Digital Forensics

On this episode, host Olivia Neal speaks to Detective Sergeant John Price from the West Midlands Police Force in the United Kingdom. He shares insights from the world of digital forensics and how investigators are using technology to help victims more effectively in the modern age.

---

---

What is digital forensics?

John Price is Detective Sergeant for West Midlands Police Force in the UK. He says “We’re made up of around about 10,000 police officers and police staff. We currently police a community of around three million people. We also provide a digital forensics division for Warwickshire Police, and they have about a thousand police officers, and about a half-million population.”

Digital Forensics is a branch of forensic science that focuses on identifying, acquiring, processing, and the reporting of data stored electronically.

“That data covers almost all criminal activities, digital forensics support, crucial law enforcement investigations. It’s estimated around the United Kingdom, that around 90% of crimes have some form of digital footprint, either that’ll be computers, mobile phones, CCTV, drones, internet of things in the house, and we report upon that, so there’s a lot of data there.”

Price added, “Our main goal with digital forensics is to extract data from electronic devices, processing into actionable intelligence, and produce that back for courts. But there’s also a world of digital forensics, outside of policing, which is more around digital forensics incident response, which is identifying and investigating incidents within corporate environments, for example, cybersecurity incidents. And that can be anything from looking at dead-box forensics, which is devices that switched off, anywhere from looking at security information, event monitoring logs, firewall routers, overlaying all of that data to look at that security incident, and how do we deal with it, and look at what data systems processes are being impacted.”

Technology is increasing challenges, and also opportunities

“I look back to when I joined the police, and if you’d go into a house search or a premises search, you would probably go there and you’d be lucky to find a computer in one room of the house and a mobile phone. And that wasn’t a smartphone. It was just a normal conventional, old style Nokia phone, for example. Whereas when we go into a house nowadays, we’ve got Ring doorbell systems, for example, which is capturing people’s movements. We’ve got so many Internet of Things devices, you’ve got smart TVs.”

Price continued, “We can capture now so much more data around people, incidents, profiling, compared to 10 to 20 years ago. And we don’t ever see any of this getting dis-invented. All we ever see is that this is going to continue; that innovation cycle is going to get more and more… I think this is one area that’s just getting bigger and bigger around digital investigations.”

Having so much new technology to work with opens up a lot of possibilities in Price’s line of work, but it also creates a lot of data.

“I look back around about 2010, and we were dealing with hard drives, for example, where the average size of the drive was around about 500 gigabytes, where we’re seeing now devices coming in of about 1.5 terabytes. An average case, for us, for example, is probably around about four terabytes. So dealing with that sheer volume of data coming in, we have to look at ways of how can we innovate to deal with these; the amount of devices coming into us, but also that sheer volume of data that we’re having to go through to make sure that we’re not missing anything of real keen interest.”

The UK’s Digital Forensic Science Strategy

“Back in July 2020, there was a national digital forensic science strategy that was released. And that sets out the goal for the United Kingdom digital forensics between 2020 and 2030. And there were three core challenges that were really identified within that. And that was dealing with the volume of data and devices that we’re seeing coming in. Dealing with the complexities of that data would be around, encryption, different types of devices, the legitimacy that even though we’ve got those devices, does it make it right, for example, is it lawful, proportionate? Once we’ve got that data, how do we lawfully deal with that?”

Price added, “And then there were other pressing issues around that, that were linked to those core challenges, which were the sheer volume of data, the competency of staff. How do we deal with the quality? So it was encapsulating all those areas and saying to senior leaders in place in the UK and the government, we’ve got to start acting upon all these areas, to start making a big impact around digital investigations.”

“So back around 2020, we commenced work looking at how we implemented a Digital Review Tool into West Midlands policing. And from that, we worked with three partners. One of those partners was Microsoft. A second partner was a company called Exterro, and a company called Risual, a managed service provider for us.”

“What we wanted to do with all that data we capture within the digital forensic lab, we wanted a way of allowing officers, investigators out there to remotely be able to review the data we hold in the DF lab, therefore reducing the amount of time it takes for staff to review that data, dealing with the issues where they may not have CD burners, Blu-ray discs, DVDs, on the laptops, for example. They may not have the right codex; they may not have the right skill level. So it’s something really simplistic for staff to use. In May 2022, we went live with our review tool for certain elements of West Midlands Police, to how we can deal with some of that volume of cases coming in.”

Different types of online crimes

“Within West Midlands Police originally, it was going be just a proof of concept. We then put this into an operational production model from May last year. So our phase one has taken, you know, what we call our OCSET team, and that’s our Online Child Sexual Exploitation Team, and it’s taken on a few more sensitive teams in full. If we just deal with the OCSET team, first, what’s been quite interesting is, for the vast majority of offending, we’ve seen devices coming in – they’re mainly computer-oriented exhibits, and computers by sheer nature have that larger increase in volume of storage.”

Price continued, “If we were to look across the rest of the force, the different top crime types like murders, homicides, kidnapping you don’t really see that activity taking place in the computer world, it’s more mobile based. So even from phase one, I think what’s been really sort of satisfying for us is to think we’ve automatically encapsulated a massive piece of that storage data requirements, even from phase one alone, And I think also knowing the teams that it’s gone to, as part of that phase one, around the sensitivity of data, you know, to go through all those security hurdles, vetting, and all that pen testing has given us the confidence we know what we’re doing is the right thing.”

Supporting positive outcomes for victims of crime

“On the whole, this project, and the delivery of this, it is solely around our victims, nothing more, nothing less. It’s solely around our victims, and unfortunately, there are really sad occasions, when we were working, if a device coming in submission and it’s said to us, for example, the report is a person is downloading indecent images on the internet, we would go into that with low risk of score, and that data would have been acquired. It would have been processed. It then would have sat on our server storage for a minimum of six months downstairs until a report writer becomes free, and then they pick it up. But within that six months, realistically, no one is looking at that data due to the sheer volume size and the amount of jobs.”

Priced added, “However, what we found in the Review Tool is because we put that information across one of our databases called CAID, which in the UK is our child abuse imagery database, we’re able to recognize and pre-categorize any indecent images that are flagged whilst it’s processing on the fly. So, it can be instantaneous, but it’s also flagging up, for example, any indications of what we call live abuse, where those images haven’t been seen before, and children are at risk. So, we have been able, through this tool, to identify children at risk a lot sooner, to take that safeguarding and deal with those offenders a lot quicker than we have done previously, using our old methods.”

Using cloud to manage volume increases

“From May 2022, when we went operationally live, until December of last year, we’ve processed over 70 cases in the review tool, and this is equated to 120 mobile devices, 135 computers, but also what’s been really good from that is, as a byproduct of hosting the review tool within Azure, we’ve been able to leverage further storage now for our evidential data.”

Price continued, “And since August of last year, we’ve pushed up over 400 cases, into Azure, which is, you know, pretty groundbreaking, really, and – and the benefits of that, around management of policing information, how can we securely deal with that, how can we control how long we can keep that data for, which has been a really good byproduct of that. So we’ve been really, really impressed with that, and also, it makes us more compliant to the forensic science regulator codes, which we’re governed by within the UK. So where they’re saying you must have an offline/off-site backup, we’ve been able to do that with Azure by hosting that data off site in a secure environment.”

Price reflected on the complexities of managing on-prem storage in the past “it’s a lot of pressure, and it takes us away from our day job of being police officers, police staff and investigators doing digital forensics… And even what we do finally, you can have more server storage, but then it’s the associated have we got the physical racking space available in the server room? Have we got all that power? Have we got that air conditioning? So all those hidden costs.”

“So, the benefits for us [of hosting data within Azure], within our digital forensics unit, has been that scalability of flexing that processing power on demand, the ability to scale up our storage within a very short period of time.”

Questions around appropriate storage of data have been carefully considered and evaluated during this process. Price elaborated “I think one of the big things at the moment around police and in the cloud, is that ethical question of can we store data in the cloud? The process for us was before we done this, we took it to our legal services. They fully went through, can we do this? We then thought, right, we know legally we can do it, that ethical question is it the right thing to do? And I think it’s a really good question, really.”

“So, the issue for us is, do we just stay static and keep trying to buy more and more on-prem servers, more and more on-prem storage or do we look at a more positive way of saying, right, let’s try and deal with this more effectively, by scaling that process in a way to enable us to get through that data quicker?”

Price added, “So, we went through that legal journey with getting the sign offs. And it makes me feel comfortable with the fact of we’re holding true to our beliefs, our values, and the fact of we are massively trying to make a difference.”

Evolution, inspiration, and staying up to date

“For us, it’s always about continuous improvement. And that continuous improvement doesn’t just mean spending money to purchase more systems or more services. It can be your own internal working practices that you tweak, for example. We encourage our staff to regularly present to the rest of the team around up and coming technologies. And we’re finding that works quite well, because then we create small subject matter experts who can understand those new technologies coming in.”

“One thing we’re always doing is, we’re one of the leading forces in the UK around cloud use, for policing at the moment in the digital forensics world. But that doesn’t mean we can just stop and be static. It’s always looking to our left, always looking to our right, what are others doing, what’s good practice, what can we take away? Not just, you know, nationally, looking internationally around what’s sort of coming through and where can we do that?”

Price concluded, “For the UK, most police forces that come to us and asked us for detail, we’ve been quite accommodating and shared what we’ve done with it. And the reason being is, if we’ve gone through that original bit of work to deliver that, it doesn’t make any sense in another 43 other forces trying to replicate that, whatever those services are. So, we’ve shared a lot of our documents around how we got there, because we think that’s really quite key.”

To find out more:

• Learn more about how Microsoft can support digital transformation in Public Safety and Justice

Follow Microsoft

• 
• 
•