CEELI talks
Bridging Technology and Law for Effective Justice
Explore the world of digital forensics in South Africa alongside Jason Jordan, a seasoned expert at T-Fair Labs, in conversation with Dr. Ingrid Borárosová from the Bratislava Policy Institute. In this insightful podcast, we delve into the evolution of digital forensics from its beginnings in the '90s to its current role in tackling cybercrimes. Jason's transition from law enforcement to the private sector and academia sheds light on the field's advancements and the importance of aligning with global standards.
Through discussions on South Africa's legal frameworks and linguistic diversity, we examine how they influence digital evidence handling and cybercrime investigations. Clear communication strategies, including relatable analogies, are highlighted to ensure understanding among judges and lawyers of varying technical backgrounds.
The podcast concludes with a discussion on the challenges organizations face in navigating political influences when employing digital analysts. Lastly, we emphasize the significance of collaboration between legal and digital forensic communities for a more effective pursuit of justice.
This podcast concludes our series of expert talks as part of the INNOCENT project funded by the European Union under Grant Agreement 101056685.
Speaker 1:So okay, so good afternoon everyone, and welcome to our podcast. This podcast is a part of the webinars prepared for the project focusing on improving the application of the presumption of innocence when applying electronic evidence. In short, we call this project Innocent and it's supported by EU Justice Program. My name is Ingrid Borárosová and today we have the privilege of speaking with Jason Jordan, who is the Principal Forensic Scientist and the founder of T-Fair Labs. So welcome, Jason. We are very happy to have you here to discuss this important topic with you. Can I please ask you, can you tell us something about yourself and about your job and what you do?
Speaker 2:Thanks, Ingrid. So I kind of feel like I'm the old fossil dinosaur in digital forensics sometimes. I got started in digital forensics in the early 1990s when I was a detective in the South African police, and I suppose as a kid of the 80s growing up, I sort of got introduced to personal computers at a young age and kind of fell in love with them and did all the cool techie nerd things I suppose that you could do back in those days. And then you know, when I joined the police well, this was kind of roundabout way in South Africa we still had mandatory military service I chose to do my service in the police service and I kind of found out I was a pretty good investigator when I joined. So I ended up becoming a detective and I kind of liked it. So I decided to stay instead of just doing my one sort of two years national service and um so so as a detective, working mostly fraud cases and things along those lines, because I was comfortable with computers, any cases and sort of to come into our unit that almost looked like there was a computer involved.
Speaker 2:I was the guy that ended up being asked to investigate it because I was literally the only person who knew how to use a computer and and that kind of you know was really in the early stages of digital forensics. You know, we were still kind of figuring it out as we went along. There was a few of us in South Africa, there was people in Europe, Australia, you know, United States, Canada, a few places around the world that were kind of getting our feet wet into this new type of investigation. I mean, back in those days we didn't even call it digital forensics. It was just, you know, cop nerds with guns trying to catch bad guys doing stuff on their computers. But fast forward a couple of years.
Speaker 2:I retired from law enforcement in 2014 as the national head of the Cyber Forensics Laboratory of the Special Investigating Unit in South Africa, which was principally our national government anti-corruption agency, and I basically then moved into the private sector to found DFIR Labs. At the same time, I started teaching for the SANS Institute internationally and now I've kind of split my time 50-50 between teaching and research and actually doing digital forensics work for governments and clients and court cases and things like that all around the world, and I'm very privileged, especially through the work that I do with the SANS Institute, I get to travel around the world teaching digital forensics. So I spend a significant time in Europe, Middle East, North America, Asia Pacific region, you know, teaching law enforcement agencies, government departments, private sector businesses and that. So this is something that I'm super, super, super passionate about. I always want you know.
Speaker 2:A lot of people say that if you find something you love, you never work a day in your life. And apparently I've never worked a day in my life because what I'm doing is what I love. So, yeah, so that's a bit of my background. You know, obviously, besides just being a practitioner, I'm also very involved with academic research. I've written books on the field of digital forensics. I'm still, you know, actively doing um, academic research as well in the field and sharing that where I can. So I just, I just love this field and, uh, now, I'm very grateful for the opportunity to chat with you guys that's, that's really nice.
Speaker 1:Uh, it can be. Anything is more rewarding than if you do something. Would you actually really enjoy, like you say? Exactly uh, so uh about the topic now. Can you provide us an overview of the current landscape of digital forensics in the South African region?
Speaker 2:So it's still somewhat of a small discipline in South Africa.
Speaker 2:I mean obviously, with the growth of electronic evidence in cases around the world same as in South Africa we have seen an increase in the number of people doing digital forensics. You know we have several police units you know that are engaged in working digital forensics cases. You know there's some government departments you know which have their own digital forensics units. So, for example, in our revenue service they have their own units. My old unit, the Special Investigating Unit, still has its digital forensics laboratory. And then there's also a growing number of private sector organisations doing digital forensics work. Some are in the consulting space you think of the big four consulting companies Some of them are more in the incident response space. Some of them are doing fraud cases and sort of doing a mix of everything in between.
Speaker 2:When I did my master's research a couple of years ago, I think we were probably looking at about 150 people no more than 150 people in the country doing digital forensics. I think that number has jumped up quite significantly. At the moment I think just within law enforcement alone there's probably in excess of 150 people doing the work. So we're probably looking at a much bigger scope of practitioners. But if you look at the size of the country and the size of the different investigation capacities. It's still very, very, very small compared to comparable countries overseas. So it's still an area of growth. It's still an area that we are developing in the country, but at the same time, it's also especially if you look at some of the earlier pioneers in the field we've got a lot of really good expertise in the field as well, because we were just one of those countries that started out in the beginning as well. So people persons like myself and a few of my peers that probably stand toe to toe with the best of the best internationally, which is quite nice.
Speaker 1:What are the common challenges or trends that digital forensics analysts can face in your region?
Speaker 2:So there's a lot of challenges, and I don't think the challenges are necessarily specific to South Africa. I think a lot of countries face the challenges. So probably one of the first challenges and I'll kind of break it down into sections so the first challenge is probably the legal environment itself. So, even though we've been using digital evidence in South Africa for many, many years, digital evidence was only formally recognised in. I'm trying to think now. I think around about 2000 or so, with the Electronic Communications and Transactions Act I might have got the year wrong, but it's round about there 2000, 2002, somewhat and that basically created some legal issues around the ease at which we could introduce digital evidence in court. Previously it was a court by court decision, but what we find, though, is that there's still a lot of people in the legal fields prosecutors, judges, magistrates, lawyers that don't realistically understand digital forensics.
Speaker 2:So we often talk about the CSI effect. They watch one too many episodes of CSI. They think digital forensics is just pushing a button and all the results happen. You know, they don't necessarily appreciate the length of time that it takes to do proper digital forensics, or they don't understand what it is that we do. So that is still a very big challenge, I think, for us legally. Coupled with that, we also have investigators, you know, within our police service and other law enforcement agencies that don't necessarily understand what we do either. You know, some people look at what we do and think it's some kind of magic stuff that we pull off. So that's a big challenge is getting people to understand what digital forensics is and what it does. You know, realistically versus unrealistically.
Speaker 2:Another big challenge, I think for digital forensics in South Africa is an issue of training. A lot of organizations don't budget effectively for training, so we do have a lot of people practicing in the area of digital forensics in South Africa that, if you look at it objectively, are probably not qualified to actually do the job, and that was a big issue, as part of my master's and PhD research was around that particular area. So that is problematic because we're seeing a lot of people going to court now, where they're now coming up against defence experts that are properly qualified, and that's leading to, you know, cases where bad guys are getting off. We've had cases where innocent people have actually been prosecuted. So there's some challenges, especially around the training area.
Speaker 2:Another big challenge, I think, also is just one around resources. A lot of the digital forensics tools that are available the commercial tools are very cost prohibitive. So a lot of agencies don't have more than one tool at their disposal and the old adage of if all you have is a hammer, then everything looks like a nail starts to apply. So you know, for efficient digital forensics you need to have access to multiple tools and multiple tool sets. Because of costs, that's also not a problem, or that sorry, that is a problem. Now you could basically at a practical level circumvent that by using more open source tools and capabilities. But there is a lot of reluctance in some organizations to actually use open source tools because they bought into this narrative that only commercial tools are court accepted, which is actually a really bad narrative position to take. So I think those are probably some of the biggest challenges that we have would be training, the resources and the legal issues.
Speaker 1:How can organizations improve their digital forensic capabilities?
Speaker 2:Well, I think you know, when we talk about organizations, I'm going to kind of split it into three sort of broad categories. So if I think about law enforcement agencies that have a primary mission to enforce the law and investigate crimes, they do need to take it somewhat more seriously. They need to invest in the capacity. Now, if I look in South Africa, in terms of our police rank structure, effectively the head of cybercrime is a significantly lower ranked person compared to some of the other units and unfortunately, in a quasi-rank based structure, the lower you are down the food chain, the less importance you seem to have, unfortunately. So I think, strategically you've got to elevate digital forensics and digital evidence to a point where we realise that the majority of cases that you investigate these days will have some form of digital evidence in it and you need to invest in the capacities to actually make that possible. So most cases will involve mobile evidence these days will involve potentially CCTV, camera footage, GPS devices, all this type of thing which is a potentially valuable source of evidence in a case that's often not even considered or utilized. So I think in law enforcement they need to make a significant investment and upskill people to basically work in those environments. Then in the private sector. Obviously, a lot of people doing digital forensics in the private sector are usually using it either to support internal operations or from a cybersecurity perspective, where they're responding to security incidents. Again, one of the things I think one of the biggest challenges there is that if you choose to have an internal digital forensics capacity within your organization, you need to make sure you capacitate and you need to make sure you train your people.
And again, that's something I've seen in the private sector, where an organization will stand up a digital forensics unit to do work and then they never train them, they never give them the resources that they need to do the job. And then, on the sort of third side, which would be the external service providers, which would be a category that I fit in people that are providing those external services need to also make sure properly trained, properly competent and also making sure that they have adequate resources.
Speaker 2:I think the common theme that spreads through all of the terms of improving the capacity of digital forensics is firstly, it always comes down to training and competency. Are you actually qualified and trained to be a digital forensics practitioner? And what we need to do to achieve that is. We need to create the situation where people move beyond the concept of I learned how to use a tool. So if you talk to most people in digital forensics, they're probably using one of the big commercial tools, whether it be FTK or EnCase or Magnet Axiom or X-Ways or you know, insert any sort of tool here. But digital forensics is more just have to buy a tool, send them on a two-day training course on how to use the tool and now they're a competent, qualified digital forensics practitioner.
Speaker 2:And I've always used this analogy that I like to think I'm pretty proficient in using Excel.
Speaker 2:Most of us that have done any kind of academic research are probably pretty decent at using Excel for data analytics and things like that.
Speaker 2:But then you can ask yourself well, if I'm competent in using Excel, does that make me an accountant? And the logic is well, an accountant uses Excel, so surely if I'm qualified to do Excel, I can become an accountant. And that doesn't fly, because we know that accountants have a special set of skills, a special set of competencies and training that they require to become accountants. But when it comes to digital forensics, we've kind of flipped the narrative where we say, if we focus on the tools. We say use this tool and now you become a digital forensics practitioner, where it should be the other way around, like the accountants, learn to become a digital forensics practitioner and then learn to use the different tools that we have available for us to do the job. And I think that is one of the big things that all organizations have to be able to do is switch that mindset from buy a tool, send somebody on a short course and now they're qualified to realize that this is actually a specific profession with specific requirements that need to be made for somebody to be competent.
Speaker 1:I would like to ask you as well how is the communication with like lawyers or judges? Do they understand the digital forensics the same way how you, as an expert, understand it?
Speaker 2:So sometimes yes and sometimes no. So I've worked with a lot of older lawyers, advocates and judges who sometimes struggle with some of the technical concepts. You know they may not be as familiar or comfortable with technology as we are, but then sometimes I've dealt with younger judges and younger lawyers and advocates who've grown up more accustomed to technology you know who grew up with smartphones and grew up with the internet and things of those lines, and they seem to be a lot more open to understanding the concept of digital evidence and how digital forensics works. But regardless of those two camps, whether it be the sort of older guard or the sort of younger generation, we still need to be able to communicate effective technical competencies in a way that they understand. So even though you might say, okay, he has a judge, he's in his mid-30s or early 40s, he must know about technology and they certainly might be quite comfortable with technology. But there's still a lot of very technically intricate things we talk about in digital forensics that even if you were like, even if you had a degree in computer science, for example, you might struggle with because it's not something you would have basically dealt with in that qualification. So I think what we need to be able to do and I don't think this is to apply to digital forensics, I think it applies to all forensic sciences we need to have that ability to communicate with our audience effectively, in a way that they understand, by reaching them at a middle ground. So using things like storytelling, using analogies, using better explanations.
Speaker 2:Now, I'm always and I don't know if this quote is true or just another internet meme that popped up, but you hear this quote from time to time where Albert Einstein was basically saying if you can't explain your concept to a five-year-old, to a child, then obviously you don't know your topic well enough. And I think that's kind of what it comes down to is that you have to understand your concept well enough that you can educate people at different levels on what it means. So I'll use a simple example to kind of illustrate what I'm talking about. So one of the concepts we talk about in digital forensics is the concept of cluster slack or slack space within a file, and you know, for a lot of people that can be quite a complex issue to wrap your hands around.
Speaker 2:But you know I've gone to all the judges and magistrates and said well, look, you know, with no disrespect, judge, you look like you come from a generation where you used to record programs on your TV on a VHS recorder. You know, and you know, one day you record an hour-long program, the next day you record an hour-long program, the next day you record like a half-an-hour program on the same tape. You know, on top of the program that you've already just recorded, well, what happens when you get to the end of that new recording? And they'll usually say something like well, you know, there's static on the screen and then there's the leftover bit of the previous day's recording, that's slack space. And when you can explain those concepts in terms that they understand, then it makes sense to them.
Speaker 2:So that use of analogy, that ability to communicate, I think is absolutely critical. And of course we are challenged in South Africa because we also have 11 official languages, which also does complicate matters a lot because you've got to deal sometimes with people where English is not their first language. So there's always that challenge as well. So most of our official communication is generally done in English these days, even though we have 11 official languages. But a lot of the times, the people that we're talking to, or even us that are communicating to people. English may not be our first language, and that introduces its own challenges as well.
Speaker 1:What are some of the best practices for conducting digital forensic investigations in South African contexts?
Speaker 2:So this is kind of where it gets a little bit challenging in terms of best practices. So you'll have some of the older, experienced persons you know, people like myself that have kind of been up from the beginning and we've understood how things have evolved and we will use things like the ISO standards so 27037 and the various different ISO standards for doing digital forensics. Some of us will use the scientific working group for digital evidence standards. Those are good standards that are internationally recognized standards. You know, those are good standards that are internationally recognized, but then there are also those that believe that those standards apply to them because there's no official South African standards that have been propagated. So, as a matter of principle, there is no official, mandatory South African set of standards that have to be followed in the practice of digital forensics. A lot of us do, however, use the ISO standards, which in South Africa are considered guidelines rather than prescriptive standards. But generally, from a best practice point of view, those are the standards that we're going to follow.
Speaker 1:How does the legal framework in South Africa impact digital forensic analysis and investigation?
Speaker 2:So well from a practical point of view, if you look at section 53 of our Electronic Communications and Transaction Act, which deals with digital evidence, essentially it created a set of requirements for what has to be proven for digital evidence to be admitted into court, and some of the requirements were that you had to prove where the evidence came from, you had to authenticate the evidence, you had to prove the reliability of the evidence, and key aspects of digital forensics is to actually do that prove where the evidence comes from, prove that it's reliable, prove that the system that the evidence came from was operating and functioning correctly. So our law actually supports the requirement for digital forensics to actually be applied when it comes to digital evidence, and some of our very esteemed legal scholars have actually written textbooks where they've addressed this. So I think from a legal point of view, our law of evidence actually supports the need for digital forensics to meet those different mandates within the Electronic Communications and Transactions Act. But then the other aspect where the law impacts on the practice of digital forensics is the way our cybercrime laws have actually been written.
Speaker 2:A lot of typical digital forensics work might actually constitute a criminal offense unless you follow the correct legal protocols. So, especially applicable in the private sector, where somebody goes and acquires evidence from a computer without the appropriate legal authorizations and permissions, they actually commit a criminal offense. So on the one hand, we've got the law that supports the use of digital forensics. On the other hand, in our criminal law we've got laws that, unless you follow the correct procedures, your actions would potentially violate the law. When you were doing digital forensics and you know I've mentioned this with a lot of digital forensics practitioners in South Africa they're like what do you mean? I'm breaking the law, I'm just going to hack somebody's phone to get the evidence from it. So it's not your phone, you don't have permission, you don't have a court order. Sorry, you can't touch the device. And they get kind of shocked about that. But that is the legal position that impacts on digital forensics practically.
Speaker 1:Can you share any recent case studies or examples of successful digital forensic investigation?
Speaker 2:Oh, there's lots I should talk about to pick one. You know, I mean I can talk, I mean I literally could probably talk for hours just about successful cases when it comes to digital forensics, and, you know, obviously this spans both criminal and civil legal applications. Probably one that I think is worth talking about, because it actually is in the public domain, was a big hacking case that happened. I'm trying to remember this was about 2013, 2012, when the crimes actually took place.
Speaker 2:But the investigation we did basically led to the main suspect being apprehended, prosecuted and receiving a jail sentence of 25 years, direct imprisonment without the option of parole, and effectively what this guy had done is he'd corroborate or he'd collaborated with organized crime elements to effectively hack into our major government financial systems and procurement systems and stole millions and millions over the course of a couple of days, which ended leading to him being apprehended. But the forensic investigation itself took almost about six months and we examined many, many, many, many, many computers and mainframe systems to actually prove the case. But what, for me, was quite nice about this particular investigation is the judge specifically said in passing down sentences that the forensic analysis was so critical in him actually understanding what had happened, because we were able to reconstruct every single step of what the attackers had done during that incident. So that's one that just comes off the top of my head, um, but there's, there's hundreds and hundreds.
Speaker 2:Uh, we could probably talk about and unsuccessful there's a lot of cases that are unsuccessful, and let me sort of explain what I mean by unsuccessful.
Speaker 2:It's cases where the attacker has gone in and they've wiped everything, so in other words, you know a crime has been committed but there's not enough evidence left over to effectively find the bad guy or convict him. And then some of the other ones that I would say are unsuccessful and this happens way more often than I think we care to admit is where the attackers are actually not located in South Africa but in another country, so they're moving their attacks from a different country. A classic example we look at countries like China and North Korea and things along those lines that are involved in cyber attacks and things along those lines where we can trace the evidence to a particular point, and then we hit a brick wall because the person that we're looking for is now sitting in a country that's not willing to extradite them to South Africa to stand trial and the investigation just dies. So I'm going to classify those as unsuccessful investigations, because we never get to get the bad guy in prison, if that makes sense, and that happens a lot, and I don't think that's just a South African problem.
Speaker 2:I think that is an everywhere-in-the-world problem at the moment when it comes to cybercrime. I mean, even in Europe, where there's a lot of cooperation between law enforcement agencies through Europol, it still happens in Europe even so. I think that is a horrible challenge and it's a frustrating challenge when you know you're so close to getting the bad guy and you just can't get them because they're not in a country that you can extradite them from. So that can be quite frustrating.
Speaker 1:What are the emerging technologies or tools that are being used in digital forensic analysis now?
Speaker 2:I think, some of the emerging tools. So you know, most times when we think about digital forensics, we think about computers and mobile devices, for example, and those are obviously still very relevant. But we are seeing some really interesting emerging technologies or techniques. So, as cars are becoming smarter and smarter, we're seeing a lot more digital forensics applied to motor vehicles, you know, whether it be engine systems and telemetry systems and tracking systems, not just the cars in-house mobile entertainment systems. So there's vehicle forensics that's becoming a big issue. More and more drones are being used, so we're looking at drone forensics and things like that.
Speaker 2:You know the whole concept of Internet of Things. You know smartwatches and sensors and alarm systems. You know that's also becoming a big issue, as well as things like the use of operational technologies and industrial technologies, like you know doing forensics on oil pipelines and refineries and big mining sectors, where you have that interface between physical and cyber systems effectively. So those, I think, are some of the interesting trends and obviously we can't talk about all of this without talking about the new I suppose the new hot thing that's out there at the moment talking about this whole concept of artificial intelligence and machine learning and things along those lines.
Speaker 2:Now we see more and more research where machine learning, large language models, generative AI and that has actually been used both by the bad guys to commit crimes but also by investigators to actually facilitate and enhance their investigative capabilities.
Speaker 2:So you know, SANS actually did a seminar a few weeks ago actually looking at the use of emerging AI technologies in forensics and cybersecurity and you know, some of the stuff that's been developed is absolutely phenomenal. So I think that's probably a big emerging trend that we're sort of focusing on at the moment is that automation process, and I know a lot of people have turned around and said well, if you automate the investigations, the analysts are all going to be out of work, and I think the reality is we're not going to lose our jobs. I think we've still got to be part of the system, because AI is great but it hasn't got the ability to replace human intuition and the human's ability of intuitively seeing links between things based on the evidence that we have. But those systems will definitely support us in our investigations. We will be able to do more quicker, I think, than we've been able to do in the past.
Speaker 1:Is there some tool that you are just waiting to get your hands on what you didn't use yet?
Speaker 2:So there's no real tools yet that I suppose I haven't got my hands on. So you know my friend Jess Garcia, who's a fellow SANS instructor. He's been developing a lot of AI forensic tools and obviously I've got access to those and they're really, really awesome. There's probably some super secret tools out there in some government agency somewhere that I haven't heard about. That I wouldn't mind getting my hands on at some point, but yeah, I don't know. I think I'm pretty good when it comes to getting access to tools.
Speaker 1:Are there any specific skills or certifications that are particularly valuable for digital forensic analysts?
Speaker 2:So this is always going to be a bit of a challenging one to answer. So I think when it comes to, if you think about core skills, it kind of breaks down to three broad knowledge areas. You need to have good knowledge of technology, computing, IT, engineering all of those areas. You need to have a really good grasp of the law, so you have to have good legal knowledge as well. And then you also need to have exceptionally good investigation abilities and analytical abilities. So you have to kind of combine all of those three skill sets and knowledge sets together and then kind of supporting all of them as really good written and verbal communication skills, because it doesn't help if you can do the best analysis on the planet, but if you can't communicate it to a judge or a prosecutor to, then it doesn't really matter. So those, I think, would be the core skill areas.
Speaker 2:In terms of certifications, that's always an it depends topic because you know, I find that there are certifications and there are certifications. So for me, if a certification is properly accredited so if you look at ISO 17024, which is the ISO certification for accrediting bodies. If the certification body is ISO 1704 accredited, then I would think they're pretty good If they're accredited. So one certification I'm aware of is accredited by the Forensic Specialities Accreditation Board in the United States. That would also be a level of external accreditation for the program. So I would look for certifications that have where the certifying bodies are accredited. And then I would look at certifications that are not necessarily tool-based, they are vendor agnostic. They're certifications that talk about the actual doing of the digital forensics techniques, whether it be computers, mobile phones, you know things along those lines. I would also say that certifications do need a practical component, so it can't just all be theoretical, and then the certification should also require mandatory continuing professional education, and I think, though, if you look at any certification, so long as it fits in that category, the certification could be valuable to you.
Speaker 2:There's a few certifications that I know we use internally within work. There's two bodies that we really trust their certifications, and I suppose, for disclosure purposes, I'm involved with both of the bodies. So take my opinion with a pinch of salt. It might be conceived as being biased, but the first set of certifications are those provided by the International Association of Computer Investigative Specialists. Their focus is predominantly on law enforcement, but they have some really really good certifications. The first one that they have is their Certified Frenzy Computer Examiner, which is basically a year-long certification program. It's very practical, very intense, in-depth program and I consider that probably to be the gold standard entry-level certification in digital forensics.
Speaker 2:Then they have some other certifications, two ones in particular. They have an advanced Windows forensic certification and an advanced mobile forensic certification, one focusing specifically on Microsoft Windows, one focusing on both iOS and Android devices, again both very, very good. And then the other body that does certifications, the GIAC or the Global Information Assurance Certification body, which is affiliated with SANS. They have a number of digital forensic certifications as well, like the GCFA, gcfe, gbfa and so on. They're also really really good certifications. But there are other bodies out there that also do certifications. But I know those are ones that internally we've looked at, we've studied, we like what they do. But again, they are also two bodies that fit into the categories that I mentioned a few minutes ago. The bodies are accredited, the certifications have practical applications. There's mandatory examinations, there's mandatory CPE requirements. They're not lifetime certifications. So it does force the practitioner to continually be learning and evolving, to stay up to date, which I think is the key part of any certification.
Speaker 1:What are the key considerations for organizations in South Africa when choosing a digital forensic analyst service provider?
Speaker 2:I would like to say competence. But unfortunately South Africa has a bit of a unique environment at this point in time. There's a lot of, shall we say, political, I think that's the right word. Sort of political, I don't want to say interference, interference would be the wrong word, but political involvement in a lot of procurement processes and unfortunately that means that a lot of times organizations are making their decisions on who their digital forensic service providers should be on criteria that is not competency of the practitioners. So we've had a case that we came in as the second party where a digital forensic service provider was appointed on the basis of non-proficiency criteria and they completely messed up the investigation. And you know, the company approached us and said well, you know, we hired this other company because they met the government requirements and they messed everything up. Can you fix this case for us? It was like, well, you know, we're going to come in and do it. It's going to cost you a lot more money now because they messed up and we've got to try and fix it. And they were like, well, we should have just appointed you in the first place, and I said, well, that's part of the problem. So we see a lot of that aspect happening.
Speaker 2:Then, also, the other aspect that we see happening when it comes to organizations making these decisions is it comes down to price, which is, I suppose, not uncommon in the rest of the world, but because we have such a low level of understanding about digital forensics.
Speaker 2:So you might have two people going to a company looking for somebody to do digital forensics for them, as an example, and they will get quotations, and one or two of the companies they get quotations from are not necessarily digital forensic specialists, but it might be an IT company that on their website says they do digital forensics, and because they're not doing digital forensics, their quotations actually come in really, really cheap because they don't use the specialized equipment or training or things along those lines, and then those people get the job.
Speaker 2:So those are probably your two big considerations that are happening in South Africa at the moment. It's appointment based on price, appointment based on government procurement laws, effectively. But the interesting thing, though, is that when we look at cases going to court, then the lawyers they want people who are proficient, then they're less worried about pricing and less worried about government regulations, as opposed to saying we need the most competent, qualified people to do the job. So it's a very interesting dynamic. On one hand, the general forensic workers is largely being driven by that versus competency, but when it comes to court everybody wants competency. So it's an interesting dynamic.
Speaker 1:You told me that you used to work in Central Europe as well, if I understood correctly.
Speaker 2:So I do a lot of work in Europe with work that I obviously now Europe, Middle East and Asia. So that's quite nice. I get to see how it works in different countries as well.
Speaker 1:Can you maybe compare what's the state of digital forensics in Africa and in Europe?
Speaker 2:If I look at certain countries in Europe well, okay, I'll use Europe in general, so I'm even going to go back to the former Baltic states the level of digital forensics is actually pretty decent. Some of the states have smaller capacities like I was in Estonia a few years ago, just shortly after Russia invaded the Ukraine and they have a small component, but a very passionate, dynamic and driven component that they're building up and the skill levels are definitely there and I think a lot of that is largely driven by things like Europol, with the Europol Cybercrime Center and things along those lines, which is pretty cool. You know countries like Germany, the Netherlands I was in Italy last week. They have robust capacities when it comes to doing digital forensics and there is a better understanding, I think, of the role of digital forensics.
Speaker 2:There's a big emphasis on the proficiency and competency of the people actually doing digital forensics, especially in Europe you know what I see versus in Africa, where it well, specifically South Africa it hasn't been the most driving narrative, unfortunately, but there are some places in Africa, I think, that have really been trying really, really hard. I know Kenya has been spending a huge amount of money in investing in their digital forensics capacity. Malawi has been working on their capacity, so there are countries in Africa that are getting to that point where they're starting to move into a level of competency that matches some of the other countries around the world.
Speaker 1:Okay, and maybe one last question for you. We are working in the project especially with the target group of lawyers, judges, advocates, and I would like to ask you what they should do in their field to actually understand digital forensics better and to help them with the job to actually use it and be able to wrap around the idea of what is happening actually in digital forensics.
Speaker 2:So one of the things that I've often advocated, think of it as a bit of a cross-sharing platform. I think what makes me a good digital forensics practitioner is I understand law. How did I understand law? I spoke to lawyers. I spoke to judges. I tried to get from their perspective what do they need from me? How do I put things together? So I would encourage judges, lawyers, magistrates, all those kind of people, to actually research themselves. Go and speak to people who do digital forensics. Don't just see them in the courtroom. Go and have a cup of coffee with them and say I'm really interested in what you do. Can you help me understand this thing better? And that sharing of information from digital forensics to the legal practitioners, I think cuts both ways, because if I better understand the law, I'm better able to serve the court and, ultimately, as a digital forensic practitioner, that's what I'm doing. I'm there to serve the court.
Speaker 2:The project that you guys are working on around the whole issue of innocence, the presumption of innocence, that is what a digital forensics practitioner should be doing. I'm not there to advocate for one side or the other. I'm not there to prove guilt or innocence. My job is simply to find the evidence, preserve the evidence and interpret the evidence for the court to make the decision. So I should be neutral in the work that I do. So it's important if I, as a digital forensics practitioner, understand that that's really the role of law, is balancing and judging and weighing up the scales, so to speak, then I become a better forensic practitioner. At the same time, when I'm learning that from the judges and lawyers and they share it with me, I'm also sharing with them about what we do and how I can assist them with their investigations and, ironically, even being able to help them, sometimes with the legal interpretations.
Speaker 2:So those are the things that I think have just come down to sharing and realizing we're part of a broader grouping, a broader community, if I can put it that way. It's all about justice not saying, well, I'm just digital forensics and I'm just a lawyer and I'm just a police detective. We all have a role to play, and understanding where everybody's role fits in, I think is very important, and that's how I would achieve it, and how I have achieved in the past is literally by showing an interest in the other person's discipline and learning a bit more about it.
Speaker 1:Okay, thank you very much for sharing all your knowledge and information.
Speaker 2:It's an absolute pleasure, Ingrid.
Speaker 1:I hope that we will have you soon, maybe in person, for the continuation of the discussion.
Speaker 2:That would be awesome.
Speaker 1:So thank you very much again.
Speaker 2:Awesome. Thanks, Ingrid.