Navigating a Shifting DFIR Landscape: Challenges, Rewards and Collaborative Learning in Mobile Forensics
In Forensic Fix episode 6, Adam Firman is joined by Derek Frawley, a former Detective Constable with the Kingston Police. Derek was in law enforcement for almost 28 years and has been working with computer and cellphone forensics since 2009. After his retirement in January 2023, Derek continued his work in the industry, now running his own digital forensics business. From his early days as a patrol officer to his pivotal role in establishing the digital forensics unit in Kingston, Derek’s journey was marked by his unwavering commitment to justice and protecting the vulnerable.
In a unique departure from our usual audio-only format, Episode 6 of Forensic Fix is a video podcast featuring host Adam Firman and special guest Derek Frawley. This adds an interesting element to the conversation, offering you a firsthand glimpse into the challenges, triumphs, and global nature of digital forensics.
The pair delved deep into the challenges faced by forensic investigators in the ever-evolving landscape of digital forensics. Derek Frawley shed light on the mounting complexity of mobile forensics, emphasizing the unique obstacles presented by encryption.
Their discussion also underscored the critical importance of collaboration and knowledge-sharing among forensic practitioners and the need for people in the field to cultivate a strong network in order to overcome the challenges that often arise in the DFIR world.
Joining the podcast is Derek Frawley, a former police officer whose law enforcement career spanned almost three decades. From his involvement in high-profile cases to his unwavering commitment to safeguarding children from online exploitation, this episode offers a unique insight into the challenges and successes of a dedicated officer.
[1:12] I started policing in 1995 in Peterborough, Ontario. Then in 1999, I moved to Kingston, Ontario, where I was on the road. In 2009, Kingston received a grant to be able to create their e-crime unit, and I was selected to be the member to do that. As I was being trained up, there’s actually two very large cases that were waiting for me when I started. There was the Shafia homicide in Kingston, which was a quadruple honor-killing homicide. That was my very first case. No pressure. And then after that, there was Operation Delego, which was at that time probably the largest seizure of child exploitation material in Canada. And it just so happened that the servers were located in Kingston. And then in 2014, I became a member of the Provincial Strategy in Ontario, and that’s for the protection of child exploitation online. And I did that right till I finished my career in January of 2023.
Inside the Life of a Forensic Investigator
The former detective constable shared his firsthand experience as the sole member of his forensic investigations team from 2009 to 2014. He highlights the changing dynamics of his work, from a continuous build-up of cases to a more planned and scripted approach. Despite the demanding nature of the job, Derek found deep fulfillment in knowing that his work directly contributed to saving lives – it doesn’t get more meaningful than this.
[02:58] Well, obviously it changed, but I was the sole person (in my team) from 2009 to 2014. You know, I’d come in from my office and see if there’s anything waiting, whether or not people are going to write warrants. So then the work just kept building up and building up, and then there’d be a big rush. But the normal day was, you know, it was a lot of time in the office, in the lab, whether it was taking computers apart, taking cell phones apart, doing the extractions that we could do. And then when 2014 came along, it was a little more: my day was more scripted; I knew something was going to be waiting. We knew we would plan warrants a week or two in advance, get everything set up. And it was very, it was the worst type of work you can do, but it was also the most rewarding. That type of work is rewarding because you’ve saved somebody.
Building Bridges in Digital Forensics: On the Importance of Collaboration
There’s an inherent collaborative nature to the field of digital forensics, as Derek Frawley mentioned. Within law enforcement and the realm of digital investigations, professionals have the ability to reach out to their counterparts for support and guidance. Networking and forging connections create a web of trusted relationships. In this mutually supportive environment, professionals rely on one another’s expertise, paying it forward by sharing their own knowledge and experiences.
[04:43] It’s the industry and, you know, in law enforcement and this whole digital forensic thing, you could reach out to anybody. And once you made your contacts, you made your friends, whether it be from conferences or whatever, you could always call on them and say, hey, this is something new. How are you guys approaching it? So, you know, it’s a lot of leaning on other people. And then you pay back the same way.
From Hurdles to Breakthroughs: The Constant Struggle of Digital Forensics in the Age of Encryption
Derek Frawley talks about what he considers the biggest challenge in the digital forensics field: encryption, which keeps evolving and makes devices increasingly difficult to access. However, he emphasizes the power of collaboration and knowledge-sharing in conquering these obstacles and driving progress in the field.
[05:47] Whether it be computers or phones, obviously the biggest challenge has been the move towards encryption and making it in. Everything’s getting harder to get into. And thank God it hasn’t taken the turn of what we thought would happen years ago. As soon as everything was encrypted, we thought then: We’ve lost everything. I’ve been very lucky with being able to bypass over the years some encryption. And once again, it’s just reaching out and leaning on everybody.
So, you know, it’s getting into devices. That’s really the biggest hurdle. But we make steps forward. Even though we fall back, we can get back on the horse again.
The Mounting Complexity of Mobile Forensics: On phones being more challenging
Each phone presents unique obstacles and acquiring evidence becomes more complex with the constant evolution of new devices and acquisition methods.
[07:53] That’s the thing. If there was no encryption on a computer… I mean, every computer, whether it was an SSD drive or an NVME drive or an old spinning drive, you’re pretty well going to get the information. You were your own roadblock as to what you could process. But phones are obviously different. Every phone’s different. And next week, there’ll be a new phone that looks the same, but has a totally different way of acquiring the evidence. […] Now, when it comes to computers, it seems you don’t get as many bad hard drives or things that are not working. It seems you pretty well can get an acquisition, even if the drive’s ready to not be used. You still get the information. But yeah, things are obviously harder with phones.
Insights and Advice for Newcomers to the Digital Forensics Industry
Derek’s advice is to prioritize learning the trade thoroughly, establishing a solid foundation of understanding and skills. The importance of this groundwork cannot be overstated: it directly impacts one’s ability to testify confidently in court, highlighting the value of continuous learning and expertise in the field.
[13:55] The main thing is, I would say, don’t try to take the easy way out on things. I find the industry is sort of heading a little bit towards ‘push button forensics.’ Learn your trade or what you need to know first and then make it easier by the push button. The biggest thing is having a solid foundation and understanding what you’re doing and how you’re doing it. Because whether or not people like it, you will be put on the stand. And that’s when it all comes out. It’s like: Oh, geez, I wish I had have done more learning on what I’m talking about. [15:46] Nobody knows everything. So also don’t be afraid to reach out to people that can maybe help you understand that new thing under the hood that you’re being presented with. I would just say having a solid base knowledge helps.
Regarding using the power of the Cloud to do your job as a forensic practitioner
[18:50] That obviously really helps. If you talk about Amazon services, you could potentially harness the power to help get around encryption or crack a password or something like that. The problem I find with it coming from a smaller force is that right now it’s kind of unattainable cost-wise. But it’s definitely the potential is out there. And I think in the future, the more players that are in it, the more competitive and the better it’ll be. A better product and a more affordable price.
Thank you for joining us on the sixth episode of Forensic Fix.