical expertise and legal knowledge when you are carrying out this task, but there are a lot of opportunities for new entrants and they should latch onto these opportunities. And you just require a proper thought process before entering this field. And there are a plethora of opportunities which are there, I feel.

Christa: So what are some ways to explore digital forensics, especially for people that might be coming in laterally from some of these other roles that you’re describing; that they might be interested in digital forensics, but they’re not quite sure how to make that bridge from what they’re currently doing into something digital forensics-related? How would you encourage these professionals to get an understanding for digital forensics before they move into the field?

Santosh: Okay, there are two different aspects of this. When someone wants to do a lateral movement, if he is into any of the fields or in the cyber fields whether it is related to audits, risk compliance, it’ll become much easier for him to understand this topic, but of course still he’ll require some kind of training in this particular field.

Because, you know, let me tell you one thing before I go ahead, that within forensics there are many sub-verticals also like, computer forensics, you have mobile forensics, you have cloud forensics, and everyone cannot be an expert in each and every subfield in forensics.

So if someone is working in the cloud industry somewhere and he wants to commit to forensics, he may be more suited to carry out cloud forensics and network forensics and he may do well in that. And he may not have much experience of other kinds of subfields, and so he can get into that field.

If someone is good in, say, network architecture and has been a system administrator, or has been a part of SAA or something, he may be good at carrying out computer forensics and you know, when it comes to device forensics, network device forensics, and where you require live forensics, memory dumping and so on and so forth.

So within the forensics domain, you can pick one of the sub verticals and do a lateral movement very easily if you are into some IT field as such, I feel so. And I’ve seen people coming and I always tell them to do so.

Now coming on to how we encourage the professional and entrants also. Firstly, whether it’s a lateral movement or a new budding aspirant in this field, mentorship is very important. So most of the students and even the professionals who are working with five to 10 years of service also, they come and ask for mentorship, which is the right thing to do because your mentor will actually tell you what to do, he’ll guide you.

And the second step, which is required I always feel, is the internship before you switch, whether laterally or this, so that you get hands-on practice on particular tools and procedures, whether it’s a laboratory or some other kind of establishment.

Now, the second point, how we encourage sharing knowledge in workshops and conferences. We get regular speakers trying to motivate creators.

You’ll see a few years back, say five years back, we never had separate forensics sessions in any of the conferences or workshops. Now, every conference, you know, they actually cash in on this particular kind of field, because it’s a niche field. And they even market in such a way that they have particular separate sessions for those training sessions out there.

So this is how the changes are taking place. Now we also provide them various platforms to spread their views, for example, their publication nationally, which I am mentoring one of the publications for digital forensics publication.

So we get, if you see it started off with the intent, because if someone wants to publish it globally and being from the APAC region, even publishing was not affordable, or even buying that magazine was not affordable if I wanted to buy a few magazines, which are good in the UK or US, they were costing me a huge amount.

So giving a platform for people to read, get their views and also express their views if they have done some small research, to whatever extent. Maybe they’re not up to the global standard, but at least they can open up to ideas, they can read, write, so giving them a voice, what I call in terms of giving them platforms.

Secondly, most of the people in this field and even the government have started incubating startups in forensics. There are huge programs run which are giving cash prizes if someone is doing well. That is done by the government, by the way, who are bringing good new ideas in startups.

And last but not least, most of the academy, as you know, nowadays, they’re running towards the professionals for if they want to introduce this forensic subject for revising that subject to have the state-of-art laboratories or have the topics which are the related. So everyone who’s in this field, people like me are trying to encourage them in various forms or various ways, as I just mentioned.

Christa: So on that note, what one piece of advice do you want to leave with our audience about being both mentors and/or interns?

Santosh: For mentors, let me tell you, the relationship with a mentor and an intern, which most of the people I feel forget to realize. A mentor is not a person who makes his intern do what he wants to do, but he’s a person who actually does what his student or intern wants. He’s a facilitator, he’s a guiding light.

So if someone comes to me with projects to do in IoT or something related, even policy, someone may not be technically sound so he says, “Okay, I want to make a cyber forensic framework or digital forensic framework.” So it’s his wish, it’s his passion. So as a mentor, we are supposed to help him out in achieving his goal.

Not trying to, if I know if something is required for the industry or in the near future futuristic thing, but the interest is not there, then I should not be pushing him toward that particular thing.

Mentors also, I feel we as mentors should be helping them in carrying out research, giving time is very important and leading from the front. Everyone is busy, but if you want this particular niche field to prosper globally, and especially in India, I know a lot of people who are helping out students by giving them time. Even if you’re able to answer the emails or blogs or any kind of communication, it’ll really help and facilitate them.

Secondly, what I would like to say to all of us; people who have been here for a decade plus or two decades, it’s payback time, I call it. We have actually enjoyed the technology the most and we have seen and we have learned the most. So it’s now we should give back to society by teaching them and mentoring them.

Regarding internships, I would like to say here one good thing which is happening in India is if it’s a private sector or government, wherever it’s possible that internships can be given, people are giving internships.

Initially, that was not the case. So now, you know, this field is again a niche field and you can’t have more interns; maximum you can have three to four interns in any kind of a setup because it brings in issues of integrity and confidentiality also there when handling cases.

But internships have started in a big way; the multinationals, the government are giving internships. And it’s required to give opportunities to the upcoming professionals so that they can make their career and you can say they have to be a step ahead of us who are actually mentoring them. So internship and mentorship I always call them, these are the pillars which will actually take this niche field forward.

Christa: Yeah, yeah. Santosh, thank you again for joining us on the Forensic Focus Podcast.

Santosh: Thanks a lot for inviting me. It was great speaking to you.

Christa: Good. I’m glad to hear that. Thanks also to our listeners. You’ll be able to find this recording and transcription along with more articles, information and forums at www.forensicfocus.com. Stay safe and well.
