Teaching two of our cell phone labs in just two weeks is Lee Reiber, owner and lead trainer with Mobile Forensics Inc. One of the pioneers of cell phone forensics – he’s been involved with mobile forensics training since 2005, and bought MFI just as the industry started to take off the following year – Reiber will be presenting two 2-part labs in Atlanta:
- Cellular phone examination fundamentals using automated tools (with Chris Sanft of AccessData)
- Beyond the tool! Do you really care? And why you should
HTCIA: What do you like best about training, and why?
LR: I like the interaction as opposed to just standing up there and talking. I like the feeling that after the day or the week is done, I have contributed something to law enforcement. When you have done the research, and you have information to share with a class, and you see the lightbulb come on and students say things like, “I never thought of it that way before!” that is very gratifying.
HTCIA: What do you like to see from your audiences?
LR: Lightheartedness. Enjoy the class, don’t take everything too seriously. This is where interaction makes a class different from a lecture!
In fact, my favorite classes are often those where students are required to be there. They have this “Why am I here?” look on their faces – so I start making fun of them. This is what cops do and what they expect!
I do think I have an advantage from having a background in law enforcement. I was a sworn Boise officer for 15 years, 10 of which I worked in digital forensics, and that perspective – my personal experiences with investigations – helps law enforcement students especially relate to me better.
The key is to get them talking about their own experiences, so that we can all learn from each other. Even so, many times students do not want to talk. Sometimes, like in a foreign country, there’s a language barrier and they’re afraid of saying something the wrong way. Other times, they don’t want to sound stupid.
But I’ve found that treating students with respect and understanding, as peers rather than students, and in a way that shows I’m learning from them too, gets us over that hurdle.
HTCIA: How long have you been an HTCIA member? What do you like best about the organization?
LR: I’ve been a member since about 2004. I like the networking and the training opportunities I get through our local chapter. The Idaho chapter is very good about getting information to those members who cannot make their meetings, which helps.
I also appreciate the opportunities I have had to travel to other chapters, especially for teaching, and the knowledgeable people I’ve been able to meet as a result. That network becomes a pool of resources that will be invaluable if you use it!
HTCIA: Tell us more about Mobile Phone Examiner Plus and how it fits in the mobile examiner’s toolbox.
LR: I have always taught [AccessData’s Forensic ToolKit] FTK in my classes, teaching students how to take the data they get from BitPim or Cellebrite UFED or Susteen SecureView and forensically analyze it.
MPE+ makes all that easier. It’s not “married” to FTK, but it allows FTK to do things with file systems that it can’t with data acquired by other tools. Because MPE+ is such an easy fit with FTK, it allows for easier evidence parsing.
That’s important because it furthers our goal of changing examiners’ view of “push button” forensics. Some “push button” is necessary to make the job easier, of course. But we want to make people look beyond automation to find artifacts on different file systems – we want to take mobile forensics to the level of computer forensics, where you’re not just dumping data but also analyzing it to nail down that “smoking gun” data.
Right now MFI is offering one-day training on MPE+, just like we do on GPS forensics, BitPim, Oxygen and other tools. But we do plan to include it in a portion of our training alongside Cellebrite UFED, Paraben Device Seizure and Susteen SecureView.