When introducing our white paper on Android Marshmallow forensics, we talked about the importance of being curious—to find ways to identify what you don’t know, to fill in the gaps through training and self-teaching, to understand market trends and how developers respond, and to get out of your comfort zone by using tools that may not be as intuitive as your go-to forensic software.
Our founder and CTO, Jad Saliba, talked about that in his recent appearance on the Cyber Security Interviews podcast. Asked what skill he thought forensic examiners needed most, Jad replied:
“I think that thirst for knowledge and to always be learning is super important, that curiosity and wanting to understand how things work and the underpinnings of the different types of data that you’re looking at….
“Things change so quickly in our industry and you can either look at that in an exciting way or a dreadful way, and I think people that do well in this industry are interested in the technology [and] the investigation side of things and they want to be able to figure out these different challenges and stay up to date with the developments and the trends that we’re seeing change in technology.”
Being forensically curious: Making the time for deep forensic work isn’t optional
As Magnet AXIOM evolves into a mature digital forensic tool, we’ll be offering multiple ways for you to take advantage of its many features. Yet, at the core of this largely automated, simplified process remains the need for investigators who have enough of a sense of what’s going on “under the hood” that they can validate what they think—and describe why in court.
The research, though, can often take a forensic examiner past regular working hours, long into nights and weekends. You can justify research and hard work when a high-pressure case puts a lot on the line—like trying to save a child, catch a homicide suspect, or stop a terrorist attack—but it’s important to remember that not every case will require the same degree of dedication.
At that point, forensic research may be not so much about a single device and/or app, but instead about keeping up with the times so that when you do encounter “that” device and/or app on a big case, you’ll be better prepared to handle it—to know just what tools to use, where to look first for the data, and how to overcome any obstacles to acquiring it.
Arguably, this is like taking the time for tactical training beyond the minimum annual requirements. Just as you need a range of less lethal options to choose from in a volatile situation, you also need a wide range of forensic tools to deal with the volatility of technology. Being limited to just one option, in either situation, could be disastrous—for your case if not someone’s life.
Being forensically curious: The big picture extends beyond your caseload
“But my department has a mandatory rotation policy,” you may be thinking. “By the time I learn all I need, I’ll have to go to a different assignment, and I’ll never use this stuff again.”
This is certainly true for a lot of agencies, but it doesn’t make deep work any less necessary. Consider:
- What if saving one or more victims hinged on whether you could dive deep into the unallocated space of a mobile device—but you were the only one who could do it in the limited amount of time you had? These cases are rare, but because forensic examiner resources are stretched thin nationwide, better skills on your part can only improve the situation—for everyone.
- The “low hanging fruit” evidence you find may not be all there is to build your case. Digital data is easy to manipulate—to add, change, or delete to make events fit a particular narrative. This can work for or against the suspect and/or the victim, so consider: would you be able to show, and explain, the differences?
- At some point, it’s likely you’ll have to testify in court as to your process. Digital forensics can be tough to explain to nontechnical juries and judges. The better you are at the processes and tools, the easier they will become to explain—and the stronger your case will look.
- The skills you develop now will make it easier for you to communicate with future forensic examiners about what you need to build future cases. If you’re on a command track, you’ll also be better equipped to make well-balanced budgetary decisions about all your agency’s needs.
Being forensically curious: Growing forensic skills takes baby steps
Some aspects of curiosity, like writing your own scripts, might be considered optional; you certainly aren’t required to do them. Because learning skills like programming often happens in investigators’ free time, it should be something you are truly interested in.
Other skills aren’t so optional, and it’s these we’ll be focusing on as part of an upcoming series. Over the next few months, we’ll be delving into what’s involved with growing your forensic expertise. Through interviews and observation, we’ll show you how to:
- Use everyday tools like the Google Play Store to research new apps and device capabilities.
- Make research part of your regular forensic routine.
- Use your research, combined with your casework, to test your hunches about how devices and apps behave—and what this might mean for your cases.
In upcoming weeks, we’ll show that making just a small investment of time to dig deeper, to learn to look at evidence in new ways or to try new ways to obtain it, could be a lifesaver later on as you apply your learnings to build stronger cases.