Digital Forensics Capability Analysis

The ICT KTN, on behalf of the Forensic Science Special Interest Group (FSSIG), is conducting a survey of the UK’s Digital Forensics Capability. This work is being managed by Angus Marshall, of n-gate ltd., to whom any initial queries should be directed. The project team also includes the CyberSecurity Centre at De Montfort University.

To download this survey please visit the following links:

Word format
PDF format


Traditional Digital Forensics activities involve the recovery and investigation of material found in digital devices. Such data is at rest on static devices such as hard drives and in solid-state memory on camcorders, mobile phones, GPS navigation devices etc. The market for this activity was driven by Law Enforcement and other public sector organisations, hence it was necessary for all activities to be conducted in line with UK evidential criteria so that it was admissible in a court of law.

Our digital age has seen requirements evolve. With the ubiquitous use of email came a requirement for a new field of expertise – that known as “e-discovery”. E-discovery refers to discovery in civil litigation, which deals with the exchange of information in electronic format (electronically stored information or ESI). This data is subject to local rules and processes and is often reviewed for privilege and relevance before being turned over to opposing counsel, where the burden of proof rests on the balance of probability.

However our digital evolution has not remained static. The growth of cyberspace, the trend towards mobile devices (BYOD) and cloud services has seen data take on a far more transitory nature, and the physical location of data at rest can be difficult if not impossible to determine. Data is versioned, distributed and stored across differing networks, devices, borders and boundaries.

The traditional digital forensics practice of imaging and extracting information from disparate physical devices no longer suffices for incident investigation in cyberspace. There is an increasing requirement from businesses in the private sector, and emerging capabilities are required to keep pace so that these requirements can be met.

The team will produce a report detailing the current stakeholders, existing capabilities and challenges. This will enable the identification of areas in which there are capability gaps. Attention will then be paid to how these gaps may be reduced and any specific challenges which will need to be overcome in order to do so. Further, a glossary of terms of key digital forensics concepts with simple definitions will be produced to assist with knowledge transfer both within and outside of the FoSci community.

Your involvement

You can assist with this first stage of the survey by completing the attached questionnaire and returning it to no later than Monday, 4th March please. All responses will be treated in strictest confidence and your answers will be anonymised before they are included in the report(s).

Digital Forensics Capability Analysis – Questionnaire

If you are willing to assist with this phase of the project, please complete and return to by Monday 4th March 2013

1) What do you understand by the term “Digital Forensics”. (one or two sentence answer)

2) In which context do you use digital forensics (e.g. law enforcement, civil law, criminal law, private sector, internal investigation, information security)

3) What types of technology do you deal with in the context of digital forensics ?

4a) What is the single greatest DF challenge you, personally,  face in your everyday activities ?

4b) How do you think this challenge could be addressed ?

4c) What is the single greatest DF challenge that your organisation faces in its everyday activities ?

4d) How do you think this challenge could be addressed ?

5a ) What challenges do you think you will face in the near (1-2 years) and medium-term (2-5 years) future ?

5b) How do you think these challenges could be addressed ?

6) When you are looking for solution to digital forensics problems, who do you turn to for

a) off-the shelf solutions ?

b) bespoke solutions/product customisation ?

7) Who would you consider to be the key people or organisations relevant to your experience and usage of digital forensics ?

8) What other innovations, relating to technology, services or any other issues affecting digital forensics, do you think would be beneficial ?

9) May we contact you again for more information ?

(If “Yes”, please also provide your name and a contact phone number or email)


SIG Forensic Science

Forensic Science Special Interest Group

For more information about the FSSIG, and to get involved in the community, please see




Facebook & Social Engineering

On Thursday, March 18th, 2010 at 8:00 PM GMT the UK’s Tonight with Trevor McDonald investigated “Facing Up to Facebook”. The Tonight program is a news magazine produced by the UK’s Granada Television for the ITV network since 1999 and covers the full range of human interest led current affairs.

In this episode the program investigated the subject of social engineering and the concerns that surround the social networking site Facebook. Following on from the widely covered so-called “Facebook Murder” much in the news in the UK we have this investigative report into the dangers of online social networking and Facebook in particular.

For me this brings a couple of thoughts to my mind. The first is that this is just another electronic extension to the well-known practice of Social Engineering. The rise in social media sites such as Facebook, LinkedIn, Twitter etc. provide a wealth of information to those who want to delve in and find out more about you and has simplified much of the work involved. It was interesting that the representative from Facebook (name escapes me) talked about the 50% who had managed to configure their security settings correctly almost ignoring the other 50% who had not, until he was challenged by the reporter. Have we learned nothing from the past and the history of firewalls where we have a default of “DENY” and the user has to actively engage in what is allowed. Surely if we did this we might have more than 50% of people on Facebook configured better?

If you interested how you can investigate Facebook you can have a look at “Diary of a PDFBook” which was in Issue 1 of DFMag, this looks at a tool to investigate Facebook using a browser. You can also read John Olssen’s article on Forensic Linguistics in Issue 3 of DFMag and how this technique was used in the “Facebook” murder investigation.

Tony Campbell



Digital Forensics crossing into other specialisms

I’ve been working at editing a book review for Issue 3: and what an excellent book it is (the review is pretty good too, I may add). The reviewer could not have praised this book any more than he did and there is good reason for this. Dr John Olsson’s latest book on Forensic Linguistics is a fantastic read and really open up your eyes on what’s possible through the study of words alone. To be able to point the finger at a culprit on nothing more than the phrasing in a fake suicide note takes a lot of skill and experience, but also the understanding of the linguistic formulation of the prose, which is where John’s book really wins, is vital. John has done an article on the role of forensic linguistics in convicting the culprit in the recent terrible events that led to the death of a young girl using Facebook. He discusses the dialogue used between murderer and victim and how, with careful screening, we can discover the motivations of unseen people at the other end of a virtual connection in cyberspace. What intrigues me is the crossover here. SMS, for example, has created the need for a new language and cryptic annotation that is used mostly by teenagers today. When we, the mobile forensic examiners, extract this information, we need to make sense of it to help with the overall investigation. And how can we determine is the suspect is actually the person who sent the incriminating text? This is exactly where Dr Olsson’s skill comes in, and he’s finding himself more and more involved in computer crime investigation. We know that the Forensic Science Regulator in the UK is focusing on integrating digital forensics into the mainstream role of other forensic sciences, which I believe is a great move, allowing a lot tighter collaboration between the various branches of our profession. Dr Olsson shows the benefits in terms of this one case realating to Facebook, but I feel we need to start looking for other such stories in DFM to really show the importance of cross-field collaboration.

Tony Campbell



Another Murder Linked to Facebook – Should We / Can We Do Something


This is the second case that I am aware off that involved using Facebook to develop a relationship that ended up in the murder of a young female. The first case, which was in the UK ( and discussed by John Ollson in issue 3 of DFM relates to the use of Facebook by a known sex offender. Whilst the second case ( took place in Sydney, Australia and concerns a young lady who went to meet someone after being promised a job working with Animals.

You cannot help consider if this is just the tip of the iceberg and that many more inappropriate contacts are happening everyday but go unreported, is it Facebook and the online social networking phenomena that is to blame? or is it the fact that Facebook was used that makes it newsworthy and gets it reported?

Is it possible to draw some parallels with the online dating agencies? Now I can accept that there are a lot more barriers and checks in place in establishing that the person who you are going to meet is someone real who is looking for a relationship; however just as it is easy to be invisible on Facebook until the day you meet so to is it possible on a dating site. How many times have you heard that a false photograph has been used? I also wonder if or how many murders have been committed following a meeting via an online dating agency, but because it is accepted that these sites exist and are mainly for adults that they do not get reported in the same way that murders that have a Facebook connection do, especially where children are involved.

For the online digital investigator of such crimes, as with most crimes of this nature the investigation is post event and entails looking at the computers and mobile phones of the victim and possibly the accused. In issue 1 of DFM we had an article written by Jeff Bryner who developed a tool for Facebook Memory Forensics (, so we have post event tools, but how do we get proactive, is it purely down to awareness and simple precautions by users of the social networks or do those who provide the facility have a responsibility to police the online service; even if it were feasible the ethics and scale would make the task almost impossible.

So what do we do, wait until enough crimes have been reported that the message finally gets through to users of the service, increase third party awareness campaigns or challenge Facebook to provide an online induction training session that has to be gone through before access is granted (a bit late for that I think).

One thing is certain; I do not think that this is the last incident that will be reported.