You really must read this extremely interesting and funny interview with Harry Parsonage, a digital forensics investigator in his police days and now an expert at ADF Solutions!
Prior to joining ADF Solutions Harry Parsonage was a police officer for nearly 31 years in the UK. He spent 23 years as a detective sergeant managing and investigating the full range of crime from rape, robbery, child abuse, homicide, to corruption and serious fraud. For the last 11 years of his service he managed a police digital forensic unit and at the same time was a hands-on forensic practitioner. In 2007 he introduced a triage process to his DFU which reduced the backlog from 12 months to less than 6 months over a period of just 9 months. Harry is well known in the forensic community for his papers on MSN Artifacts, Windows Link Files, and Web Browser Session Restore Forensics and is on the editorial panel for the UK’s ACPO (Association of Chief Police Officers) Good Practice Guide for Computer-Based Electronic Evidence and also the ACPO Guide for Managers of eCrime Units.
Yuri: Please briefly describe your current occupation.
Harry: I currently work for ADF Solutions Inc. “The Forensic Triage Company”, a US company based in Bethesda MD, but I work from the UK leading on digital forensics and providing support to users and agencies in the use of our tools and the implementation of triage strategies.
I was not a model student
Yuri: How did you become involved in the computer forensic field?
Harry: My first foray into computing was in 1972 at university when I did some programming courses in ALGOL and FORTRAN. We submitted our programs on punched paper cards stacked several feet high, well perhaps mine was just a couple of inches, but it was a pain waiting for the print-out to find a syntax error which meant you had to redo some cards, resubmit and wait another couple of hours for the next run.
I studied Metallurgy and Materials Science at university, using the term study in the very loosest possible way as I was not a model student. I went on to work as a Cathodic Protection Engineer which was never much good as a chat up line, but I did manage the project to prevent corrosion on the internal surfaces of the Thames Flood Barrier in London which is still there thirty-odd years later.
I managed the half-man unit
In 1980 I joined the police and served nearly 31 years with 28 as a detective. In 1998 I joined the Fraud Squad as a Detective Sergeant and that was the unit that examined computers. At the time there was one Fraud Squad officer working part time doing computers, just 12 jobs in the first year and a couple of those were looking at only one floppy disk. One day I made an executive decision and said to the part-time examiner, “the next time you answer that phone, call yourself the Hi Tech Crime Unit”, and so that’s how the Notts Police Hi Tech Crime Unit was set up. I managed the half-man unit which developed over 11 years to include both computer and mobile phone forensics with a total of 11 technical staff.
Yuri: What do you like about your job most? Less?
Harry: When I managed the police unit the worst part was trying to get the senior managers to take an interest and responsibility for our work and help to manage our resources to deal with the excess demand. This is a very common issue with UK law enforcement and is partly because digital forensics is black magic to a lot of senior managers who have difficulty managing the risks as they don’t understand the issues well enough.
The best part is trying to solve the many challenging puzzles that investigation and digital forensics present, when you solve something it’s the same feeling as when the ball hits the back of the net.
It was at a time when digital forensic software was in its infancy…
Yuri: In 1999 you prosecuted the first ever worldwide reported SMS spammer. What tools did you use? Was it really challenging? How did you manage to convince the court that your evidence was reliable, if it was the first case of its kind?
Harry: As well as managing the unit I was a hands-on examiner and this was one of my earliest cases. It was at a time when digital forensic software was in its infancy and the investigation was done mainly with Norton Disk Doctor. So a lot of it was using search strings to identify useful pieces of evidence and slogging through each hit; carving pictures amounted to identifying a header, manually selecting a block of data and then saving it. It was a really interesting case to investigate. SMS messages, as they were then known, were nothing like as commonplace as “text” messages are today, so when the offender sent out a message to 36,000 users on one network it crashed their SMS server. Steve Gold, famous for hacking Prince Philip’s Prestel account in the ’80s, reported the case as the first ever worldwide SMS spamming. The suspect had also created a virus which he circulated, damaging computers around the world, and when presented with the strong evidence I had recovered he admitted responsibility and pleaded guilty.
Yuri: How did you move to ADF from your job at the police? Why?
Harry: Nothing of note really, my force were making officers with 30 years’ service retire as we were too expensive at a time of serious public spending cuts.
I searched him and found a thin razor blade tucked under his tongue
Yuri: What was the most challenging in your police days?
Harry: Well, there was the time I was sent into a rough bar on my own to arrest a madman who had raped his sister-in-law and killed a police dog the last time he was arrested. Several drinks later, I managed to talk him to the police station where I searched him and found he had a garrote secreted under his shirt, a half of a broken pair of scissors tucked in each boot, and a thin razor blade folded and tucked under his tongue.
However that was easy compared to managing the HTCU and trying to meet the massive demand for our services with insufficient resources, and trying to explain to investigators that you couldn’t print out everything from a computer so they could look at it just in case there might be something of interest.
Yuri: What is the most challenging now?
Harry: Getting my head around the fact I am in a business as opposed to a public service and the different demands that brings.
Yuri: What is the most interesting for you in computer forensics?
Harry: Finding some new artifact and putting together some good information to help other investigators, for example I came across Mozilla session restore artifacts in an investigation and I believe I was the first person to write about browser restore artifacts and their value to investigations.
Initially, the officer said “I would trust him with my own kids” after interviewing the suspect
Yuri: What is the most interesting/unusual/complex case you or your colleagues have ever been involved in?
Harry: There was a standing joke in my office that nobody should ever ask that question as one of the team would start on a long story that had been told many times. The officer in question came back after interviewing the suspect in an indecent image case saying “I would trust him with my own kids” to which I said something unprintable and set him on his way to examining 20-odd items from the suspect’s home. It was a fascinating investigation as the suspect was highly technical, most of his computers ran a Linux OS and he used Windows virtual machines to surf for indecent images. He pointed his Mozilla cache to a folder on a Truecrypt volume, and had another Truecrypt volume which stored his indecent pictures. The volume with his pictures was a hidden volume so he could use plausible deniability. We had the password to the outer volume which was of no interest and he denied knowledge of a hidden volume so we had to use special police powers to demand the encryption key which he refused to give as he denied any knowledge of the volume. The Truecrypt key was eventually cracked by a national UK specialist unit and so we had access to all his pictures. Despite denying everything when it came to court we had such good evidence that he had to plead guilty and go to jail.
The examiner did the best computer investigation I had seen in ten years managing the unit, but we never let him forget his initial assessment of the suspect.
The home user will always leave artifacts on their computer
Yuri: Cloud computing is becoming very popular now. Do you think that forensic investigation is going to be much more difficult due to the cloud idea implementation?
Harry: I am not a great follower of the soothsayers predicting gloom; in that respect cloud computing falls into the same category as encrypted files, everybody using a Mac, and BitLocker. Yes there is a continuing move towards the cloud, particularly in business but also in the general population, nonetheless from a general law enforcement perspective, at least for a couple more years, the home user will always leave artifacts on their computer which will form the basis of most convictions regardless of whether or not they keep data in the cloud. The law on how the police agencies gain access to information in the cloud could do with some clarification and modernising.
Yuri: What do you think about social networks and forensic investigations?
Harry: In 2010 I gave an interview to a local newspaper about the frequency of Facebook being used in crime as it was reported that in 11 months we had seen a 346% rise in cases (from 13 to 58 – not very large figures really). The report went almost viral with it being reproduced all around the world but my view was that Facebook was no different than any other social media which was the trend in communication and so would naturally see an increase in crimes reported to the police. Social networks are a major method of communication and so will feature heavily in forensic examinations; the difficulty for examiners is keeping up with the changing trends of the users, the coding changes to the sites and consequently the artifacts, and the fact that a lot of the artifacts are volatile.
Yuri: What forensic resources do you regularly read? What would you recommend to others?
Harry: I have a list of 60 web sites or blogs and I use Update Scanner, a Mozilla add-on, to scan the sites for updates automatically. Whenever I come across a new site or blog I just add it to the list. I would recommend starting with Harlan Carvey’s blog and then check out his blog roll and see what else is available then repeat the process and it becomes an almost never ending trail.
Digital forensics is no different than any other area of police investigation
Yuri: What do you think every computer forensic investigator should know about triage? What is the most important difference between triage and a normal investigation? I mean from a process and tools point of view.
Harry: That would take a long time to answer properly so here’s the short version – the key to triage is that it should be devolved to investigators to conduct outside the forensic lab but be managed and controlled by the digital forensic unit who define procedures, provide the expert knowledge and monitor standards. There has been a prevailing attitude amongst forensic examiners that every item should be investigated just in case anything is missed but this is unrealistic and untenable. Digital forensics is no different than any other area of police investigation and must be subject to risk management decisions during an investigation. Triage is a process to assist in the management of the risks and if decisions are made taking into account the context of the case, the initial intelligence, and the extent and technical viability of the triage they will generally be sound decisions and assist in good management of resources.
Yuri: Give some predictions on what we will see in the next 5 years.
Harry: Every single mobile phone will be a smart phone, i.e. a computer, and all data will be sync’d between desktop, mobile and cloud. The largest proportion of digital investigations will be carried out by staff with basic training using automated tools and only the most serious cases will be dealt with by trained forensic examiners.
Yuri: Can you tell any funny story related to computer forensics?
Harry: Most of the funny stuff is too risqué for public exposure but I will offer this toned-down version of one case.
We used to deliver training to the cops on digital crime scene preservation and “STOP & don’t touch” was a key part of this. We had a great example to give them of how an officer had been caught out not doing this. The case was where a priest had been run over by a bus and when they took him to the mortuary they found some unexpected equipment inside the man’s underpants. The cops concluded they should go to the man’s home and check it out. Once there, one of them decided he would sit down, put his sandwich on the desk, have a cup of tea and switch on and take a look at the man’s computer. We later got to examine the computer and found that there was a webcam fitted and the priest liked to use it to record himself undertaking some therapeutic relaxation at the desk, well, all over the desk as it happened. We also found pictures from the webcam recording the cop undertaking his amateur computer examination and eating his sandwiches at the same desk. We had a great laugh showing the cop both sets of pictures and used them (appropriately edited and anonymised) as an example of what not to do at a digital crime scene.
Yuri: How old are you?
Harry: Late forties, very late actually, forty-eighteen.
Yuri: How many kids do you have?
Harry: Three, one university lay-about, one mental health worker, and one doctor.
Yuri: How do you spend your free time?
Harry: I am usually out every weekend mountain biking with my wife; we live on the edge of the city and can ride a short way up the road and then go for 30 miles off-road across the countryside. We sometimes take the day out and drive to a MTB venue in the UK and in the last couple of years we have also been to Sardinia and Spain mountain biking. We’ve enjoyed a few adventure holidays in France and Italy as a family doing a range of outdoor activities like abseiling, kayaking, windsurfing, land yachting, etc.
“DO NOT TOUCH LIABLE TO BITE”
Yuri: How many hours of sleep do you usually have?
Harry: A “DO NOT TOUCH LIABLE TO BITE” sign is displayed if I have less than 7.
Yuri: What is your favorite vacation spot? What is the most unusual place you have ever been to?
Harry: I don’t have a favourite spot as I would rarely go to the same place twice, I would prefer to go somewhere new as there are so many places to see. Unusual place – Mansfield town centre has some pretty strange sights at times.
Next time I will make an effort not to check the emails
Yuri: When did you have your last vacation? A real vacation, without any Internet and calls from your colleagues or customers?
Harry: This was never a problem working in the public sector but I can see it is very different now in the private sector. I think it is difficult to get away and not check your email. I almost did this late last year when I went on a cruise in the Mediterranean and the Internet service was not very good so I only checked my emails intermittently. It was actually the most relaxing holiday I have ever been on and I think next time I will make an effort not to check the emails at all if I can get away with it.
Yuri: Do you have a dream?
Harry: Nothing esoteric, win the lottery and retire would do just fine.
Yuri: Thank you for your extremely interesting and funny interview, Harry!