How do you make sense of something you’ve never seen before, when gaining that understanding might uncover the final, vital piece of the puzzle that solves a crime, brings a perpetrator to justice and offers closure for a victim and their family? This is what we aim to teach students on the Cranfield Digital Forensics MSc.
As a senior lecturer in digital forensics, I have spent more than a decade equipping students with the essential understanding and ways of working to be able to interpret digital evidence and solve cyber crimes. It is both a fascinating and hugely challenging area in which to work.
A future that’s always moving
Unlike in traditional forensics, where the target evidence type (blood, DNA, hair, clothes fibres etc) has remained pretty much the same – albeit advances in technology over many decades have enabled more detailed and robust evidence-gathering and analysis techniques – working in digital forensics means chasing a target that is not only a different shape and size, but is always moving with the times as technology advances.
A lot of people think working in digital forensics is all about examining cyber crimes but, in reality, we can be called on to gather and interpret evidence in just about any crime – from traffic collisions to murders. The abundance of technology and the fact it is all around us means that, no matter where you are or what you’re doing, someone is probably watching, capturing or creating a digital trace of something you’re doing or linking you to where you are.
Think about the mobile phones we all carry around with us – the amount of passive activity they generate is phenomenal. There have been cases brought before the courts where health data apps on someone’s phone placed that person at the location at the time and date an incident occurred. CCTV, telematics in your car, your smart home alarm, your Alexa, your Google Nest, your Hive thermostat, your mobile-controlled light bulbs – we want to be more technologically connected, but the more we build our lives the bigger the digital trace we leave behind.
The indisputable truth
Digital forensics as a discipline involves gathering this digital trace data from these various sources and using it – to the best of our ability – to build up a picture of what a person has done or where they have been during a certain time frame. We don’t add to or take anything away from the data, but we ensure it is gathered in such a way that there can be no doubt about its authenticity or the fact that it belongs to that person.
It’s a technical and challenging field in which to work. You’re pushed to keep up as technology changes and develops. There will be people that engage with digital technology while committing crimes, whose digital trace will be vast, and others that have from the outset the intention to leave behind as little a trace as possible. Both pose challenges.
Developing an investigative mindset
Preparing our students to work in an ever-changing environment like this is a key area of focus for everyone in Cranfield Forensic Institute (CFI).
We have facilities that are state-of-the-art, and students on our courses get to work with the latest technologies and try out the newest techniques. But we are not about teaching specifics like these, otherwise, with the pace of technological change, there is a real risk they will find their skills outdated by the time they finish their course.
Instead, we aim to equip them with the investigative mindset. We want them to learn the skills that they will use to investigate and interpret things they’ve never seen before – that we can’t even predict right now – throughout their careers.
Take our Digital Forensics MSc, for example. Aimed at people wanting to enter the field from related disciplines like computing or law enforcement, as well as those already operating as practitioners who want to improve their skills and progress their career, it focuses on teaching people how to solve problems: how to get to grips with and make sense of the unknown.
Participants gain the ability to look at some data and work out how they go about learning what it means. They learn how to go from nothing to everything through the process of testing, evaluation and interpretation. Ultimately, what tool you use to do that doesn’t matter as long as you engage in the proper investigative process and do it robustly, accurately – be a good practitioner essentially.
In digital forensics, you’re going to encounter the unknown every day, so we can’t be comprehensive and say that we can teach them everything they will ever see and what they need to do to investigate those things. We can’t get anywhere close to that. All we can do is teach them the skills to constantly deal with the unknown.