Digital Forensics: Myths, Legends and Reality

BSides Newcastle · 2025 · 24:10 · Published 2025-01
About this talk
Lauren Spokes, a digital forensics technician at West Yorkshire Police, debunks common myths about forensic investigation popularized by TV crime dramas. The talk covers the legal framework governing device extraction in the UK, the technical differences between logical and physical extractions on Android and iOS devices, and real-world case studies demonstrating how forensic evidence supports criminal investigations.
Transcript [en]

This is basically digital forensics, kind of TV forensics versus the actual forensics, because the CSI effect is very real. So... Just do a hard slap, will you? So, who am I and why am I here? I am Lauren. I currently work as a digital forensics technician at West Yorkshire Police. I've been there for about a year and three months, but previously I've done a couple of other things. Outside of work, I dance twice a week, I go swimming, and I'm trying very hard to learn Italian, unsuccessfully.

So, first, just in case anyone hasn't seen how bad TV forensics is... Any luck ID-ing my victim? She's got a burner phone. You can get one of those at any corner store or gas station. Burner phone, fake ID. She sure is going through a lot of trouble to stay anonymous. Well, if I were to pull a mid-air caper, I'd fly under an alias, too. She's got a Vegas number. Chances are she bought it local. Disregarding all the calls her drunken assailant made to various call girls and phone sex operators last night... Got one text outgoing at 10:48 p.m. to a local number. Landed. No registered owner. Another burner. I'll get an AT member for the detail records. Maybe she texted her bride or a getaway driver. Also, she made one phone call 13 minutes later at 11:01 to a different local number. Nally Janitorial Services, North Las Vegas. So that clip is just under a minute and a half long. Maybe she needed someone to clean her... They extracted the phone data and analysed it. I can confirm that is not true. But he knows all the call centre, all the call girl numbers. Yeah, and he managed to look them up, which is also incredible. "I'm not wearing no black for years." Yeah. "That's why." Yeah. Maybe that's what we're doing wrong. And I don't know if anyone gets the reference, but that is Matilda. It's not right.

So, what is it actually like? What do I do for a living? Unfortunately, in real life, there are legal things to consider. So, a very, very quick overview of the legal stuff. Very text heavy. But basically, on the left-hand side, before an extraction can be started I need a digital processing notice. That is law that has been implemented by the Home Office. There are two different types, one for suspects, one for victims and witnesses. Between the two of them they're exactly the same, apart from the one for victims and witnesses contains a few extra questions: why do we actually need it, where's the data coming from, that kind of thing. The DPNCs, DPNs in general, also include the date ranges of what we want, so we don't just take everything. And then on the right, basically that section 49 form gives us the right to ask for a PIN number. If you refuse it, we can prosecute you. And if that's going to work... Ah, there we go.

Do you have the right to ask for an NFB token? I don't know how far it extends, but it does extend to, like, Facebook passwords and things, but we can extract the tokens from the device. Am I right in thinking that level of governance relates to law enforcement or something like that? If you were doing a private, say you're a company with a forensics team and you're doing a corporate device, there's not as much. You'd ordinarily go through a particular legal process, wouldn't you, with a privacy team and that sort of thing? That's just the first three that I got when I googled people imprisoned for failing to provide passcodes. That's impressive. Sorry, I appreciate you want to move on, but would that include, I'm assuming that would include things like encryption keys, things like that as well? Yeah, so if it was a laptop and it was BitLocker encrypted, if you failed to provide your BitLocker key, you also do the same. Cool.

So, what and when? What do I do? So, there are three extractions available. All of them are done offline, essentially like being in a Faraday environment, with Wi-Fi and Bluetooth disabled, the SIM card removed, airplane mode on. That's all because we're not allowed to use data that's received after the point of seizure. So yeah, there's three different ones: logical, very minimalistic; file system, the most common, it's the one that we use; and a physical, which, if it's available, is fantastic. Yeah, so there's three different types of extraction, but depending on whether it's a suspect or a victim or a witness, that decides which ones we use. For suspects, when we want everything, a logical wouldn't be ideal because it gets very little data, and you'll see that in a minute. Whereas a physical gets everything, it gets your deleted data, it gets... Whereas for a witness we would go for a logical, because we only want that one message or that one conversation, that one picture. If you stood outside your bedroom window and videoed a fight in the street, that's what we want. We don't care about your messages with your mum.

So yeah, how long does it actually take? That clip was a minute and a half. It is hard to guess and say how long it is for any extraction, because it varies so much depending on the phone. But there is more than just the extraction to consider. We do have to decode it and generate reports and then transfer it to a USB before it can be given to an officer. We're looking at better ways to do it, but currently that's the way, and that's the definition of a decode. So yeah, generally iPhones are quicker than Androids, and it's nothing to do with the security of it. It is just because of the way that the software finds the data. It finds Android data all in one, it finds Android data two, three chunks at a time, so that in itself can take longer. But that's some extractions that I've done, that's how long they took to do the extraction alone. And then that's the decode. So combining both of those is the majority of one. But as you can see, two hours, two and a half hours, the 512 gig Samsung was just overnight. It was, I think, I can't remember if it was eight or nine, but it was somewhere eight, nine hours to decode. So, I mentioned that logical extractions don't get very much, physicals get everything, but what do they actually get? The answer is that, in a simplified format, that is kind of everything that we get. And what does that include? That's what it means.

Is there any limitation to the deleted data? Just because obviously a lot of people will delete data at this point for use-based on their device. So the fact that it still technically is in there and it could be retrieved, I'm just curious at that point, is there any time limitation to retrieving the deleted chunk of data? It's not necessarily a time limitation, it's how much other data you've got on your phone. It's if you... delete everything on your phone, but then fill your phone capacity up again, it overwrites the deleted. What about factory reset? Does that reset the deleted data? Yes, it does. So factory... Yeah, factory reset, we can't actually do anything with. How do you reset file case data? If you've got access to someone's phone and PIN number etc., would you also then go and have a look, so say for example you're doing a search on someone's iPhone, would you then also look at their iCloud data, or is that an additional request? That's an additional request, and it's for a different department essentially. We as the forensics unit operate offline, so we do everything as local data, but there is a different unit who do open source data, and they're the ones who would go and do cloud data for us.

So yeah, myths of digital forensics. We can access every device ever made immediately. Surprising or not, it's false. Without the PIN you can't get anything. Also false. I have an iPhone, you can't get into this. Also false. The law doesn't apply to law enforcement. Unfortunately, it does. You can do as you please to get results. Unfortunately not. And digital forensics is used for major crimes. Unfortunately, we use it for everything. So, my caseload at the minute has a lot of drug cases, but it also has missing persons, it has human trafficking, there's a wide range of cases at the minute.

So, how does it work? Android and iPhones work differently. As I said, iPhones are quicker, but that's because of how it works. Both extractions are done via USB, and basically the software uploads an application package to the device at the very start, and that is the gateway to the device, and it sends requests via that package and the Android device will send the data back. Whereas iPhone is a little bit different. It will still upload a client, however on this one it puts it into recovery mode, which is commonly used to restore a phone back to a different backup that you've had before. And again, that does API requests and collects the data.

I might be completely wrong in saying this, but I was doing a bit of reading and a bit of research around this topic myself. I have been reading recently a company, Cellebrite, who build these extraction tools and extraction hardware and whatnot. I basically read online in sort of like some papers that have been sort of leaked out of that company, I'm not sure if I should say that or not, but I was reading some of those papers and they were saying in those papers that they actually had some difficulty with newer iPhones. Is that still the case at the moment? So there is always a wait for when new phones are released, there is always a wait because it's a catching-up game. But we now support the iPhone 15 and 15 Pro Maxes and all the rest of it. We are still waiting for support for the 16. So I think you set up a set, so... Yeah. Is that coming from Delicato? Pardon? Is that coming from Delicato? I wish. I just wondered because we have one person that can get it. No, unfortunately, companies like Apple, Snapchat, Facebook refuse to engage with us. So all the data that we get is from the phone itself. There's nothing that we can get from Snapchat or from Apple or... I thought they were obliged to work for the police as they're not on the case, then? They are in America. Right, okay. Because they're an American company. We had an American force in a couple of months ago, and they were saying, oh, well, we'll just take their passwords, and Apple will give us the backup. And we're like, sorry, what? So if it was a UK-based company, would you then have the power to go and demand the data from them in that case? Or is it purely because they're American? I think if it was a UK company, we would have a little bit more wiggle room to... use and get some data from them, but essentially all the data that we need should be on the phone anyway, unless it's a cloud-based service.

So yeah, the easiest way to describe what happens with a Nokia is a photo. I can't put it into words any better than that photo does. When it says at the bottom, here's my memory, have a blast figuring it out. Genuinely.

So, some cases that I've worked on and the outcomes that we've had. I... was involved in a download in the summer of some of the riot work. This guy was charged with inciting violence. He was posting online saying, "Oh, we're gonna smash this hotel. We're gonna..." everything. So we got his phone and did a file system extraction. He had a Samsung Galaxy A1 call, which was a year and a half backdated security-wise. That patch was January 23, we did it July 24. But we did still manage to get all that Facebook, Snapchat, GPS, WhatsApp. All of his web history was just open, readily available. And he was subsequently charged to 20 months in jail. Quite a nice outcome for us, because that one came in as an urgent: you need to do it before you go home today. And it did make national news, so that's the link of ITV's, but the full court listing is also available on the website, so that's quite an interesting read of what he said in court and the data that we got. And just another one, this one's a lot more recent, this one hasn't been to court yet, but he threatened to kill his mum. So again, we got his phone, did a file system extraction, he had an iPhone XS, I believe this guy refused his PIN code. So we didn't get quite as much, but we did still get all his messages, emails, TikToks, locations. And for this one, it was quite important to get his web history, because he'd actually been searching for... murder kits on Amazon and how to buy a machete. - Oh, yes. - So he's literally lost the plot. But yeah, this one, again, understandably, came in as an urgent one to do before I left home. And he was remanded in custody within his custody clock. So he didn't go home and kill his mum. But yeah, he's awaiting sentencing at the minute.

Are you required to go to court and testify, or is that something the detective does? Yes, so it's just the detectives that go. Everything that I do I provide to them, and then they pick and choose bits out and create their own reports of what they want to provide as evidence. Any questions? How much is an Amazon murder kit? Sorry, that's what I mean. Is that the note off all the time? No, just the note. Sorry, what was that one? How much is an Amazon murder kit? I don't know. I didn't look for it. I just picked it up and saw the Amazon have to buy a murder kit. I don't know. Yeah, the ones with the criminal quotes. They were tough. The poems, they had a lot of parts that got criminals, they got super untraceable. Oh yeah, yeah, yeah. I haven't. Somebody else in my department did have one. And I believe we managed to get something from it. Whether we got much, I don't know. Did the terminal they were all backed up? Or was that something else? Yeah, it was EncroChat. Was it EncroChat that was backdoored? Yeah. Yeah.

Sorry, I've got two actually. So, first question would be, obviously you see phones, computers and whatnot all the time, I'd imagine. What's the most unusual device that you've had to do an extraction on or analysis? And second of all, I'm a SOC analyst, but I am kind of potentially trying to carve a career into digital forensics. What advice would you have for someone like me who's kind of already working in cyber security to make the transition? So, first one, the weirdest phone. Well, basically, what's the most unusual device? Not necessarily phone, just device that you've had to do an extraction or an analysis on, because I'm assuming you see phones and laptops all the time. Yeah, so we did... The weird ones for me are the Chinese phones. The Chinese, like, fake Nokia ones. Because they're really easy to get into. But they're always covered in something sticky. They're always in a case of, like, one of the old flip phones, like flip covers. And they're just very... very strange to deal with. And as a way of getting into digital forensics, I would say don't be scared of the entry-level jobs, because the promotions and stuff do come quite quickly, well, at least for us. It's just a case of learning from the role, but that's a lot done within the job. There isn't really much open to do. Sorry to take you to that.

Is there much work outside of the police for that? Because I was thinking more along the cut, sort of like along, well, that's my corporate forensics, you know. So there is, so you can do, there are some private companies that do prosecution work and they will do some very odd work, they don't tend to do the same jobs as us, so there is them, but there are also defence experts that the courts use and they request data all the time, two sat on my desk at the minute, and we just have to send them the raw data that we've downloaded and they'll process it, they'll analyse it, they'll do everything themselves, so that's another option if you wanted. Not law enforcement.

Can I ask, what pastoral support and so on do you get? Because it's quite a tough role. So how long are you in post and what pastoral support do you get? So we've got quite a good kind of mental health check-up system at work. We get monthly one-to-ones with my boss, and that consists of a work overview, make sure you haven't got too many horrible cases or too much work on in general, but also a walk and talk, which is used for if you've got problems at work, at home, with your mom's sister's cousin, somebody, if you've got any problems, it's just like air out anything that you've got. - Because every little thing just adds to the pile, doesn't it? - Yeah. - But what you have to deal with, what you see, can be quite horrendous. - Yeah. We also have some general peer support and things, and there's a lot of them within the department, so if there was a specific case that had really affected me, I could request a peer supporter from within the department, and then at least they could relate to the struggles with it. That's good. Thank you. Thank you so much.