Digital Forensic Ninjas Shouldn’t Fear Nintendo Forensics: A Closer Look at the Present & Future of the DFIR Field with Andrew Lister
A successful career in digital forensics, an impressive background in the military, and an incessant drive to see the field advancing and digital investigations improving. Put those three together and you have a unique perspective on the DFIR industry – from its current challenges to future opportunities.
Which brings us to the second episode of Forensic Fix.
Where do computer forensics and mobile forensics intertwine and how can they work together for the benefit of the end user? How can freeing up time for the highly qualified experts working in forensic labs streamline investigations and help solve more crimes? In an industry that develops at the speed of light, it’s crucial to drive innovation, develop solutions and form partnerships that ensure digital investigators can keep up with the tsunami of data, devices, encryption, and technological advancements.
In this episode, Adam Firman is joined by Andrew Lister, Managing Director of Detego Global. Detego is a leading UK company that offers digital forensics, case management, and endpoint monitoring solutions trusted by the military, law enforcement teams, and intelligence agencies around the world.
Andrew Lister is an ex-Royal Marine and ex-UK Special Forces team leader who has amassed over a decade's worth of experience in the corporate space. At Detego, Andrew leads his team in providing critical technology that is paramount for countering terrorism, child abuse, narcotics, human trafficking, blackmail, war crimes, gang crime, and much more.
In an insightful conversation, the pair cover everything from Andy's extensive military career and his transition into the digital forensic world to his thoughts on the challenges and opportunities of the industry. They also touch upon some of the best practices for frontline personnel as well as lab-based forensic experts, exciting new partnerships, and advice for up-and-coming DFIR practitioners.
There was also talk of ninjas, Nintendo, slight coffee addictions, fantasy novels, and a whole lot of words of wisdom.
It’s definitely a podcast that’s got it all! Give it a listen.
- How a military background opened the path for a career in Digital Forensics
- Making sure forensic investigators have access to all the tools they need
- The tsunami of challenges facing the industry today
- The need to have an intelligently led triage methodology
- The importance of selective extractions for victims already undergoing an emotional overload
- The potential of combining Selective Extraction with the “Get Everything” mentality
- The interconnectedness of computer forensics and mobile forensics
- Freeing up time for Forensic Experts to focus on complex tasks by delegating parts of the forensic process
- Interoperability between field and lab
- Advice for people who want to make their way into DFIR careers
- Mental health considerations and strategies to ‘switch off’ at the end of the working day.
On Andrew Lister’s Military Career: From the Royal Marines to the UK Special Forces and Beyond
With almost two decades of military experience and over eight years in the corporate digital forensics space, Andrew Lister is uniquely positioned to discuss all things DFIR and the intersection between military careers, forensics, and best practices for digital investigations.
If you ask the Paras to take a hill, they could take it in two days. If you ask the Marines, they’ll take it in seven.
01:37 I started in the Royal Marines at eighteen. I chose the Royal Marines because I thought it was the thinking man's soldier. Back then I was looking at elite forces and thinking what could I go into that took a lot of effort? And it was Paras or Marines – that was the typical sort of split. […] I leant towards the Marines. I got told by a Marine that if you ask the Paras to take a hill, they could take it in two days. You ask the Marines, they'll take it in seven. They will take the riskier option. We'll take the time, we'll think about it. So it was that kind of general thinking that led me to the Corps, apart from the fact that my brother was serving as well, so that probably had a little bit of an influence.
I had a blessed time there. I went to reconnaissance troop a couple of years after getting in. That's all the surveillance and counter-surveillance. Then, J Company as a Junior Commander. And then 2005 was the key demarcation line into UK Special Forces. I joined the SBS, the equivalent of, I guess, SEAL Team Six. […] Joined M Squadron and went through the black role. That's the counter-terrorism role, domestic and abroad. Then into the more conventional roles, deployment across my career from Northern Ireland, Colombia, Afghanistan.
And then Digital Forensics got in the mix
3:33 And then, where do we really get into digital forensics? I became the subject matter expert in the Joint Effort. So that was where we kind of decided as a group. We saw the way technology was going. […] 4:11 The workload had gone up for everybody, so we needed organic capability to be able to do a lot of this kind of stuff ourselves, and at the end of the day […] gone are the days where you're in through the windows. You are a super professional, effective individual that can do difficult things when they're needed. But it's the learning curve and skill set. Now that is one of the biggest pieces for the groups, and to that we added in digital forensics.
Where digital forensics meets military practice
05:18 So we created this course that includes management, collection of evidence, the photographing, the fingerprints, both visible and non-visible, taking usable prints of suspects, matching those in an extremely fast time using various methods including satellite communication and other sensitive pieces, DNA collection, matching, evidential and technical collection, and what's called DOMEX, MEDEX, CELLEX – anything with an "x" on the end, in the military world, for document exploitation, media exploitation, material and personnel. That kind of systematic collection of processes in the dissemination of intelligence that we might get through debriefings, but also interrogation. And then combine all that together: how do we use that live time there and then to affect the ground commander's decision on the ground? […] But the critical piece, the gap that was missing was: What are we missing right now?
On giving investigators access to whatever tools they need in order to conduct their investigations
07:45 This is part of our mantra as a company. It's not dictating to any one particular group how you must do forensics. It's about giving you all the options in your toolbox with Detego and the likes of MSAB, to say: "Hey, I'm a frontline operator who needs information right now because it's critically important trying to find a hostage and I don't know how much time that is" or from the police point of view: "I'm interviewing or I'm pulling data from a potential pedophile's handset or computer. There's still that time-risk analysis of 'the longer it takes to find that piece of evidence, and if they are guilty, they could be out there doing more damage to more children, or you've got more victims running around.'" What we were very conscious of is not upsetting other agencies as well. We don't want to take away what you're doing. So, we're still going to send everything back to you. But that normal gap that we'd normally have, like flights into other countries – we can utilize that time effectively and professionally now to find evidence or intelligence, or intelligence that becomes evidence.
On the switch from a military career to a career in digital forensics
9:14 I’ve been using Detego and other tools, in fact MSAB as well. […] But as I was going through my career, I got badly blown up on an operation. Sadly, I lost a friend on that job as well. It was an unusual hit for the UK SF. […] 10:44 At that point I got blown up and that kind of took me out of the game. Twenty-four operations to fix me. Thank you, NHS. I’ve always got to put a shout-out because they were unbelievably phenomenal. My group was phenomenal looking after me. But as I had some of these skill sets and I’ve been using Detego and other technologies down range, it seemed a really easy and natural step.
On the biggest challenges facing the industry today
14:34 There's just so many, aren't there? Too many devices, too much data, encryption, training, skill, training burden, all those pieces all add up to make a tsunami of issues for police, military, digital investigators, that kind of stuff.
Read more about why investing in training is of utmost relevance for digital forensic investigators.
I think one of the big issues that I’ve seen a lot – and it does feel like it’s getting better – are things like outdated policy. So, quite often groups and big organizations are trying to play catch up with technology that moves at a synaptic level and they’re struggling to do that. So, you kind of find that there’s a lot of investigators that may be hamstrung by some of that.
On flexibility in the investigative process and having an intelligently-led triage methodology
17:12 I listened to the podcast from Jason Cullum the other day when I was driving back. I liked the piece in there about flexibility: you've got to triage; you've got to have flexibility. If you went into a home, there would be twenty devices and you know most of them are somewhere from half a terabyte to a terabyte in size. How on earth are you going to look at every bit and byte of data on every single one of those?
Check out the first episode of Forensic Fix with Jason Cullum.
You have to have a kind of intelligently led triage methodology of doing that. Whether that's by time, like he [Jason] was mentioning – go between these two dates – but not being so rigid in that that, if you see something within one of the messages that relates to the month before or has an indication towards that, you can't then expand that out. If they don't have the flexibility, you're just putting handcuffs on your investigators, and that's not good for anybody.
Multi-tool, multi-purpose approach
21:16 I think there's a combination here [file selection vs. taking everything]. If you look at it purely from one user's perspective, then yes, that is exactly right. But looking at massive user groups out there, from corporate to military to other government departments, leads to different areas of police that need to do different things. […] 21:45 I think it's important to have that multi-tool, multi-purpose effect in your approach and in what you're capable of doing – while being cognizant of people's personal protection, especially around rape and serious sexual offenses, and so on.
Victims go through massive emotional overload, and you don’t want to add on
22:12 I sat in a talk with a survivor, and it was pretty eye opening, to be honest. More so not in the incident and what happened, but in her particular feelings and responses around what then happened with the police and her digital device and her internal feelings about that. She’s going: “Hang on a minute. I’m not sure if I’ve got something on there and I’ll make this up a little bit. Whereas my last boyfriend or I don’t think I paid my tax properly the other year and I think I messaged a mate going: I managed to get a grand off. I don’t want to submit this to the police now. But that means I’m not going to get justice for this horrendous incident that goes way beyond.” And it’s all those things battling within someone that’s under stress.
And add to that the time factor to get devices, do the analytics – it starts to make that person back off. And if you look at the percentages of crimes that go through from that, it is absolutely horrendous. So, ways to protect that, ways to be able to go specifically after data, hold the victim's and witnesses' hands and make sure that it's in layman's terms so you can understand what's going on, that you're not speaking in high tech to someone who's under stress and just nodding – that cognitive overload and the emotional overload is massive. So, all of us in this industry need to protect those individuals, but also encourage them to have the bravery to let you investigate that device and pull it back. The more we can show that we're protecting their data, the better.
About combining the potential of Selective Extraction and Getting Everything
24:00 The gold standard is: get everything. And what I think has changed over the years, triage is obviously massive, super effective. But you can kind of combine their potential: Have protective data extraction of all of the information, but it’s encrypted and untouched by anybody, not accessible by the police or anybody else. But the victim has that securely held, maybe by a third party. And then the triage is done there and then to get the pieces. Things can evolve over the next few months. New information comes. They’d broken the phone. Now they’ve lost their device. They’ve been mugged, whatever has been going on, and all the other evidence that is now really critical to that case is gone. But I’ve got an encrypted image back up, and with the request of that individual we can come back in and re-select the data that is now relevant. But no one is looking elsewhere, and no one’s gone elsewhere.
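The two ideas above – a full, protectively encrypted extraction that nobody browses, and a triage scope that can be widened later when a message points to an earlier date – fit together as a small custody workflow. The following is an added illustration written for this summary; it is not Detego's, MSAB's or the podcast guest's code, and every record in it is constructed sample data. It assumes the victim (or a third-party custodian) holds the key and that each widening of scope is a fresh consent decision, so the investigator only ever receives the selected records plus a hash manifest of what was released. The cipher is a standard-library HMAC-SHA256 keystream used only to keep the demo dependency-free; a real deployment would use a vetted authenticated cipher.

```python
"""Protective full extraction with consent-gated selective release.

Added illustration only (not code from Detego, MSAB or the podcast).
All records below are constructed sample data.  The keystream construction
(HMAC-SHA256 in counter mode) is a stand-in so the example runs with the
standard library; a real system would use a vetted AEAD cipher.
"""
import hashlib
import hmac
import json
import os
from datetime import date

# Constructed sample extraction: five messages across three months.
SAMPLE_RECORDS = [
    {"id": 1, "date": "2023-02-14", "contact": "A", "text": "sample message from the month before"},
    {"id": 2, "date": "2023-03-02", "contact": "A", "text": "sample message referring back to February"},
    {"id": 3, "date": "2023-03-10", "contact": "B", "text": "unrelated sample message"},
    {"id": 4, "date": "2023-03-20", "contact": "A", "text": "sample message"},
    {"id": 5, "date": "2023-04-01", "contact": "C", "text": "sample message outside any scope"},
]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 keystream (demo stand-in for a real cipher)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        pad = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


def seal_extraction(records: list, key: bytes) -> dict:
    """Encrypt the full extraction; the holder of `key` controls all access."""
    plaintext = json.dumps(records, sort_keys=True).encode()
    nonce = os.urandom(16)
    ciphertext = keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).hexdigest()
    return {
        "nonce": nonce.hex(),
        "ciphertext": ciphertext.hex(),
        "tag": tag,                      # integrity of the sealed image
        "sha256_plain": hashlib.sha256(plaintext).hexdigest(),  # proves it was untouched
    }


def open_extraction(sealed: dict, key: bytes) -> list:
    """Verify the tag before decrypting; wrong key or tampering is refused."""
    nonce = bytes.fromhex(sealed["nonce"])
    ciphertext = bytes.fromhex(sealed["ciphertext"])
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        raise ValueError("sealed image failed integrity check (wrong key or modified)")
    return json.loads(keystream_xor(key, nonce, ciphertext))


def selective_release(sealed: dict, key: bytes, consent: dict):
    """Release only the records inside the consented scope, plus a hash manifest.

    consent = {"start": "YYYY-MM-DD", "end": "YYYY-MM-DD", "contacts": [...] or None}
    """
    records = open_extraction(sealed, key)
    start = date.fromisoformat(consent["start"])
    end = date.fromisoformat(consent["end"])
    contacts = consent.get("contacts")
    chosen = [
        r for r in records
        if start <= date.fromisoformat(r["date"]) <= end
        and (contacts is None or r["contact"] in contacts)
    ]
    manifest = {
        "scope": consent,
        "count": len(chosen),
        "items": [hashlib.sha256(json.dumps(r, sort_keys=True).encode()).hexdigest() for r in chosen],
    }
    return chosen, manifest


if __name__ == "__main__":
    victim_key = os.urandom(32)                 # held by the victim / custodian, not the investigator
    image = seal_extraction(SAMPLE_RECORDS, victim_key)
    # First request: March only, one contact.
    first, m1 = selective_release(image, victim_key, {"start": "2023-03-01", "end": "2023-03-31", "contacts": ["A"]})
    print("first release ids:", [r["id"] for r in first], "manifest count:", m1["count"])
    # A released message refers back to February, so the scope is widened with fresh consent.
    second, m2 = selective_release(image, victim_key, {"start": "2023-02-01", "end": "2023-03-31", "contacts": ["A"]})
    print("widened release ids:", [r["id"] for r in second], "manifest count:", m2["count"])
```

The point of the manifest is auditability: the investigator can later show exactly which records came out of the sealed image under which scope, while the custodian can prove from `sha256_plain` that the image itself was never altered.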
On the interconnectedness of computer forensics and mobile forensics
The fields of computer forensics and mobile forensics are very closely connected. They share a similar intent: in both cases investigators attempt to accurately capture and analyze data from a digital device. And more often than not, digital investigators will have to deal with both.
Necessity is the mother of invention
26:17 We actually all met up many, many years ago, and we thought we saw the way that the client base and the market was going, and how we could maybe come together to give this all-in-one, best-in-breed effect: best of computer, best of phones, best for the end users. It wasn't the time. The industry wasn't ready for it. And necessity is the mother of invention, and I think just the sheer number of devices, the number of individuals we talked to that were computer specialists, and now, all of a sudden, the boss is saying: "Hang on a minute. You also now need to do the phones" or "I do the phones, and I've had five computers this week. What do I do with them? It's all similar, but I'm not comfortable or confident, or I don't have the technology."
DO MORE WITH LESS: On partnerships that make life and work easier and more efficient for the end user, be it law enforcement, forensic investigators, and so on.
26:42 So that's where this combination is perfect. I think also as groups we work really well together. We go over and above all the time at Detego for our end users. We listen all the time, we change pieces of our technology. You guys have that same feel. So, that synergy for the end users – we're taking that to a whole other level because it's an agreed partnership between us. What that means is our technology individuals can share information and data quickly. So now in Detego, there's an MSAB button where we can import your extractions into Detego. We can utilize some of our analytics and other pieces inside MSAB. In your next version, you're going to have an import button for our pieces. So do the fast imaging with us – all these kinds of bits.
Don’t waste the talents of Digital Forensic Ninjas
31:43 Another thing that I find really frustrating is people who stagnate in the industry. Sometimes, it's not their fault. They've been in digital forensics for so long, and maybe they've been beaten down by the amount of work they have to do.
But then, I have also bumped into people who have been in digital forensics for 25 years; they’re digital forensics ninjas, they are experts, they walk in, and the room heats up because of their IQ. And they’re imaging stuff. That’s their day job. And in my head, I’m exploding. We could train the juniors. Get the juniors in. Get them doing the imaging. Get them doing the small parts. Free you up for all the good stuff.
Automated Forensics Solutions are NOT a threat.
“Nintendo Forensics” will not take away the jobs of forensic experts. It frees up time for them to focus on the skills and knowledge that are not accessible by pressing one button.
33:28 It's almost like: let's be cynical. I can go to a digital forensics specialist in a lab, and I see technology that – let's call it Nintendo forensics, PlayStation forensics, Xbox forensics – you press the button, and off you go, and it will do a lot of that heavy lifting for you. And you think: Well, hang on. That's not great. In that cynical side, you're thinking: "It took me twenty years to learn how to do some of those bits. That's going to take my job." Wrong answer.
Because most [investigators] are sat there with backlogs of hundreds, if not thousands of devices across multiple forces. And this isn’t just the police. This is all sorts of different groups out there.
Even if those processes that we can help with do the vast majority of the work really well for you, there’s still going to be an overwhelming tide of ones that need that expert attention, processes that need that knowledge, that experience that you just can’t teach. All it would do is reduce the other stress on you where you’re looking at pieces and you’re maybe feeling guilty because you’re thinking: I’m not getting to serve justice or protect those children quicker.
Triage intelligently: going after the data in a smart and efficient manner can save more lives
34:40 Because that’s the other argument. I’ve had this before. It’s an older argument now. People go: But if I triage, I’m going to miss something. Of course, there’s always the chance of you missing something. But it’s about trying to be intelligent and smart about how do I go after the data with the knowledge I have right now in the best manner that I can. As I find new knowledge, I go after new data rather than going on a fishing trip and looking for something and hoping that it pops up. Because the whole time you’re doing that – if that’s your argument – you’ve now got ten devices, 20, 30, 40 building up, and within those devices there’s a terrorist plot. Within those devices there’s a kid being abused, or there’s now another child being beaten. All those kinds of things. How do you weigh that? It’s really difficult. And that’s why things are progressing how they are. It’s not taking one from the other. It’s finding ways to do that and freeing up time.
On the interoperability between lab and frontline and freeing up time for complex tasks
35:35 Like going in and triaging as a frontline individual. You start looking at a device. You know you've got no chance. You're not going to spend all your time on that device. You're going to bag that up. You're gonna mark it. You're going to send it back to the lab, if there's reason for you to do so, for them to work on the hard piece. You're there, and you open a drawer and there's loads of thumb sticks, and you're thinking: Hey, great! I can just look across this data really easy. I've got automated processes to search for pedophile keywords, and CAID and Project VIC hash data sets. You know, the lab individual shouldn't be going: "Oh, I want all those devices." You're already drowning in devices! We're just trying to help.
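The frontline step described here – hashing whatever is on a drawer full of thumb sticks against a known-hash set and deciding per device whether it goes to the lab – looks like the following. This is an added example for this summary, not the podcast's, Detego's or MSAB's code, and it deliberately does not ship any real CAID or Project VIC data: those sets are controlled, so the "known" set is built from a constructed sample file at run time. It assumes the hash set arrives as `algo:hex` lines (one common interchange form; treat that format as an assumption) and that a single match is enough to bag the device.

```python
"""Hash-set triage of loose media for a frontline examiner.

Added illustration only (not code from the podcast, Detego or MSAB).
The "known" hash set here is constructed from sample files created in a
temporary directory; real CAID / Project VIC sets are controlled data and
are never embedded.  Input format "algo:hex" per line is an assumption.
"""
import hashlib
import tempfile
from pathlib import Path

HASH_ALGOS = ("md5", "sha1", "sha256")   # the digests typical hash sets are keyed on


def hash_file(path: Path, chunk: int = 1 << 20) -> dict:
    """Stream a file once and return all three digests (no full read into memory)."""
    hashers = {a: hashlib.new(a) for a in HASH_ALGOS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def load_hash_set(lines) -> dict:
    """Parse 'algo:hex' lines into per-algorithm sets; '#' starts a comment."""
    known = {a: set() for a in HASH_ALGOS}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        algo, _, digest = line.partition(":")
        algo = algo.lower()
        if algo in known and digest:
            known[algo].add(digest.lower())
    return known


def triage_device(root: Path, known: dict, threshold: int = 1) -> dict:
    """Hash every file under `root`, record matches, and return a handoff decision."""
    hits, scanned = [], 0
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        scanned += 1
        digests = hash_file(p)
        for algo in HASH_ALGOS:
            if digests[algo] in known[algo]:
                hits.append({"path": str(p.relative_to(root)), "algo": algo, "digest": digests[algo]})
                break
    action = "bag, mark and send to lab" if len(hits) >= threshold else "no known-hash matches; record and move on"
    return {"device": str(root), "scanned": scanned, "hits": hits, "action": action}


def build_demo() -> list:
    """Create two constructed 'thumb sticks' and triage them against a constructed hash set."""
    base = Path(tempfile.mkdtemp(prefix="triage_demo_"))
    stick_a, stick_b = base / "stick_a", base / "stick_b"
    (stick_a / "photos").mkdir(parents=True)
    stick_b.mkdir()
    flagged = stick_a / "photos" / "img001.bin"
    flagged.write_bytes(b"constructed sample content standing in for a known file")
    (stick_a / "notes.txt").write_text("constructed benign text")
    (stick_b / "holiday.bin").write_bytes(b"constructed benign content")
    known = load_hash_set([
        "# constructed demo hash set; NOT CAID or Project VIC data",
        "sha256:" + hashlib.sha256(flagged.read_bytes()).hexdigest(),
        "md5:" + "0" * 32,   # placeholder entry that matches nothing
    ])
    return [triage_device(stick_a, known), triage_device(stick_b, known)]


if __name__ == "__main__":
    for report in build_demo():
        print(report["device"], "scanned", report["scanned"], "hits", len(report["hits"]), "->", report["action"])
```

Hashing all three digests in one pass matters on the frontline: the device is read once, whichever algorithm a given hash set happens to use, and the per-device report (paths, algorithm, digest, decision) is exactly what the lab needs to see without having to re-image the media themselves.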
Advice for newcomers to the industry
Going after a career in digital forensics can be quite overwhelming. Getting some advice from one of the industry's best will make things easier. Here are some tips that Andy Lister has for aspiring digital forensic investigators, analysts, examiners, or anyone else interested in breaking their way into the DFIR world.
Pick the route that works best for you
36:35 It depends what route you take to this career. So, instantly when you say that everybody thinks: brand new person going to university or college. Absolutely, if you know from day one that you’re technical, and you’re interested, go along that route.
But there’s other routes. Like Jason [Jason Cullum, guest on episode 1], there’s self-teaching on all the pieces to build up, and then qualifying and doing more.
Learn more about the route Jason Cullum took to becoming a Digital Media Investigator.
Reach out to organizations in the industry
If you're lucky enough, reach out to organizations like MSAB, like myself, like other users in the industry that generally want to help people. And you can't always do it for everybody. But the door swings both ways. If you show drive, passion, you can teach them the rest. The ability, and the drive, and the passion is the hard piece to find. So, find a passion, not a job. That makes everything significantly easier. When it's a bit hard, the job is easier because you've got that passion for it.
Find a mentor
37:33 Find a mentor if you can. If you’re lucky enough to get a mentor to get into the group. Where we benefit massively in Detego: we select from police from law enforcement, other government departments, commercial, corporate, all those kinds of pieces, so that we can put everybody in a melting pot, come up with some great ideas and have that kind of mixed experience. And that’s all levels of experience.
Believe in yourself
37:55 So, you might be sitting there right now and you’re in a role where you’ve got a little bit of digital forensics knowledge and you’re thinking: How can I get into this?
You’ve got unique experience from organizations that you’re in. There’s always bigger fish in the sea. There’s always someone smarter, someone brighter. But you don’t know more than I do in that particular field that needs digital forensics. For somewhere that needs digital forensic right now – you’ve seen it. You can be bridging that divide. But you’ve got to approach companies. You’ve got to do that.
On how to switch off and take care of your mental health
39:28 I also love just sitting down in a room with a massive TV and a tsunami-creating surround sound. Switch off. Turn a movie on, crank up the volume. Lock my brain out because it runs a million miles an hour.
What I’ve also found great is if I’m driving somewhere, I normally try and catch up on calls, but then I’ll put a podcast on or I’ll put an audio book on. I’ll normally alternate between something that I feel is helping me grow, and all that good stuff and what I call junk food for the brain. I put on my kind of fighting fantasy, David Gemmell, tainted warrior kind of fantasy novels and stuff like that. And if I can’t switch my head off at night, I quite often just put an earbud in with just an audio book on low, and, before you know it, I’m asleep. And it’s not because the book is boring, but because I’ve listened to it. It’s taking my focus away.
I tend to find I don’t break away fully [from the stresses of the job] and that is a problem sometimes for people working from home a lot or hybrid. You sit there with your computer on the lap, and you’re having dinner and you’re going: Oh, I’m on the phone doing my work. That is difficult and you’ve got to find ways around it. Things like getting out with the dog occasionally is pretty good. I need to get back into my fitness, so going to the gym, training. That waxes and wanes depending on how busy you are and how many fires there are to put out.
Last notes from Andrew Lister:
Genuinely, thanks to everybody out there who works in this industry, be it police, be it government, other departments, military, the intelligence groups, even the corporate people. It is sometimes a thankless role. Thanks for your service, and if we can help you, reach out.