Training, Digital Strategies, and … Onions? Unveiling the World of Digital Forensics with Jason Cullum
In today’s day and age, digital investigations are no longer an outlier. Since people everywhere in the world are carrying and using all sorts of mobile digital devices all the time, digital investigations are steadily becoming the norm. But how do you achieve successful digital investigations? What importance do training and education hold for digital forensic investigators and law enforcement? What role does mental health play in all of it?
In this episode, Adam Firman is joined by Jason Cullum, Detective Sgt in the Digital Forensics Unit and digital media investigator with Northamptonshire Police in the UK, to discuss current trends in the mobile forensics industry and how to ensure successful digital investigations in this ever-evolving field.
With over 14 years’ worth of experience in law enforcement and digital investigations, Jason Cullum is an expert on all things mobile forensics. No wonder he was nicknamed the “Phone Man” in Northamptonshire Police circles.
Jason started his career in law enforcement as an Emergency Response officer. Soon after, he realized the importance and reach of mobile phone extractions as part of the investigation team covering pedophile online investigations. Once he “fell in love” with mobile phone extractions, and after realizing the scarcity of training opportunities in the field, he taught himself phone extraction work as an investigator. Now, Jason advocates for the importance of training in digital forensics and the need to address mental health issues among digital investigators and law enforcement in general. He’s equally passionate about designing effective digital strategies that allow digital forensics practitioners to make the most out of their investigations.
In this episode, Jason also shares insightful advice for law enforcement officers and digital investigators. Drawing from his own extensive experience in the mobile forensics space, he talks about how training is key to successful investigations and shares practical advice on issues ranging from defining a digital strategy to keeping a fluid timeline and conducting multiple phone extractions at a time.
- The importance of training in digital forensics
- Mental health concerns and advice for people working with digital forensics
- The need to plan your phone extractions
- Keyword searches
- Fluid timelines
- The importance and benefits of conducting multiple phone extractions at a time
- Selective extractions and the right to privacy
- Attribution concerns
- Keeping it simple when presenting your evidence in court
- Why it’s imperative for digital forensic investigators to remain impartial
Mobile forensics tools, as crucial as they are for your digital investigations, don’t replace the need to be a detective. They complement it.
Even with access to the most cutting-edge mobile forensics tools, you still need to do the investigation at hand. Tools don’t take the investigation away; they just enhance it. As Adam insightfully shared: you can learn how to use the tool, but you still need to apply the basics of being a detective. It’s paramount for digital forensic investigators to do their investigative due diligence when working on a case. Jason approaches every phone investigation almost like an interview.
Conducting a phone investigation is much like interviewing
06:00 I think a lot of the times, especially officers that start looking at phone extractions for the first time, that they don’t really plan what they’re going to be doing with a phone extraction. So, I always say this is like interviewing. You wouldn’t go into an interview and just start asking random questions. You would plan for it. And I would always plan my strategy of what I was going to look at in that phone extraction and why. I would take into account things like: what was said on interview, what nicknames have they got, what their date of birth is, what their telephone numbers are, because they are all relevant material. You can then follow your CPIA rules and follow a reasonable line of inquiry. And then it’s not some fishing trip where you’re just basically randomly looking at things and it’s not relevant to the case.
Keep fluid timelines and let your data findings dictate your time parameters
07:07 I think naturally in the policing service, we’re scared to stick to a time parameter [when conducting a phone investigation]. I always talk about the fluid timeline. Because, for example, if I said, I’m only going to look at material between the 1st of February onwards, but on the 2nd of February, I find a message that’s relevant, I’d sometimes need to follow it back before the 1st of February, since the content might be completely different to what that message actually means.
On the challenges of using keyword searches in your digital investigations and how to overcome them
08:36 I know it’s highly regarded now that we can’t go through every single message, and sometimes we have to use some form of word searches. But it does come with challenges. For example, people don’t use the word knife in a drug dealing world as such, really. And sometimes if you use the word knife, you’ll completely miss the context with it. Or depending on where you live or work, the use of drug lingo differs. So, I sometimes will read the context of the messages to start with, to understand what words they are using. And then sometimes I have to tweak my word list to tailor what the actual person is using. Because if I was to use a phone extraction from London, it would be completely different to someone in, say Scotland, where the terminology is completely different.
Conducting multiple phone extractions at the same time should be the norm for digital forensics investigators
11:28 My very first case was 90 phones seized and I had to investigate all of them. And this is when I initially came across this ludicrous idea that you have to look at one phone at a time. And I wanted tools that allowed me to look at multiple phones at the same time or import call data, as well. So, I did find it frustrating. And I’ve since been to other forces. I went to Hampshire, and I spoke to some person who was doing phone extraction reviews. He’d done 300 phones for the same case. And I said to him: What sort of training or tools do you use? He said: I just use a basic reader. I review one phone at a time, and I’ve had no training. And I really struggle with that.
Don’t let this be the case in your organization. With XRY, you can extract data from multiple phones at a time, leading to faster and more efficient investigations.
Preparing your evidence and keeping things clear and simple
14:04 I will always write what I call a digital strategy. And I will talk about what the case is, who’s involved in that case, and what my strategy is. If I intend to look at material between a certain time parameter. If I intend to use a word list of importing that into a phone extraction for a wild card search. And what I’m intending to do really. But I think that with digital forensics, we tend to overcomplicate it. At the end of the day, wherever you are there, the decision is made by the jury. And I think sometimes we can overcomplicate it for them. I prefer sometimes just to take pictures of what I’m seeing, and basically indicate to someone reading my report, what this could relate to in terms of my strategy and apply it to my strategy. […] 15:12 I’ve always tended to do reports which are more visual than they are by written word. My job is to present evidence to a layman to understand what I’m seeing. […] 16:08 I keep it really, really simple. I sometimes will put what time I started my report. CPS wants to know: is it a logical or is it a physical extraction? They want to know what kind of extraction have you obtained? Is there a less intrusive way to obtain the data? And obviously now with changing legislation in the UK as well, sometimes we’ve got to try and get it in the most minimalistic way that we can, protecting people’s rights to privacy. But it’s just about, can you keep it simple and not go too far advanced really and have a named search of what you’re going for.
Attribution in digital investigations
25:27 Attribution is a massive subject for us. Sometimes even if you’ve got pictures on a phone, which is looking at drug dealing, that doesn’t necessarily mean that they’re a drug dealer. And sometimes you have to do some work to prove who was using that phone at the time. And that can be a challenge, especially if it’s a phone that’s been found in a car, because then your attribution is a little bit more difficult. But if you’ve got a pin on the phone, and it’s in their pocket, that’s a lot better for you. Again, it comes down to a good interview. Have you asked that suspect? Have you asked them if anyone else is with them? If they’re going to give you that defense, get it from them.
Training – or rather lack thereof – is one of the biggest challenges of law enforcement at the moment:
27:53 Every year, as a police officer, you will do refresher training of your Officer Safety Training. But we don’t do ongoing training as a refresher for digital investigations. And that is almost more relevant now for investigators than doing officer safety training is. It’s difficult for forces to be able to constantly keep training everyone. There comes a limit: How much training can you give? I know that sometimes, I train officers to use phone extraction software. And they probably won’t look at a phone for six months. And then all of a sudden, they’ll have forgotten everything I’ve shown them. And that’s a difficulty with being a police officer to have that ability to do that, as well.
We all want data from phones downloaded fast. But what happens after you’ve extracted the data?
29:00 Basically at the moment, we’ve got this obsession – obsession is not the right word, but… – with getting a phone extracted within 24 hours or getting this or that material. But we don’t think about what happens when we’ve extracted the phone – what do we do with the data? That is the biggest problem we’ve got. And if you’ve got multiple devices, are you looking at them as a combined effort? Or are you looking at them individually? If you are, you’re going to be missing things. Because sometimes when you look at them as a caseload, you’ll see in a completely different world than what you would be if you’re individually going through one phone at a time, because you’ll miss connections. And I think that’s probably the biggest challenge that UK policing has got. 29:52 And the vast amounts of data, we’ve also got the challenges with encrypted messages. Again, it comes back to privacy. Everyone wants encrypted phones and secure phones, because we want to maintain our privacy. But from a policing point of view, they are your challenges as well.
Advice for people who just started their careers in the digital forensics world or are considering joining this profession
At the end of the day, the work you’ll be doing is going to be given to someone who’s got to make a decision that could affect the rest of someone’s life. That’s a really, really heavy weight to carry.
That’s why Jason advises all aspiring digital forensic investigators to:
Maintain their impartiality:
31:12 Maintain your impartiality because your job isn’t to be judge and jury. Your job is to be impartial and just present what that device, extraction, or computer has on it. If it supports what they’re trying to say, then do that and just try and remove the emotion from it. And I think, sometimes, we do get sucked into emotion because you see that this is a really tragic case, and you want them to be found guilty. As soon as you think: I want them to be found guilty, then you know that you’re not impartial. And it’s all about education. It’s such a big thing, really. So, it’s about sticking to your guns in terms of what you’re looking at and why you’re looking at it – and do you need to do it to start with? Just follow your relevant and appropriate strategy of what you’re going to be looking at.
Know their onions
32:00 And just remember that at the end of the day, you want to be giving that material in the easiest way to understand. We use a saying: know your onions. Digital forensics is always going to change. You’ve constantly got to be looking at what’s going on. You look in the news and there’ll be a new smartphone feature that’s coming out. It’s an ongoing profession where you’ve got to constantly keep aware of changes in the industry. Basically, it’s just a big investment, really, in terms of your career, in terms of education, whether you decide to go to university to learn or you want to learn on the job.
Don’t be afraid when you present your evidence in court. Just reveal in simple terms what the data is telling you.
33:13 This is one of the fears that a lot of police officers have. When I teach them, they say: I’m really worried that if I go in to be cross examined and they’ll ask me a question – a technical question – I don’t know what to say. What if they say: What does this file path mean and all that sort of stuff? I always give this example: sometimes we will have to go through people’s medical records, and we have to look through the medical records to see if there’s anything in there that would undermine or assist the defense. You’re reading all these medical jargon words and you don’t have a clue what they mean. Yet I’m still expected to disclose them. I basically say: all you’re doing is just revealing what you see. And with phone extractions or computers, you’re just revealing what you see. Sometimes you can’t answer the questions that they’re asking. You just say: “This is what it said. It could suggest this, or it could suggest this.” And it’s important not being scared to say: I can’t answer that question.
On mental health and the need to “switch off” once the working day is over
35:42 Mental health is a massive problem in digital forensics, and I think it’s quite right to highlight that in this podcast. I remember once upon a time, I literally lived opposite the police station so by the time I walked home, I hadn’t switched off. I eventually moved and my drive then became an hour drive which is brilliant because I then had that time to basically think about what I dealt with before I got home and then it was quite good then because I was able to shut off. If you’re going home and you’re talking about something on and on, then that has affected you. That’s something that you should recognize as a trigger: if I’m going home and I’m talking about this job and then I talk about this job again, you’ve got to accept this job has actually affected you and you’ve got to seek some form of support. […] 37:41 But understand that sometimes, you need to talk about what you’re going through. I think males in particular, we’re quite terrible at talking about how we feel. I don’t know why that is and there’s a stigmatism about being able to talk about how you feel. But there’s nothing wrong with it. If you’re going to be going into digital forensics, or even if you join the police service, you’re basically submerging yourself in trauma on a day-to-day basis. That is the crux of the matter. And you’ve just got to understand that everyone has their own threshold of what you can cope with. […] 39:05 There will always be risks around being in trauma. Every day you see trauma, you listen to trauma and your world becomes murky. You basically become mistrusting. I think one other risk is becoming desensitized. I remember in Polit, I was given an online team, I was given this job and they said to me, this is a really horrific case. I read the conversations and I thought: actually, this is quite mild. Then I realized I had become desensitized to what I was doing and nothing shocked me anymore. Sometimes that is a risk that you’ve got to be on the lookout for.
Thank you for joining us on the first episode of Forensic Fix.