The Power Of Digital Forensics: How ADF Solutions Is Revolutionizing The Digital Forensics Industry

Si: Friends and enemies, welcome to the Forensic Focus Podcast. Today we are joined by Brittany and Ailsa from ADF and we are delighted to have them on. We’re going to talk about how ADF is actually being quite revolutionary in the industry, they’re starting to do some things which are quite interesting. And we’re going to talk about some of the problems that they’re hoping to address with their new technology and where the products are going. So if I may, I’ll hand over to you both to introduce yourselves. Brittany, do you want to go first?

Brittany: Yeah, sure. Thank you guys for having us on. Again, I’m Brittany. I’m the director of marketing with ADF. I’ve been here around three years now and I’m excited to talk more about what we do.

Ailsa: Hi, my name’s Ailsa. I’m Director of Customer Success at ADF. I’ve been here nearly 10 years. Before that I worked for a UK Police Force, private company and the Serious Fraud Office. Yes, I am very old and I have been doing digital forensics since 1995, actually, when floppy discs were a thing and I’m sure…

Si: That’s right, both of us are old enough to remember what a floppy disc is. Don’t worry. Well, at least I am. Desi may not be. He’s youthful!

Desi: I remember what floppy discs are….I never had a computer that…yeah, I was just about to say I never had a computer that had a five and a quarter inch drive. I just had the smaller floppy disc drive. Yeah. But I do know where the save button comes from. That’s I guess my claim to fame. Right.

Si: That’s the characteristic exhibition of youth nowadays is they have no idea where these icons have come from. Embarrassing.

Desi: Yeah, for sure.

Si: So with the background in law enforcement, you must be quite well placed to a) work with…I mean, do you actually work actively with police forces now as part of your role?

Ailsa: Yes, I them using it all and assisting them to either set up specific search parameters to use the tool more effectively, or indeed sometimes advising them, “no, we can’t do this that particular way, we could try doing it this way”. There’s lots of ways to (I was going to say skin a cat, but it’s not a very nice analogy to the cat lovers out there!)…there’s lots of solutions to problems in the computing world and my job is to help our customers do their job as quickly, efficiently, and painlessly as possible, really.

Si: So what sort of issues are you seeing that are facing the customers now?

Ailsa: The volume of data. The sheer volume of data, as I said, I’m old enough to remember the really old floppy discs. We used to play hard disc size bingo back in our labs. If you’ve ever got anything over 160 megabytes, you had to go and buy donuts for the team. Nowadays, people’s mobile phones, an iPhone or a Samsung can have one terabyte of data. We weren’t seeing that 15 years ago on computers. You could do a whole case for a year and it would only have a terabyte of data on it. Now it’s there in everybody’s pocket and also loads more people now use computer devices. We’ve got smart TVs, you’ve got smart fridges, you’ve got smart washing machines and tumble dryers and all this sort of stuff. Kids are now given iPads and Chromebooks at school and they’re doing their homework and all that stuff on it. I don’t know what the statistic is for mobile device ownership in the UK, but it’s got to be somewhere over the 80% I would’ve imagined.

Si: I remember looking at it a little while ago, and there’s more mobile phones than there are people, I know that much. So I’m not sure what the actual percentage of ownership is, but plenty of people have got…I mean, I’ve only got one at the moment, which is quite novel for me!

Ailsa: Most people have more than one. In the old days you would stop somebody in the street and they’d have one phone if they even had a phone. And you might go back to their house and they would have one computer, perhaps a few floppy disks, maybe a USB drive. Now if you stop someone on the street, they might have three or four phones. You could go back to their house and you could end up with 50, 60, 70 different bits of digital data. Where do you start? What if you go to a house of multiple occupation, a student hall or you’ve got visitors? Imagine if you’re staying at somebody’s house and the police come through the door at six o’clock in the morning and want to seize everything. Are you going to want to hand over your phone not to see it again, to have it examined? I wouldn’t hand my phone over unless I was arrested and compelled to. It’s got my life in it!

Si: Yeah.

Desi: You mentioned briefly there about just how all kinds of different things have storage in it, like fridges, washing machines, like, being smart devices. Have you…we’ve spoken on the podcast that people before who’ve gone down those weird routes of having to pull information from washing machines to prove that they weren’t…they were doing the washing instead of murdering someone essentially. Have you come across anything like that in the past or police requesting, “hey, we need your solution to pull stuff from the smart TV”?

Ailsa: No. VR headsets. They have asked about smart TVs, but the big thing coming is Chromebooks and by December we are going to have a solution to allow you, providing you’ve got the user credentials, we’re going to be able to connect to a Chromebook and either screen capture or take screenshots of what you can see on the Chromebook, hopefully also get some of the artifacts from it and it is going to be a very simple sling a cable between the Chromebook and your examination machine and switch it on and look at what they were looking at, because we get lots of questions about Chromebooks and currently…

Si: So what would the difference be between doing…I mean the Chromebook is a laptop effectively and one would assume it has internal storage of a SSD variety (probably given it’s a Chromebook and lightweight). What’s the advantage of doing it with a cable rather than taking the disc out and doing the traditional forensic imaging?

Ailsa: Well, if you take the disc out of a Chromebook, you kind of wipe all the data off it, because it’s one of these, they either have these little eMMC chips or these flash chips and once you disable it (I’ve done it on my own: big, big, big mistake!) nothing worked after that. It’s designed to be all cloud-based. There’s actually very little data on your Chromebook if you’re not connected to the internet. So that’s why unfortunately we are going to have to say you need the user credentials. So if you come across a user that’s refusing to hand over the password, other techniques would have to be used to persuade them to part with that, shall we say. But once you’ve got the password, you can see it as they can see it. And also you can take photographs of the screen exactly as they had it laid out, all the things that they could see. It looks like they had it and it’s the sort of thing that you can grab and say to the jury, “look, this is what it looked like. It was very obvious that that picture was in that place on the screen. It wasn’t yards down that he would’ve had to scroll to see it and that’s how he didn’t see it”. That sort of thing. A picture paints a thousand words, as they say.

Si: Yeah, no, absolutely.

Ailsa: I mean there are other Chromebook solutions I must…they’ve seemed quite complicated to me. And it’s not the sort of thing you want to do on scene, when all you are doing, all we are trying to do is say, “has this Chromebook got some data on it that we need to recover to further the investigation?” If it hasn’t, we don’t take it. We don’t keep it. Give it back.

Desi: Right, okay.

Si: So does ADF see itself more in the role of a triage tool than a traditional forensic tool? I’m not going to say that you’re not forensically sound, I’m not going to say that you’re not. But you see yourself more as a sense of onsite, on-prem, in the hands of a trained officer at a site to triage rather than…?

Ailsa: Yes, largely. But you could also triage back in the lab if you are trying to get…basically what we want to help people do is winnow down from 50 exhibits to the 10 pertinent ones that are going to prove the case as quickly as possible, get it to the prosecutors so they can make a decision to charge. I don’t know about other jurisdictions. I know in the UK it doesn’t matter whether, let’s say, on a CSAM case if you’ve got a thousand images or 10,000 images, there’s not always a lot of difference in sentencing policy or…so surely it’s better to get to the first thousand or whatever, get that through to the CPS or the prosecutor so they can start the case and then move on your next job.

The other big problem that a lot of our customers are going to face very, very soon is backlogs, if they haven’t got them already, will be large backlogs, cases taking months before they can get examined. And the danger of that is, of course the mobile phone, if you have seized it, it might not work in six months if it’s sat in an exhibit store, not switched on, not powered on. Old fashioned spinning discs, they used to suffer from something called stiction. Basically the heads would stick onto the platters, so you couldn’t read that. So, shorter waiting times, summary justice: is this an exhibit that we have to a) seize, store, process, deal with, destroy at the end of the case if the guy’s found guilty? I mean sometimes Apple Macs, they’re my absolute bête noire, but imagine…I hate them because you always, always, always have one more screw than you started with. You take it apart, take the hard drive out, put it back together, and you’ve got an extra screw and something is rattling and a customer is…a guy is saying, “you’ve returned my computer to me and it doesn’t work”. And then it becomes your problem.

Si: Yeah. I was told a story, and I don’t know whether it’s apocryphal or not, but apparently a police department in the UK received an Apple iMac and they couldn’t figure out how to get it open. In the end they ended up pushing it off a desk to get the disc out and it was returned back to the guy who was like, “what the hell happened to my machine?” And they just went, “it was resisting arrest.” And that’s it. It’s probably apocryphal. I hope it’s apocryphal! I’d rather like the story nonetheless. And yeah, having dismantled Macs, or at least older Macs now, they’re impossible. So yeah, having said that, I do actually use them! I think they’re wonderful and I love them to bits, but that’s an old Unix background and a Unix machine as opposed to this horrible Windows stuff that…

Ailsa: Oh no, I predicted it would never catch on. Follow me for more moneymaking tips. Windows: never catch on. Novell NetWare: that’s the way it goes. That’s the future!

Si: Oh, crikey, I remember. Okay, now we are showing perhaps even more than the floppy disc conversation!

Desi: Yeah, I’m completely lost, so…

Si: So as a triage tool, what is it about ADF that means that we should be using ADF as opposed to any other product?

Ailsa: Simple to use, minimal training required, fast, tailorable (if that’s a proper word), you can specify what it is you want to look for, where you want to look for, the date and time of things that you want to look for. You can also add in your CAID or your Project VIC or any of your hashes of files that you’re looking for. And we can report in lots of different ways. You can…whilst the scan is running, so we’re processing, getting the data, you can actually go and review what you found so far.

The scan will carry on running in the background. We have fantastic video handling software or capability in that if you’ve got a thousand videos to look through and they’re all an hour long, you don’t have to sit there for a thousand hours watching every video from start to finish. We take the first frame, the last frame, 48 in between to give you an idea about what the video contains. And if you’ve got any question or any doubt that it isn’t actually Star Wars III or whatever it purports to be, you can go and play the video, speed it up, play excerpts of it, and then when you’re done with one video, just press the button and you go down to the next video, you see the frame, “no I don’t need to look at that”, next one very, very quick, a lot quicker than the tools that we used to have when I was in the police. So I really like that.

Screenshotting and screen recording of mobile devices is fantastic as well, particularly if you’ve got a very reluctant witness who, let’s say, perhaps her phone is her lifeline, she’s been the victim of a horrible attack. She wants to show you the particular WhatsApp messages between her and her attacker, but she doesn’t want to let go of her phone. She doesn’t want to hand it over to you, she needs it for her psychological support and all that sort of stuff.

You can say to her, “okay, you connect the cable between our computer and your phone and you just show me on the phone what it is you want me to see. You control your phone, you control the interface, you do that. I will just capture whatever is displayed on your screen. And that’s all we’ve got.” So we haven’t got all of her other chats, her 158,000 messages, all her photographs of her in her OnlyFans page or anything like that, whatever she may or may not have, you’ve just got the pertinent data. They feel safe that you are not, basically, grabbing their device and rootling all the way through their entire personal life.

Si: And that sort of recording feature is that for both iOS and Android?

Ailsa: Yes, and with Android…

Si: Amazing. Because that’s new for iOS, isn’t it?

Ailsa: Yes. We do screen mirroring with iOS. With Android, we have extra features because they’re slightly different. You can actually sit at the top of a chat or roll pages and pages of stuff. You press one button and it will auto scroll down and capture every single page in that page of chat or webpage or whatever, contacts, what have you, and it’ll just grab them all. And you can go and view them. We also OCR those too, so you can word search them afterwards.

Desi: Do you find you have any limitations in types of apps? Or is it controlled at the OS level on Android?

Ailsa: Yes. No, lot of apps. What we do is we make a logical backup of the device and then we scan that logical backup. iTunes or iOS is…basically with iOS devices, we make an iTunes backup and Apple is more prescriptive about what gets put into the backup. A lot more data gets put into the backup. Android, it’s a bit of a wild west. It’s entirely up to the app developers whether or not they want to store stuff in the backup. And very often the data isn’t there in the backup, which is why we introduced the screen recording, the screen shots with the OCR so that you could actually capture that and search for it at the same time. Apps change on a daily and weekly level.

It could be, yeah, we did WhatsApp three weeks ago and it worked, and the app developers have made a change and now it doesn’t work. It works the other way. Sometimes you can’t do Messenger, but you can now. Everything’s different and the apps are changing all the time as well. I’m really old, but I learned about an app called BeReal today. I’m like, “oh, what’s that?” I haven’t figured out how it works, but at least I’ve installed it. You never know when you look at a phone, what’s going to be on there. So if you can grab it as the person would’ve seen it…

Si: Given the pace of change, we all see it and it infuriates me when every time something updates and it breaks everything that I have been using and I have to rebuild my entire tool chain. How are you guys keeping up with it? I mean, is it just a sheer development effort or…?

Brittany: Yeah. I mean it’s a lot of research and development, and the development team is pretty much on top of anything new that comes out and we try to get that into the next release. We have a couple releases a year, sometimes even three or four, depending on if a new version just came out, has to have an update or something like that. But we closely follow trends that come out. But like I said, the dev team is really on top of that. And also we get a lot of feedback from our customers, particularly Ailsa. Ailsa talks to our customers a lot about what their issues are. And so we hear from them firsthand and what we need to do moving forward.

Si: So will you respond to a particular feature request coming in from a customer? They’ve pulled a phone, they’ve got a backup sitting there and they can’t read WhatsApp version (I’m going to pick a random number because I have no idea what version WhatsApp’s on) WhatsApp version 5 and you are still on 4. Can I come to you as a customer and say, “look, we know we’re struggling, can you help us out?”

Ailsa: We’ll do our very best. Can’t always promise that we’ll succeed, but we’ll try and we always respond to feature requests. They get discussed every week. Our business analyst team will be speaking to the requester to find out more information about what they want. We succeed by being very close to our customers and very responsive. Our customers are great. They really are. They really, really are lovely. They all want to do the job. We want to help them do the job. At the end of the day, we all want the world to be a safer place. So what’s not to like?

Desi: Is ADF’s customer base all law enforcement?

Ailsa: No, no. We have other government agencies and we also have schools, colleges, universities. We have law firms. And because some of our customers use our technologies for eDiscovery…or the…before, “is this a device that needs to go for full eDiscovery? Can we have a quick look?” “Yes, there’s stuff on it. No, there isn’t.” So again, we can be used for that. I’m trying to think who our other customers are. We have some private investigators that use us, more in America than in the UK.

Si: It’s more of the concept in America, than in the UK, isn’t it?

Ailsa: Europe is fascinating because they have investigators that are, or expert witnesses, that are appointed by the court. And a lot of them, particularly in France, for example (and I’ve got another one in Malta), they will come and use our software because they are appointed by the court or the judge to get the information. They don’t have the same sort of legal system as we do and they come to us.

Si: Yeah, it’s an interesting thing that can actually occur in this country, because I have been appointed by a court once, but it tends to be civil rather than criminal in this country. I’ve been at the conference all day and one of the things that kept coming up was…as is the way of any conference that you’re at nowadays is AI, the dreaded thing, which doesn’t exist, let’s be honest. So machine learning: are you implementing any of this or is this a feature that is…are you doing it? And if you’re not, is it of interest? How do you feel it fits into your roadmaps?

Ailsa: Yes, we do some already. It’s called the classifier. What that does is looks at all the files that have been designated as picture and video files, it works out to within 85%, I think it has to have an 85% probability it is a picture video file, and then we classify it into, I think it’s about 13 different categories (forgive me, I ought to know this and I can’t remember), but it’s things like weapons, vehicles, pornography, portraits, all that, up-skirting, child abuse, bestiality. And then once that process is finished on the pictures and videos, we then age classify. So we try and work out whether it’s a toddler, baby, child and then adult, and we do…

Si: So not a particularly refined classifier, but a classifier nonetheless.

Ailsa: Yeah, it’s not perfect, but if you have a million pictures to look through, it’s a starter for 10. It’s also weeding out a lot of the rubbish, the little gifs and pixels and stuff like that that you get on installations of, I don’t know, Minecraft and Steam and all that sort of stuff.

Si: Windows!

Ailsa: …so yeah, I’m hip, I know Steam is! But…and we also have something else called entity extraction where we partnered with a company called Rosoka and it will go through text in about, I think it’s about 150 languages, maybe around about that. And it will pull out entities, so places, names. You can have things like drug terms. I remember doing some testing and you can put in “cocaine” in Chinese and it will pull out a document in Russian that has got that word in, or whatever, and it will gist it for you. It’s not a translation, but it allows you to look at documents in foreign languages and give you an idea about what it’s likely to contain.

Si: That sounds fascinating. Does it require that the device is connected to the internet or is that local?

Ailsa: No.

Si: So that’s a local database for that…?

Ailsa: Yes. I have to say we don’t have many…we have a few customers in the UK that require it, that use it when they deal with a lot of foreign documentation. They might be looking at phones and computers belonging to people that might have worrisome foreign documentation, shall we say, that they want to very quickly work out whether or not it’s something they need to get excited about. It is used more by one of our large American customers, but I’m not allowed to say who. Sorry!

Si: That’s all right. I think hopefully our audience is intelligent enough to string a few three letter acronyms together and come up with one. So yeah, I mean, absolutely. I’ve done cases in the UK in Arabic and I do as well. And without the use of a translator, a physical translator (and by that I mean somebody who speaks languages), you can go nowhere. The idea of being able to triage quickly without having to enlist the services of somebody who a), is quite expensive and b), usually quite hard to get hold of is a fantastic idea, it really is. So yeah, no, I think that sounds amazing.

So the AI itself, I mean is it actually (I’m going to say this sounds terrible) is it actually AI, is it actually a machine learning algorithm or is it just a simple flesh tone kind of thing for pornography?

Ailsa: You know what? To be honest, I don’t know! I know…I don’t know (isn’t that embarrassing?) I know we had to train it a lot. We trained it a lot.

Si: In which case it sounds like machine learning.

Ailsa: So yes, it’s not…we don’t just look at gun colors and skin colors and stuff like that. It was specifically trained and we can also add new…if we get enough of, let’s say, I don’t know, dodgy passports, we could, in theory, train our system to, if we had enough of the sample material to go and look for those sort of things. So that is something that we can do. We have also been dabbling with a company that match faces to…so if you’ve got, I don’t know, you’ve pulled out 100,000 portraits of people, you could then say, “I’ve got this person here, go and find me all the people that match starting with 100% match down to 1%”. And it will also…we are still developing that, shall we say.

Si: Yeah, I mean it’s an interesting feature that we see…you see implemented in all sorts of technology. Now, I mean that certainly Lightroom, Adobe Lightroom does that for you and it gets it horribly wrong in my experience, but that’s a different conversation. But Samsung phones do that as well. They’ll do the facial recognition and categorization stuff. So that’s a reasonably well understood technology, but I imagine it’s probably quite hard to implement on a large scale speedily.

Ailsa: Yes, it isn’t speedy and our classifier sadly isn’t speedy, but that’s the sort of thing you’d want to do back in the office. You probably wouldn’t want to…whilst you could run the classifier on scene, you’re not going to get meaningful results until it finishes.

Si: And (he says picking holes in what you’ve just said, which is…I apologize), but so the classifier isn’t really useful as a triage tool because it’s not going to be operational on site?

Ailsa: It can be, but the more pictures you’ve got to look through, the more pictures it has to process and it has to work out: is it a gun, is it a car, is it a plane? So, if you’ve got a small data set, yes, it can be quick. If you have a large data set, it’s unlikely to be so quick.

Si: Well the phrase is: your mileage may vary!

Ailsa: I’m sort of stringing myself up here, really, aren’t I?! I hope my bosses aren’t going to listen.

Si: It’s alright. I mean I think honestly I have prior experience with ADF because I was fortunate enough to have one of your…

Ailsa: Yeah, you had one of our tablets, didn’t you?

Si: …field kits to play with, which I actually thought was bloody brilliant! But the classifier, I mean it pulled out all of the bestiality pictures of my cat, which I assure you there was nothing wrong with what was happening with the cat.

Ailsa: No, but it is a beast!

Si: It is a beast, indeed. So I can see how for a triage process, I think it does exactly what it says on the tin, and it is appropriate for that and given the ability to run it for longer and with more refined settings, I’m sure. And again, I only ran it with out of the box settings, which is a somewhat unfair scenario really, but it was very good and I very much did enjoy the screen capture stuff, although the iOS, when I had the opportunity to look, wasn’t yet implemented. So I imagine that’s very helpful.

Ailsa: Well, Apple keeps being beastly and changing the developer options and things like this. Don’t you just hate developers that change things? And “oh, this is great for our users”. And I just sit there thinking, “oh, it’s not great for us!”

Si: Do you think that Apple is deliberately attempting to obfuscate for…against analysis of their devices, or do you think it is just coincidental that they keep breaking things in the way that…?

Ailsa: Oh no, they advertise it. They advertise the fact that their equipment…the advert of the woman sitting in the doctor’s surgery where everybody else’s health data is being discussed. She’s the one with the iPhone and she can shut it down. That’s an advert telling you, “if you want everybody to know your business, don’t have an iPhone”. The only one whose business wasn’t being discussed, who has piles, who has wind and all this sort of stuff. Buy an iPhone. Yes, I think they do very deliberately advertise a secure product, which is fine, they can do that, but they can’t advertise a secure product and then allow people like us and our competitors to easily open the door and go, “oh yeah, they have got piles”, or whatever.

Desi: I know you’ve had a go of the triage kit, Si, and for someone…I have used some tech in the past that is kind of similar, but I don’t come from a policing background and I’m sure the listeners would like to know, maybe you could step us through a case of what the triage kit is and then I’m assuming there’s some kind of…is it all within the triage kit where all the processing power is? Or is it something that they go back, connect to an offsite repository with more processing power that can then go through thousands more devices? Just interested to get a picture in my head of the practicality of how all this works and fits together.

Ailsa: Do you want to take that, Si? You’ve had the kit.

Si: No, I’ll take it. Yeah. Why not? So I ended up…they’d shipped me a lovely Peli case and inside was, it was actually a Dell tablet, it was a Dell…

Ailsa: 7220. We are now doing 7230, rugged tablets, droppable.

Si: But it was rugged, it was waterproof, I could take it in the bath, which was hilarious because I do all of my forensic analysis in the bath now! (It seems like a perfectly logical place.) But yeah, it’s very hardened, very ruggedized tablet. There were a few other sort of things in there. So all of the accessories, the cables. There was a USB hub in there as well to help you connect it, obviously all of the power stuff, but fundamentally you just plugged the tablet and turned it on. It was a Windows tablet connected your device, pressed the button in the software and it made the connection…well you followed if you followed the instructions correctly in the software, and this is the key part is if you actually follow…

Ailsa: Read the manual!

Si: Read the manual, it works perfectly and if you don’t, it doesn’t. Which confused me slightly. I did put in one actual feature suggestion I think from the review, which was please put a cancel button on there because some of us are too stupid to get it right and therefore canceling it would be useful to be able to go back and run it again.

Ailsa: We’re implementing that, don’t worry, you’re not the only one that got…I got caught out by that today. It’s like, “oh damn!”

Si: But essentially you plug it in, you put the device…I tested on an Android, I did test it on an iPhone, but the Android was the one that I had the most fun playing with, because it’s my device and obviously it’s got all my stuff on it so I could see what was being picked up and wasn’t. But you follow through, you put it in debug mode and allow all of the relevant permissions and then it just connects and you see your Android screen on the tablet and you can actually operate it from the touchscreen tablet and your phone just plays along in the background. It’s kind of disturbing really.

Desi: So if you were going through a thousand devices then, and then you kind of picked a few out and you wanted to take logical images, is that then tagging that device and passing that on to another tool to then go do that? And then…or if not, if ADF’s doing that, what’s the kind of capacity that you’re looking at? Are you plugging in an external SSD to put those logical images on? How is that process working?

Ailsa: You can do, yep. The Dell tablet has a one terabyte hard drive, 16 RAM, an i7 processor. So we’re not talking mega hungry, huge amounts of tech. But yes, you can plug in other SSD drives to output the scan results to in the backup images, which you probably want to do, like my iPad, my iPhone is 128 gigabytes and the backup is about 55 gig. You’re not going to do many phones on your tablet before you fill the hard drive. And the kit does come with a T7, one terabyte T7 drive.

And you would also use that…basically we put a cut down version of our software on there and you can insert that into a computer, for example. So you connect it to a computer. If the computer’s live and let’s say it’s a Windows 10 machine with a TPM and BitLocker on, you are not going to want to shut that down and image it because you need the BitLocker recovery key and people will just go “what?” when you ask them for it.

So if you run it live, it opens up our program in the app and then you can scan it that way and all the results get put onto that collection key, which you can then either go and view on the suspect device or take it back to your tablet and review it there. But then you can then store that on…a lot of our customers will store their datasets on NAS and stuff like that, just for some other sort of network storage. It’s scalable. Brittany, I’m sure we’ll be able to tell you all about the web platform…and when we say web or cloud, don’t panic, it doesn’t necessarily mean to say you’re going to be connected to the internet, you can have your own cloud in your own office, siloed, fire-walled, which is very, very important for my UK customers. But yeah, that’s a new thing that we’re doing. I don’t know, Brittany if you want…

Brittany: Yeah, it’s a private cloud server and it’s an ADF cloud platform. It currently has two applications. One is a license server and one is audit trail, and the license server just lets agencies pretty much deploy licenses everywhere. You don’t have to have a physical dongle because a lot of agencies have global operations, so it makes it easier just to see exactly who, when and where is using an ADF license. And over time that will help them save time and money as well in terms of what they purchased in the future.

And then the audit trail combines all of the real time data that you’ve collected from a phone or a computer and you can track the different statistics that way, what devices were scanned and stuff like that. So it makes it pretty easy just to see everything in one place. And next year we’re going to have a third application which is called case review, which will pretty much add on to the capability of just seeing everything all together. But we can tell you more when we get closer to that in development.

Ailsa: Yeah, it’s basically, you can have multiple investigators working on multiple devices all in the same case all at the same time in distributed locations, you know? That sort of thing. All through a web browser.

Desi: And then you mentioned right at the beginning of the chat that it’s simple to use, but obviously everyone needs training on a new device. So, what kind of onboarding training is there? Is there ongoing as well? I guess as new features rollout, you provide training as well on new features and that, so maybe you just talk us through what ADF’s doing there.

Ailsa: Yeah, certainly. The first time a customer gets a copy of the software, they will have a technical enablement session with one of our team who will basically make sure it’s set up properly and that they’re happy using it and they understand it. We offer different sorts of training, you can either do online self-paced training that they can do that’s between 8 and 16 hours.

They can just do that, dip in as and when they’ve got time. They can come along to our classroom training that we have in various locations around the world. And they could also, if they have enough trainees, we offer training at their site. So let’s say you’ve got 10 people that you want to train. We rock up with all the kit, you provide the location and the venue and we would just train you two, two and a half days, something like that.

And it’s designed to leave everybody being able to use it all properly. And if they don’t, they will have tech support, email, phone numbers. Between us, we cover the whole world, and we manage to cover most time zones. Although Australia can be a bit problematic at times, because I’m not an early bird! Luckily I’m a night owl, so quite often I’ll be working with our Australian customers till 1 or 2 in the morning, which I don’t mind, until the UK ones start work at 7. Oh! Some of them they’re ringing me at 7 it’s like, “you’re not going to get…leave it till I’ve had enough coffee.”

Si: Yeah, no response.

Ailsa: Yeah, we want to answer. If you haven’t had a response to your tech support issue in 4 hours, I am banging a big stick at the person who isn’t giving good customer service. Because that’s my role.  Our customers are king. They’re not always right. I might tell them they’re always right, but you are still our customers. And it’s a privilege. It is a privilege to be bought by people and to be used by people. There are lots of choices out there. There are lots and lots of choices out there. There are lots of tools. Nobody has a right to be the tool of choice. “Oh you have to use this”. It’s something you have to earn and you have to keep earning. And the minute our tool stops making your life easier, you are going to stop using it, not coming to us because you find your job really, really easy and you don’t need any technology. You’re coming to us because you’ve got a problem that you want us to help you solve and that’s what we’re here for.

Si: Who is it that you actually see as your target user? Because I mean, again, having used it, whilst it is a fully comprehensive tool and it does do everything that you want it to from a forensic examiner perspective, it is really easy to use. Are you focusing more on the first responder and perhaps the less technically savvy and I don’t want to say plod, but…

Ailsa: Yeah, people with different skills. A lot of our customers have really specific skills. People who…sex offender managers for example, they have to manage very difficult people who have done really heinous things, but they have to be able to relate to them, talk to them as human beings, get information from them and satisfy themselves that this person is not a risk, or whatever their risk level is.

That’s a real skill. What our software will do, our software is designed to make…to augment that skill. If we can then make it so they can look and say, “well okay, you’ve given me this iPhone six and Robert, you’ve told me that this is your only phone, but hey, I’ve just looked there and you’ve got an iPhone 12 connected to this router” or “you’ve been to McDonald’s where you’re not supposed to go or whatever because look, network connection says you connected to McDonald’s wifi on Saturday.” It’s giving them information to ask the questions and perhaps wrong-foot this service user and have a better understanding of what the person’s doing, whether they’re a risk.

So, our user is anybody who’s got a lot of data to look at who needs to look at it fairly quickly and who doesn’t have to have a degree from Cranfield University. But if you’ve got a degree in Cranfield University, this is still a tool you could use to do the boring vanilla…or like high-tech crime analysts, they’re highly trained, they’ve got brains the size of a planet, they don’t want to have to go looking through loads of stuff which aren’t going to…you want to look inside virtual machines that are inside virtual machines and you want to look at a discord server and all this sort of complicated stuff. Let…our tool will hopefully allow the right people to do the work so that everything gets done quickly, efficiently, effectively, i.e. so you’re not missing loads of data, but equally you’re not looking at the same picture of Titanic going down in 1912 or whatever.

There’s too much bad stuff going on that needs investigating to just waste time when we don’t need to, really. And with now we’ve got all this AI…and I read today how people using ChatGPT or whatever are de-aging (who knew that was a verb?) de-aging celebrities to make them look like children and then they’re taking their clothes off and creating…and you just think, “dear Lord, who even thinks of things like this?”

Si: That was mentioned to me today. I hadn’t read that article but somebody else told me about it. So that’s one I’m going to have to go and…we’ll put a link in the show notes for anybody who’s brave enough to follow up on that one. But yeah, I’m going to say the AI stuff is interesting. I wonder a lot about it. I’ll be honest. It’s a topic that we’re seeing.

Ailsa: Yeah, it’s scary because I don’t know about the rest of the world, but in the UK we have victim identification teams. What if you’re spending hours and hours trying to identify a victim who isn’t actually real? That’s a lot of time and resources that’s being wasted.

Si: I mean in that regard, are you doing anything within ADF to identify created or deepfake images? I mean there are techniques and methodologies for doing it.

Ailsa: We are at the very early stages of looking at that.

Si: It is a roadmap thing for you?

Ailsa: Yes, yes. It’s just, where do you start? It is just huge.

Si: Yes.

Ailsa: It’s a bit like, I don’t know, the genie’s been unleashed from the bottle, isn’t it?

Desi: Talking about, I guess roadmap and then the fact that people are using their mobile devices more and more. And this just popped in my mind. Because I was watching a YouTube video the other day of a guy who was testing out the new Apple Ultra Watch to see if he could literally just live his life, day-to-day, just using the watch without a phone. Is that something that’s on the…because I know you mentioned VR headsets as something that you’d pull stuff from, but are watches on the roadmap as well for ADF?

Ailsa: Yes, and I’m hoping that I get to test one! But I’m too poor to afford one. I need a pay rise guys! But yeah…

Desi: Please, ADF, buy one.

Ailsa: Watches and stuff like that. I’ve always been fascinated by these GPS trackers, Garmin, and things like that. I wear Garmin, because I’m really sporty (haha, not!), but it’s fascinating. It can tell you where you go if I take it off, all that sort of stuff. I don’t know, was a murder victim moved after they died? It wasn’t really a heart attack, was it? Because their body actually was moved a hundred yards after they were dead and all this sort of stuff. Yeah, we are looking at doing that, but as soon as you sort of get something like that nailed down, they bring out something else, or a different feature.

Si: We had an interesting conversation with Matt (sorry, I’m going to get his name wrong)…

Desi: Sorell.

Si: Matt Sorell who’s in University of Adelaide, is that right?

Desi: Yes.

Si: Yay! My memory is not completely shot!

Desi: You’re on fire.

Si: …about this. And he’s done a lot of research into the iWatch and stuff, but he was saying exactly the same that they basically, they’d set up an experiment, left it running, and in between going away and then coming back again, Apple had patched the iWatch, which meant that they broke the experiment, or at least it fundamentally changed the way that it was recording data. And that was just because they felt like it in that particular instance in time. So yeah, it’s definitely challenging.

Ailsa: Keeping up with stuff is hard.

Si: So, you talked about VR headsets, you’ve talked about iWatches now. We know you do phones, we know you do tablets, we know you do computers.

Ailsa: We’re going to be doing Chromebooks and PlayStations and Xboxes.

Si: Okay, drones? Are we on to drones?

Ailsa: No. We can obviously do the SD cards and we could…I have a drone, and it’s a DJI drone. Unfortunately the backup isn’t included in our backup. The app data isn’t included in the backup, but again, if you open the phone, you can go and have a look at what’s there with the SD card out of the device, if that’s all you’ve got, you might be able to identify who it belongs to or whatever. But there is special drone stuff, because there’s more to drones than people think. So, we leave that to people who specialize in it, shall we say.

Si: No, that’s fair enough. And I assume at the moment smart fridges and washing machines are probably a little esoteric as well. So that’s a very reasonable thing. Although sooner or later I think everything’s going to be running Android, so it’s going to be a…

Desi: Yeah, well, running a flavor of Unix…

Ailsa: Things like Samsung TVs have Tizen operating system, don’t they? And that’s quite painful. It’s not quite the same as Android or anything. And LG runs something completely separate.

Si: We need more Windows embedded devices, that’s what it is, isn’t it? Made life easier for everyone.

Desi: Does ADF do all types of Linux flavors?

Ailsa: Well, we can get pictures and videos. Yeah, we can get pictures and videos from Linux devices. What we specialize in is obviously knowing where all the artifacts that we are interested in collecting for you, knowing where they’re stored, their paths and locations. So we can do that on Windows devices, on mobile devices and Macs.

Linux changes flavor to flavor depending on which version, which all I would say is you could scan a hard drive that’s got Linux on it and pull out pictures and videos reliably, because we can just start at the beginning and say, pull out every picture header, pull out every video header. But we’re not always, or we’re probably very unlikely to get your emails, your artifact, your browsing history stored in so many different places.

Si: And when you’ve said “pull out”, I mean, are you doing file carving or is it just live file system?

Ailsa: No, we can do both. We can do both. Obviously file carving takes much longer because it’s going to look for all the different headers, and then it’s going to look for either a footer or a header of another file and all that. And it’s not always reliable, as you know file carving can get files within files. I’d have to go and have a look to be honest guys and double check. It’s been some time since I played with Linux. Thankfully we see so few of them. If only I could say the same about Macs!

Si: Vague sound of despair in your voice when you say that!

Desi: So, I was just interested in thinking, again, it popped in my head with more of the gaming handheld devices running full fledged Windows and you’ve got Steam Decks running Steam OS, which you could then plug into a monitor keyboard and you’ve got your own portable computer, so it’s almost like another phone. And some of these devices come with 4G as well. So yeah, it’s just a bigger phone I guess that is running weird Linux or cut down Windows or something.

Ailsa: In theory, we should be able to do something with it. Until I can actually get to practice and pull it apart and stuff like that. But at the very least what we would aim to do is do the screen recording and screenshots so you could at least capture what you can see. And that’s what we are aiming to do with Xboxes and PlayStations, because of the chat facilities that they have. Bad people use it to chat with children and things like that. So I’m told.

Desi: Yeah.

Si: So, I was going to say we’re coming to the top of the hour now. Where is the focus for ADF now? What’s coming up? What’s your main, sort of, I was going to say driver for research, but where are you taking it? What’s the next bit of interest apart from the Xbox stuff, what we were saying and the PlayStation stuff. Is there anything, I mean, I don’t want to say is there anything more than that because already that’s obviously a great thing to be doing! But is there more than that or are you actually really focused on that? Where are you going?

Brittany: I mean, we hit three of the main points here. That’s really mobile, cloud and computer. I mean, we’re really pushing mobile. The screenshot and screen recording feature especially are pretty new for us. And this year we also came out with screen recording with preserved audio so you can now collect audio as well. And then as mentioned, we’re doing Chromebooks soon here, then next year, case reviews. All in all, our main focus is making everything easier for our users and helping people solve their cases faster. And so again, all of those main features that have come up have all been from feedback and research. So, we’ll wait and see what else people have to tell us and go from there. But we’re always looking for new ways to innovate and like I said, catch the bad guys faster, I guess.

Desi: I’m sure the feature list request is never ending. It’s just “what’s the priority? What do we work on next and what does the majority of people want?”

Ailsa: There’s very animated discussions about priorities, what’s more important than what? So they’re always very lively discussions.

Si: Your customer’s priorities are more important than anybody’s customer’s priorities, I’m sure every time.

Ailsa: Absolutely. Absolutely. Yeah. We just try and help. We just try and do everything we can.

Desi: Well, we want to thank you for both jumping on and joining us and telling us about the product. I know Si’s a fan, he’s obviously used it before and really enjoyed it. And I love listening about this, particularly around the customer engagement and the fact that you’re pulling stuff to help the customers and help something that’s a gap in the industry and really interesting hearing about it. So yeah.

Ailsa: Our motto in customer success is, we might not have the best product out there for you, we might not be able to solve your problems, but we will make you feel better about having the problem. And we certainly have the best customer service. So, there you go.

Desi: Yeah, that’s really awesome.

Ailsa: And if anybody out there thinks they haven’t been served well, please get in touch with me directly. I’ll address your issues.

Desi: Nice, nice. Well, again, thanks so much.

Ailsa: You’re welcome.

Brittany: Thank you.

Desi: Thank you to our listeners, thank you for spending some time with us, spending the hour to listen about this new piece of technology and what…well, not new, but the new stuff that’s coming out with them. You can find us on the Forensic Focus website, under the podcast section. We’re on YouTube, we’re on all your favorite podcasts, apps, Spotify, Apple Music, Google Podcasts, anywhere else you get your podcasts from. And we’ll catch you all next time. Thank you very much.

Ailsa: Thank you.

Si: Thank you.

Brittany: Thank you.
