Presenter: Tom Cross (Technical Sales Manager, UK)
In today’s digital-first world, investigators are facing an uphill battle – vast volumes of data spread across countless devices, tighter turnaround times, and rising expectations for privacy-conscious, evidence-led investigations.
Digital triage and targeted extraction are no longer “nice to have” – they’re essential for tackling the realities of modern investigations. Frontline and lab-based teams need tools that offer speed, precision, and ethical rigour. That’s exactly what Detego Global delivers.
Hosted by digital forensics tech specialist Tom Cross, this live, UK-focused webinar will demonstrate how Detego Global’s award-winning triage and selective extraction solutions are empowering investigators to rapidly locate case-critical data while protecting victim privacy.
This session is an opportunity to:
See how key digital forensics tools such as Field Triage, MD-LIVE and Media Acquisition can cut investigation times without compromising integrity
Learn how to protect privacy by targeting only investigation-relevant data
Gain insights from a specialist who works directly with digital forensics teams across the UK
Experience the tools yourself with a complimentary post-event trial licence
Whether you’re a law enforcement officer, intelligence analyst, or part of an in-house investigations team, this webinar will show you how Detego Global’s tools can make a real-world impact.
All attendees will receive a 30-day evaluation licence to experience first-hand how Detego Global’s solutions can drive efficiency and accuracy in digital investigations.
My time as a senior detective in charge of a specialist unit has taught me that successful investigations often require swift and precise action. When it comes to investigating Internet Crimes Against Children (ICAC), Indecent Images of Children (IIOC) and Child Sexual Abuse Material (CSAM), time is a luxury you can’t afford. That’s why a tool like Detego Field Triage is perfect for these investigations.
With the explosion of data volumes and the sheer number of devices awaiting examination, the ability to swiftly identify devices harbouring critical information is more vital than ever. The traditional, time-intensive methods of shipping devices off for specialist analysis, coupled with the uncertainty of whether they contain pertinent data, present significant hurdles. Moreover, the relentless evolution of digital threats adds another layer of complexity to our work.
This is where Field Triage can help. Field Triage isn’t just another tool in the digital forensics arsenal; it’s a lifeline for frontline and lab-based investigators.
This highly portable solution doesn’t waste time with unnecessary complexities. Instead, it gets straight to the heart of the matter, utilising keywords and hash-matching to swiftly pinpoint relevant data without the tedious wait or the need for lengthy extractions and analysis.
Addressing Investigative Pain Points with Field Triage
Rapid Access to Crucial Data
Time is of the essence, especially when dealing with child-related crimes. This is why Field Triage comes with an all-new Xpress HashScan Mode to pinpoint pictures and videos relevant to investigations up to 6x faster. This mode swiftly identifies and drills down into media content and provides real-time alerts as and when matches are found. The tool also includes an all-files mode and customisable options to provide investigators with the flexibility and granularity they need to target different file types during investigations.
Field Triage doesn’t just identify data; it helps you rapidly acquire usernames, passwords and critical information needed for a swift investigation.
Visual Alerts for Swift Decisions
Field Triage’s patented red-amber-green alert system is a game-changer. These real-time visual cues can empower you to make split-second decisions in critical moments, be it during a sting operation, while managing offenders or while inspecting a suspicious device submitted for further investigation.
Deploy Anywhere, Anytime
A detective’s work is unpredictable, and so is the crime scene. Field Triage’s portable deployment ensures you can set it up and run it from anywhere, at a suspect’s location or in the field. You only need a removable USB device or an external hard drive to house Field Triage.
Tailored for Diverse Investigations
Child exploitation comes in many forms. Field Triage’s adaptability allows users to customise it for different investigation types – from modern slavery to indecent images of children – ensuring it’s a versatile tool in your investigative toolkit.
Automation for Efficiency
Investigating digital crimes can be overwhelming. Field Triage steps in with advanced automation, minimising manual efforts and giving investigators the speed needed to stay ahead while making sure forensically sound processes are followed and the chain of custody is maintained at each step.
Integration with CAID and Project VIC
The integration with the Child Abuse Image Database (CAID) and Project VIC is a godsend. It streamlines the process, allowing you to fast-track investigations related to indecent images, sexual abuse material and ICAC cases by providing rapid access to information on millions of known child abuse images that have previously been detected around the world.
User-Friendly for Every Detective
Not all of us are tech gurus, and that’s fine. Field Triage’s user-friendly interface means that non-technical investigators can get up and running in minutes without extensive training.
In a profession where every second counts, Field Triage understands the challenges you face and provides you with the critical insights you need every step of the way.
As a former investigator, I can attest that in the ever-evolving landscape of digital crime, having Detego Field Triage on your side is like having a seasoned partner who knows the terrain – and knows it well.
Written by Mike Bates – Technical Sales Engineer: North America
With nearly 30 years of experience in law enforcement, Mike Bates has a proven track record of success. He most recently served as a Sergeant overseeing a detective unit, leading a team of investigators conducting digital forensics investigations to uncover crucial evidence to solve serious crimes including homicides and Internet Crimes Against Children (ICAC).
Mike currently works as a technical sales engineer at Detego Global, where he is dedicated to providing exceptional customer service and support. He offers comprehensive product training and support to ensure customers have the resources they need to succeed. He also conducts demos and presentations for potential clients to showcase Detego Global’s innovative solutions.
Detego Global, a provider of digital forensics, case management and endpoint monitoring solutions, has announced the launch of its revolutionary Xpress HashScan Mode, a feature designed to dramatically enhance digital forensic triage capabilities and swift decision making during on-scene and lab-based investigations. Included as a part of Detego Global’s acclaimed Field Triage module, this innovative mode helps teams identify investigation-critical data up to six times faster.
Crafted by incorporating insights from military and law enforcement experts, the Xpress HashScan Mode streamlines the evidence discovery process, ensuring the rapid identification of key images and videos across a range of investigations, including Internet Crimes Against Children (ICAC), Child Sexual Abuse Material (CSAM), and Indecent Images of Children (IIOC), as well as cases involving human trafficking and terrorism. This mode not only preserves the forensic integrity of evidence but also delivers unmatched accuracy levels by using universally recognised, court-approved hash sets such as MD5, SHA-1 and SHA-256.
Sharing his thoughts on this new feature, the company’s technical sales engineer for North America and former senior law enforcement official, Mike Bates, said:
“This mode transforms investigations by enabling the immediate discovery of crucial evidence through a simple plug-and-play USB drive. It helps investigators narrow down the devices that need deeper examination, and empowers teams to speed up case resolution. I know, from my experience in law enforcement, that this capability is ideal for the ICAC, IIOC and CSAM investigations.”
The introduction of Xpress HashScan further bolsters Detego Field Triage’s capabilities, which include unrivalled keyword and hash matching capabilities, a globally patented visual alert system that provides real-time alerts, automation, and the ability to swiftly extract usernames and passwords.
Andy Lister, Managing Director of Detego Global, emphasised the importance of such innovations in today’s fast-evolving digital landscape:
“Investigators need every advantage they can get in the field and in the lab. The Xpress HashScan Mode addresses the demand for rapid insights from data on computers, laptops, servers and loose media. It enhances the efficiency and precision of investigations, even under the most time-sensitive and high-pressure conditions. This innovation is a testament to our commitment to working with professionals within the digital forensics and incident response space to create easy-to-use solutions that provide impactful insights.”
Designed for versatility and ease of deployment, Field Triage offers customisable keyword and hash options to suit a broad spectrum of investigations, from terrorism and financial crime to human trafficking and ICAC, IIOC, CSAM. This adaptability ensures that Field Triage remains an essential tool in combating a wide range of crimes. Field Triage also provides investigators with access to crucial databases like the Child Abuse Image Database (CAID) and Project VIC to easily pinpoint millions of previously identified ICAC, CSAM and IIOC material.
The solution is designed to evolve with changing data landscapes, device technologies and encryption methods, all while minimising the need for additional training and reducing skill fade among users. It also helps bridge the critical gap between the rapid proliferation of digital devices and the slower growth of digital forensics expertise.
The Xpress HashScan Mode is only part of the extensive product roadmap planned out by Detego Global in its bid to empower investigators in the military, law enforcement and corporate sectors with cutting-edge solutions that eliminate backlogs and accelerate the delivery of justice.
To learn more about this feature, or to get a first-hand look at its capabilities with a fully-functional, 30-day trial, visit www.detegoglobal.com.
Magnet Forensics is excited to announce that Magnet OUTRIDER now supports triage of iOS devices! This is in addition to already existing triage support of Windows, Macs, and external drives, as well as Android mobile devices.
Also with Magnet OUTRIDER 4.0, you can now use MD5 hash matching to locate files on a device using hashsets like VICS or CAID.
Whether you’re using OUTRIDER in the field or in the lab, you often need to know what you’re getting into before you do a full collection of a device. OUTRIDER is perfect for consent-based triage of iOS devices so you can quickly understand what’s on the phone.
Use OUTRIDER 4.0 to perform logical scans of decrypted and encrypted backups in minutes. With iOS support, you get artifacts for:
iMessages
SMS
MMS Media
Contacts
Device information
Account information (names & email addresses)
Call logs
Browser history
Third-party apps
MD5 Hash Matching
We know that many customers want to use OUTRIDER to scan their VICS or CAID hashsets, or even their own agency hashset including NCMEC CyberTips. The challenge has been that, using alternative methods, scanning against millions of hashes can take time…time that OUTRIDER can’t afford to spend.
This is where MD5 hash matching comes in. It’s an ideal way to scan against millions of hashes in a short period of time to give you enough certainty that you can move forward with your investigation in the right direction.
With OUTRIDER 4.0, you can locate files of interest using MD5 hashes matching the source hashes. Once files are found using MD5 hash matching, they’ll be displayed as Critical Hits under Hash Set Matches where you’ll see a thumbnail preview of the file found, the hash found, the location of the file as well as the hashset source.
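The hash-set matching described for Xpress HashScan and for OUTRIDER’s MD5 matching, as an added example that is neither Detego’s nor Magnet’s code: a Python scanner that loads an MD5/SHA-1/SHA-256 hash set, hashes every file under a directory in a single pass and reports each match with its path, digest and hash-set source. The CSV layout (digest,source), the hit record and the sample files are assumptions constructed for this example.

```python
"""Hash-set triage scanner (added example, not vendor code).

Loads a hash set of known files (MD5, SHA-1 or SHA-256, inferred from
digest length), walks a target directory, hashes each file once for
all algorithms present in the set and reports matches with the path,
digest and hash-set source, the same fields a triage tool surfaces as
a critical hit. CSV layout 'digest,source' is an assumption.
"""
import csv
import hashlib
import io
import os
import tempfile
from dataclasses import dataclass

# Hex digest length -> hashlib algorithm name
HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_DIGITS = set("0123456789abcdef")


@dataclass(frozen=True)
class Hit:
    path: str
    algorithm: str
    digest: str
    source: str


def load_hashset(text):
    """Parse 'digest,source' rows into {algorithm: {digest: source}}.
    Rows with a malformed digest are skipped rather than aborting."""
    sets = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2:
            continue
        digest = row[0].strip().lower()
        algo = HEX_LEN_TO_ALGO.get(len(digest))
        if algo is None or not set(digest) <= HEX_DIGITS:
            continue
        sets.setdefault(algo, {})[digest] = row[1].strip()
    return sets


def hash_file(path, algorithms, chunk=1 << 20):
    """Read the file once and feed every requested hasher per chunk."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def scan_tree(root, sets):
    """Return a Hit for every file whose digest appears in any loaded set.
    Unreadable files are skipped so one locked file cannot stall triage."""
    hits = []
    algorithms = list(sets)
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path, algorithms)
            except OSError:
                continue
            for algo, digest in digests.items():
                source = sets[algo].get(digest)
                if source is not None:
                    hits.append(Hit(path, algo, digest, source))
    return hits


def demo():
    """Constructed sample: one known file listed in two hash sets under
    different algorithms, one unrelated file, one malformed hash-set row."""
    known = b"constructed known-file content"
    hashset_csv = "\n".join([
        hashlib.md5(known).hexdigest() + ",CAID (constructed)",
        hashlib.sha256(known).hexdigest() + ",Project VIC (constructed)",
        "not-a-hash,ignored row",
    ])
    sets = load_hashset(hashset_csv)
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "IMG_0001.jpg"), "wb") as fh:
            fh.write(known)
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"unrelated content")
        hits = scan_tree(root, sets)
        # Path basename only, so the result is stable across temp dirs
        return sorted((h.algorithm, os.path.basename(h.path), h.source)
                      for h in hits)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```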
There’s More!
In addition to iOS triage support and MD5 hash matching, we’ve added a few other features to round out the release of OUTRIDER 4.0 including:
Triaging MMS data for Android devices along with options to speed up scanning
Scraping of NCMEC pdf reports for keywords
Getting more detailed information about scan status to make immediate decisions
Watch Magnet OUTRIDER 4.0 in Action
On September 20 at 1:00PM, check out “Using OUTRIDER’s New Features to Create Your Own Triage Workflows”, a new webinar with two of Magnet Forensics’ forensic experts, Chris Vance & Chris Cone, to learn more about how you can incorporate mobile devices into your triage workflows.
Request a quote and pricing information for Magnet OUTRIDER today by reaching out to us at sales@magnetforensics.com. As always feel free to reach out to us at outrider@magnetforensics.com if you’re having any issues or if you’d like to provide feedback. We’d love to hear from you!
Organizations of all sizes are at constant risk of data breaches and security incidents that could disrupt business operations from a variety of malicious actors. Whether these risks come from insider threats, malware, or ransomware, corporate investigators and IT administrators need actionable intelligence to mitigate risks swiftly and efficiently.
According to the 2022 Cost of a Data Breach report from IBM, 83% of companies will be victims of a data breach. The global average cost of a data breach is $4.35 Million.
Is your company properly equipped with an incident response plan to mitigate these threats and recover from incidents as quickly as possible?
Register now for this webinar with Joshua Barone, Senior Developer at Cellebrite, as he showcases:
How Endpoint Inspector can be leveraged in an incident response process to quickly respond
How Endpoint Inspector can quickly gather sensitive and volatile data to identify what might be at risk
Possible incidents that could impact your organization
How to triage an incident to help minimize disruption to your organization
Date: Thursday, March 30, 2023
Time: 2:00 PM (SGT | GMT | EST)
Speaker: Joshua Barone, Senior Developer at Cellebrite
Can’t join us live? Register for the webinar and an on-demand version will be sent to you upon completion.
Andreas Arbogast: Well good morning, everybody. Everybody is online? Well, I’m looking into the faces, more or less, coffee was successful. I’m more than delighted to be here this morning.
As you see, due to our international customers and international people over here and international police forces and other forces who are going to do that keynote in English, I hope everybody will understand I’m going to do my very best. My English is not the very best, so be patient with me. My head is always translating and telling you the story.
So, what’s the matter? We’re going to start at the bottom. I’m still more than delighted that we are not only having the opportunity to present what we are doing; we are customers as well. We bought in 2021 the Paladin forensic lab and we started to work.
And for us it was changing a complete process because what we all know when we are working on forensic topics elsewhere, it was, child abuse was everything that you can imagine. It was always kind of dirty, nerdy work, sitting on the knees with a laptop and trying to figure out the evidence.
Most of you or some of you can imagine how it is working in a special field like that and so we decided to be more professional. We got into contact with mhService and I’d like to show you how we are processing today, how we are working today and how Paladin and every, well, product from your vendors even too, is helping us to assist in our tasks.
The case “Rainbowboy” is a little funny because well, things are happening with police forces too. A little bit embarrassing maybe even, but it was happening just three, four weeks ago and I’d like to know what we did at this crime scene.
First of all, who am I? My name is First Lieutenant Andreas Arbogast. I’m working at the State Bureau of Crime, North-Rhine Westphalia. Well, you can say for everybody who is not here from Germany, it is like a little FBI.
So we are just representing one state in Dusseldorf. Exactly, representing 17 million people, the biggest state here in Germany. And well, our unit, our department has at the moment, 300, 320 people just working there as cybercrime specialists and me and my team, we’re here to enjoy these days with you together.
Well, I don’t want to leave you there with some technical topics, or I’d like to start easy today in the morning because I think you guys are, or most of you have even an idea what we’re talking about when we have artifacts and evidence. I think this is something for later.
What was happening with us is just a process and the result, what we have. The process was we had to change our complete IT enrollment when we were thinking to use the Paladin, because the Paladin is staying downstairs the whole day in the garage and none of us were interested in working in the garage.
So we had to fix the system around and we had to do that in advance before we were able to start with our work. So we needed about, let’s say, half a year to prepare us, to prepare our group, and to build a group to educate people that are able to work with this special equipment.
The first output was that we created a group, the name is DIT, Digital Intervention Team or Digitale Einsatzgruppe in German, just to make sure that you have people there knowing what they’re doing there.
The first idea was to take the key, to give it to anybody else and say, okay, we are renting that car to anybody who needs it. Forget it. It’s not possible. That was even another three months of working with us to educate us to work with and on the car.
Our car’s name is not Paladin anymore, the name is MODAL, it is the Mobile Data Analytic Laboratory. It is a kind of toolbox. So as you see, you need three things; the process, the staff and the tools, and when these things are together you are able to start to work and that’s what we did.
Well, when we had our first missions with that car, it was even a kind of surprise for us what was waiting for us. Yeah, I don’t know if you behind can see the picture. This is an agricultural company in the middle of nowhere with 1,200 cows.
So, we were there and thinking, “Is it possible that we are on the wrong mission? Why the heck should we go to that agricultural company to count 1,200 cows?” Because, let’s think. Everybody’s thinking about cybercrime, which means hacking, like DDOS-ing, like ransomware.
But no, IT crime and digital crime is everywhere. Even on that field as you can see, and what was happening, we had these fellas over there and they were counting the cows.
So at the end of the day it was an economic offender. He was having cows and meat and milk and was selling it as a special biological food. Very expensive, but it was rubbish and of course they had a complete IT surrounding where they were producing and everything was kind of IT-controlled.
Of course, if you have colleagues from regular police forces, they are confronted with these things, they have no chance. So it was our task and our duty to go to this crime scene and even work with our colleagues in this, for us, very, very far away topic.
But at the end of the day, without Paladin and without our work, we were not able to solve this in a really proper way. It was the usual things we were doing at the end. We had artifacts, we were analyzing them, we were seeing evidence and seeing what the company was doing, where the offenses were happening.
So we decided at that point, okay, we have to offer our service to let’s say, everybody in police forces. That’s what we did. We did a kind of roadshow. We were going into even the little police stations and telling them, “Hey, we are there to assist you in whatever offense you have and it needs not be cybercrime or child abuse, child porn, whatever you have, what you regularly think why this car could be used.”
But what is a police officer’s main goal? At the end of the day, there’s one point where they’re really, really happy. You can imagine that’s what we want to do. We want to see the handcuffs, we want to see somebody lying on the ground, he’s guilty and then we are happy.
Of course, in areas of ransomware well, it’ll be a little bit difficult. Flight tickets to Russia are not so available at the moment. But anyway, I’m going to show you that that really was happening and that we really were able to do that. I have to leave you with some words depending on the group, on the DEG.
So we have combined types of cybercrime or other crime, let’s say, that require that we have good, really proper experience in our police processing. This is not only to see the artifacts.
As you know yourselves who are working at police forces, we have special programs, our own office programs where we have to transfer all these things, all that what we have in evidence has to be transferred to our systems.
Sometimes it needs a little time to start working on this process. It is not possible just to do it and push on the button and do it and everything is working. No, we have to learn and to produce our own processes. We have a high level of knowhow and creativity.
Of course, we are all here, we are all interested in these new products. I can tell you it was a long way to tell our decision makers what we want to do and why we need the Paladin. It was a really, really hard and long way, but at the end of the day everybody is happy because of course the last point is the most intensive one. It is the rapid response.
As police officers, I was working in this old town and we are used to, somebody is fighting with each other. We are seeing the crime scene. We can take that guy, we can put him into jail, we can write our report, we have everything we need; we have the offender, we have the evidence, we can write the report, we can give it to the public prosecutor and everything is finished.
Are we used to doing that with cyber crime or IT-related crimes? No. It is taking weeks, it is taking months. Already our offender is back home. Maybe he’s not even sitting in prison because we have more evidence that takes days and days to extract everything and the rapid response will make us real police officers again.
Well, what we were imagining at the beginning to find was of course that one. Yeah, Munster, exactly. It was a guy that was hosting child porn and child abuse videos, everything. And that was a situation we were confronted with where we did not have our MODAL laboratory.
So, who of you guys is able to store 200 or 300 terabytes of data elsewhere on a storage infield? Yes, you’re laughing. Are you? No. But yes, we are. We are now able to do, and we are more than happy because that was a hard learning process for us and for our decision makers too that it was not possible.
And still, after two years of selecting the data, it is not quite clear in that case what was happening in this crime scene. It still takes time and we have at the beginning no idea what we had on this IT system.
I already asked this question, just for having it in mind again, who is able to secure 200 terabytes of data on-field? So if we look at several missions we are able to fulfill now, of course everybody is thinking about “Okay, we are doing forensic things, yeah?”
No, no, no, no, no. It is a lot more. Outstanding extortions and kidnappings. Well, why not to use that car as a single point of contact for police forces when they’re directly in the field to connect us with the people that may recognize these crime scenes.
You are remembering at the Christmas market when this truck was driven into the crowd, of course the people were making videos, the people were taking photos, and how were police able to get that days or weeks later?
But here it is possible we are going into the field with our mobile truck and we are giving them a QR code to scan, to do swiping and giving everything to the police on scene.
This is, as I described before, the thing we need as police officers to work as real police officers again, with the evidence now. IT-related attacks, of course, DDOS-ing, ransomware, no question. High-skilled perpetrators.
We have IT everywhere, especially in economic crimes, where this is really a big task for us. Major incidents like a truck driver going into the crowd, for example. Notice portal, that’s what I describe to you now.
So we have the possibility to tell the people, “Hey, we are there. We are your single point and you can swipe your data just with the sum to the police.”
Well, this is what our single point of contact, by the way, is looking like. We don’t need 200 terabytes of data there. Now, this is not the point we are needing. We need little data.
Anis Amri, I don’t know if you guys know him, was the guy who was driving into the crowd. He was able to go to Italy four, five days later. When was his photo online? I have no idea.
But, if the people had had the opportunity to send us the picture immediately and we can put it through this car into our police structure with 1,200 police officers around, everybody, his iPhone in the pocket and we can send this picture there, we are talking about 500 kilobytes, not 200 terabytes.
But, we are able to deliver that service now and it was kind of impossible before and we had not even an idea that we would like to do that. So we were seeing before, we need a kind of creativity to work in that topic and that’s what we of course were doing with mhService.
(Dick is there. So if you need to talk with him today, he will be available.)
This is our car. Well, what we’re doing here is an important thing: transferring data to the decision makers. We have a video conferencing system here. It is online here.
So what did we do? We have an IP cam and just when the special forces were going into the offender’s house, we can video the scenery, we can transfer it in our war room 200 kilometers away and let the decision makers be part of our mission.
Dick was able to transfer the data immediately, some taken photos, some evidence, even into that video conference system even to show the decision makers again, “Hey, this is the evidence we got immediately here on scene.”
And then they have the opportunity to say, “Okay, this guy is now going into handcuffs.” We were never able to do that in IT-related crime scenes before. If anybody did, I want to talk with you a little later to inform me how you were able to do that. In Nordrhein-Westfalen this is here now the first opportunity.
Let’s talk about Rainbowboy just shortly. It is a little bit embarrassing. How much time is left? Well, okay, sounds good. Rainbowboy is a 17-year-old script kid. He called himself on the internet like that. We did not know him, but what was happening, we had a police front end webpage of a little police station and it was attacked through Rainbowboy.
Not that Rainbowboy was a kind of hardy expert. Yeah, he was not, definitely not. But he was kind of mad, because he was caught by police some days before and he was locking himself in his room at his parent’s home and figuring out what to do, how to penetrate police forces, and he hacked our website. He was choosing one of these well known DDoS apps and regularly you should think, well, it should not work. It worked. Website was down.
Of course, I don’t know if some of you guys here are from the Ministry of Inner Security or something like that. I know if this information goes to the Ministry, well it is kind of spooky because they want to know exactly what is up there today and we are still not talking about 200 terabytes of data, another idea of a mission, another idea of a topic, what we are able to solve now.
So what was the result for Rainbowboy? Of course, he had some visitors at six o’clock in the morning. For him quite uncomfortable, for us quite good because for the first time we were able with our MODAL truck to set up the IP cam on the scene and give all this information into the war room as I told you before.
Rainbowboy was not at home. He was at a friend’s home. We did know the friend’s home address and the same scene; he had visitors, us, at 10 minutes past six. But then Rainbowboy was caught, but Rainbowboy did not want to talk with us and he did not want to tell us what he did. Even he had the idea, “No, no, I don’t know anything.” What a surprise. What a surprise.
Well, let’s see from the forensic point, what we did and what were our tasks. Of course, we transferred the situation by IP cam. We got his PC, we got his HDD, we had some artifacts, we had his mobile phone. We were not quite sure what kind of techniques he additionally had in his house.
So that means at the first time we had to use nearly all our techniques we have stored in MODAL. Of course, I think you will discuss later what it is. I don’t want to tell you now. So even I think Dmitri and all the others at mhService, they can tell you exactly what we have.
We check the network. So we used Wi-Fi Hunter and other products to see what kind of mobile phones, what kind of access points, everything he has in his house. We used the analyzer to take the stored data and analyze it rapidly. We used Axiom and all these things as you might know to figure out what was happening with Rainbowboy.
Yeah, but the main thing was, of course, with Axiom you have the possibility to get Rainbowboy’s browser history, and with that browser history we could immediately see what kind of service he was using, what kind of DDoS attacks he was performing.
And while he was questioned, we were at a little police station and we were able to put our MODAL directly in front of it. The analyzing process was still ongoing but after a few minutes our result was there and we were able to inform the offender of what kind of knowledge we have.
And that was the point when he was breaking down. Suddenly he changed his mind and he was talking with us and suddenly of course he was telling us, “Okay, it was me. It was a DDoS attack and I was mad at the police because they caught me some days before when I was fighting with a friend on the street.”
It was just a little case, I know, and it was not the big thing we were waiting for. But for police forces when they get hacked themselves it is a kind of big thing because we were learning more about our own IT structure and that we have to fix here and there some things. Anyway, but it was another topic for us to know, “Okay, this is another scene to work with.”
Let’s see what we have. I don’t know if you can see it from last places regularly. We have police forces like Polizei on our sites. In this case we were using Baustellenfahrzeug. What is the translation of Baustellenfahrzeug? Construction worker’s vehicle?
Exactly. Thanks a lot. Not really to be like 100% invisible, but as you can imagine, when it is six o’clock and special forces are going in, well, you don’t like to be visible in the first second. If they identify us a little later, so what?
But we were like 100 meters away and you can see here was the IP cam and we were waiting with three officers in the lab to have the first artifacts coming in and it was really like that nobody on the street was really recognizing, who was it? Was it police? What were they doing there?
From inside it’s looking like an office. So for us working on the scene in the field was really, really, really comfortable. The first time, no laptop on the knees, no dirty enrollment, we had our coffee machine. Well it was quite important by the way, and we were really, really happy.
Well, let’s see. No wasted time in transferring data, I told you already. Securing evidence immediately. Handling big data if necessary.
Well, another point is I just want to let you know, we have now the opportunity to store a lot of terabytes in our car, but to be forensic-correct, if you have a case that is big like this, what is happening when you are coming home to your station? What to do with this information, with this data?
You have to think about that before. In our case it was, let’s say, likely no problem because our car is a part of our own police cloud infrastructure. The infrastructure is containing about 22-25 petabytes of data capacity and we are storing all the child abuse data and all capital things directly in that cloud and the people all over Nordrhein-Westfalen working at police forces can use this data everywhere.
So for us it is no problem to drive home in our car, to put the car into the garage and to pump the data into the cloud. We have 10G; it works at a maximum of 6,800 megabytes per second. But our MODAL is doing likely like 900 megabytes per second.
It still takes a longer time if you have 200 terabytes, but we have the capacity to clean our car. I recommend you really intensively think about that if you are working with this kind of big data and if you try to work with Paladin. You need the infrastructure around.
Well, I think we were using nearly everything we had on the car. Some little things. Some of you have seen that with Wi-Fi Pineapple, with a Wi-Fi hunter.
We were more satisfied with the Wi-Fi Hunter by the way. It’s from Switzerland. We were really, really happy to buy that little device and of course you all know the products you might have at your house too.
So here we have Cellebrite UFED Touch. We know that it is difficult to open phones directly on site. In this case it was working, and in this case we just needed the browser history. That was kind of easy. But as you can see from network scanning techniques, to mobile phones, to Axiom where you can analyze it to other products, we needed the complete portfolio to see what Rainbowboy was doing.
So at the end of the day, it was a small case, for us it was a big impact and a big work until we were at that point where we can tell him, “Hey boy, that’s what you did and now it’s your time to talk with us.”
Well, some additional benefits. I have to tell you that because my boss was creating these sentences. We have the expansion of the range of the services.
Of course, it’s clear all these things we are doing now with Paladin and the products on this car are enabling us to offer this wide range of services now to all police stations. Before, yes, we were kind of assistants, we had all these luggage boxes and we were throwing that into a car and driving to the crime scene, but this is what everybody was doing and that was not the kind of help our police stations were waiting for.
Triage is a big point for us. Let’s say these cars are always only ready for 90%. The last 10% is always evaluation and a kind of process of how we handle new kinds of modus operandi, whatever.
For us, triage at the moment is one of the main points because it makes it possible to figure out what is happening on the crime scene immediately. Some products really need hours to figure out what’s up, especially when we are going deeper into crawling, into parsing of evidence, it really needs a long time because they are always doing the full scan.
The triage products are offering us, let’s say, some spot-wise ideas. Is this the right offender? Is this the one we’d like to catch? More professional handling of missions is clear and, well, we have set up a kind of cooperation now.
At the moment the idea is that our DEG, our rapid intervention team, is now seven people with this car and it is not enough. So we have had a lot of bookings in the last month.
And it is going upwards because the police stations are now knowing what kind of service we are offering and we figured out that for us we need maybe a second dessert. Well, at the end we will have seven of these groups in Nordrhein-Westfalen at the start of next year.
Well, we are proud to work with one of these tools mhService is offering us. We are always happy to be here. We are always happy to be served here. We never had any issues, never any problems. We had a straight working process and learning process even all together with Martin Herrmann and his team because it was a kind of thing that was really invented by creativity.
And still we have the next appointment next week because we want to improve something, so the contact will stay. For me and my group, we are really happy to be here today again, and we are really excited by what you guys are telling us about your experiences you have had in the field.
And well, if you have questions, please right now. Thank you so much.
Cyacomb and the Northeast Ohio Regional Fusion Center (NEORFC) partner in the first terrorism fighting efforts in the United States
Today, October 25, 2022, Cyacomb welcomes the Northeast Ohio Regional Fusion Center (NEORFC) as their newest partner to the Cyacomb Forensics Pathfinder Program. The NEORFC joins agencies from California, Washington, Ohio, Scotland, and Germany in this program.
The Pathfinder Program is a collaboration between select law enforcement partners and Cyacomb, to provide lessons learned, data and best practices related to Cyacomb Forensics tools. In this partnership, the NEORFC will use their subject matter expertise to assess, and advance Cyacomb Forensics’ fast forensic digital triage technology as it relates to terrorism activities. The NEORFC is one of eighty fusion centers designated and recognized by the United States Department of Homeland Security (DHS). The mission of the NEORFC is to facilitate and enhance the level of inter-agency communications, criminal and intelligence analysis, and information sharing among federal, state, and local stakeholders, and the public and private sectors in order to anticipate and counter criminal activity, terrorism, and other hazards in coordination with the Ohio Fusion Center Network and the Intelligence Community.
“Speed is at the core of our mission to keep Ohioans safe, and we are thrilled to partner with Cyacomb Forensics in their efforts to advance their forensic digital triage technology into the terrorism/all-hazards space. We are excited to join agencies from across the world in assessing and improving this technology.”
– Director Michael Herb, NEORFC
Cyacomb Forensics offers a new generation of digital forensics triage tools for law enforcement, finding evidence of child sexual abuse or terrorist material in minutes. Finding digital evidence fast empowers law enforcement to make decisions earlier, enables devices to be eliminated on scene, significantly reduces risk during investigations, and allows devices and case backlogs to be cleared quicker.
Cyacomb Forensics tools are already trusted by major UK and USA law enforcement agencies, and their tools are proven to deliver results.
Ian Stevenson, CEO and founder of Cyacomb, said: “We are excited to be working with NEORFC and Director Michael Herb on this pathfinder project. Understanding exactly how our technology is used, where it delivers value, and what limitations customers experience is at the heart of our culture of continuous improvement and building a strong evidence base around our technology. Terrorism knows no borders, and collective effort in the development of new tools and approaches is vital to reducing the volume and minimising the effect of terrorist activity.”
Notes to Editors
For media enquiries and further information please contact Rachel Goddard at Cyacomb:
Cyacomb harnesses the power of data and technology to help law enforcement, social media and cloud companies find and flag harmful content while protecting database security and user privacy.
Cyacomb Forensics’ tools help law enforcement find evidence 100x faster than traditional techniques, empowering them to make quick decisions on scene, replacing processes that take weeks or months in forensic labs. Customers include US and UK law enforcement.
Cyacomb Forensics’ tools were developed from university research, rooted in scientific methods, to provide unique highly secure block level hashing contraband filter technology to quickly scan suspect devices for known harmful and illegal files.
Cyacomb is headquartered in Edinburgh, Scotland and has a U.S. office in California. Cyacomb employs 45 people and plans to increase in the next year to support its growth.
You invest in our technology – we invest in you. In summer 2022, we at Oxygen Forensics added 4 new courses and in January 2023 we plan on adding a 2-day course. These new courses give users the opportunity to expand their knowledge, enhance their skills, and stay up to date on all the features and tools offered in Oxygen Forensic® Detective.
We continuously expand our course offerings based on the needs of our customers and the updates that are made to our solution. With a variety of courses to choose from, our unlimited annual membership, All-Access Pass, gives members access to every training course, at a fixed low price. And for a limited time, users can get 10% off any course or our All-Access Pass.
OFBC is geared toward students that have a working familiarity with mobile device extraction and analysis. This course focuses on the extraction, use-case, and reporting capabilities of Oxygen Forensic® Detective.
OFAA is a follow-up course to OFBC, and continues with deep dives into Oxygen Forensic® Detective analytics, database parsing, lost data recovery, alternate data sets, and advanced tools, such as the Call Data Expert, the SQLite and PList viewers, and Oxygen Maps.
OFCE is geared toward students that have a working familiarity with Oxygen Forensic® Detective and have the desire to integrate cloud-based data into their investigation.
XiB is geared toward students entering the mobile forensic arena ready to learn the art and science of extracting data from phones, as well as broaden their knowledge of Oxygen Forensic® Extractor, a component of Oxygen Forensic® Detective.
OFDV centers on education for non-technical investigation review of collected mobile device and computer data using an interface modeled on Oxygen Forensic® Detective.
OFKC is geared toward students that have a working familiarity with mobile device extraction and analysis, and focuses on extraction, use case, and reporting capabilities of Oxygen Forensic® Detective.
OFAT is geared toward students that have a working familiarity with Oxygen Forensic® Detective and are ready to execute on-scene warrants, knock-and-talks, consents to search, or roadside interrogation.
OFSA is geared toward students that have a working familiarity with Oxygen Forensic® Detective. With tens of thousands of applications made for a variety of mobile operating systems, keeping ahead of rapid updates and new application debuts is a seemingly impossible task for any investigator. The solution is the SQLite database.
All-Access Pass
All-Access Pass offers unlimited annual access to all training courses, at a fixed low price.
Some of the benefits of Oxygen Forensics All-Access Pass include:
Pay 1 price to attend all courses – Fixed low price for unlimited annual access.
Stay up to date on new tools and features – Stay up to date on new tools and features available in the Oxygen Forensic® Detective suite, which is updated 8 times per year.
New courses are added frequently – Courses are added based on the needs of our customers and the updates that are made to our solution.
Multiple learning options – Instructor-led, online training, webinar, and classes offered by our trusted training providers – multiple options are available.
Gain your Oxygen Forensic® Detective Certification – The Oxygen Forensic® Certification (OFC) is designed to validate the knowledge, skills, and competence of the Oxygen Forensic® Detective suite.
Includes eManual Annual Subscription
Want to learn more about All-Access Pass? Learn more about it here.
Get 10% Off Today!
If you are wanting to gain expertise with innovative digital forensic tools, right now is a perfect time because we are offering 10% off any course or All-Access Pass. Learn more about how to get 10% off here.
“Our customers need these answers as quickly as possible to minimize business interruption and Magnet IGNITE has enabled us to provide them hours—and sometimes days—earlier.”
—Michael Nelson, Managing Partner, CYBIR
CYBIR is a cybersecurity, digital forensics & incident response consulting firm serving clients across the United States.
HEADQUARTERS: Philadelphia, PA
SPECIALTIES:
Breach Response
Digital Forensics, eDiscovery, & Data Recovery
Data Security and Privacy Compliance
Penetration Testing and Managed Security Services
THE CHALLENGE
When a business suffers a breach, they turn to CYBIR to investigate the incident. CYBIR needs to be able to move quickly and gather insights on the breach and determine the course of action required to guide the company through the incident.
With time in short supply, CYBIR needs to identify which endpoints were affected quickly. They also need to provide answers to the business and legal counsel on how the attack occurred and what data was accessed or exfiltrated. To ensure the speed and efficiency of their triage, CYBIR uses Magnet IGNITE, a cloud-based tool that enables concurrent, targeted collections from remote endpoints.
Prior to using IGNITE, a breach required CYBIR to travel to the client site, send drives overnight to and from the client to gather full disk images, or use various scripts to extract data. Between transportation timelines and the volume of data that needed to be processed and investigated, it could take days or weeks to reach the required answers.
With the constantly evolving nature of breach investigations, speed is important not only at the onset of the investigation but also when a development takes the case in an entirely new direction. The efficiency of IGNITE allows CYBIR to deploy additional agents and review evidence at speed—maintaining the momentum and progress of their investigation.
HOW MAGNET IGNITE HELPS
Speed and Efficiency
Magnet IGNITE enables the rapid triage of remote client endpoints to identify where malicious activity has taken place so examiners can determine the required next steps. Using a single agent configuration, examiners can triage multiple endpoints at the same time to quickly gather insights into an incident and determine where a full forensic analysis is needed.
Initial Analysis to Deep Dive Forensics Tools
Triage results are presented in IGNITE’s intuitive interface to allow for preliminary analysis of artifacts, as they are being collected. Keyword searches and time filters can be applied to the results to provide many of the answers that are required in data breach cases. Where a deep forensic analysis of an endpoint is required, IGNITE can export evidence in a file format that can be ingested into Magnet AXIOM Cyber.
Cloud-Based Benefits
With teams and projects geographically spread across multiple states or internationally, IGNITE provides hybrid teams with access to the data no matter where they are located. As a cloud-based tool, IGNITE can be accessed from any location with an internet connection to quickly triage endpoints. And because IGNITE operates completely in the Cloud, it doesn’t require processing time or additional hardware in your forensics lab.
“Data breaches can happen anywhere in the world and one of the most powerful features of Magnet IGNITE is that it allows us to investigate how they happened, actions the threat actors took and what data was exfiltrated, from any remote location.”
“Magnet AXIOM is a great tool when it comes to filtering in and filtering out the important data that investigators need to review, which really reduces the overall time to evidence.”
— Detective Chad Gish, CID, SISU, Metropolitan Nashville Police Department
CASE OVERVIEW:
Detective Chad Gish, CID, SISU
Metropolitan Nashville Police Department
PRODUCTS:
Magnet AXIOM
Magnet OUTRIDER
Magnet DVR Examiner
SPECIALTIES:
Grayshift
Berla
How Chad Gish Uses Magnet Forensics’ Tools
Magnet AXIOM is one of Detective Gish’s go-to tools and it’s part of what allows him to create the story of what has happened based on the data collected from digital devices. Today, it’s rare, according to Gish, that “we see a crime committed by someone without a computer in their pocket.”
With Magnet AXIOM, Gish is able to collect data from multiple sources all-in-one case file, whether it be data from mobile extractions from Grayshift’s GrayKey, cloud data from an iCloud backup or a Google warrant return, or vehicle data from Berla iVe. With the geolocation data reviewed in AXIOM, it can also be used to locate likely locations to acquire CCTV footage with Magnet DVR Examiner.
Things Were Simpler in the Good Old Days, Except When it Comes to Digital Forensics
Detective Chad Gish of the Metropolitan Nashville Police Department, a digital forensics veteran of 17+ years – with total service time of more than 24 years – has been working cases involving digital evidence since before the boom of modern digital forensic investigations.
When Gish first joined the Cybercrime and Digital Forensics (CID) unit, building a case that included digital evidence with the tools at the time was challenging, even though the devices under investigation were much simpler.
Gish remembers how difficult it was to determine where specific image files came from before forensic tools were able to acquire extended attribute and spotlight metadata.
When that data wasn’t available, all that could be proven was that a suspect possessed an illicit image. Examiners couldn’t always prove how the picture ended up on the device, show how it was airdropped onto that device, or attribute the image to the suspect’s account. In some scenarios, this could be the difference between conviction and acquittal based on lack of evidence.
Now, digital forensic tools are benefitting from broader advancements in technology, allowing examiners to streamline their workflows and cut through the digital noise to locate, recover, and collect evidence faster. During the transition from largely computer-based to mobile-first investigations, Gish has witnessed how the way officers investigate digital evidence has changed. These advancements have given examiners like him new tools that reduce the time it takes examiners and investigators to uncover evidence on digital devices.
“Even though phones used to be a lot smaller and store less data, it could take 2 or 3 months sometimes to get access to the data,” said Gish. “With today’s tools, oftentimes we can get the data we need in less than a day. We need ways to recover data quickly, especially for those high-profile, priority cases, and the technology needs to evolve to allow us to do so.”
Computer forensics experts have formally been a part of law enforcement agencies for over 40 years. Specialized computer forensic groups were established in the mid-1980s, such as the FBI’s Computer Analysis and Response team and the London Met’s Computer Crime Department, but the rise of the modern digital forensics lab can be more closely aligned with the emergence of the smart phone. The landscape of policing changed with the launch of the first iPhone in January 2007 and the first Android device, the HTC Dream in 2008. Now, some 15 years later, about 90% of devices entering digital forensics labs are smart phones according to digital examiners.
Adapting to Change
Adapting to changing technology has more or less been a mandate of the role for Detective Gish, necessitated in large part by the need to reduce time to evidence, while leveraging technology to bridge the gap between demand for and the shortage of digital forensic examiners. With today’s case backlogs, it’s unrealistic to expect that examiners could go through every single detail of every single device on every case.
“Just this year, we’ve probably investigated 500 cases, and I’m currently working on one case that has about 50 phones that need to be processed,” said Gish.
The storage capacity of mobile devices has also grown exponentially with each passing year, and device security has grown in complexity, posing significant challenges to investigators. In a recent case, Gish processed two phones that had over 250 gigabytes of data each for a single suspect.
“This is becoming common for almost every case now,” said Gish. “It’s a lot. Even though there’s way more data these days, I only need a small amount of it. Today’s tools allow me to go get that data much more easily.”
Advancing the capabilities of new tools also helps to offset the experience gap. Gish points out that a lot of the new examiners haven’t necessarily grown up in digital forensics or don’t have a lot of experience yet, so if the tools can be designed to pick up some of the slack, to be easy to use, and to be reliable now and into the future, it helps to overcome the experience gap as new examiners are onboarded.
For Gish, it’s especially important that digital forensic tools continue to develop new solutions to reduce time to evidence, because in the backlog there’s evidence that can save a life, that can protect a child. It’s even more important when evidence is received for a high priority case and digital forensic examiners are already stretched thin. When the pace of the clock marches forward incessantly, being able to get any advantage is necessary.
How Triaging Tools Reduce the Overall Time to Evidence
“Triage is another tool we have, where we can quickly scan a device before breaking it down,” Detective Gish said. “We can review triage reports, so we know where the needle in the haystack is before we even start the search.”
Triage reports, provided by tools like Magnet OUTRIDER, become a starting line for Gish, especially when it comes to CSAM cases. When the case includes multiple devices, Magnet OUTRIDER helps to identify some basic but very useful things to reduce the overall time to evidence, such as which device was used most recently and what cloud accounts have been accessed from that device.
Once some of this information has been uncovered, it’s easier to prioritize which of those devices to analyze first and then search warrants can also be written right away for the specific cloud accounts identified.
Emerging Data Sources
Not only are new tools changing the way that Detective Gish approaches cases, but so too are emerging sources of data.
“If someone said to me, you could have five unlocked iPhones or you could have the cloud data associated with those phones, if this were 2013, I’d have taken the phones hands down. But, now, I’d have to really think about that. It’s a much tougher decision today.”
In the last 7 or 8 years, as more data has moved to the cloud, Gish has been impressed by the amount of evidence you can collect from cloud packages that are acquired with a warrant return or things like iOS backups from iCloud. In some cases, Gish suggested, albeit rather facetiously, that if you hand that data to an investigator, they may think they have the data from the phone itself.
Nevertheless, with the data that’s being stored by cloud service providers, such as Google, WhatsApp, Microsoft O365, etc., not only can you get data from the different messaging apps, but you can also get additional data for the user, like waypoint data.
Gish shared an example where in one homicide investigation he could see the exact moment the trigger was pulled. The victim was murdered while driving, so Gish was able to see waypoint data that was registering consistent speed until the time the victim was shot and then he could see the speed immediately drop until the car stopped where it was found on the side of the highway.
Leveraging cloud data to identify the moment that the car began to slow was a critical discovery for Gish. Doing so allowed him to quickly establish time of death, expediting the investigative process, and reducing the overall time to evidence.
In this case, it allowed Gish to quickly understand that by the time he had arrived at the scene, the victim had already been there for a few hours. In turn, this afforded his team more information for when they were canvassing the area for witnesses.
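The waypoint reasoning described above, written out as an added Python example (not code from Magnet Forensics or the Nashville department): it parses a constructed export of timestamped speed readings, finds the last steady cruising reading before a drop that continues down to a stop, and rejects a brief slowdown that recovers. The record format and every value in it are constructed for illustration.

```python
"""Locate the moment a moving vehicle began to slow from waypoint speed data.

Added example, not code from Magnet Forensics or the Nashville department.
The record format (ISO-8601 timestamp, latitude, longitude, speed in km/h)
and every value below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import List, Optional


# Constructed export of cloud waypoint records: steady highway speed, then a
# drop at 22:41:50 that continues until the car is stationary at 22:42:20.
SAMPLE_WAYPOINTS = """\
2022-05-14T22:41:00Z,36.1627,-86.7816,104
2022-05-14T22:41:10Z,36.1641,-86.7790,106
2022-05-14T22:41:20Z,36.1655,-86.7764,103
2022-05-14T22:41:30Z,36.1669,-86.7738,105
2022-05-14T22:41:40Z,36.1683,-86.7712,104
2022-05-14T22:41:50Z,36.1697,-86.7686,79
2022-05-14T22:42:00Z,36.1708,-86.7666,48
2022-05-14T22:42:10Z,36.1714,-86.7655,21
2022-05-14T22:42:20Z,36.1716,-86.7651,0
2022-05-14T22:42:30Z,36.1716,-86.7651,0
"""


@dataclass(frozen=True)
class Waypoint:
    ts: datetime
    lat: float
    lon: float
    speed_kmh: float


@dataclass(frozen=True)
class DecelerationEvent:
    last_steady: datetime   # last reading still at cruising speed
    first_drop: datetime    # first reading clearly below the cruise baseline
    stopped: datetime       # first reading at (effectively) zero speed

    def seconds_to_stop(self) -> float:
        return (self.stopped - self.last_steady).total_seconds()


def parse_waypoints(text: str) -> List[Waypoint]:
    """Parse lines of 'timestamp,lat,lon,speed_kmh' into time-ordered waypoints."""
    points = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, lat, lon, speed = line.split(",")
        # fromisoformat() only accepts a trailing 'Z' from Python 3.11 on
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        points.append(Waypoint(stamp, float(lat), float(lon), float(speed)))
    return sorted(points, key=lambda p: p.ts)


def find_deceleration_event(points: List[Waypoint], window: int = 4,
                            min_cruise_kmh: float = 30.0, drop_fraction: float = 0.8,
                            stop_kmh: float = 3.0, noise_kmh: float = 5.0
                            ) -> Optional[DecelerationEvent]:
    """Find the first drop from a steady cruise that continues down to a stop.

    The cruise baseline is the median of the previous `window` readings, so a
    single noisy GPS fix does not move it. A candidate drop only counts if the
    speed never recovers (by more than `noise_kmh`) before reaching `stop_kmh`;
    a slowdown that resumes cruising is rejected and the scan continues.
    """
    for i in range(window, len(points)):
        baseline = median(p.speed_kmh for p in points[i - window:i])
        if baseline < min_cruise_kmh or points[i].speed_kmh >= drop_fraction * baseline:
            continue
        lowest = points[i].speed_kmh
        for later in points[i:]:
            if later.speed_kmh > lowest + noise_kmh:
                break                         # speed recovered: not a stop
            lowest = min(lowest, later.speed_kmh)
            if later.speed_kmh <= stop_kmh:
                return DecelerationEvent(points[i - 1].ts, points[i].ts, later.ts)
    return None


if __name__ == "__main__":
    event = find_deceleration_event(parse_waypoints(SAMPLE_WAYPOINTS))
    if event is None:
        print("no deceleration-to-stop event found")
    else:
        print(f"last steady reading : {event.last_steady.isoformat()}")
        print(f"first drop          : {event.first_drop.isoformat()}")
        print(f"stationary from     : {event.stopped.isoformat()}")
        print(f"seconds to stop     : {event.seconds_to_stop():.0f}")
```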
As new data sources become available, being able to correlate data between sources becomes increasingly important, as is capitalizing on new data sources that become available to find not only more evidence, but also more pertinent evidence.
According to Gish, on one case where there were several carjackings, he and his team were able to acquire data from the vehicles once they were recovered, plus they were able to recover the phones from the suspects.
What they did to piece the sequence of events together was acquire the waypoint data from the suspects’ cloud accounts, correlate that with the route data from the vehicles, and then use that to identify where the best locations would be to recover video from CCTV.
“The case came together by using data from different sources to layer the evidence together, which gave us the story of what was happening.”
Turning Data into a Cohesive Story
According to Gish, “Magnet AXIOM is a great tool when it comes to filtering in and filtering out the important data that investigators need to review, which really reduces the overall time to evidence.”
Some Final Notes
As technology evolves, investigators must adapt to get the best data possible to conduct efficient investigations and to reduce the overall time to evidence. The next stage of technological advancement is underway as cloud infrastructure is offering examiners and investigators automated workflows to churn through backlogs of digital evidence and new tools to share evidence between the lab and non-technical stakeholders.
While Detective Gish notes that these new technologies certainly require updated regulatory oversight and new legal precedents to be set, given the option to return to the ‘good ol’ days’ of digital forensics or to press forward with new tools, he’ll take the latter.
“If you can get to the evidence quickly, and reduce the time it takes to get there, it just makes sense,” said Gish.
It’s no secret that the rapid pace of digital transformation is placing increasing pressure on digital forensic investigators. For years, the technology landscape has been introducing new devices capable of holding and managing larger amounts of data, from tablets and smartphones, to drones and smart IoT devices.
Since the pandemic, the pace at which communities have been adopting these devices has increased significantly, to the point where around 6.648 billion people own smartphones, and countless others use laptops, tablets, and connected tools. With more data to manage than ever before, police forces and investigative teams are forced to evolve beyond traditional forensics tools.
While in-lab forensics investigations tools and software still have a role to play in the investigative landscape, reliance on traditional tools alone can lead to significant backlogs. These backlogs not only cause frustration, but they can also lead to the disruption of justice.
Fortunately, flexible deployment options available from companies like Detego with the Detego Unified Investigations platform could offer a solution.
Making Digital Forensics Accessible
Today’s influx of ultra-fast and intelligent devices is pushing investigators to explore more flexible forensic investigation methodologies for handling digital evidence on-scene, as well as in the lab. Detego’s Unified Investigations platform – an award-winning, and globally recognised solution for investigations – brings accurate forensic technology where users need it most.
In any deployment mode, Detego’s Unified Investigations platform features state-of-the-art tools trusted by countless investigators around the world. The platform includes:
Ballistic Imager: The world’s fastest forensic imaging tool, equipped with patented technology enabling investigators to capture 1TB of data in less than 8 minutes.
Field Triage: A portable tool capable of rapidly identifying and alerting users of data related to investigations while eliminating the need for time-consuming data extraction and analysis.
Media Acquisition: A tool that fast-tracks investigations by simultaneously analysing and securing data from various removable devices, while providing live views of the data being
Detego MD: Unlocks and extracts data from tens of thousands of mobile phone models (including burner phones), as well as a host of drones, IoT devices, wearables and thousands of apps.
Remote Acquisition: Enables rapid imaging across networked environments, while providing the added convenience of being able to resume extractions from previous cut-off points in the event of network failures/drops.
Fusion: Builds intelligent cases based on accurate data analysis and identifies hidden links, to streamline investigations.
Detego Analyse: Integrates all forensic acquisitions and delivers AI-driven automation features to promptly enable in-depth intelligence, analysis, and court-ready reporting.
Detego’s Multiple Deployment Options
The state-of-the-art technology, leveraged by military personnel, enterprises, and law enforcement groups worldwide, can be deployed in a traditional lab setting, as well as a multitude of other settings.
In the lab, the solutions can be used at the highest capacity to accelerate data extraction, analysis, and reporting, helping reduce backlogs and close cases faster.
Detego’s Unified Investigations Platform also brings incident response and digital forensics investigations to the frontlines. With this technology, investigators can extract data from devices safely, and even analyse the data gathered without the need for specialist teams and labs. Detego’s field-based solutions require absolutely minimal training and are capable of rapidly identifying data related to investigations with instant alerts.
In the field, Detego users can receive instant insights into devices without time-consuming data extraction processes, determining which devices need to be passed on to the lab. Detego’s deployment options include:
Kiosks: Powerful kiosk technology comes equipped with all the software and hardware needed to carry out rapid yet comprehensive investigations anywhere. These kiosks can be implemented at airports, police stations, and various other environments.
Mobile deployment kiosks: Designed with mobility in mind, the mobile deployment kiosks are ready to be implemented on police cars, vans, and other moving assets. This ensures the investigation can continue when users are on the road.
Field deployment packs: Specialist equipment designed for durability and rapid performance, enabling field-based agents in the army, police, and intelligence agencies to carry out forensically sound investigations even when deployed in the harshest of conditions.
The Power of Mobile and Flexible Investigations
With around 2.5 quintillion bytes of data produced every day, investigators are dealing with an ever-increasing tidal wave of information, causing backlogs, delays, and disruptions.
Thanks to the multiple deployment options offered with Detego’s Unified Investigation platforms, investigators can achieve higher levels of productivity and efficiency without compromising on accuracy. The use of mobile deployment and field triage solutions allows investigators to quickly determine which data is top priority for an investigation, and even analyse evidence on-scene.
With Detego’s Unified Investigation platform, departments and agencies can even deploy triage software to non-technical investigators, while trained experts maintain continued control over compliant investigative processes.
In today’s rapidly evolving digital world, a mobile, flexible, and versatile solution for investigations keeps teams one step ahead in the fight for justice.
Christa: Time is of the essence when field extractions of mobile devices are needed, but so are forensically sound extractions as strong links along the chain of custody. Today the Forensic Focus podcast welcomes Simon Crawley, a senior consultant with MSAB. I’m your podcast host, Christa Miller. Welcome, Simon.
Simon: Hi, welcome.
Christa: So before coming to MSAB, you worked at the London Metropolitan Police as a digital forensics lead, focusing on Specialist Operations Directorate work. Tell us about how that experience informed your approach to frontline acquisitions.
Simon: Well, at a very early stage, way back in 2010, my work recognized the value of mobile phone extractions and the data mobile phones contained and how useful that data was in informing decision making for investigating crimes.
And we were spread over a geographical area, which meant that when I went to the digital forensics lab, we said, “Well, we need your assistance, but we need you 24/7 (because we run operations 24/7), we need technicians across this geographical area, and we need resilience to do it 24/7/365.”
And they of course looked at me and said, “No, we can’t do that. We don’t have enough people to run our own lab.” So that was when we pitched the idea of saying, “Well, how about frontline users? How about our frontline cops doing extractions? Why not?”
And the original response was, “Oh, but this is technical, this is specialist, this requires years of training.” I said, “Okay, well, I come back to my original point then: you provide me with your experienced and skilled technicians, 24/7/365 over a number of sites across a geographical area.”
“Oh, we can’t do that.” — “So the option is I train (we train) frontline cops to do this. And we understand there are risks involved but that’s the way of getting the data quickly, effectively and efficiently.” And so eventually the idea was approved and that’s what we did. We trained all of our (I think we had at one point over 200 frontline cops) trained to do extractions.
And of course what that meant was we were getting great data for our customers and they were loving it because they were suddenly getting this real wealth of rich, deep data that the extractions were providing.
We deliberately designed it so that there was training for the user. We deliberately trained it so it was forensically sound. So, even though we were intelligence gathering, it could be used in court at a later stage.
But we — it wasn’t without its difficulties at the beginning. But the big step forward for me personally was the introduction by MSAB of their Kiosk system. Because that really tied down the computer system, the operating system, and removed that away from the frontline user.
And that meant that the user didn’t have to think about what they named the file, where they put the file, because those were mistakes that people were making, and the process that the user followed was designed by myself.
And in fact, I taught myself how to write the code in order to make sure that I got the process that I wanted. I worked with MSAB very closely on that, and I wrote the code and I wrote the process that our users still follow to this day.
And that was a massive step forward. Mainly for the confidence of the frontline user. Because they were following a process. They didn’t have to keep stopping and asking, “What do I do now? Where do I go next? What do I call it? Where do I save it?”
That was removed from them and they were then able just to follow the process as laid out on the steps on the screen, connect the phone when they’re told to connect the phone, and follow the steps, end up with a forensically sound extraction at the end of the day.
And other things followed on from that: a), we started doing more downloads, at that time after the Kiosk had been introduced, because user confidence had improved. Because user confidence had improved we were able to redesign our training to forget about the policy, procedure and legal side of stuff, because that’s already in the workflow, so they see that every time.
But what we were able to do was focus more on connecting the phone to the Kiosk, especially with Android phones, because every Android phone is different in the way that it does the same thing. So we were able to focus our training for users on how to do the actual extraction rather than the legality and the proportionality and the processes that were all part of the original training, because that’s all in the workflow.
And of course that then also freed up my time and my small team’s time, because we were no longer having to firefight and problem solve and answer calls. Because user confidence had improved, and at the end of the day, what we were getting was a lot more downloads that were error free for our customers, which has got to be a good thing.
Christa: I’m wondering — it sounds like there’s been a certain evolution of this. Because what I’ve been hearing from a lot of labs across countries and over time is that the backlog problem is just getting worse. That problem that you described earlier of not having that 24/7/365 availability. How is this continuing to evolve?
I’m thinking as you’re talking of the backdrop of standardisation in the UK, efforts to make sure that everybody’s following the same process. What’s the balance, or how have you been able to achieve the balance between these custom needs of different forces and workflows per operational requirements, and the quality standards that can withstand scrutiny and increase confidence?
Simon: Yes. The aim of our ecosystem is to have an integrated approach, and so you have the Kiosk, you have the tablet, you have a centralised management system, and the aim is to try and alleviate some of the pressure on the labs.
Because the way that I think is that if you have an experienced lab technician that you’ve invested a huge amount of time, effort and money training, they’ve developed themselves, they’ve got the experience, and then you go to them, “Well, I’m investigating a drug dealer, could you just get calls, contacts, SMS out of this phone for me please?”
And they’re going to look at you and go, “Thanks, I did five years training to do this.” And as an agency that’s dealing with these you’re gonna say, “Well, is that the best use of that highly experienced, highly trained technician’s time? Is that the best use for our money, our investing?”
So if we can train frontline users to do the vast majority of phone extractions, because it’s the old 80/20 rule: probably 80% of the extractions only really require pictures, calls, contacts, SMS, chat. They don’t require a deep dive, you don’t need file carving, they don’t need to go into deleted SQL databases.
They don’t need any of that sort of thing. So if you can prevent those phones getting to the lab in the first place, and you have a process that the user follows so that the agency knows that that extraction has followed their process, followed their policies, followed the legal requirements, then you can be fairly certain that that extraction is forensically sound.
And you can use that extraction in a court of law. But what it does mean is that you free up your investment in your lab technicians (your highly trained officers) that they then can do the murder, the rape, the terrorism all the really important things that require a lot more time, effort, and energy and money to get that data out.
And so if you free them up to do that, they can use all those great skills they’ve got of recreating deleted databases and getting out that data that was deleted and the user thought they’d foil the police and stop them getting our data. But you know, it’s a computer: once it’s there, it’s there. It’s just a question of getting at it.
So our approach has been (and certainly my approach has been) to work with our customers when designing a frontline ecosystem. So one of the things that I do, I invest a lot of my time in consulting with the customer about their processes.
Even within the UK (obviously the UK is following all the same laws), but there’s always a slightly different approach to implementing those policies and having those procedures written down. There’s 43+ forces in the UK and they all do something slightly different, which is absolutely fine, that works for them.
And so, I spent time discussing with them what works for them and how would they like that represented on a screen for the user who may not have five years’ experience, they may only have a basic two-day training course? So how are you going to get that across to them in the simplest way, so that they can just read the information on the screen, press the next button, make a choice about what they’re doing, and that leads them down a slightly different path?
But at the end of the day, they still end up with the same thing: a forensically sound extraction that can be used in court and hasn’t needed to tie up the lab with a basic extraction, really. And there’s nothing basic about it, but you understand that a frontline officer doing calls, content and SMS is slightly less time consuming for a frontline officer than it is for a lab person to go and do.
And that’s really been our whole approach, is we work with the customer to build that. And so every workflow I’ve done has been different from the next one. And that works really quite well because we will work with and sometimes I can advise, and sometimes I learn something new from the customers about how the approach is and why they do things in a certain way.
And I can propagate the good practice when I’m having further discussions with the next agency. If I like something I hear from a police service, I’ll say, “That’s a good idea actually.” Yes, I’ll move that, and I’ll suggest that to the next people.
And equally, if I’m asked for some really complicated code from one customer, I can then reuse that for the next customer. Say, “Look, we’ve done this for customer A and we think that works really quite well. Would you like that in your code?”
And so we try to propagate good practice. We try to, as a development of the workflow goes on, we try to make sure that the forces get the best as we move forward.
Christa: And you’re — sorry, you’re having to do this within, I imagine, the remit of the Forensic Science Regulator and those efforts to use ISO 17020, I think, for field forensics. How are you able to make sure that the forces are doing what they need to within their own workflow, but still within the sort of broader umbrella of the Regulator’s work?
Simon: Yeah, the regulatory environment in the UK is challenging, and rightly so. It is incumbent on police to act lawfully and proportionally at all times. And do we work with — we ask them what, if they’re following 17025, what is it they’ve written down? What is their process and how can we make sure that that does apply and works for them?
And it is a consultancy. I sit and talk with people and just discuss the options that they have. Say, “If you want to do this, then you have option A, B and C. A will work for you, but it may not fit in quite so nicely into 17025. B works not so well, but it actually fits better with the Information Commissioner’s Office and the limiting of the data.”
And it is a process that I will offer the options available to the customer and sit and discuss them. And we have developed iterations of trying to fit in with the proportionality of data.
Our first iteration we did about five years ago now, so we were quite ahead of the game in terms of what we call dynamic triage, where the user selected the artefacts that were then presented in the final extraction file.
But we’ve recently (working with the ICO’s office) sat with them and tried to make it quite clear that getting artefacts out of a mobile phone isn’t a surgical process. There is bound to be a small amount of collateral intrusion, but we’ll do what we can to limit that collateral intrusion.
And we’ve developed a new extraction profile which is available, which is much more in line with the ICO’s office and their aspiration to only pick out certain bits of data. So we now can select the artefacts to be extracted within a time scale, whether that be 24 hours, one week, one month, or a custom time profile that they set themselves.
And we can also select the apps that you get that data from, and that data’s recorded. What the user selected is recorded in the extraction log. So it shows that they were doing their best within the confines of the software available to them at the time, they were doing their best to limit that data.
And of course, if you’re dealing with pictures and videos, then we already have file selection, so you can be surgical and pick a picture out or a video out.
But it’s more about the app, the messaging, the chat messages, they are very difficult to be surgical about because they’re stored all over the place in phones. And it’s difficult and challenging, but it’s one of the things that MSAB has stepped up to. Just dealing with mobile phones is challenging. The apps change every day, so it’s challenging!
But we have a very good team of developers that have helped us with the extraction profiles and helped us with the workflow code to make it much more adaptable. So I can now do quite a lot to fit in with the customer’s needs and requirements.
And I think it’s a really good product now. I liked it when I started looking at the code back in 2014, 15 (whenever it was). And I think it’s a good — it’s a key component of why MSAB is so successful in frontline forensics in the UK, is because we will work with a customer. We will adapt, we can make changes and we welcome feedback to help make that development more in tune with what customers want. And that’s, I think, really quite important.
Christa: I want to back up a minute. You were talking about the processes that the frontline personnel have, and proportionality in particular. And I’m wondering what the balance is, again with confidence, in terms of making sure that crucial data isn’t being missed. When you’re selecting the apps or looking for the chats, especially if there’s an unsupported app, for instance, how can those frontline personnel be sure that they’re not missing something?
Simon: That’s the “you don’t know what you don’t know” type question, isn’t it! It is about the agency actually recording down their rationale for deciding to limit extractions and their rationale for their investigation, proportional intrusion based on their current investigation, based on what they know about that suspect and recording all of that in some way for the hindsight police to come in 10 years later and say, “You should have known about that.”
It’s a very difficult one for everybody involved. But I do agree that there needs to be some proportionality. We can’t just go taking everybody’s data here, there, willy nilly, like we used to.
But it is about the agency having a process and training their officers about: what is an SMS? Is it a chat? Is it an SMS? Is it an MMS? Because the actual artefact changes its state depending on the operating system and depending on the network coverage and depending on who it’s talking to.
So it’s training those frontline users and giving them enough information for them to make an informed decision based on what they know about the investigation to then be able to apply proportionality to the extraction that they’re conducting.
It’s not easy, and it will never be perfect. But it is about the agencies training their officers, recording stuff down, following their process. If you have a written process and you deviate from it, then you need to record that justification. Otherwise you follow the process.
If the process is wrong, that’s a different question to, is the user wrong? But you’ll never know what you don’t know. So you’ll never know if there’s data.
The other thing is to have a procedure whereby if you believe there’s data on this phone, and you’re not getting it through the frontline method, then either you’ve allowed the user to conduct more intrusive extractions on that Kiosk (because you can do full physicals on that Kiosk, you can do app downgrades on that Kiosk), but you need to ensure that the users doing full physicals and app downgrades know what they’re doing and the organisation is aware of the risk involved in those procedures.
Or you ask them to say, “Well, no, we’ll finish off this extraction, we didn’t get the data we want, we’re going to send it into the lab to ask them for a deeper dive.” That’s always got to be an option. Or you’ve got the option of just taking a screenshot. But I don’t think that that’s the best way forward, but it is an option. You’ve got some sort of data.
Christa: So we’ve talked fairly broadly about some of the major challenges that you’re seeing across customers. In the past four years, as you’ve worked in this consulting role, what are some of the biggest challenges that you’ve found and help customers to overcome? And then how do you see these challenges evolving in the coming years?
Simon: My initial role, I was a global consultant, so I was travelling around the world. And this is — there are three main, but this first one, isn’t so much for the UK. But it’s about resistance to change and labs protecting their environment and saying, “Hold on a minute, you are taking away my job. I’ve trained for five years, I don’t want to lose my job.”
And really, it takes a lot of time to overcome that fear, and that resistance to change, because humans are humans all over the world and they don’t like change and they protect their own. They ring fence their little environment, but I try to show them that actually by allowing change to happen in a controlled way, that they actually increase their importance within an organisation rather than decrease it.
And that’s just time and revisiting and answering questions and showing and demonstrating the value of allowing users to do certain extractions. It’s difficult, but the UK already has that mindset of, we have gone down the frontline forensics path. The UK has embraced it wholeheartedly, and I think the UK is years ahead of everywhere else in the world in terms of this adoption of ecosystem approach. And I think they’re the leaders in the world for mobile phone extractions on the frontline.
But that leads me onto one of the big problems for the UK in particular: as many forces are now doing this approach of having a Kiosk or tablet in the hands of frontline officers, what do they do with the data? How do they store that data? Where do they store that data? Because there’s a vast amount of data.
Even by limiting extractions, you’re still getting lots of data and how do you get that to the investigators? And so the investigators are investigating (if they’re not the extractors) how do they deal with that data?
And there are many aspirations amongst many forces to move wholesale to a network solution, which is by far the best way of being cost effective in these ecosystems.
But there are many now, and there’s a couple of progressive forces, that are now moving wholesale to our software on Kiosks and tablet in the frontline, they’re centrally managed and that platform is a cloud based platform and all of their data is going to a cloud central storage.
And that is challenging to set up, but once it’s set up and running effectively they will see cost-efficiency benefits from not having to maintain vast repositories of onsite servers for data.
There are still some forces who are burning files using optical disc, which needs to be — but the reason they’re doing it is they don’t have the network infrastructure to actually move it around. Because even with limiting extractions, you’re going to see some lumps of data gigabytes in size.
Christa: The video evidence, I can imagine!
Simon: Absolutely. Yeah. My team had an iPhone extraction that was 360 gigs in size. That’s a logical extraction that was that size. That’s very hard to move across PNN infrastructure.
So that’s the biggest challenge for the UK is networking, having a digital forensics network that’s isolated and separated from the normal PNN network, so that there’s no risk of contamination or malware, having data dumps for that data, allowing user access, so investigators can pop in and, “Oh, I’ve been told that my file’s now ready. I can just log in to a central data dump, there’s my case, open it up and hey presto, I can start doing the filtering and checking and finding out and doing my investigating.”
That I see as one of the biggest challenges for the UK ahead, is upgrading its network infrastructure and overcoming the security challenges of going to cloud, because that is a big factor that’s limiting and holding back UK law enforcement at the moment.
Christa: Are there privacy law implications? I’m not familiar enough with privacy laws to know, but I’m curious about that.
Simon: There may well be, but when you’re dealing with cloud infrastructure, you can obviously set up your cloud storage or your cloud server to be only based within the UK. So no data ever leaves the UK.
And then it’s about securing that data and all cloud offer encryption in transit and encryption at rest. You can have the keys so that only the force who want to manage it can have the keys to it. And they hold the encryption keys to it.
So personally I suggest that actually moving to cloud is cheaper in the long run and actually more secure in the long run, because if you have it on site then you: a) have to keep upgrading those servers, keep on increasing the data storage dump. That costs, that takes time, procurement processes to go through.
Whereas increasing your cloud storage is almost as quick as a mouse click (and it can be that quick). But it’s more that there’s no human interaction. There’s no individuals who can access that and go to it and start reading the data off the server because it’s impossible to find in these massive data storage hubs. You’re not going to know where it is, where it’s stored.
Whereas your onsite requires staff 24/7 to actually go in and there’s, as with every human element involved in a security chain, the human is always the weakest link. So in my opinion, moving to cloud in the long run will be more cost effective and more secure, but there are challenges to get there.
And the other big challenge that I see is a constant change of the topography. Your apps updating, your encryption updating, your operating systems updating, but that’s always been the case and will always be the case.
But equally the regulatory topology of the requirements at the moment we had, then we had 17025, then we had the ICO office about restricting data. Once we’ve done as best we can to overcome those challenges, I’m sure there’ll be further challenges down the line that will come along.
And that’s just policing. Policing has always had challenges and police officers overcome them and work within the regulated framework to do the best they possibly can.
And that’s what MSAB set up to do, is to help the police do that. And that’s where we work awfully hard behind the scenes to do that. And I know that our development team has put a huge amount of effort in making sure that I can offer the customers options and choices within the workflow for their Kiosk or tablet. It’s now pretty good. I quite like it.
Christa: I want to flip a little bit. We’ve been focusing mainly on technical challenges, but as we’re talking about those challenges and the rate of change, I wanna talk a little bit about the less predictable, more chaotic forms of change as the world is continuing to witness historic inflection points along the borders of many countries, people fleeing war, genocide, climate catastrophes etc. How is MSAB currently consulting those customers along the border and within interiors of countries on the balance between national security and human rights?
Simon: It’s a very good question. As you know our vision is to make the world a safer place and work in partnership with our customers. But we do work very, very closely (and we have to work very, very closely) with the Swedish authorities, the EU regulations and the international initiatives around the world to ensure that countries and people we work with don’t overstep the mark.
But equally we do have to work with countries to try to protect their borders from infiltration by terrorists. Terrorists are moving around the world, freely, and we have to work with them to try to prevent that. There are many, many migrations of refugees because of circumstances around the world. In amongst those refugees, maybe people that aren’t entitled to claiming asylum.
And so we have to work with the border authorities in order to help provide them with tools to help them weed out those that are entitled to help and support, and those that are not. So we work with countries that we make sure they have their lawful authorities to do that.
They’re not just targeting anybody they don’t like. We provide them with tools and training. We will, I sit and consult with them and talk to them about, what is it you want to get out of this? And how can this extraction actually help you?
So, we work with third party tools. We will extract the data and we’ll pass them the data, and they do fast time analysis on things such as: where was the phone bought? Where are the user’s contacts? Where are they all from?
So for example, if they say they’re from country A, but all of the contacts are from country B and all of the and the phone is bought in country B, and all the networks are in country B, and all the calls and the country codes are to country B, then there’s a good chance that person isn’t from country A, as they say.
We are not gonna say it’s definite, but we’re gonna say, this is the analysis. This is the tools that we’ve provided you with. We’ve given you this, you make your decision based on what you know and all the other factors that you pull into the case. Such as most people trying to cross borders either lawfully or unlawfully will ditch their ID documents, so it’s very difficult.
But we will provide them with the tools that we can to do fast time extractions. And we’ll work with third party systems to help the deep analysis of that, to help give them the information to make an informed decision.
Christa: At the field level of this question, I wanna go back to something you said earlier about making sure that the frontline personnel are trained properly. Front lines in these kinds of situations are high pressure environments. How do you adapt the training, I guess, to make the kinds of decisions that reflect that delicate balance between security and human rights?
Simon: It’s difficult. It’s about… we will work with the agency involved and say, “Well, you need to train people on this, this and this. If you’ve built your workflow correctly, then on the proportionality side there should be an information screen to direct the user about what to do.”
It’s more about ensuring that you connect the phone correctly to make sure you do get the right data, and you don’t end up with an officer that just says, “The phone won’t connect, therefore I can’t do a download.”
And there could be something on that phone that supports that person’s case, because it’s not all about proving that somebody isn’t entitled, it can also be used to prove that that person is entitled.
So it’s two-edged. It’s also about training people to understand the data they see. Once that extraction has taken place and it’s presented to you on a screen, understanding that data. Understanding things like timestamps are malleable, they’re moveable. Understanding that when something says it was created just before the extraction started, it doesn’t actually mean that it was created then, because you’ll find that timestamps are all over the place.
And so training officers not to jump to conclusions based on little bits of information, they need to understand what this extraction is in the whole, understand how these bits fit into it, understand that they then move it all together and join it with other information that they have.
And each bit of the jigsaw helps them build up a fuller jigsaw. They may never ever have a complete jigsaw, but the more bits you have, the better it is. But training is the key, to be honest, and documenting what you’re doing.
And that’s certainly what our Kiosk and tablets do. We can document the steps. We log every single step, so we can rebuild what a user has done throughout when they followed the workflow. We can show what the user has done, because there’s a mutable log that’s kept in the background about what they did, what data they entered, what screen they saw and what they did.
And then I guess the extraction and that records what they did for the extraction. And then it’s about showing that they’ve followed and understood the data they’ve been presented with to make a decision that they can then act upon. It’s a very difficult process. It really is.
Christa: Oh, I can imagine!
Simon: Logging, training: they are key.
Christa: Yeah. Well, Simon, thank you again for those insights and joining this on the Forensic Focus podcast.
Simon: No, thank you very much for inviting me. It’s been great.
Christa: Thanks also to our listeners, you’ll be able to find this recording and transcription along with more articles, information and forums at www.forensicfocus.com. Stay safe and well.
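The interview above describes two things the Kiosk workflow is said to do: an extraction profile that limits what comes off the phone to selected apps within a time window (24 hours, a week, a month or a custom span), and a background log that records every step and selection so the process can be reconstructed later. The following Python is an added example written for this page, not MSAB’s code and not a description of the Kiosk’s internals. The artefact records, app names, operator ID and log format are constructed for illustration, and the SHA-256 hash chain is one assumed way of making such a log tamper-evident, so that a later edit to an earlier entry is detectable.

```python
"""Proportionate, time-scoped artefact selection with a hash-chained extraction log.

Added example for illustration only; not MSAB's or Detego's code. Sample data,
app names and log layout are constructed.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed sample artefacts. A real tool would read these from a parsed extraction.
SAMPLE_ARTEFACTS = [
    {"id": 1, "app": "sms", "kind": "message", "ts": "2024-05-10T09:15:00+00:00"},
    {"id": 2, "app": "whatsapp", "kind": "chat", "ts": "2024-05-12T18:40:00+00:00"},
    {"id": 3, "app": "signal", "kind": "chat", "ts": "2024-05-13T07:05:00+00:00"},
    {"id": 4, "app": "whatsapp", "kind": "chat", "ts": "2024-03-01T12:00:00+00:00"},
    {"id": 5, "app": "camera", "kind": "image", "ts": "2024-05-13T20:30:00+00:00"},
]

# Preset windows as described in the interview; "custom" takes a caller-supplied timedelta.
WINDOWS = {"24h": timedelta(hours=24), "1w": timedelta(weeks=1), "1m": timedelta(days=30)}

# Fixed "extraction time" so the example is reproducible offline.
DEMO_NOW = datetime(2024, 5, 14, 0, 0, tzinfo=timezone.utc)


def select_artefacts(artefacts, apps, window, now, custom=None):
    """Return artefacts from the chosen apps whose timestamp lies in [now - span, now]."""
    if window == "custom":
        if custom is None:
            raise ValueError("custom window requires a timedelta")
        span = custom
    else:
        span = WINDOWS[window]
    start = now - span
    chosen = set(apps)
    selected = []
    for artefact in artefacts:
        ts = datetime.fromisoformat(artefact["ts"])
        if artefact["app"] in chosen and start <= ts <= now:
            selected.append(artefact)
    return selected


class ExtractionLog:
    """Append-only log where each entry commits to the previous entry's hash."""

    def __init__(self):
        self.entries = []

    def append(self, step, **details):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "step": step, "details": details, "prev": prev}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append({**body, "hash": digest})
        return digest

    def verify(self):
        """Recompute the chain; any edited, removed or reordered entry breaks it."""
        prev = "0" * 64
        for entry in self.entries:
            body = {k: entry[k] for k in ("seq", "step", "details", "prev")}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return False
            prev = entry["hash"]
        return True


def run_profile(artefacts, apps, window, now, operator, rationale):
    """Record the operator's selection and rationale, then apply the profile."""
    log = ExtractionLog()
    log.append("profile_selected", operator=operator, apps=sorted(apps),
               window=window, rationale=rationale)
    selected = select_artefacts(artefacts, apps, window, now)
    log.append("extraction_complete", selected_ids=[a["id"] for a in selected],
               excluded=len(artefacts) - len(selected))
    return selected, log


if __name__ == "__main__":
    sel, log = run_profile(SAMPLE_ARTEFACTS, {"whatsapp", "signal"}, "1w", DEMO_NOW,
                           "PC1234", "suspected supply; chats from the last week only")
    print("selected ids:", [a["id"] for a in sel], "log intact:", log.verify())
```

The log records the operator, the apps and window chosen, and the rationale before any artefact is touched, which is the evidence trail the interview says reviewers will ask for years later. Running `verify()` after the fact shows whether the recorded selection is the one that was actually made.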
Detego Global, the creators of the acclaimed unified digital investigations platform, has been selected as a finalist for the ADS Security Innovation Award. This prestigious award recognises the innovative capabilities and services developed by UK security companies, and is designed to identify capabilities that have caused a step change in the effectiveness of the UK’s ability to prevent, respond to, and reduce the impact of or investigate risks and incidents.
Detego’s Field Triage solution is the only digital forensics solution to be shortlisted for this prestigious award. Selected by a panel comprising government officials and senior industry representatives, Field Triage was chosen due to its ability to empower investigation teams across the UK and beyond with cutting-edge technology that enables snap decision-making.
Field Triage empowers investigators in both lab and field-based environments to rapidly scan devices for suspicious material without running expansive data extraction processes. The solution’s intuitive design and industry-leading Red Amber Green triage feature, which has secured a patent in the United States, reduces the strain on senior investigators and specialist labs by enabling team members with little-to-no technical experience to carry out procedurally sound first-level investigations on computers, laptops, servers and loose media devices.
This solution helps teams adapt to changes in data, devices and encryption technologies without an additional training burden and ensures there is minimal skill fade among users – helping bridge the gap between the rapid growth in digital devices and the much slower increase in digital forensic expertise.
Field Triage’s lightweight footprint means it can be deployed anywhere using USB sticks and other types of loose media. Detego’s Field Triage allows users to customise keywords based on the type of investigation, enabling the solution to be deployed across a wide range of investigations relating to terrorism, Child Sexual Abuse Material (CSAM), Child Sexual Abuse and Exploitation (CSAE), Indecent Images of Children (IIOC)/Internet Crimes Against Children (ICAC), human trafficking, financial crime and insider threats, while supporting the Child Abuse Image Database (CAID) and Project VIC. With its ability to make matches rapidly, an entire computer can be scanned in under 15 minutes.
Find out more about Field Triage or get a first-hand experience of the solution at www.detegoglobal.com
Detego’s customer* is a tier 1 bank in Africa which employs over 12,000 agents and supports customers through an extensive network of more than 200 branches. Faced with the constant risk of fraud, data breaches, money laundering and insider trading, the bank was looking to upgrade policies and procedures to improve its line of defence against these threats.
The compliance and fraud investigation teams already had a backlog of cases stemming from legacy data extraction processes and depended on multiple systems to extract data from different types of devices. The teams were also met with the added complexity of having to forensically secure data from non-brand mobile devices which weren’t supported by existing forensic tools.
*This case study was anonymised due to the sensitive nature of the investigations carried out by the customer.
The Solution
After carefully reviewing the digital forensics tools in the market, the bank selected Detego’s Unified Digital Forensics Platform. Ease of deployment, advanced capabilities and the intuitive design, which enabled it to be used by team members with little to no technical knowledge, were among the standout features of Detego’s solution.
The Result
Detego’s Digital Forensics Platform presented the bank’s compliance and fraud teams with a single platform to forensically extract data from a range of devices including non-brand phones — saving them the hassle of switching systems to gather data from different sources. The platform’s ballistic imaging technology saw the teams forensically securing data up to 4 times faster, enabling them to improve case turnaround times.
The platform significantly improved the bank’s ability to pre-empt data breaches, fraud and insider trading with Detego’s Field Triage tool. It enabled teams to stealthily scan devices used by suspects for pre-configured search terms, files and activity that could result in potential threats.
In the last two years, the solution has helped the bank’s teams successfully identify and neutralise over 900 internal fraud attempts, helping the bank safeguard its customers, employees and reputation.
The bank’s proactive approach to handling fraud has been applauded by the international banking community. These measures have helped the bank climb nearly 200 places in The Banker’s Top 1,000 World Banks list in a little over two years.
Key Deliverables
Forensic data capture speeds that are 4 times faster
Prevention of more than 900 internal fraud cases in the past 2 years
Visit Detegoglobal.com to find out how Detego’s solutions can help.
Law enforcement agencies worldwide are struggling to contend with increasing quantities of crimes connected to digital devices. Rising levels of cyber and digital crime are estimated to cost the world $6 trillion annually as of 2022, and the number of digital devices used to facilitate criminal activities is accelerating at an incredible pace.
To pursue justice in this digital-first environment, law enforcement teams must be able to swiftly gather and analyse evidence from a range of devices including computers, laptops, smartphones, IoT-connected devices, drones, smart speakers and loose media.
Fortunately, the Detego Digital Forensics ecosystem is built from the ground up to accelerate and enhance investigations in this increasingly complex space. From record-setting acquisition times when it comes to retrieving critical data through Detego’s patented Ballistic Imager technology (the world’s fastest imaging tool), to powerful AI-driven analytics and advanced automation features, Detego is empowering police forces to do their crucial work more effectively in the field as well as in lab-based settings.
Enabling End-to-End Investigation
Comprehensive digital forensic analysis tools are critical for allowing fast, accurate and efficient data extraction from the countless digital devices now present in criminal investigations.
An all-in-one environment for digital investigations offers crucial benefits to time-short professionals, who need to minimise the risk of data gaps and increased security issues when switching between multiple apps. By providing a one-stop solution for rapid data extraction, preconfigured job queues, AI-first analytics and court-ready reporting, Detego is solving many of the problems modern police officers face.
Detego’s end-to-end ecosystem allows data to be extracted from a vast range of devices, including computers and laptops, loose media, smart devices, more than 2,000 apps, and over 15,000 mobile phone models. Law enforcement units can then analyse the data gathered from different devices in the same central environment to build court-ready reports.
The all-in-one approach to data collection, management and consolidation provides a valuable alternative to historical workflows, wherein police units had to depend on disparate systems to collect and analyse data. Detego can help law enforcement agencies to replace manual and time-consuming processes with ultra-fast and efficient practices, minimising backlogs.
Powerful, Yet Simple Extraction Technology
As the number of cases law enforcement agencies handle on a consistent basis continues to skyrocket, tools like Detego are essential for ensuring the super-fast acquisition and management of data. Pre-built and configurable crime profiles allow teams to launch just the analytics relevant to their investigations. Users can even access one-click generation of insightful reports.
With artificial intelligence as an added partner for data discovery and investigation, law enforcement groups can uncover patterns and links between data, devices and suspects at speed. By tapping into Detego’s easy-to-use interface and flexible deployment options, law enforcement teams can even enjoy the benefits of comprehensive digital forensics on-scene. Detego’s Field Triage solution comes complete with a red-amber-green visual triage system that has been patented in the US and UK, and allows team members with minimal technical experience to scan devices for suspicious material without running comprehensive data extraction and analysis – saving time while reducing the burden on specialist labs and experienced team members. Field Triage’s easy-to-customise interface means that it can be used across a range of investigations covering fraud, terrorism, human trafficking and even indecent images of children. With its integrations with the Child Abuse Image Database (CAID) and Project VIC, it has become a go-to tool for investigators who need to run frequent checks on devices owned by offenders.
Detego’s all-in-one digital forensics platform is already transforming the way investigations are carried out at police units across the UK, USA and Sweden, by providing the granular control and in-depth oversight teams need to propel an investigation forward at exceptional speed, without compromising on accuracy.
Industry-leading analytics, such as hash matching, keyword search and integrated PhotoDNA, make capturing essential pieces of information easier than ever.
To further ensure the success of every law enforcement team in this complex investigation arena, Detego also offers a wide range of specialist technologies for boosting productivity and efficiency. The Detego Case Manager, customised to suit the needs of police units, can automate workflow elements of investigations while ensuring that due process is followed at each stage.
Working hand-in-hand with Detego’s digital forensics platform, Case Manager helps teams manage all aspects of investigations, incidents, risk and compliance. Ready to be tailored to meet the needs of your law enforcement units’ policies and procedures, Case Manager can give your teams the tools and insights needed to manage investigations better.
Supporting the Entire Law Enforcement Team
As cases involving digital technology become increasingly complex, Detego taps into rapid data extraction, automation, artificial intelligence and a suite of powerful analytical tools to empower law enforcement teams. The simple but powerful technology requires minimal training, so even non-technical staff can get up and running fast. What’s more, Detego offers a range of deployment options for different teams.
The same Detego technology can be deployed in the field through Digital Forensics kiosks. Law enforcement teams can choose from mobile deployment kiosks for vehicles, field-ready systems and kiosks designed specifically for police stations. The patented technology comes with quick and insightful training, to ensure every team member is ready for action when digital investigations are necessary.
Because Detego Digital Forensics is custom-made to address the needs of law enforcement professionals, it is especially suited to the challenges these teams face on a daily basis. Patented technology combined with lower training overheads keeps law enforcement groups ahead of the curve, while regular updates promise a future-proof approach to technology.
With digital forensics from Detego and access to advanced tools like Detego Case Manager, some of the world’s biggest enterprises, elite military units, and law enforcement professionals have achieved incredible results.
Request a free trial to get a first-hand experience of Detego’s cutting-edge technology and find out about the special discounts on offer for law enforcement teams: https://www.mcmsolutions.co.uk/request-a-trial/
Christa: Memory forensics is a mainstay of incident response. Its relevance and necessity are only growing with time, as encryption technology has become more integrated, especially in consumer devices. Yet memory forensics is neither intuitive nor simple.
Looking to change that is a new startup, Trufflepig Forensics, founded by a team of ethical hackers in Pfaffenhofen an der Ilm, Germany. Co-founders Aaron Hartel and Christian Müller are with us today to talk more about it. I’m your podcast host, Christa Miller, and welcome Aaron and Christian.
Aaron: Hi Christa.
Christian: Hi Christa.
Aaron: Thanks for having us.
Christa: Of course, it’s a pleasure, likewise. So let’s start with a bit of an introduction. Since your company is a startup and you’re so new, Christian and your third co-founder, Olli, are ethical hackers, is that correct?
Christian: Yeah exactly. So what we mean by that is that we basically use hacking techniques but in a way that is legal and OK from a moral perspective, and we try to basically develop technologies for the blue team, if you want to call it that.
Christa: Of course. And Christian, your college thesis formed the basis for Trufflepig’s Nexus product, and Aaron, your background is in business. So I wanted to find out more about how you got started in this industry and what has led you down this path?
Aaron: Yeah I think I might start, my story’s a bit shorter here. Basically I just met Chris and Olli at some point, approximately, was it three years ago now?
Christian: Yeah.
Aaron: It was three years ago when I still was in my Master’s. I was doing business, always with the dream in mind to start and own [a] company at some point. I didn’t really have any strong technical background at this point, I was basically introduced to those two guys, they were participating in a business plan competition and needed some assistance from a business perspective, first only on paper, because they thought maybe the team looks a bit more complete.
So I got introduced to them and didn’t really understand much of what they were talking about, to be honest, because it’s such a technical and difficult topic to get into if you’re not really…if you don’t really have an informatics background. Still, of course I understood quickly that those guys are good at what they are doing (or that’s what I assumed, well we’ll assume it).
So I understood very quickly that they are very deep in a very technical topic, I found that fascinating, and decided to basically stick with them, since we also understood that the team, not only on paper but also in reality, is probably a bit more complete if we not only have the tech nerds, so to say, in there but also someone who might have an idea of how to also scale a business: you have to start a business and scale it.
So that’s my role now. I’m far from being able to call myself an expert in forensic technologies. I’m still learning every day. I think of course I understand more now with those three, or two years of full-time experience. But still I’m learning every day and my understanding of the market and of the different customer segments, of course, and of the technologies, is developing with every day here, and it’s still a long and very interesting journey, and of course you’ll never really stop learning in such a fastly — rapidly developing field.
Christian: Yeah, so from my side, I was always interested in programming and learning new things. I think I learned my first little programming skills in C at 8, because, of course, I wanted to implement a game. So my dad taught me. And when I was 15, I learned PHP, and at 19, I think, I got a job programming a backend for a company. They wanted to digitize basically their whole infrastructure.
And then at 21, 22 (something like that, I think), I got back to game programming, and I wanted to implement a multiplayer mode for a single-player-only game. And that was pretty hard. And I got to know Olli, and he knew reverse engineering and exploitation and stuff like that. So he taught me how to reverse engineer a game, and understand the concepts there and manipulate it to do what you want it to do. So that was basically the background for what we are still doing today, just understanding the concepts of huge projects and getting information out of them.
Christa: OK.
Christian: In 2016 then I was still doing my Bachelor thesis, and was lacking some motivation because game programming was more interesting! So I was looking for some source of motivation, and I applied for an internship at the German Federal Police, and the forensics department accepted me, and I got into memory forensics there, and learned the concepts, and also the problems they have with the current state of the art in that field. And basically I decided that I want to improve the technologies in that field, and get really deep into it, and that was basically the fundamental idea for the company.
Christa: I think that was what caught my eye about your value proposition, which includes incident response, but also law enforcement. That’s not something that I’ve seen extensively before in memory forensics, so I wanted to find out more about that. In particular your website describes some cumbersome technical challenges with memory forensics. Is this a problem for security operation centers and first responders, lab personnel, or both and why?
Aaron: I think as Chris said, our background is really the law enforcement sector, where Chris had to work with those tools that were available, which are also good (I mean we like the tools that are out there, we think they are grown by the community, they have a place and they’re good, they did a lot of good).
It’s just that I think in law enforcement specifically, it can be challenging, and that’s also the experience that we had when we talked to people in the field, to even do memory forensics with what is out there, because it requires you to have such a good understanding already of basically working with Linux-based systems to even run those tools sometimes.
And also in general, how to process data when you just have a command line interface maybe, to work with other…And even of course you can maybe build a front-end, or get an open source front-end and build your own system. But it’s all rather manual, you have to do a lot of manual work there.
And I would say for someone that is maybe new to law enforcement, or forensics in law enforcement, which is the case at least in Germany for a lot of people that work there (they were basically doing something else before, then they got training and kind of started like that), it can be pretty hard, and so currently memory forensics is only being done in, say, the most sophisticated law enforcement agencies in Germany, because they have the people that are skilled enough to do it.
And this is, I think, something that should change, because memory is such a rich source of data (of course if you can get it, you cannot always get it, and of course computers will be running or just shortly being shut down), but if you can get it, you can get lots of value out of it, more value than probably from any other source of data, and that’s what made it really interesting for us to make it more accessible, to make it more user friendly to use, also faster.
We think there’s a lot of potential to implement memory analysis technologies in a faster way than what is currently out there. And those were kind of the initial motivations. So having a fast tool, or fast technology, one that is (of course always depending on the product that you build on top of it, but the user interface) easy to use, that is automated, and of course also forensically sound, this is something that we were really chasing after with our technology development when we started back in 2019.
I think I should…You asked about also other segments of incident response. There probably the challenges are a bit…in memory forensics are a bit different, being that you’re not only looking at maybe one laptop, one machine, that you want to analyze and that you really want to go on a deep dive in, but you’re looking at potentially hundreds of thousands of machines.
And when you’re facing such a challenge, it’s just not practical to do, or with the current setup of tools and what is out there, you have to focus on maybe individual machines, one or two machines that you are analyzing at a time. You cannot just screen maybe a whole network with forensic integrity in a fast way, and then assess whether or where to conduct or to continue with the investigation, which is something that optimally from our perspective should be done. So fast triage of as many machines as possible, fast results and then a decision on where to go further.
So to do that with the current tooling is a challenge. Of course you can script stuff, you can use some of the open source scripts also that are out there, but still it’s error-prone, in some sense. And building a stable solution that is able to screen potentially thousands of endpoints, this is something that we think would be of high value for many incident response teams.
So the challenges are a bit different, we started with the basic technology, so with this memory analysis technology, implementing our own heuristics, our own algorithms there, so we haven’t copied anything there, just built everything ourselves, because we want to make the core of the technology our own.
And then from this point on we want to publish different products for different sectors: so for law enforcement, something that helps them really focus on maybe the analysis of individual machines in-depth; for incident response teams, that will take it some more time (we can go into that in a bit).
But we want to really focus on delivering solutions for fast initial triage of lots of machines, so deployment of some data collection tool, and then aggregation of data and analysis of data. And for the fraud sector, which for us is the kind of newest use case that we are still kind of getting into, of course we will be more about analyzing user behavior data that can be found in memory.
Christa: OK.
Aaron: And maybe, I want to say that right now already, we don’t want to only focus on memory. Of course we see memory as a core source of data, but we know that of course it’s not always available, so we want to integrate also other sources of data. And we are working on that already, even though we started with memory.
Christa: So, such as what other kinds of data…or can you not say that yet?
Aaron: I think Chris, maybe you want to elaborate a bit on that.
Christian: Yeah, of course. So we already have kind of a disk integration, actually with SleuthKit.
Christa: OK, yep.
Christian: At the moment, we have some problems with that, but in general it works. And we want to add sources from disk as well. So right now, for example, we have our registry parser to get an artifact from memory, and the structure on disk is a bit different, but a very tiny bit.
So we can relatively easily change our algorithms to also be able to get that data from disk, to have more registry keys that might not be in memory at the moment, and also see differences. So, just as an example, there are some malware strains that change registry keys in memory but don’t flush them back to disk, things like that.
The same is valid for other data sources, so for example, event logs. We just had a Master’s thesis on event logs, so that will be in the product relatively soon hopefully. So we want to add those, and later down the road, we also want to add online sources. So, for example, if we find access keys for cloud storage and things like that in any of our other data sources, that we can access them and also integrate them into the analysis workflow.
Christa: With that in mind I wanted to focus on one particular subset in the law enforcement use case, which is encryption. So I know that you’ve been working on this product for a few years now, but in July this year, the German Federal Police announced more than 750 arrests along with seizures of drugs, weapons and other assets associated with the mobile EncroChat platform.
So I don’t know whether Nexus was used in that case, or whether it’s still too soon, or you can’t talk about it, but I did want to find out more about how the solution would be valuable for similar kinds of cases with those kinds of encrypted mobile platforms.
Christian: OK, so our current focus is disk encryption, actually. So we don’t support mobile yet.
Christa: Gotcha.
Christian: That’s not really a focus, so EncroChat is a bit too early, maybe in a few years! So the current focus, as I said, is containers like VeraCrypt, TrueCrypt, and also BitLocker. That’s one thing that I’ve learned also in the Federal Police: they often have the case that they have such a container and the computer is running, but they can’t access it. And that was the main idea of the product, that it should be really easy to just click and decrypt the device, because the key is in memory; if you get the memory it should be really easy to decrypt the device.
Christa: I see.
Christian: Yeah, and that was my initial idea.
Christa: OK. Thank you for clarifying that.
Aaron: I think we need to say…I mean, while we speak at this point, we still are re-implementing or implementing some of those encryption features. I mean, we had it at some point as a working proof of concept already in there since our launch. We took it out for stability reasons, but we are working on adding it back in a more stable state.
Christa: OK. Are you able to share what kind of feedback that you’ve received about Nexus and its usefulness for law enforcement in particular, but any other user groups that are working with it?
Aaron: I think we can say that the most amount of feedback in general we got from the law enforcement sector so far (since we started with the law enforcement sector in mind when we developed the product), I think it’s clear that the usefulness is probably at the highest at the moment for the law enforcement sector. Not saying that anyone else might not be interested in that, but definitely the most feedback we got from law enforcement.
We had some initial problems, to be honest, with the Windows version of our product because we are… Chris in particular is a Linux developer, we are general Linux developers. Some of our initial pilot projects that we ran with first partners (or some of the initial feedback that we got) was that we wanted to build, or should build, maybe a Linux-based application for bigger server setups, so for bigger corporations that would maybe… or also an agency, they should be able to use our product on their Linux server, and then access the user interface on some endpoint.
So that’s how we designed the whole thing. Then kind of the majority of the initial parties that were interested wanted some Windows version, so Chris started working on that, but some things are a bit different there, so we had some initial stability problems on Windows, had to extend…or we also extended, then some of the early trials for that.
Christian: By the way that’s also the problem with the disk image stuff right now. So that’s still a Windows problem. So on Linux everything works, but on Windows it’s still kind of not that stable.
Aaron: So we focused now in the past couple of months on really stabilizing the Windows version. On getting also the last pieces of the product together, which is mainly the proper database for filtering and searching results in the tables. So this is also something that is being added now very soon after the recording of this podcast, or hopefully, it’s very likely that it’s out when this podcast gets published.
Christa: OK.
Aaron: But apart from that, most of the people we talked to were, I would say, excited about the product. Still saw that there needed to be some more features maybe in some areas, so some of them wanted, for example, a hibernation file reader, which is currently being finalized.
So I would say the early feedback, apart from the stability problems with Windows, was good, and something we can build on. We are also seeing the first commercial results now so I think this direction is right. We generally try to be as transparent and open about what we are doing and where we are going as we can. Also speaking with potential users, or customers, as much as we can to really go into the right direction.
And so for that, I would also encourage everyone who sees this podcast, of course, to always check out our webpage, go to the roadmap (we have a roadmap there), which gets updated with every one of our product updates, and it should give you a good idea of where we’re going, where we are at the moment. And of course if in doubt, always just download the product and test it out. It’s available with a limited image size for free on the website.
Christa: Good to know. It sounds like you’re very, very deeply focused on development. I was curious about whether you’ve given any thought to various EU initiatives. We’ve been covering some of those this year. There’s Hansken at the Netherlands Forensics Institute, the FORMOBILE and LOCARD projects on an international level, the CASE Ontology. Are you looking to integrate your product with any of those, or thinking about that just at a very basic level at this point?
Christian: Yeah, so first of all, we are not affiliated with them, or we are not actively working on any integration so far. But in general, of course, it looks interesting, especially the LOCARD project. I’ve taken a look at that a bit more in depth, and it seems to align with what we envisioned for our product. So from my perspective, it looks really interesting, but of course, as Aaron already said, we are really focused on feedback. And actually we got zero feedback that anyone would be interested in an integration so far in any of these projects.
Aaron: It might be because they’re a bit too early, they are still being developed, some of them.
Christa: Right.
Christian: And also we are really early, so I guess those questions will come at some point, and then we will probably also work towards an integration.
Christa: OK.
Aaron: So in general we like, of course, integrating other concepts that are out there, other frameworks. This is definitely something that we are looking into. Of course it has to make sense, it has to serve a purpose for certain customer groups. But, I also want to say that some of the European funding projects: I mean it’s great that they exist, and it’s good that there is European funding because it’s such a technical area that it’s hard to explain to anyone quite frankly. Also to investors or whoever wants to get active, like they need to hire experts to even understand the basics.
Christian: Try to tell an investor that you need, like, five years of development before you can start making revenue!
Aaron: So it’s great that they’re out there, and we’re also looking into cooperating with other partners and applying for some of those calls that are out there. I think those programs were still under Horizon 2020, which was a big funding scheme, which ended in 2020.
Now there’s Horizon Europe which is for the next seven years, until 2027. I think it got even bigger, the deep tech funding in there. So we’re also looking into that. And we already connected with some universities in Germany at least that form consortia that can participate in those things. So it could be that you hear from us in that regard as well, but I can’t make any promises yet.
Christa: Yeah, no, of course. So as you’re bringing more, I guess, users on board, more potential customers, what kind of background or training should the users have to be able to use Nexus successfully?
Christian: Yeah, that is also one thing that we want to improve in the field of memory forensics, because right now you need a pretty deep understanding of the technology, of course. And that’s also the case with Nexus. I mean it’s simpler to get started in general because it’s pretty simple to set up, and then just add an image and you can analyze it.
So right now the difference is not that big, so you need a background in at least IT security and understand malware concepts, depending on the use case of course, if it’s more law enforcement or more incident response. But we want to work on that, and integrate a very…or deeply integrate a knowledge base, so that you can basically click on any artifact type and any indicator of compromise or whatever we display in the front end, and you get additional information on that and can read up on what’s going on there, what it means.
But that’s, as you can imagine, quite a lot of work, so we are just getting started with that. It will probably take a while, but it’s one of our focused topics that we want to give memory forensics, or the possibility to do successful memory forensics, to more people.
Christa: OK. I have a final question… oh, go ahead.
Aaron: Sorry, just one addition to that. I think it’s, as Chris said, easy to get some initial data, just to see results, but interpreting the results of course still remains an issue that also probably can never be fully solved. I mean you always have to be able to understand some of the process information that you get from looking at the memory dump. This is something we cannot take away at any point, but the hurdle should be lower, the entry point should be… it should be easier to familiarize yourself with those topics, and that’s what we try to achieve.
Christa: OK. That makes sense. So I have a final question for you. The name Trufflepig is very distinctive. Where does it come from?
Christian: Yeah so, that is actually a story that comes from Olli. So, he was working in an IT security startup before. I think it was at an incident, and so they were also handling some incidents, mostly Linux systems. And he was looking for some stuff, or a team member of his was looking for things, and he didn’t find it within like two hours or so. And he was sitting down and “yeah, what’s the problem?” and like five minutes later, “yeah here it is!” And he was like “OK, yeah you’re a truffle pig, you find the truffles.” And that somehow stuck with us.
Christa: I like it!
Aaron: We think it describes what we try to do, of course, very well. Looking for the truffles in the vast amount of data out there.
Christa: Exactly, yeah. Well, Aaron and Chris, thank you again for joining us on the Forensic Focus podcast.
Aaron/Christian: Thank you, Christa.
Christa: Thanks also to our listeners. You’ll be able to find this recording and transcription along with more articles, information and forums at www.forensicfocus.com. Stay safe and well.