
Tuesday, July 3, 2018

AFoD Interview with Mike Swindells


I met Mike Swindells through Shafik Punja, and it was Shafik who had the capital idea of doing an AFoD blog interview with Mike so that AFoD readers could get an idea of what it's like for someone from a non-technical law enforcement background to take over leadership of a digital forensics team. My career puts me into contact with many law enforcement leaders who find themselves in similar positions, where they decided to take a risk with their careers and do something very difficult, but very rewarding. Many of these units focus exclusively or in part on combating child exploitation and human trafficking, so they make tremendous and life-altering differences in the lives of victims by identifying and rescuing them from further abuse. I have an immense amount of respect for people like Mike who decide to take the path less traveled in their law enforcement careers and to do something as difficult as conducting, supporting, or leading these investigations.

Mike Swindells' Professional (Auto)biography

I’m currently a Sergeant with the Calgary Police Service and since December 2017 I have been the supervisor of our Digital Forensics Team. I have a little over 16 years' experience with the CPS and have worked a combined 11 years in a front line patrol capacity both as a Constable responding to calls for service and as a Sergeant supervising various teams.  I spent 5 years working in an undercover surveillance unit where most of our targets belonged to organized crime groups, were homicide suspects or responsible for other violent crimes.

1. How did you get involved in law enforcement?

I originally worked as a Paramedic for 3 years close to Toronto prior to moving to Calgary in the summer of 2000.  When I got to Calgary I had trouble finding a job in EMS so I started looking into the other emergency services for work.  After attending some information sessions hosted by the Calgary Police Service I was interested enough to apply.  Fortunately for me, my previous work and life experience was a  great asset and I was hired by the CPS and started recruit class in November 2001.  My initial interest in joining the CPS was to have the ability to help people and make their lives better.  I really had no idea where my policing career would take me but over the past 16 years I’ve been lucky enough to work in a variety of different areas exposing me to many different sides of policing. 

2. How did your law enforcement career develop once you joined the Calgary Police Service?

From talking with colleagues and friends over the years I think my experience and career development has been very similar to other police officers.  I left recruit classes full of confidence and knowledge of what I had learned and hoped to apply my new skills in real life scenarios.  However I quickly learned that classroom policing is much different than policing in the real world!  The first team I joined had a very experienced group of officers and a Sgt with over 30 years of policing.  I would say my first officer coach was very intense, had high expectations of any recruit and was very good at her job.  I learned a lot from my first officer coaches and was exposed to many different scenarios.  I quickly learned that I enjoyed being what I refer to as a ‘calls for service’ police officer.  I liked attending calls, dealing with them at the time and moving on to the next call.  I think with most police officers you become very proficient and capable of attending any type of call within your first 3-5 years of policing.  I enjoyed working in a front line patrol capacity, but as I got more experience and exposure to the different units we have I began thinking of what I wanted to do next.

So after spending the first 6 years of my career as a front line patrol officer working in 2 different Districts I applied to work in an undercover surveillance unit.  At the time, it was the only dedicated surveillance unit in the service and it was highly sought after and very well respected within the CPS.  Lucky for me, I applied and was successful and began a new chapter in my career.  In order to work in surveillance I had to pass a very intense 3 week surveillance course which was very challenging but fun at the same time.  I spent a little over 5 years working in surveillance and I had some fantastic experiences and learned a whole new skillset.  When new members joined our team I began to enjoy mentoring and helping them become proficient at surveillance.  I also had the opportunity to fill in for my supervisor in an Acting Sgt capacity, something I really enjoyed doing.  The extra responsibility of running a team, dealing with any issues that would come up was challenging but rewarding at the same time.  Eventually I decided that applying for promotion to the rank of Sgt was what I wanted to do.  I enjoyed supervising people and was at a point in my career where I wanted a new challenge and opportunity.  Unfortunately the first time I applied for promotion I was unsuccessful but I didn’t let that stop me from continuing my personal growth and development.  I returned to patrol and was promoted 18 months later and began supervising front line patrol members.   One of the best things about our job is that constant opportunity to try new things and work in different areas.  So after almost 4 years of being a front line patrol supervisor I began looking at where my career would take me next.  Enter the wonderful world of Digital Forensics!  I had heard rumours that a Sgt position within our Cyber/Forensics Unit was going to become available so I reached out to former colleagues and friends who currently worked in that area.  
Not knowing a thing about Digital Forensics I began asking questions and visited our lab a few times.  Still, with very little knowledge I applied and got the job, which is where I find myself now.  The past few months have been very challenging at times however when it comes right down to it, I still supervise people and manage calls.  I don’t need to know how the guys do what they do, I just need to know what they are capable of doing.  And I must give credit to the group of police officers that I supervise now, they have all been excellent and patient when explaining things to me and when I ask ‘simple’ questions about forensics!

3. So you’ve entered this wild and wonderful world of digital forensics.  As you have settled into your new role leading a digital forensics team, what are some of the things that surprised you about the digital forensics world?

I think the biggest surprise was how much information and data is actually contained within digital devices and how much critical evidence can be found.  Coming into this world I thought it would all be about recovering deleted texts, emails and call logs from devices by simply plugging them in to a computer.  Not so simple as it turns out, and so much more information can be found.  Not being exposed to digital forensics before, I never really thought about how much data can be found on devices.

Next was the cost of running a digital forensics lab.  Software renewals and equipment are not cheap, and when certain companies are the only ones who can provide their service they can set their price wherever they like.  We all know that technology is always evolving and becoming better so new tools, software and training are required to keep up with change.  Courses are also so expensive!  When our members have completed their ‘basic’ courses at the Canadian Police College and are looking at maintaining and increasing their skillset we (in Canada) generally have to send our members to courses in the US.  Factor in the cost of travel, the exchange rate and the cost of courses and we can only afford to send our examiners on 1 course a year.  We are very lucky though, as the CPS has committed to giving us a healthy yearly training budget so our examiners do have the opportunity to attend various training courses.  (generally in very nice warm places :))

Another pleasant surprise, which in hindsight is not surprising at all is the level of commitment and knowledge that our examiners have.  All our examiners have such a passion for their jobs and really enjoy doing what they do.  Much like other specialty areas within our police service, our digital forensic examiners are just as passionate about their jobs as the members of K9, Tactical Team, homicide investigators or any other specialty area are.  They train and work just as hard as anyone else, they just happen to do it from behind a keyboard as opposed to a Glock.  If someone recognizes that we could be doing something better or that an app can be created to make our end product better, they will.  Everything our examiners do on a day to day basis is in an effort to make our lab more efficient and be better than the day before. 

As the months go by I’m still amazed by the work our examiners do but as I get to know them better and how smart they actually are I will be less and less ‘surprised’ with their brilliance!   

4. What does an average week look like for you in leading your team? What do you find yourself spending the most time on?

The majority of my time is focused around managing our Intake Queue and deciding which files should be assigned next.  When I first started back in December 2017 we had around 20 files waiting to be assigned, currently we’re at 45 with close to 100 exhibits requiring our attention.  The majority of our files come from our Major Crimes Section, those being Homicide, Sex Crimes and Child Abuse.  Some files only have 1 or 2 exhibits while others can have anywhere from 10-15.  Our in house Intake Queue was designed by one of our techs and provides a lot of information that helps me decide which files are assigned next.  One of the biggest factors involved in deciding when a file is assigned is if there is a search warrant attached to it and when it expires.  More than 50% of our files have search warrant time frames so I always have to be aware of when they expire so that I don’t have to tell the investigator that they need to request an extension if we are unable to examine their device within the initial time frame requested.  Crimes against people often take priority over property or drug related files, however I still think it’s important to have those files/devices examined so I try to alternate assigning major crimes files with the other ones that come in.  I also feel strongly about assigning files from our front line patrol members as quickly as I can.  Our front line officers are so busy and overworked that if one of them has taken the time to seize a device and write a search warrant then I think it’s very important to show them that we are willing and capable of helping them out when they need it.

Another big part of my job is offering advice when it comes to safely seizing and storing an electronic device, and how to write a search warrant for it, prior to it coming to our office for examination.  I also find myself having to explain to investigators why it takes so long to examine and extract data from devices.  Currently we ask for a 6 month time frame to examine devices, which can be frustrating for investigators especially if they need evidence from a device prior to laying charges.  Everyone’s file is very important to them and they want as much information or evidence as is available to them, and sometimes having to wait months isn’t what they want to hear.

When I first started in DFT I wanted to expand my technical knowledge base around computers and cell phones but I had no idea where to turn.  Thankfully I was directed to your organization and I started taking the on-line courses that NW3C provides to the LE community.  So in the first few weeks of supervising the members of DFT I completed at least one or two on-line courses so I had a better understanding of what the guys were talking about!  Since then I’ve moved on to taking on-line CompTIA A+ courses to expand my limited knowledge base further.  I have to admit that even though I was never close to being a ‘computer geek’ or even interested in the internal workings of computers I’m really enjoying learning about these things and think I’ll continue taking courses and seminars when time permits.  With my increased knowledge base I also like shadowing the guys in the lab and watching them work and having them explain what and how they are doing things.  Lately I’ve been trying to help out by starting the initial exam process by doing the relatively simple things like photographing the exhibit and extracting the SIM card information so when the file is assigned the guys can get straight to the examination process.

Other typical supervisor things I do on a weekly basis include managing time off, vacation requests, approving time sheets and advocating to my bosses that we are working at over capacity and need more techs.  I hope this gives a brief glimpse into our lab in Calgary and what my typical work week looks like.

5. What sort of cases does your team get involved with?  

Our team examines devices from almost any criminal offence you can think of.  The files that take up most of our time however are generally homicide files that can have anywhere from between 1-15 exhibits that require examination.  Currently our intake queue has 45 files waiting to be assigned and they include homicides, sexual assaults, aggravated assaults, child abuse, fraud, criminal harassment (stalking), drugs, voyeurism, extortion, stolen property and break and enter files.  Occasionally we are asked to attend crime scene locations to examine devices on site or attend search warrants for the same reasons.  When time permits some of our techs also get involved in R&D to create apps or troubleshoot problems that come up.  One recent example of this is that one of our techs has written a script to help decrypt secure notes found on an iPhone that were extracted by our Graykey for another local police agency.  The app he created is now being shared with a Detective from Nashville investigating a child abuse case where potential evidence is located in the secure notes feature of an iPhone.  Unfortunately our guys are so busy that not enough time can be dedicated to R&D, which is unfortunate since they create very useful apps that make their jobs easier and more efficient.  Historically they have also been asked by other work areas within the CPS to create databases to help those areas track their files.  For now though, until our work area is better staffed the R&D work they do has to take a back seat so that we can keep up with the work we get on a daily basis.

6. What advice would you give someone else who found themselves in charge of a similar unit without having done digital forensics work prior to that assignment?

Good question.  I think the biggest thing to remember is to not get too hung up on the technology side of things and remember that you are first and foremost a supervisor and not a digital forensics tech.  For me it was very important to begin by understanding what the techs on our team are capable of doing but not necessarily understanding how they do it.  This is still a work in progress but the guys are very supportive and patient with my questions.  I know that I will never come close to having the same level of computer/technical knowledge or experience the guys have and I accept that, which goes back to my first point of realizing that I’m a supervisor and my job is very different than theirs.  I would encourage anyone thinking of taking on this role to attend their lab, speak with the techs and actually see what their jobs are all about, it might surprise you.  Be prepared to say ‘no’ as well.  Software, hardware and training are all very expensive, and as nice as it is to have every tool at your disposal it’s just not financially feasible for techs to have everything they want, not necessarily need, especially for a municipal police service like ours.  Looking back I would also consider completing the CompTIA A+ course prior to managing a lab.  Although it’s not necessary, and I still firmly believe a supervisor does not need previous computer or tech experience, it would definitely help especially if you could speak a little bit of computer language with your techs.  Not to belabour my first point but I think the most important thing to remember is that you are a supervisor and it’s your job to supervise the people in your lab.  Everything else will fall into place if you keep that your priority.  The past 6 months have definitely been eye opening for me, especially on the technical side of things, but overall supervising a digital forensics lab with no previous experience has had its challenges however is very rewarding and enjoyable.

Saturday, January 20, 2018

Blockchain and Digital Forensics

The page view metrics for the blog are starting to come back and I’m starting to see more engagement on what I’m writing because of that. You can follow and communicate with me in public on Twitter, Facebook, and LinkedIn, but I’m finding that most people are comfortable just talking in private.  Twitter direct messages have been quite popular, for example, and I’m fine with however people like to talk. Semper Gumby. 
It turns out I have a bit of a Paul Revere thing going on when it comes to the convergence of blockchain and digital forensics given that I’ve been yelling “The blockchains are coming! The blockchains are coming!” for several posts now that I’ve returned to blogging. Okay, fine, they’ve already been here for years, but I don’t think enough people understand that in the digital forensics world. 

The responses that I’ve gotten from my blockchain posts have ranged from dismissive to agreement that blockchain is here to stay and that the law enforcement and digital forensic communities need to get ramped up on this much quicker.  The responses that spurred me to write this post were the ones that essentially said, “Fine, Eric, I believe you.  What exactly do I need to know?” as well as ones that roughly said, “I’m not saying you’re smoking your socks, but I remain skeptical.”

I think the best place to start is to explain how I tend to view computer crime investigations from a larger conceptual standpoint. There are a variety of models for how both public and private organizations can structure their investigative teams.  Back in the early days of the blog when I was working in northern New Jersey, I got to know some of the members of the NYPD Computer Crime Squad. They were nice enough to invite me to visit them from time to time at 1 Police Plaza which was - at least at the time - their home.  I don’t think I know anyone on the squad these days because given their in-demand skill set and way their retirement program worked, the people on that squad tended to have a Logan’s Run thing going on where they’d “renew” into the private sector pretty quickly after their twenty year seniority mark.

Obscure [ed. note: but clever, darn it] 1970’s 23rd century dystopian science fiction movie references aside, the NYPD Computer Crime Squad at the time had two main components. There were the detectives who did the computer crime work dealing with investigations like online account compromises, web site defacements, computer tampering, as well as providing computer crime support to traditional NYPD investigations.  The other component were the detectives who did the hands on digital forensic examination work.  The computer crimes people were the first people I saw when I entered their work space so I think of them as the front of the office people and the digital forensics detectives were in the back of the office in a secured lab.

From a front office perspective, computer crimes investigators have to learn blockchain at least at a conceptual level so that they can explain it to the public, judges, juries, prosecutors, and other law enforcement officers.  They’re going to be seen as subject matter experts on this whether they like it or not.  At some point, for example, they’ll be getting a phone call in the middle of the night from a major crimes team saying they have a kidnapping and the bad guys want the ransom paid in Monero... and what the heck is that? They’re also going to have to understand blockchain at enough of a technical level to understand how value is traded using various blockchains so that they can be effective investigators who can also communicate and educate others. For example, they’ll need to explain concepts such as how people can use online digital currency exchanges, how blockchain wallets work, and concepts such as mining and proof of work.

Basically, the people who investigate computer crime need to learn it well enough to teach others and I’ve found that’s one of the best ways to learn something.  I forgot who told me this first, but if you want to learn something put yourself in a position where you have to teach it.  I find blockchain gloriously frustrating in that respect. Rob Lee injected more than a few things into my vocabulary over the years. I’ll never forget him telling the students in a digital forensics class that he was teaching that being frustrated was good because it meant that they were eager to learn.  He said if they weren’t frustrated, they either already knew the material or they didn’t care.

The back of the house people have the same problem set as the front of the house people (and in some departments, it’s the same people doing everything), but they also have to understand how to do blockchain investigations through the digital forensics process.

So, what does blockchain look like on the digital forensics end of things?

One of the key elements of blockchain technology is the use of wallets.  Wallets come in forms such as hardware wallets, desktop wallets, mobile phone wallets, and web wallets.  So, you have all of the standard digital forensics artifacts that you could get when you have someone interacting with software on a device or, in the case of the web wallet, interacting with the wallet using a web browser.

Michael Doran did a fantastic white paper entitled “A Forensic Look at Bitcoin Cryptocurrency” on Bitcoin forensics back in 2015. His paper has a nice introductory portion about Bitcoin and cryptocurrency and then dives into his research on the forensic examination of a desktop wallet. He’s a great example of a sharp digital forensics person who saw a trend early, dug into it, and shared his knowledge with the rest of us.  I expect we’ll see someone do something similar down the road on a server set up for blockchain mining.

On the web wallet side of things, most of my research into blockchain has utilized web-based wallets so that I can do research pretty much anywhere I have the time and Internet access. I’ve found the URLs to be really chatty when it comes to things like transaction data.  You can see this transaction as an example of one that I did awhile back.  Thus, you’ll see useful information in your web browser forensic tool, and then you would get more information about the transaction when you went to the link yourself.
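As an added illustration of the two points above (wallet artifacts left by browser use, and URLs that carry transaction data), here is a small scanner over exported browser-history lines. It is example code written for this post, not a tool from the original; the history lines, hostnames, transaction id and addresses are all constructed placeholders, not real artifacts.

```python
"""Pull cryptocurrency transaction and address artifacts out of browser history URLs.

Added example, not from the original post. Block-explorer and web-wallet URLs
often carry the transaction id or address in the path, query or fragment, so a
history export from a browser forensic tool can be scanned for them directly.
"""
import re
from urllib.parse import urlsplit, unquote

# A transaction id is a 32-byte hash rendered as 64 hex characters.
TXID_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
# Legacy/P2SH base58 addresses (1... or 3...; base58 omits 0, O, I, l)
# and bech32 addresses (bc1...; bech32 omits 1, b, i, o).
BTC_ADDR_RE = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[02-9ac-hj-np-z]{11,71})\b"
)


def extract_artifacts(url):
    """Return {'host', 'txids', 'addresses'} found in one URL.

    Path, query and fragment are all searched, because single-page web
    wallets frequently keep their state after the '#'.
    """
    parts = urlsplit(url)
    haystack = unquote(" ".join((parts.path, parts.query, parts.fragment)))
    return {
        "host": parts.hostname or "",
        "txids": sorted({m.lower() for m in TXID_RE.findall(haystack)}),
        "addresses": sorted(set(BTC_ADDR_RE.findall(haystack))),
    }


def scan_history(lines):
    """Scan 'timestamp<TAB>url' lines; return only the rows that carry artifacts."""
    hits = []
    for line in lines:
        timestamp, _, url = line.rstrip("\n").partition("\t")
        found = extract_artifacts(url)
        if found["txids"] or found["addresses"]:
            hits.append({"timestamp": timestamp, **found})
    return hits


# Constructed sample history (placeholder hosts and made-up values).
SAMPLE_TXID = "ab" * 32
SAMPLE_HISTORY = [
    "2018-01-19T21:14:02Z\thttps://explorer.example/tx/" + SAMPLE_TXID,
    "2018-01-19T21:15:40Z\thttps://wallet.example/#/send"
    "?to=1ConstructedSampLeAddrXYZabcdefgh&amount=0.01",
    "2018-01-19T21:16:03Z\thttps://explorer.example/address/"
    "bc1qsamp9x8gf2tvdw0s3jn54khce6mua7l",
    "2018-01-19T21:17:11Z\thttps://news.example/articles/blockchain-forensics",
]

if __name__ == "__main__":
    for hit in scan_history(SAMPLE_HISTORY):
        print(hit["timestamp"], hit["host"], hit["txids"], hit["addresses"])
```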

There is, of course, always going to be the eternal malware issue. Blockchain mining malware analysis is already a thing, of course, which shouldn’t be a surprise to anyone. What I’m really curious about is just how chatty the mining malware is in regards to giving clues on to “who is getting happy” due to the malware.  I had a really great former investigative leader that I worked for who was a former Chicago police officer. He mentored me in investigations and used to tell me one of the things you wanted to know was who was getting happy from a criminal scheme whether it was financial or otherwise.  In other words, who is getting a positive benefit from this malware?

There is also the blockchain tracking aspect of doing these investigations.  I’m a bit ambivalent about that right now in regards to how that is going to play out in the investigative world.  I think it will ultimately be increasingly difficult to do as we see the rise of blockchains that are specifically designed to prevent that from happening. Bitcoin lends itself well to tracking transactions since it’s a pretty open system even if there are ways to obfuscate what is going on. There are firms that offer up software to help the tracking process and there have been people like Kevin Perlow who have done good work educating people on the topic of tracking. Kevin did a presentation awhile back on “Tracking Bitcoin Transactions on the Blockchain” and you can find the slides here and the presentation here.

I’ll leave you with a quote from blockchain luminary Preethi Kasireddy that we all should be taking to heart when it comes to our responsibilities to learn and educate in the digital forensics world.


  

Friday, April 16, 2010

Additional Thoughts on Kindle Forensics

We're in an exciting time in digital forensics. It seems like each week we have a sharp digital forensic researcher discovering some new method or creating a new tool for us. We have seen incredible advances in traditional hard drive forensics and we have the wonderful and relatively new world of mobile device forensics to explore.

I've been doing digital forensics for many years now and one of the things I've noticed about digital forensics people is that we sometimes tend to engage in catastrophic thinking when it comes to advances in technology and the future of digital forensics. We've all seen the various predictions that hard drive sizes, thin clients, encryption and other advances would spell the end for digital forensics. In fact, these advances show that our skills will become more in demand. However, we will have to constantly keep our edge sharp or we will fall behind. There will always be some sort of digital technology that will require a digital forensics practitioner to examine. Digital forensics will no more fade away than will technology or law, but it will be a constantly changing field.

The Kindle is a great example of how technological advances will provide examiners new opportunities for their examinations, and also of why examiners need to invest a considerable amount of time keeping their technological edge. The Kindle isn't a computer and it's not a cell phone, but it has qualities of both.

I recently received an Amazon gift certificate from a friend of mine. Amazon can distribute their gift certificates through email. In this case, the gift certificate was sent to my email address and included a code that I could enter into my Amazon profile to credit my account for the proper amount. Of course, I used that amount to purchase several books for my Kindle.

The Kindle book store can be accessed by the Kindle itself through the device's 3G network connection. There isn't any need to connect the device to a computer to download purchased content like you would for something like iTunes. You merely access the Kindle store via your Kindle device and you can purchase your books using your Amazon account. Another option is that you can log onto the Kindle bookstore on a computer using the Amazon website. You can then shop for Kindle books, purchase them through the website and have the content delivered to your Kindle via the wireless network. This is what I did with my gift certificate and after I had made my purchase, I picked up my Kindle and the books were on my device.

Great stuff for the consumer, but something that a forensic examiner would need to be very aware of when dealing with the Kindle as evidence. The last thing you want is to have a Kindle sitting in your evidence room waiting to be examined and to have additional content land on the machine and potentially overwrite existing evidence.

My advice is to treat the Kindle like you would any other mobile device examination up to and including using a shielded environment where the device can't phone home. A good research project for someone would be to determine whether or not it's safe to keep the device outside of a shielded environment if the 3G network is disabled by the examiner.


Tuesday, April 13, 2010

A Cursory Look at Kindle Forensics

I recently purchased a Kindle which I have come to adore. It's one of those devices that make it hard to imagine what life was like before you purchased it. However, being the hopeless forensic geek that I am, I had to figure out what sort of forensics could be performed on the device. (No, I have no idea how I got someone to marry me. I really don't.)

I purchased the current generation Kindle with the 6" screen. This model provides the user the ability to plug the device into a computer via a USB port to interact with the device. Amazon accomplishes this ability by creating a 1.5GB portion of the device that is visible and accessible to the user as if it were a standard USB storage device.

From the research that I have conducted so far, it appears that you can treat the Kindle as you would any other USB storage device for imaging purposes. The best way to do it is to use the USB cable that Amazon provides for connecting the Kindle to a computer. You can then write block a Kindle like you would any USB device. For my research, I used a Tableau T8 USB Forensic Bridge and was able to make the image using EnCase without any problems.

I haven't spent much time on the analysis portion of this research. However, I can report that the Kindle USB drive shows up as an mkdosfs/FAT32 volume. This makes sense given that the Kindle runs some sort of Linux OS that we can't see via this USB capture process.

There are some interesting artifacts of the low hanging fruit variety. For example, the "userannotlog" file located in the system folder. It lists the last book that I read, what my position was in the book, and it also includes clear text time stamp information that correlates with when I know I was reading the book in question. Very cool.

The "documents" folder, as you might expect, contains the actual content that I have on my Kindle. I don't have much on it right now, but each book has an .azw file which is the actual content of the book in a proprietary format and a .mdp file that...well, I don't know what it does at this point.

There is a "search indexes" folder in the system\search indexes folder path that, one assumes, keeps track of searching done on the device. I bought a wine book in which I did a search for the word "Pinotage" (Sigh. Yes, add "wine geek" to my list of vices...) and I used that as a keyword for a search...and came up with nothing eventful. There were about 20 hits on the word, but all of them in the context of other words in that alphabetical range, so nothing that would show that I searched for that word.

You'll find a lot of indexed words in system\search indexes\Index.db. What I'm seeing already is that there are three bytes before each word that are clearly meaningful. For example, the word "pinewood" is preceded by 0x740008. So what we have is the word "pinetorch" and then 0x740008 and then the word "pinewood". I don't know what the 0x74 means or if it's associated with the word "pinetorch" or "pinewood", but the 0x08 is the length of the pinewood entry. It's probable that this length indicator actually uses two bytes, which would make 0x0008 the bytes that indicate length. I'm seeing this behavior consistently in this index file where a word is preceded by byte(s) whose hex value correlates with the length of the word that comes after the byte(s). Interestingly, I'll see a block of words pretty close together and then one word will end with 0x7A instead of 0x74 and then there won't be any more words until a new block starts again about 900 or so bytes later. Towards the end of this file, there is a listing of the books on the Kindle and the paths to their associated files.
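To make the observed structure concrete, here is a carver written for this post (not a tool from the original) that walks a byte buffer for the 0x74 + two-byte big-endian length + word pattern described above and treats a 0x7A byte after a word as the end of a block. The two-byte length, the meaning of 0x7A and the sample bytes are all assumptions built from the description, not from a real Index.db dump.

```python
"""Carve length-prefixed word entries from an Index.db-style byte stream.

Added example, not from the original post. Assumed layout, taken from the
observations in the text:
    0x74 <uint16 big-endian length> <word bytes>
with a lone 0x7A byte after the last word of a block. The SAMPLE buffer is
constructed to match that layout; it is not data from a Kindle.
"""
import string
import struct

WORD_MARKER = 0x74   # byte seen before each word
BLOCK_END = 0x7A     # byte seen after the last word of a block (assumption)
WORD_CHARS = set(string.ascii_letters + string.digits + "-'")


def carve_index_words(data, min_len=1, max_len=64):
    """Return a list of (offset, word, ends_block) tuples found in *data*.

    An entry is accepted only when the marker is followed by a plausible
    length and that many printable word characters, so stray 0x74 ('t')
    bytes inside filler do not produce entries. Heuristic carving only.
    """
    found = []
    i, n = 0, len(data)
    while i + 3 <= n:
        if data[i] == WORD_MARKER:
            (length,) = struct.unpack(">H", data[i + 1:i + 3])
            start, end = i + 3, i + 3 + length
            if min_len <= length <= max_len and end <= n:
                word = data[start:end]
                if all(chr(b) in WORD_CHARS for b in word):
                    ends_block = end < n and data[end] == BLOCK_END
                    found.append((i, word.decode("ascii"), ends_block))
                    i = end + (1 if ends_block else 0)
                    continue
        i += 1
    return found


def group_blocks(entries):
    """Group carved words into blocks, closing a block at each 0x7A terminator."""
    blocks, current = [], []
    for _, word, ends_block in entries:
        current.append(word)
        if ends_block:
            blocks.append(current)
            current = []
    if current:
        blocks.append(current)
    return blocks


def _entry(word):
    """Build one constructed entry: marker, big-endian length, ASCII word."""
    return bytes([WORD_MARKER]) + struct.pack(">H", len(word)) + word.encode("ascii")


# Constructed sample: two words of filler, a block of three words closed by
# 0x7A, a zero-filled gap standing in for the ~900-byte gap the post
# describes, then a second block.
SAMPLE = (
    b"\x00\x01"
    + _entry("pinetorch") + _entry("pinewood") + _entry("pinotage")
    + bytes([BLOCK_END])
    + b"\x00" * 16
    + _entry("riesling") + _entry("shiraz")
    + bytes([BLOCK_END])
)

if __name__ == "__main__":
    entries = carve_index_words(SAMPLE)
    for offset, word, ends_block in entries:
        print(f"0x{offset:04x} len={len(word):2d} {word}{'  <end of block>' if ends_block else ''}")
    print(group_blocks(entries))
```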

There is also a reader preferences file in the system\com.amazon.ebook.booklet.reader\reader.pref location. It has a clear text time stamp that appears to correlate with the last time I used the Kindle. It also declares what preferences I'm using for a dictionary, the type of justification I'm using and the last book I read.

There's a white paper in here for someone somewhere.