Below are some profiles from practitioner staff already working within Digital Forensics. Genie, Ben, Connor and Michael talk about their roles, what a day in the life of an Assistant or Technician looks like, and how the work they do impacts investigations.
- LDFIT Digital Forensic Assistant
Digital Forensic Assistants typically begin work within the MPS Local Digital Forensic and Investigation Teams (LDFITs) based across the twelve command units in London. These teams are comprised of a combination of officers and digital forensic staff and support local investigation teams with mobile device downloads.
Your main role working in LDFIT is to extract data needed by investigators from the devices submitted in a case. You tend to come across a wide range of problems to solve, it can be making sure that the submission forms you receive have the correct information needed for you to proceed with you examination, and communicating with the relevant people to make sure they have adhered to our standards and policies. Some submissions are time-critical, in other cases devices may need to be escalated or have a variety of reasons that may prevent you doing the examination, e.g. the device is damaged, contaminated or is a customised device intended for a user with a disability that cannot be done on the equipment in the LDFIT.
Often the work includes answering questions from officers about the forensics opportunities a device presents, for example whether particular applications are supported, and advising officers about the digital evidence that could help them in their investigation.
On a typical day you can be extracting devices for cases, maintaining and keeping check of stock and equipment in your station, updating spreadsheets and paperwork, answering officers questions, and other digital and administrative tasks.
Within the job role it is good to have the following skills: being adaptable, showing the willingness to learn, not giving up and keep on persevering, always looking at the finer details, thinking outside of the box, showing curiosity in what you do and also being approachable when people ask questions. Some days you can write a to do list and complete everything you have set out to achieve that day, other days that to do list may just have a smiley face as a reminder that you have got this.
While digital forensics staff are not public-facing, often working behind the scenes, the role is invaluable. We are contributing to an investigation, helping to find evidence that can go to prove or disprove a case, and contributing to officers to supporting victims of crime.
There have been days that I have struggled, dealing with a difficult case or coping with tools that kept throwing error codes requiring a lot of troubleshooting. It’s ok to not know the answer to a certain question or not fully understand a certain procedure, you have people within your station and the wider department who are there to support you and guide you. Sometimes a practitioner’s broader experience can be useful, there was a case in our team where my colleagues’ knowledge in online gaming helped an officer following a lead in an investigation.
Take all the opportunity you get to increase your confidence in the world of digital forensics and know that you are playing an important role.
Genie, Digital Forensic Assistant
- Hub Digital Forensic Assistant
Digital Forensic Assistants will also work within our Forensic Hubs, supporting the aquisition of mobile devices that escalated from the LDFITs where they are unable to access them or they are unsupported by the equipment there.
The primary role of the Digital Forensic Assistant in the Digital Forensic Hubs is acquiring and extracting data from exhibits, mainly mobile phones. This includes writing a forensic strategy for each device – I need to take into consideration the make, model, and security features of the device, and the data types that have been requested the officer in charge of the investigation and assess our capability to formulate my strategy. After being approved, I can use specialist forensic tools to process and extract data from the mobile devices. I have standard operating procedures (SOPs) to follow to ensure consistency for the handling and continuity of an exhibit and also the processing of exhibits which includes the verification of data. I am responsible for ensuring the software I use is kept up to date and for carrying out quality assurance checks on the completed work of my colleagues to ensure that the SOPs have been followed and the correct data has been obtained and provided.
In a typical day I would deal with submissions made to the Forensic Digital Hub, checking all the associated paperwork such as the submission forms from the officer in charge, and digital processing notices signed by the device owner. I ensure continuinty and integrity, checking the condition of the exhibits and their packaging, checking exhibit bag details against the paperwork provided. If everything is correct, it will be booked into the case management system, added to our outcome logs and then confirmation of the submission is sent to the officer in charge.
I will undertake general administrative tasks in the hub, I manage my own workload with guidance from the Digital Forensic Hub Manager and prioritise my tasks and responsibilities. As a Forensic Assistant, I am the first point of contact for submissions into the hub, dealing with enquiries on the phone and via the mailbox, e.g. responding to officers’ emails to keep them updated on the status of their cases, requesting additional paperwork, or providing advice and guidance where needed. I carry out daily checks on any exhibits we have processing, and dispatching exhibits to the central laboratory for escalation or for outsourcing. I work as part of a team and liaise with Digital Forensic Technicians regarding submissions which have been passed to them and any that need to be prioritised.
The Forensic Assistant role is really varied and priorities change, the Digital Hub environment can be fast-paced and there is always something new to learn.
Connor, Digital Forensic Assistant
The Digital Forensic Assistant role has a wide range of responsibilities in the day-to-day life of a Hub. The main role of a Digital Forensic Assistant in the hub is completing forensic examinations of mobile devices. The mobile device examinations involve using a range of specialist forensic tools which offer different techniques to gain access and acquire data from the handsets. We have to deal with devices from suspects, witness and victims, relating to a wide range of offences. Before starting an examination, a forensic strategy is written to detail what you as the examiner will do in the examination. QAs are completed after each examination to make sure the correct forensic processes have been followed. You will approve forensic strategies and QAs for your peers, and they will do the same for you. After you have completed an examination the extracted data needs to be prepared for analysis by a technician.
Each day at the Hub is different and you have to be able to prioritise work depending on operational needs. You could be just about to start an examination and an urgent submission comes in that needs to be extracted within 24 hours causing you alter your priorities to get the urgent extraction completed.
Another part of working in a Digital Forensic Hub is handling the administrative side, this can including dealing with officers’ queries and submissions. When a device is submitted to the Digital Hub it is the Forensic Assistants’ responsibility to book it in. The booking-in process involves checking that all paperwork and exhibit bags have been completed correctly. The officer will also often have questions about the process which you will need to answer. The case will need to be added to the case management system and forensic outcome logs so that its progress can be tracked and relevant deadlines can be met. We often have to respond to telephone enquiries, most involve officers asking for updates on their cases or to ask general queries about support and capabilities.
The Digital Forensic Assistant role in the hub offers exiting challenges working with digital forensic tools, liaising with officers about cases, all while working in a fast-paced environment.
Ben, Digital Forensic Assistant
- Hub Digital Forensic Technician
A Digital Forensic Technician will be involved in the extraction of data from different digital device types, and will spend much of their time involved in the analysis, review and quality assurance of data extracted from digital forensic devices.
After greeting my colleagues and sitting at my workstation, my day in the Digital Forensic Hub starts with checking my priorities for the day and reviewing my workload. If I’m starting a new submission, I will review the submission documents so I understand what is required and the circumstances of the case. I may have to request additional information from the officer in charge or, upon review of the exhibits in the case, I may need to do research on the device I need to examine. Depending on the type of crime, the case may involve a single device or ten or more devices across a range of types, the most common devices I deal with are mobile phone, laptops, desktops, USBs, memory cards and SIM cards.
After I have enough information I formulate a strategy explaining the process and tools I’m going to use. Once approved, I can start my examination. In some circumstances, a mobile phone extraction may have already been completed by a Digital Forensic Assistant, if not I will perform it myself. I collect the exhibit(s) from the secure store and update the case management system. Photographs are taken and the exhibit bag is signed with the date and time to ensure exhibit continuity and then it is removed from the exhibit bag. The device is checked for damage and contamination, if everything is fine then I can move forward with the extraction of the device. If any damage is found and it can be repaired at the Digital Forensic Hub, I can proceed with the necessary repairs before acquisition. If it cannot be repaired at the Hub then it may need to be escalated to the central laboratory if necessary and proportionate.
I have various tools and software I can use to obtain an extraction of the device. After obtaining the extraction I create a copy of the extracted data. The data is then verified and I stop working on the live exhibit. I now start using the forensic image/copy of data for the next stage of my process. The device is sealed in a new bag and returned to the exhibit secure store until it is collected.
This is where the real fun starts. I start to dig into the data, examining file systems, using my analytical skills to find the data to answer the points-to-prove requested by the officer for their case. It’s also an opportunity for me to continue learning and developing my technical skills when I come across something new or if the data isn’t quite what I’m expecting and I need to investigate further. Digital device manufacturers continually change how they store data and new apps are being created every day so there is always something new. At this stage, I get to look under the hood to understand how devices and applications truly function. Once the analysis is completed, an evidential report is prepared containing the processed data for the officer’s review. An evidential statement is provided to the officer if required in court. I have various SOPs and processes to follow throughout this process, and there is an embedded Quality Assurance process which enables me to learn from my peers and colleagues.
Sometimes our work comes in which is much more urgent, we may get a call to the Hub letting us know an urgent device is arriving in relation to a missing person and it’s all hands on deck. This is when adrenaline kicks in and I realise the significance of the job and how potentially time-critical it can be. Someone life is potentially on the line. We discuss as a team what roles we will take to ensure the case is dealt with as quickly and efficiently as possible while maintaining forensic integrity. The device arrives at the hub and the Digital Forensic Assistant starts the extraction process while I begin to create my analysis strategy, all while assisting if any problems arise.
We are in constant communication with the OIC, updating as we can. I proceed with the analysis of the mobile device and provide the data for the officer’s review, hoping that this report can assist in the investigation. The job takes all day, it’s a pressurised environment. Every day brings a different challenge and you never know which scenario you will face, some days it is a digging data day while others demand urgent action and occasionally, it’s a combination of both.
Michael, Digital Forensic Technician