ETL Blog

ETL Blog

THE CRIMINAL JUSTICE LOGJAM -DEALING WITH THE DIGITAL BACKLOG

Written by Andrew Livesley MBE

The very real advantage of triage in the Criminal Justice System

Recent press coverage and statements by senior officers have served to highlight the scarcity of forensic digital examination resources and, indeed, the impact of that scarcity on the Criminal Justice System.

“…….figures show Lancashire Constabulary seized 745 computers last year and employed three forensic examiners to extract images from them.”

Alarmingly, these figures, obtained as a result of a Freedom of Information request (FOI), the report continues:

“…….do not include other devices such as digital cameras, mobile phones, portable hard drives, CDs, gaming devices, tablets and videos. Yet such devices are routinely seized by police as part of these investigations.”

The main issues for the police and law enforcement when dealing with digital data may be seen as;* The volume of data to be seized and/or examined;* The resources available for expert examination of seized material;* The ever growing distance between the investigator and the seized data.

Such activity carries a high value to the investigating officers as stated by DAC Steven Kavanagh

"Mobile phones and other devices are increasingly being used in all levels of criminal activity," said Stephen Kavanagh, Deputy Assistant Commissioner of the Metropolitan Police Service.

HMIC stated “we have found worrying examples of cases not being prepared properly because officers, having gathered evidence, were unable to have it recovered forensically in a format that would be admissible as evidence, or there being unacceptable delays in the analysis of the evidence.”

This situation fails to serve the victim and the delays can have an adverse effect on outcomes:“There are cases and there will be cases where the delay is such it could make the difference between an immediate custodial sentence and non-custodial disposal.”Judge Clement Goldstone QC

HMIC went onto to say: “The capabilities to tackle cyber-crime should not be the preserve of the specialist officer; every police officer needs an understanding of it and the capabilities to deal with the cyber-crime they will encounter.”

In order to make the fastest assessment of, for example, a laptop, a system which uses triage is required. Such a system can limit the data recovered and analysed. The speed of examination and analysis can be accelerated by intelligence driven data selection. For example, if the suspect is suspected of holding images of child exploitation, by cutting the search of the data down to only images, the speed will increase substantially. In such a case, rapid analysis at the front line will achieve two objectives:

* Provide the investigators with the evidence they need for charging, and* Allow the images to be submitted to assist in the protection of the children from further abuse at the earliest possible juncture.

Is reticence about change a good thing?

by Elizabeth Sheldon

We human beings, generally speaking do not like change. We would rather stay in a job we do not like than risk moving to a job we might like even less. Many partners stay married even though they are unhappy, for fear of what life might bring them as a single person. The next version of Windows is released and we see in ourselves and in our colleagues a huge reluctance to move from the version we are familiar and comfortable with, to the new sparkly version that will have more functionality and probably be more efficient.

Why is this? There are many blogs out there that offer excellent reasons such a:

"When we know exactly what we are doing we just don't want that to go away. It's like running a mile every day for five years then all of a sudden being forced to run two miles. You don't know if you can do it which leads to not wanting to do it." Kevin Jacobson

"Because we're pattern seeking mammals and we constantly relate things to one another, so the second something changes it messes our balance up temporarily." Stewart Gault

"I think what they don't really like is 'to be' or 'to get' changed by the will of others." Lejan

I believe we fear change do to the proposition of a lack of control. As a principle, humans desire power and control, our routines are routines because we have accepted them and been able to derive pleasure from them in one way or another. This potential loss of pleasure and control is very scary for most." John Dunbar

Perhaps the reason for resistance are good things, as they allow us to rationalise the impending change and ensure that it is a good  thing? form the comments above though, it seems it is fear and habit that are the most likely reasons for opposing or resisting change. In the workplace we fear that adopting a new process might take away our control or worse, our job, so we put up barriers to change. I believe that Lejan (above) has identified one of the key reasons for resisting change in the workplace and that is not allowing staff to decide for themselves. Give them enough information and detail so that staff can see for themselves that this change is a benefit to them and the business and everyone will be satisfied.

In 2009 when we first released SPEKTOR Forensic Triage to the market, there was huge resistance in High Tech Crime Units to adopting Triage as a methodology. Officer in the HTCU said they would be missing information and that they would be doing themselves out of a job.It is true that some units still retain this stance, the majority however understand that triage is an enabler not a disabler and that it cannot be applied to every case. Used properly it can reduce case-load and backlogs by a significant margin.

It has only taken 5 years to get the changing methodology of Triage accepted by the majority of the UK law enforcement community. What have you developed that has taken years to be adopted and accepted by the world?

The importance of customers during product development

by Elizabeth Sheldon

How many of us have a great idea that we just know will fly off the shelves if only we could get it to market quickly? The idea is so great and so innovative that we embark on development without consultation, because we know that this idea is just right. It will be used the way we envision it because that is the most logical method and the most effective because that is how we perceive our products.

Does this sound familiar to you? I suspect that to some extent all of us have suffered the arrogance of conceiving a product and embarking on the development of that product in blissful isolation of those who will be the target users. The first product we came up with was Remote Forensics and it came into being becasue our Principal Consultant had to go to Lagos to acquire digital data for a client from a bank and he did not enjoy it so he came up with a way of acquiring that data without having to leave his office.

Very clever you might think and yes it is but spending time with our clients discussing the ways that they might use this technology has resulted in a vast range of other enhancements and features that would not have seen the light of day had we just developed in isolation and had we spoken to them during development would have resulted in shorter production time.

With our latest product SPEKTOR Drive, we set up a User Group prior to developing the product. The aim was to discuss with the group how they might use the tool and develop it along the correct path for each specific type of user. The User Group tested it for us at each development stage and reported back with comments and feature requests.

The result of this has been faster development along the right lines. SPEKTOR Drive was ready for market months ahead because the development and client testing were integrated and few post development changes were needed.

There is an article here about Incubators that reiterates the advantages of quizzing your customers before developing http://www.entrepreneur.com/article/226282

The importance of customers during product development

by Elizabeth Sheldon

How many of us have a great idea that we just know will fly off the shelves if only we could get it to market quickly? The idea is so great and so innovative that we embark on development without consultation, because we know that this idea is just right. It will be used the way we envision it because that is the most logical method and the most effective because that is how we perceive our products.

Does this sound familiar to you? I suspect that to some extent all of us have suffered the arrogance of conceiving a product and embarking on the development of that product in blissful isolation of those who will be the target users. The first product we came up with was Remote Forensics and it came into being becasue our Principal Consultant had to go to Lagos to acquire digital data for a client from a bank and he did not enjoy it so he came up with a way of acquiring that data without having to leave his office.

Very clever you might think and yes it is but spending time with our clients discussing the ways that they might use this technology has resulted in a vast range of other enhancements and features that would not have seen the light of day had we just developed in isolation and had we spoken to them during development would have resulted in shorter production time.

With our latest product SPEKTOR Drive, we set up a User Group prior to developing the product. The aim was to discuss with the group how they might use the tool and develop it along the correct path for each specific type of user. The User Group tested it for us at each development stage and reported back with comments and feature requests.

The result of this has been faster development along the right lines. SPEKTOR Drive was ready for market months ahead because the development and client testing were integrated and few post development changes were needed.

There is an article here about Incubators that reiterates the advantages of quizzing your customers before developing http://www.entrepreneur.com/article/226282

Is traditional advertising dead for Business to Business transactions?

Reading through the plethora of business magazines that come through the post, how often do you look at or read the advertisements that accompany the articles and editorial? It would surprise me if the result was more than a few percent.

What are the advertisers that continue to use this medium hoping to achieve? A direct sale is unlikely, are they wishing for brand awareness, if so what is the value of brand awareness in the market place? Has brand loyalty been diluted by the increasing need to search for the cheapest price?

All forms of advertising act as a reinforcing agent, this works especially well for B2C. For example the adverts for Persil washing powder , reinforce the view that using this product allows the user to feel smug and secure that they are doing the best for their family by maintaining their place in the social hierarchy of the middle classes. But does this reinforcement work for B2B?

So if the advertisers are not expecting a sale, are perhaps hoping to add to their brand awareness what else might they expect from traditional advertising? Perhaps they are just saying “I am still here”, is it as simple as that and what is the value or the ROI on this?

"Advertising hasn't changed, it just has more respect for the results other disciplines can deliver," says Ray Gillette, president of integrated services for DDB Needham in Chicago. "Historically, brand management managed the advertising. Today brand management looks at strategy first, then media."

Debbie Stier, SVP, Associate Publisher of Harper Studio posed an interesting question:Is Advertising Dead? Or is There a Huge Opportunity for Interesting, Innovative, and Entertaining Ads to Emerge?

…it seems to me that advertising as it exists now may be dead, because it doesn’t work, but there is room, and in fact an opportunity, for advertising to become remarkable — to entertain or inform — or as Seth Godin would say, to be a Purple Cow.

If we listen to these comments, one answer could to be to be more innovative and certainly more diverse in the mediums used. Tradition methods of measuring ROI is of course looking at the bottom line, is the business selling more. In new media is there more to consider?

…next time we will examine the use of social media in advertising for businesses. Is this the way forward?

The best ways to promote your products and services

by Elizabeth Sheldon

We all want to promote our products and services to new markets and customers. There are numerous ways that are open to us to achive exposure and publicity. Lets explore those in a little more detail.

  1. Top of the list must be face to face presentations. There is no better way to enthuse a potential client with what you have to offer than by demonstarting to them and discussing with them their own needs and how those can be addressed by the product/service you have for sale.
  2. A good source of potential customers is an exhibition or conference where you will have access to lots of people with a common interest, that of seeing and understanding new offerings.
  3. Webinars - for those of you who export then webinars are a cost effective and powerful method of delivering demonstrations of products and services.
  4. Social media is another cost effective way to desiminate messages about you and your products and services if it is done in a sensible manner. Too many messages can be counter productive.
  5. A good website is essential today if you are serious about your business.

What do all of the above methods have in common? They all rely on WORDS to wholly or in part deliver the message. Nothing wrong with that you say and in some cases it works well, except that most people understand something so much better if they can visulise in pictures.

The adage 'A picture is worth 1000 words' is so true. You could write a 4 page  datasheet about your product or service or you could show a 2 minute movie outlining all possible scenarios and uses for your product or service. Which do you think the customer would view more readily...the movie or the document?

Check out our showreel here for examples of visual imagery and product movies here that showe in sequence how a product works and it used why not contact us to ask how we can make a visually compelling movie for your business to showcase your products and services..

What is Triage-really?

by Andrew Sheldon MSc Forensic Computing

There seems to be a range of views about what "triage" really is.

For me, triage is a process, supported and enforced by technology, that allows our first responders on scene to make informed decisions about 2 things:

a) Whether the item being triaged is likely to contain data of interest/value and should be subjected to forensic examination and...

b) Whether the "suspect" user/owner of the items should be detained or released pending further examination of the items.

Like the breathalyser analogy, the triage process/technology should usable by a wider community than the expert user because, although we have our own skills and a host of technical "triage" tools, there simply will never be enough of "us" to cope with demand.

Users of triage tools should be trained in its deployment but should not necessarily need to be technically skilled because the triage technology should enforce the controls and logging necessary to ensure potential evidence/intelligence is not damaged or tainted by its use.

I believe there is a BIG difference, both technically and procedurally, between the various key stages of a digital investigation. I think these are

1) "Triage" - identifying items likely to contain evidence/intelligence and helping with prioritizing their examination.Typical location= on siteSkill level = minimal.Case knowledge level= anywhere between speculative and detailed.Process time criticality = always as fast as possible

2) "Early Case Assessment" - Processing seized items to make as much relevant information as possible available to the "case officer" as quickly as possible so that they can assist the forensic expert to extract and produce relevant evidence.Typical location= forensic labSkill level = Expert - using complex scripted tools to carve, recover, index and categorize .Case knowledge level= anywhere between minimal and detailed.Process time criticality = always as fast as possible - scripting used to limit experts time

3) "Forensic Analysis" An expert uses a combination of being guided by the case officer and guiding the case officer through the materials revealed in stage 2 so the expert can produce "evidence" using forensic techniques to the satisfaction of the court.Typical location=forensic labSkill level = Expert - uses complex tools, technical knowledge & experience.Case knowledge level= detailed.Process time criticality = will depends on the materials and the nature of the case.

So, my question is this... what are the objections to using "triage" as defined above?

 

Terminology can mean different things to us all

by Elizabeth Sheldon

Having just attended a big conference in the USA, it became even more apparent how we are separated by a common language!

The term 'triage' as applied to digital devices seems to involve quite a different process in the USA when compared to the understanding of the term here in the UK. I attended a presentation of a new ‘triage’ tool that is made available free to law enforcement and military customers and I must say it was a brilliant product.... BUT I don’t think it’s what we understand a triage tool to be. The reason? It only works on forensic images of a target device and usually runs overnight! This makes it what I would call an “Early Case Assessment” tool and not a triage solution. The two tasks are quite different for two reasons: Speed and Functionality

Out in the field, where time is of the essence, a triage process should be conducted to quickly help the first responder classify and prioritise devices that the experts need to examine. Once in the forensic lab and with the luxury of more time, an “early case assessment” process can automate many of the time consuming tasks a forensic expert would normally spend hours performing like carving file fragments, extracting and reporting relevant email, identifying event sequences, generating a standard case report etc.

The ‘early case assessment’ tool I witnessed looked very impressive and I’m sure would be of great benefit to forensic analysis in speeding up initial case reviews and I’m happy to pass on details to relevant organisations. Likewise, if your lab is already suffering long delays caused by volumes of unnecessary device seizures then I’m happy to discuss how SPEKTOR Forensic Intelligence and SPEKTOR Phone Intelligence can eliminate these delays and help you focus on what you do best. Call us now for more information. +44(0)845 125 4400

info@evidencetalks.com

The importance of specific training

by Elizabeth Sheldon

For some reason, training seems such an unattractive offering, but in reality it is essential for every company producing tools, whether in the Digital Forensic market or not, to offer good training on their kit.

Technical people love new toys. Pieces of gleaming technical kit are so appealing to them, shining in the sun, enigmatically they beckon the purchaser forward to stroke the box and entice the user to know more about it, once hooked they then want to own it. But once they have bought it would they automatically know what to do with it?

Even highly technical people cannot inherently know how to get the most from a tool without training. Should training be sold as an optional separate item or should training be bundled into the purchase price as a package offering?

As a company selling technical equipment for users, some technical and some not technical , we believe strongly in the value of concise, intelligent and interactive training. The user can then get the most from the tool in the most efficient manner. This is clearly beneficial to them and it is beneficial to us as we then have happy users who are proficient and confident in using the tool.

For the product developer, training takes time to develop and deliver and as tools are updated then updates for training have to be pushed out to users taking more time and resources. The value for the user isa) in the confidence gained in using the toolb) in knowing when to use the toolc) in saving time when using the toold) by using all of its’ featurese) in the understanding the results that the tool will give the individual or organisation.Proper training of users will make the tool a real asset to the individual or organisation. Untrained users make the tool an expensive ornament as it stands the danger of not being used or used incorrectly.

The question is should all technical kit and tools be sold with mandatory training and accreditation or should the user still have a choice whether to take this up or not?

Working smarter in these cash-strapped times

by Elizabeth Sheldon

A survey by the BBC on 'Breakfast' this morning demonstrated that 60% of the public were willing to see cuts in public services in view of the funding deficit the country is facing. This is very encouraging seeing as the public sector seems already to be implementing these cuts and reigning back heavily on any form of spending. Sensible yes, but also very difficult for UK businesses who make and sell products or deliver services to the public sector here in the UK.

I wonder how many of those 60% would still be happy if the cuts directly affected them. There were comments that education and defence should be protected. surely if cuts are to happen then they should be fair across the board, otherwise we are all going to say that our area of interest should be protected.

Hence the need for us all to be flexible and think and work smarter. Tools that save money and human resources are the order of the day. Retraining users to be adaptable and skilled in more than one area. Buy and deploy tools that can be used for multiple tasks and then in the future additional functionality can add even further value.

Everyone has a civic responsibility to encourage the country to maintain a balanced economy. Likewise the procurer's of equipment and services for the public sector need to be mindful of companies whose livelihood are resting on the fortunes of the UK economy. Let us as manufacturers, design smarter products and sell smarter tools and all of us do our bit for the good of our futures.

Login

Please login here

Newsletter

captcha 

Contact Us

Evidence Talks Ltd
Willen House
Tongwell Street
Fox Milne
Milton Keynes
MK15 0YS
UK
 
t: +44 (0)1908 597960
f: +44 (0)1908 597958