Reviewed by Scar de Courcier, Forensic Focus.
MSAB was founded in 1984 and originally focused on helping the police to solve cases. Over the years the company has pioneered mobile forensics, with their flagship XRY product paving the way for new developments in the field.
The past decade has seen new challenges arising in digital forensics, not least of which is the question of triage. This is particularly pertinent in cases where several people are working on the same investigation, for example in law enforcement agencies or during collaborative efforts. And of course this isn’t just an issue for those who are doing the actual extraction and analysis; it’s also a management challenge. This is where XEC Director comes in.
XEC Director runs on the same XRY engine as all of MSAB’s other products, so there’s no difference in its core capabilities. The main difference comes into play with permissions: in XEC Director, managers can define different permission levels for different groups. So for example, you may only want to allow your frontline officers to do logical, not physical, extractions; this is easy to set up.XEC Director allows you to manage any number of MSAB products at once, with updates automatically being pushed out to users when you add them to the system. Kiosk itself is an easy to use system with a straightforward GUI that’s perfect for frontline officers with limited forensic training.
Updates can be quite a challenge for forensic software in general; when a new update is rolled out, often a manager will have to physically go around visiting each machine, ensuring everything is correctly installed and running smoothly. XEC Director’s remote abilities mean that updates can be sent out to Kiosks without managers needing to be physically in the same location, making it far less of a challenge for agencies who have workers spread across several sites. This is also helpful when it comes to updating licenses; when a new annual license is issued, management can easily push out this update to their Kiosks, rather than having to physically add it.
When a new update is available, the most sensible thing may be to download it first, put it on one unit, and test it there before rolling it out. Director makes this easy to do, and means you can view how the new update is being used even if you’re not in the same physical location as the device itself.
When you do come to roll out updates to all machines, it is possible to postpone the updates to certain Kiosks if necessary, for example if people are in the middle of working on a large case.
One advantage of this method is that it fits in very nicely with the recent ISO 17025 accreditation requirement. Since standardised procedures are now necessary across your whole forensic business, it is important to ensure that all of your teams are using the same software in the same way. XEC Director allows this to be done quickly and seamlessly.
The way permissions are set up also helps with accreditation. Each user can be allowed to do different things, so for example you can set up one team or individual to focus on physical extractions, while others perform logical imaging, and so on.
When a user first logs in to their Kiosk, they are shown a set of screens which take them through a step-by-step guide. Each step must be completed before they move on to the next one; this is another great help when it comes to accreditation, since you are able to verify that each user took each step in your standardised process, thus ensuring consistency throughout the organisation.
These screens are run by an XML script which MSAB provide free of charge with the product, so it’s possible to customise this to your own requirements.
Users identifying themselves when they log in is helpful for a number of reasons, the primary one being that it allows management to set different permission levels for different users, as we have already discussed. However using login credentials also allows for better audit log creation, which means management can see how often their Kiosks are being utilised, how the users are doing, which phones are most popular, and so on. It is also easy to see which team members may not be using the technology very effectively, and which of them may therefore need refresher training. Again this helps organisations to keep in line with ISO 17025 accreditation, which requires standardisation of methodology and usage across the board.
In terms of storing data once it’s been collected, this can be set up in any number of ways. Each forensic agency has a different way of doing things, and this is reflected in XEC Director’s setup. You can store data locally and archive it within a specified timeframe; you can download it locally to CDs or USBs; or you could push data back across the network, either to a central location which contains all your XRY files, or to different divisions that send data to different servers. Director and Kiosk can manage those uploads based either on global product configuration or on an individual contextual configuration.
One of the main advantages of XEC Director is how customisable it is; MSAB’s team are happy to help with setup and can make sure everything suits each customer’s unique needs. Storage is one such example: typically everything is stored on a server, which many organisations will already have in place. The modular nature of XEC Director means you can break this up: you don’t need to buy a dedicated server for XRY and store everything there, instead you can put it on different servers based on your own requirements.
Ultimately this is not just a piece of forensic software, but a solution that should be integrated into the overall organisational infrastructure, so when you’re first getting set up it’s worth sitting down with your forensic staff and your IT department, as well as a representative from MSAB, to make sure you create a solution that works for you. MSAB’s professional services department is specifically set up for this purpose and can help to smooth the partnership between forensics and IT.
What you see on the front end is very simple. Project managers won’t need to use XEC Director all day every day; maybe once a week, depending on the project. In the meantime the software will be sitting in the background managing users and data all the time.
When you log in you’ll see a screen that shows all registered systems: Kiosks, Tablets, and XEC Express. In the next release XRY will also be supported, so all MSAB products will be able to be managed from Director.
The live status dashboard is a quick way to identify any potential problems, and also shows when the licenses are due to expire. Here you can see the status of individual users and of groups – for example, which hard drives are almost full – and it’s from this screen that you can push out updates either universally or to specific individuals or groups.
On the Users screen you can manage users within the groups you have set up. Most organisations have a minimum of two groups: Basic, whose users have one workflow that provides them with step-by-step reminders of what to do in each case; and Advanced, who see a reduced sequence that still shows critical information, but doesn’t have so many screens to click through. You can set up an unlimited number of groups within your organisation.
In terms of credentials, you can either use an MSAB login, which is proprietary to the system; or you can connect to an active directory, which will then synchronise with the system so that those details can be used to log into a Kiosk. If you manage your own organisation but also have guests who need to be able to work on certain cases, you can run both concurrently by creating visitor accounts – again, this gives a very granular level of control over users, workflows, permissions, data flows and more.
The Logs page gives you the ability to see logs for the entire estate; you can then drill down to a more granular level if required. The filter settings on the left-hand side give you the power to specify timelines, user groups and so on.
The logs include every single event, including successes and failures of reads, allowing you to see which devices have been successfully extracted and which still need to be worked on.
The forensic data itself isn’t included with the logs; instead the logs provide an overall picture of the project which can feed back to main management. You can see which kinds of phones are most commonly extracted, how much work is being done, and how much data is being processed at any given time. You will also be able to see how often the Kiosks are being used; so for example, if you have a limited number of Kiosks and several departments requesting them, you’ll be able to work out which departments aren’t using them very often, and you can use this data to make an executive decision about where your Kiosks are best deployed.
Most senior leaders don’t want to look all through the logs, as this is time-consuming and may seem complex; for this reason, Management Information Reports are available in PDF format, including pie charts and bar graphs that make data easy to interpret and analyse.
Custom reports can also be created if there are specific things you want to include. Typically this would include case references, ID numbers, region, crime type, examiner names, case statuses and case priorities, but you can customise it however you desire. Once you’ve created your reporting profile, you can set it up so that a report is automatically created and emailed to a department head, CEO or chief on a monthly basis, for example.
Should any of your users encounter difficulties, you can also set up remote assistance, which means you are able to see their desktop on your machine and talk them through what to do. You can also request permission to control their screen, thus limiting the likelihood of mistakes.
If your team members need to work offline in the field, there is an offline mode which saves the extraction to the local device, then when the users return they can upload data to the system and resync workflows if necessary. If the network goes down, systems will revert to local mode and pause extractions; when the network comes back up again they will automatically start resyncing.
XEC Director is an easy-to-use management tool that is fully integratable into an organisation’s unique workflow. It allows control at overall and granular levels, creates custom reporting options, and automates several aspects of management that are otherwise time-consuming and generally challenging. For large organisations, particularly those working within law enforcement and those who may need to collaborate often with outside agencies, XEC Director seems like the perfect all-in-one solution.
About XEC Director
XEC Director 2.0 is a centralized management solution that lets you connect your agency’s mobile forensics extraction tools into a single network so you can easily manage all teams and individuals from a central location.