Interview with Digital Forensics Expert Angus Marshall

What is your current job role and what does this typically involve?

I’m an independent forensic computing consultant. Some people would sum it up as “gun for hire”, but the reality is that I get involved in a range of casework for law enforcement, defence solicitors and many types of organisation. Most commonly, I get called in after the standard digital investigation work has been done, so computers & handsets have been imaged and data extracted, but someone is needed to provide expert testimony or to help interpret what’s been recovered. My background in Internet computing is proving more and more useful as most devices now contain data which relates to online activities and working out what’s happened at the other end of the connection is often more important than what’s been found.

Of course, I still get situations where I am, effectively, the first responder and have to do the data capture myself too. Fortunately, I have a good selection of tools and techniques available. My links to academia and DEVCE are a big help there too, as it means I’m able to keep abreast of new ideas.

I also advise on policy matters and help set standards through my membership of the BSI Information Security group and the Forensic Science Regulator’s working group on digital evidence, and am involved with the KTN’s Forensic Science Steering Group where we advise on research topics in Forensic Science.

How did you come to be involved in this area of work?

Largely by accident. I used to be a full-time academic at the Centre for Internet Computing. One of our servers was hacked and it fell to me to investigate it. I was persuaded to write that experience up and present it at a conference. One of the audience put me forward for inclusion on a national database of advisers for the police and a few weeks after that, I found myself helping with a missing persons case which turned out to be a pretty nasty murder. The evidence in that case involved working out a suspect’s normal pattern of activities and showing that the pattern broke on the day the murder happened, amongst other things.

What do you think are some of the most challenging aspects of your line of work?

Understanding what the real requirements are. Pretty much everyone uses a computer in some form these days so they tend to ask for specific things to be done, often what they think they’d do themselves, rather than asking for help to solve the real problems. My usual approach is to start with something like “OK, I can do that, but tell me why you think it needs to be done” and move on from there. We often end up doing something totally different which provides a much better answer to the question that needs to be addressed.

How has the field of digital forensics changed during the time you have been involved?

Handhelds have to be the answer to that. There’s been such an explosion in the adoption of smartphones and other personal technology. Everyone has at least one, and frequently several, devices which can tell us a lot about them and their behaviours. It means we have a lot more data to try to extract and process in the limited time available.

We aren’t seeing the predicted downturn in use of conventional computers, though – so we’re dealing with increased data storage on them, and more use of the “cloud” to share data between devices as well.

Has the field of digital forensics been affected by the major changes to forensic science services in the UK in recent years?

To be honest, the digital field was never as centralised as some of the disciplines were. Most, if not all, police forces had, and still have, their own labs, backed up by a few large private sector organisations and lots more smaller providers. What we are seeing is increased pressure due to falling budgets and increasing amounts of data. The other thing that’s causing problems is the regulatory framework. There’s an inherent resistance to taking on the perceived “extra work” required to achieve accreditation and if labs don’t act now they’re going to be in trouble. Having been close to the work, and editing a couple of related ISO standards, I know that it looks bad, but the actions required can result in significant efficiency gains, cost savings and improvements in the quality of evidence.

Do you have any advice for those seeking a career in digital forensic science?

If you enjoy a challenge – go for it! But don’t get fixated on law enforcement as the only option. Our methods are used widely in corporate environments too, especially in dealing with fraud, employee misconduct, network attacks, e-discovery for civil litigation and a whole range of other activities. The law enforcement side of things is really quite a small sector and others could be easier to get into and more rewarding in the long run.

Website: http://www.n-gate.net and http://www.devce.org

Twitter: https://twitter.com/marshalla99

Angus’ book, Digital Forensics: Digital Evidence in Criminal Investigations, is available on Amazon.

 

If you’re a forensic scientist (academic or industry) or a crime scene investigator and would like to be part of this series of interviews, get in touch by emailing locardslabblog[at]gmail.com.
