The world of Digital Forensics
Digital Forensics is the retrieval, securing, extraction and analysis of data in a forensically responsible manner. The investigators, digital detectives and first responders working in this field face many different digital forensic challenges every day, for instance the wide variety of data carriers, the immense amount of data they retrieve and the different data formats.
We interviewed three of our Digital Forensics Advisors from DataExpert Sweden, Denmark and the Netherlands. We discussed the challenges and opportunities they see and hear in the Digital Forensic work field. Let’s start by introducing the interviewees:
André Hakkers: responsible for the Forensic Unit at DataExpert in Veenendaal, the Netherlands, for over 20 years. Over the years he has received many different certifications, such as ISC2-CISSP, as well as different tool training courses.
Jesper Eirup Sielemann: lives in Copenhagen, Denmark, and has been working in the Forensic industry for about 10 years. He has his degree in computer sciences from the Danish Technical University and spent 3 ½ years as a battlefield medic in the Royal Danish Medical Corps before going into sales. He joined DataExpert Denmark in September 2021 when DataExpert acquired Hammerich IT Forensic dept.
Christian Almstedt: lives and works in Linköping, Sweden. He has a Master of Science degree and has also studied Internet Security at university level.
Now, let’s read what the world of Digital Forensics looks like in Denmark, Sweden, and the Netherlands.
Who are the Digital Forensic customers?
DataExpert offers a very broad mix of products and is therefore able to serve a broad mix of customers. The majority of Digital Forensic products we provide in all three countries end up within different Law Enforcement organisations like the National Police, local Police districts, Defence and Tax Offices. Besides Law Enforcement, both André and Christian mention that they see a rise in the use of forensic tools within the corporate, insurance and banking industry. Jesper added organisations in telecommunication, auditing, and the private security industry to the list.
What types of forensic investigation are most common?
“When I first started in Forensics, computers were the main targets for investigations. They still are important today, but mobile devices are nowadays the first thing that detectives look for”, André says. Jesper and Christian both agree with André that mobile devices and computers are the most sought-after, because there is almost always interesting data inside the devices, for example GPS records, images, videos and chat conversations.
Furthermore, they all mention Cloud Forensics as an upcoming area in Forensics because more and more information can be found in the cloud. Jesper: “Cloud Forensics is not a new trend but, in some cases, the scope of the investigation is still limited to onsite data. This is something that investigators have to navigate from case to case and laws are different from country to country. In Denmark, the cloud is an integral part of any investigation – at least for law enforcement”. Christian adds: “In Sweden there are a lot of regulations still regarding investigating in the cloud, therefore Cloud Forensics is probably the smallest part of the Swedish forensic business”. So even though all three emphasised the importance of the cloud, regulations and the focus on onsite data mean it isn’t the type of forensics that is used the most.
Furthermore, André emphasised that CCTV is also an increasingly important part of investigations in the Netherlands: “These days, cameras are everywhere, recording incidents that might be looked at a later date. It’s becoming increasingly important and tooling like Amped FIVE can help investigators find the right information in video materials”. Besides this, André also noted that Automotive or Car Forensics is becoming increasingly important since cars contain more and more intelligent technology.
What are the most popular Forensic solutions?
Due to the broad variety of data carriers, investigators need more than just one forensic tool. Using several tools also helps to ensure a result that cannot be questioned in court. Christian: “Most customers use 2-3 tools for verification of the results and also because every tool has its own special strength”. One very popular software solution in the Netherlands, Denmark and Sweden is Magnet AXIOM. Jesper: “The broad range of functionality combined with the ease of use and a vigorous dedication to finding all evidence is the reason law enforcement customers choose AXIOM”. Besides AXIOM, Jesper named EnCase as one of the de facto standards with Law Enforcement in Denmark. Both André and Christian added Oxygen Forensic Detective to the list of popular solutions. Next to the much-appreciated MSAB’s XRY and Cellebrite’s UFED, Oxygen Forensic Detective is becoming more and more popular for Mobile Forensics and Cloud investigations.
Apart from the tools mentioned above, FTK and Intella are often used for intense e-mail analysis.
What has changed in the Digital Forensics field?
All three agreed that the most important change in Digital Investigations is the switch from searching for evidence solely on hard drives to including mobile devices, the cloud, app data, social media, GPS, cell phone tower data, ANPR data and many other data carriers. Jesper: “This means that the investigator will not only have to know digital forensics in a very basic way but needs tools and training to conduct complex investigations across many different platforms and have the analytic capabilities and tools to extract the evidence and present it in a report that can be used in court”.
Besides the variety of data carriers, the amount of data is also a real shift. There are huge amounts of data everywhere. Christian: “This shift makes it more important for investigators to have the proper tools so they can get help quickly in how they should prioritise their work”.
“Besides the variety and amount of data, we also see that data is more encrypted. Luckily there are many different mobile forensics software and hardware solutions to bypass the encryption”, adds André.
What is unique about the Digital Forensics working method in your country?
Both André and Jesper answered that the Dutch and the Scandinavian way of working and practical approach are quite similar. This makes cooperation between the countries smoother and easier. The only difference Jesper emphasised was that the Danish Police does not always prioritise training and certification, something that does happen in Sweden and the Netherlands.
Christian acknowledged the similarities, but also mentioned the following: “Swedish people are considered to be very early adopters of new technology. That forces the investigators to make sure they always have the latest releases of their tools, and it emphasises the importance of choosing tools where the manufacturer quickly updates their tools with new functionalities”.
What can we learn from each other?
Even though customers are already really experienced in what they are doing, one of the improvements that Christian put forward is sharing knowledge and experience. Of course, sharing information is often sensitive, but methodology and experiences are also important. Jesper and André were both like-minded. It is a small world, and they can always look to other organisations in the IT-Forensic field to see how they conduct investigations over multiple devices and platforms. Jesper: “Forensic investigators will have to master all aspects of an investigation with help of specialists in different areas”.
In addition to his answer to the previous question, Jesper also stated that training and certifications are something Denmark can learn from other countries. “By training the investigators, they will be able to work faster, more accurately and more efficiently. This will help with case backlogs, which are an increasing problem”, says Jesper.
What does the future bring?
Due to the increasing amount of data and the trend that investigators need to handle more and more cases, all interviewees answered that Artificial Intelligence will become an important part of forensics. It will help prioritise work, search data, correlate data and interpret data. In addition to AI, the need for automation and standardisation of the work processes will increase due to the high workload.
Conclusion
Digital Forensics is changing. The main challenges are the variety of data formats and data carriers and the immense amount of data. To retrieve, extract, secure and analyse the data, different tools are needed. Popular tools are Magnet AXIOM, EnCase and Oxygen Forensics because of their innovation and broad variety of functionalities. Furthermore, we can conclude that all three countries have a lot of similarities: their customers, their way of working and the tooling they use. The one thing that should be improved in the Netherlands, Denmark and Sweden is the exchange of knowledge and experiences.
The common goals of Christian, André and Jesper will always be to help our customers conquer the challenges of the dynamic world of Digital Forensics and to connect and build a Forensic community.