Forensic Fix

Forensic Fix Episode 14

Episode Summary

In the 14th episode of Forensic Fix we catch up with Matthew Sorell, a digital forensics consultant for DFSA and senior lecturer. Matthew has vast experience spanning over 26 years and played an active part in the FORMOBILE project. Matthew is currently launching QMAP, an exciting analytical tool, and the pair also discuss other topical subjects before discussing what Matthew gets up to in his spare time.

Episode Notes

In this episode, Adam Firman is joined by Matthew Sorell from Digital Forensic Sciences Australia.

Matthew is also a professor at the Tallinn university of Estonia and honorary consul for the Republic of Estonia in Australia.

The pair discuss what is involved in digital forensics, what is involved in lecturing and some exciting projects that Matthew has been working on.

You can connect with or follow Matthew by visiting his LinkedIn page: Matthew Sorell | LinkedIn

The show finishes with what Matthew gets up to in his spare time; it will certainly ring your bell!

Thank you for listening to Forensic Fix - a podcast brought to you from MSAB. 

Episode Transcription

Adam Firman (00:04.558)

Okay, so welcome to episode 14 of Forensic Fix, a podcast brought to you from MSAB where we invite guests from the industry to discuss the latest news in DFIR, current issues, and a general chat about all things digital forensics and investigation. So I'm your host, Adam Firman, a tech evangelist here with MSAB. So I'm delighted to announce that today we have Matthew Sorell joining us on episode 14 of Forensic Fix. Now, Matthew, you have an extremely impressive career in digital forensics,

 

and you've been working in the tech industry since 1998. You've been a digital investigations consultant and you're a senior lecturer on the subject for many different universities over the years. You've also been involved in the highly regarded FORMOBILE projects where you acted as scientific advisor. At this present time, you are the director and CTO for DFSA, which is Digital Forensic Sciences Australia, as well as being a professor teaching students on behalf of the Republic of Estonia.

 

So Matthew, I've given our listeners a small insight into the history of your journey and why you're so passionate about educating people in regards to digital forensics and investigations. For those of our listeners who are not aware of the work that you've done in this space or of yourself, can you give us some more details about your past, your career path, and how you ended up being in Australia and working on behalf of the Republic of Estonia?

 

Matthew Sorell (01:30.82)

Yeah, well, good day, Adam. It's a bit of a long story, really. And of course, I had to get that good day in there just to emphasize that I'm actually watching the sun go down in my backyard on a nice warm, summer evening just to rub it in for the rest of you. So I've been in computers and electronics for pretty much most of my life. In fact, I was in the office today and pulled out my Exidy Sorcerer, which was our first computer in 1978.

 

I was still in primary school, but that's how I learnt how to programme. I worked my way through an engineering degree. In fact, I even worked in radiotherapy physics and in defence before I went into the telecommunications sector in 1998. I was born and raised in Australia. Also studied, did my PhD in America at George Mason University in Virginia, which has...

 

some fairly good credentials now in digital forensics, so that wasn't my field at the time. And then when I was working in radar and defense, and I have to say that being a small cog in a small wheel of a small cog of a much larger American program just bored me silly. So I joined this rather risky consulting organization in telecoms and discovered that you can make quite a big difference in the telecommunications sector.

 

It's the same toolkit applied to a slightly different problem, radar through to telecommunications. So actually my background, although it starts in computers and software, very much goes into the telecommunications space and quite a fun multi, fun space to be in, ended up also teaching multimedia systems.

 

And a couple of little highlights, if you like, from the early 2000s. One was that I was approached by the film director, Rolf de Heer, who was concerned about how he was going to put microphones on a group of naked Aboriginal men in a swamp in the north of Australia to film a group of men speaking in their native Yolngu Matha dialects, with a script that was descriptive of what they were going to talk about.

 

Matthew Sorell (03:53.572)

in the middle of a crocodile, leech and mosquito infested swamp. And that was a fun exercise to be up there in the swamp area. What we ended up doing was everybody was wearing one of these little USB battery powered microphone solid state recorders. And it came to me one day when I was teaching and a student said, can I record your lecture? This is the days before podcasts like this one.

 

Adam Firman (03:56.512)

So, that was fun. This is supposed to be a fun video. What we are not doing is everybody wearing a USB battery pack to a microphone so that they can come to me and teach me.

 

Matthew Sorell (04:21.388)

recorded my lecture. I got timid at the lecture and said, guys, I have to go. I have to write this down. So if you want to see the outcome of that film called 10 Canoes, which actually won several awards at Cannes and other festivals. Around about the same time I was approached in a fairly unpleasant case, I won't give you the details, but it involved one of these newfangled digital cameras. And I realized that no one was doing the science about.

 

Adam Firman (04:27.022)

So if you want to see the outcome of that, think about switching out.

 

Adam Firman (04:38.286)

surprised.

 

Matthew Sorell (04:49.604)

metadata and validation of digital images at that time. I mean, there was Jessica Fridrich's early work on PRNU fingerprinting. So that opened up a new field. And then we stepped forward to 2016 and I was approached by South Australian police because they had a murder victim who was wearing one of these very newfangled Apple watches. And they suspected that they had biometric data.

 

that might give us some insight into her death, which turned out to be true. And as far as we are aware, this was the first, it's certainly one of the first cases where we had Apple Watch and health data providing a compelling timeline of the series of events of essentially the lead up, the fatal assault, and then the last signs of life of a murder victim. So that was a big deal.

 

Adam Firman (05:18.478)

students.

 

Adam Firman (05:22.446)

Yeah.

 

Matthew Sorell (05:46.98)

And it opened up a relationship with South Australia police, opened up a relationship then with others, including Interpol and police agencies throughout that area. And at the same time, I'd started up a cybersecurity collaboration program between the Tallinn University of Technology in Estonia and here at the University of Adelaide in Australia. So I was back and forth between the countries, bringing groups of students.

 

Adam Firman (06:10.35)

here in the University of Bethlehem, Australia. So I'll be spending a few minutes watching the countries where there are resistance.

 

Matthew Sorell (06:16.184)

back and forth. So that was another interesting area to work in. And then I was approached then by the Tallinn University of Technology, or TalTech as we call it, to teach a course on mobile phone forensics. This then coincided with about the beginning of the FORMOBILE project.

 

Adam Firman (06:20.014)

That's not like you just need to hear it.

 

Adam Firman (06:41.782)

Yeah.

 

Matthew Sorell (06:41.988)

And what I brought to the FORMOBILE project was first a lot of experience in teaching. So I contributed towards the education package. I also had an interest in the standards. So I was also one of the contributors to the CWA 17865, I think is the number. Somebody's got to pick me up on that on the podcast afterwards if I got the number wrong. And...

 

spend a bit of time working in that space. And then one of the major contributions that I then brought to that table was the mobile network data area, which is somewhat underrepresented in capability in law enforcement, but also very much my background in telecommunications and telecommunications systems. So that's an area where.

 

Adam Firman (07:11.982)

spent a lot of time looking at SOS and they want magical creations.

 

Adam Firman (07:21.71)

which is so amazing to me.

 

Adam Firman (07:28.586)

Yeah.

 

Matthew Sorell (07:39.876)

moving fast moving forward. Over the last year, we've just been swamped with requests first from law enforcement and then from prosecutors and from time to time from defense when they get in in time in our real court system to review mobile network records. And this is a specialist area that we're really unique in Australia as being the only court recognized independent experts in that.

 

Adam Firman (07:54.294)

Mm-hmm.

 

Matthew Sorell (08:08.932)

in that space.

 

So big, big long journey in five minutes. There you go.

 

Adam Firman (08:11.95)

And what do you mean by sort of mobile networks and the missing space? Is that the information provided by telecom providers?

 

Matthew Sorell (08:25.058)

Yeah, so we hear a lot about these days about having to do, for example, RF surveys of crime scenes, which is fine if you're there on the day. It's not so good if it's three years later, two years later, even six months later. But, you know, we see communication records, call charge records. We now get signaling records from the mobile networks. These are very, very easy to interpret, but they're very difficult to interpret correctly.

 

Adam Firman (08:39.406)

Yes.

 

Matthew Sorell (08:54.884)

And so everything from time zones to the subtleties of a data session that tells you a start time and an end time, and it gives you a start location and an end location. And so the naive approach with that is to say, well, the start time, you're at this cell and the end time you're at that cell. And you look at that and say, well, actually the start time is when the session was opened.

 

the start cell is the first cell where you actually transfer data during that session. So it's completely conceivable, in fact quite common, that you'll have a four hour data session and it only was actually actively used for the first three minutes. And now we can explain that. Now you've got to explain that and defend it in court.

 

Adam Firman (09:26.414)

Yeah.

 

Adam Firman (09:44.878)

Yeah. I remember vaguely back from my days in the police, one of our specialists who sort of went out and did the RF surveys and exactly as you highlighted really that it was a fact of doing it pretty much straight away because masts change and signals change and all those sort of extremities that we have to think of. But I remember him telling me a vague story about if somebody was to commit a murder, the best thing they could do.

 

this isn't promoting how to do it, but was almost like make a phone call as you leave and then that sort of mix it. I can't remember the full details, but he sort of said if you left that phone connected, it would really complicate matters for the investigation.

 

Matthew Sorell (10:30.14)

Yeah, and so in the old days, yes. So these days we get signaling records. So I've spent a bit of time today in court actually explaining the signaling records that we get from one of our telcos here in South, in Australia, and some of the limitations that that has. And of course, one of the key differences here is if we look at mobile phones, right, so we're looking at iPhones, for example. iPhones are a particular ecosystem that Apple has. They vary a bit over time as...

 

as the evolution of the hardware evolves, as the versions of iOS change. But largely, once you know how an iPhone X works, you can establish how an iPhone 11, how an iPhone 12 works, how iOS, once you've got iOS 15, actually iOS 14 to 15 was a bit tricky, but then after that, you get that evolution and you can see that. But that's a game really of just keeping up.

 

Mobile networks are bespoke systems that are cobbled together over 30 years with string and snot. And everybody does their own thing. So to give you an example, it's a very sensible thing these days for everything to be timestamped in UTC, regardless of which country you're in. Back in 1992, Vodafone's second network in the world was here in Australia. And they decided that they were going to use Vodatime.

 

which is Australian Eastern Standard Time, 10 hours ahead of UTC. And that is now so hardwired into everything they do that we've now got this exceptional complication with one network. The other advantage that we as a business have is that we're based in Adelaide in South Australia. We're in one of the very rare half hour time zones in the world. So as a consequence,

 

we're very, very finely tuned to time zone errors as they show up as half hour anomalies in our records. So it's a pain on the one hand, but it also means that we're wide awake with eyes wide open about the implications of time zones as well.

 

Adam Firman (12:28.846)

Mm-hmm.

 

Adam Firman (12:40.076)

Yeah.

 

Adam Firman (12:44.558)

Because I've been based in the UK during my investigations, it was very simple. It was just always UTC. The only confusion I had was when the clocks changed for summer.

 

Matthew Sorell (12:55.236)

Yeah, well, that's it. So, you know, technically speaking, it's UTC plus zero in the UK, because that's part of what we teach, of course. Yeah. So interestingly enough, so we're so I teach a course now on mobile phone forensics and I teach it in Australia at Adelaide University, but I actually initially set it up for the Tallinn University of Technology. And we run we basically have three exercises that the students have.

 

The first is health data. Now I mentioned the Myrna Nilsson murder case a little earlier. The result of that is that I decided we really needed to have a good data set of health data. And I really wanted that to run over a number of years so that we could see changes and evolution in the Apple Health ecosystem. The only ethical volunteer I could find is myself. So.

 

If you're interested, and I presume there's some comments on this podcast down underneath, get in contact with me. That health data set is available for training and for research purposes. We actually provide it to you in the form of a CTF. So capture the flag competition, which you can register for. And it gives you the data set under some very reasonable conditions, which I'll explain in a moment.

 

Adam Firman (13:57.9)

Yeah.

 

Adam Firman (14:18.348)

Mm-hmm.

 

Matthew Sorell (14:19.972)

And then the CTF will scaffold your understanding of how that database is structured and what you can find there. There are some real surprises in there. The very reasonable conditions are essentially acknowledge where the data came from. Don't publish my home address and tell me what you've done with the data. And if you find a serious health condition, please tell me. So these are quite reasonable. So I currently have a master's student.

 

Adam Firman (14:39.438)

Yeah.

 

Matthew Sorell (14:48.216)

actually looking at the data to understand my body's reaction to jet lag. So it's not a direct investigative forensic problem, but she will build the tools around what we can do to evaluate health data when we're looking for evidence of fatigue, for example.

 

That data set, incidentally, contains all sorts of other things that we don't see in the tools. And I'm looking at you, MSAB, because there's an opportunity here. In that data set, there's a table called provenances. And if you analyze provenances properly, it will tell you every iPhone, every Apple watch, and every other Apple related device you've ever owned, and every operating system you've ever installed on them, and when you upgraded them. So my...

 

Adam Firman (15:36.674)

Wow.

 

Matthew Sorell (15:41.206)

PhD student Luke Jennings is actually presenting that at the DFRWS in Zaragoza in Spain in a couple of weeks time. That's a very interesting and unexpected table in that health data. It's probably the most reliable longitudinal data set for understanding, for example, cyber hygiene behavior. And when a new version of iOS comes out, how long before you install it?

 

Adam Firman (15:53.548)

Yeah.

 

Matthew Sorell (16:09.028)

as I say, not what you'd expect to find in health data. So that's one of the exercises we do. Second exercise, right at the beginning of COVID, I've got a bunch of friends and family to each take a random phone and have a few conversations. We end up with a nice little dialogue around cats and cat pictures and a catnip distribution ring and somebody else's into ducks and...

 

You know, it's fun and it's funny, but there's a serious undertone to it. And what I do with the students is I put them into a pressure environment. So there's maybe a dozen students. There is such an overwhelming amount of data that you have to collaborate to be able to work through. And in that collaboration, the students learn that, you know, helping each other and explaining it to each other is a really effective way of learning. Every student then produces a

 

Adam Firman (16:41.646)

Yeah.

 

Matthew Sorell (17:05.764)

subject matter expert report that they then deliver in moot court as a little exercise. So we're the only non-law course at the University of Adelaide that has permission to use the law school's moot court, which I think is quite a good thing. The third thing we do is we then now have a scenario with a group of

 

Adam Firman (17:09.294)

Mm-hmm.

 

Matthew Sorell (17:34.436)

people who are up to no good, and we're tracking their movements through mobile phone network data. So we're able to now simulate those records so we can storyboard time and location, we can storyboard text communications and voice communications and other complexities between our suspects and create a synthetic data set that we can use for training. So over the next year, I've actually got a couple of projects associated with that, a software engineering project.

 

make that more user friendly and the telecoms engineering project to make it more realistic. And that's turned out to be a really interesting data set for the students to investigate little Easter eggs like somebody losing their phone and having to get a new SIM card. So now you've got to find where that occurred in the data set and what that tells you and so on. So there's lots of interesting little things we've put there, including of course, a daylight savings change, just to really annoy people as well.

 

Adam Firman (18:32.974)

Yeah.

 

Matthew Sorell (18:34.114)

It's fun.

 

Adam Firman (18:36.046)

No, it's a really good point about the moot court because a lot of what we do is, because we were chatting off air before we started recording it, and it is about the validation and the understanding and showing your interpretation is correct. Because I work for a tool manufacturer, but one of my signs is don't trust your tool because you should validate it. And if you've got to go to court, you need to understand because people's livelihoods are at stake.

 

Matthew Sorell (19:06.148)

Yeah, yeah, one of the things is sorry, go on.

 

Adam Firman (19:06.254)

So, and I certainly, sorry, Matthew, I certainly found that when you're stood there in court presenting evidence, explaining to the judge, well, I pressed the button and that's what the tool told me, people will soon find out there's not cut it.

 

Matthew Sorell (19:25.956)

No, that's right. And the other thing is being really careful about the difference between accuracy and precision. So, you know, I could tell you that the phone did a handover to this particular base station at this particular time. And if you have a sequence of those, then I can establish that there's a limited number of roads that support that sequence of handovers. But I can't tell you which road you were on.

 

I can't tell you if these two phones were in the same car. I could tell you that they were traveling in close proximity to each other. So getting cocky about being overly precise is a real no-no. As a business, we work with law enforcement, we work with prosecutors, we work also on the defense side from time to time. And that's really important because it gives you...

 

significant insight into helping the court establish the truth, which is our role. We're not there to champion the prosecution case. We're there to establish what the data says and no more.

 

Adam Firman (20:41.966)

Yeah. And you're right. Even when I was a police officer, and you would think that I was acting for the prosecution, that was, it was really strange that we were, we were police, but we were third party. We were impartial. That is how we had to do our job. Whether it could have meant that the suspect was actually innocent. Well, that was our job to prove those facts.

 

Matthew Sorell (21:08.58)

That's right. And so, you we now go to significant lengths to establish that we've minimized potential unconscious bias. So, for example, I'll be given a set of records of two, three, five suspects. And all I want from the police is give me a timeline that you're interested in. And if there's a particular location you're interested in, I want it at the

 

maybe the suburb or the town level, I certainly don't want the address, right? If they're having done that, there might be then a phase two of here's my first report. If you want me now to comment about the fit with these addresses, we can do that as a phase two. And sometimes sometimes that doesn't work out. Sometimes it actually contradicts the case. But that's that.

 

Adam Firman (21:54.252)

Mm-hmm.

 

Matthew Sorell (22:03.044)

That's an important way of just demonstrating that impartiality to the court. So we're at pains to do this. One of the things that bothered me, I think, in the CWA, the CEN workshop agreement that came out of FORMOBILE was this idea of proportionality. I like the legal concept of proportionality in theory, which is only extract the data that's relevant to your investigation. It's the reason I'm...

 

concerned about this is because it then means that naive processes tend to enforce bias because you then end up only extracting the data that you will end up supporting your case. Now that's even with the best intentions that happens. And it potentially means that exculpatory evidence is excluded, not necessarily deliberately, but it's a matter of a misguided process.

 

that supports that idea. So it's an interesting question. I don't really have a right answer to that, but it seems to me that the idea of, okay, you can only have this much evidence, you've got 10 minutes to review it and grab that, is a recipe for bias that I think is going to cause us problems down the line.

 

Adam Firman (23:16.654)

Yeah.

 

Adam Firman (23:27.374)

Yeah, it's sort of here in the UK, it's sort of being pushed for it's almost like selective extraction. It's more being pushed towards victims and witnesses who generally are not very happy at giving up their their lifeline really, which is mobile devices. So it's sort of deemed as accepted here, but I can see where you're coming from because.

 

six months down the line, the defense might say, well, you only extracted this application, but what would have actually shown you that my client is innocent was on an app that you didn't capture. So.

 

Matthew Sorell (24:05.188)

Yeah, so I had a case about a year ago actually, I was working on the defense side. And since it's now been quashed, I have to speak in very general terms, I think. But in effect, the circumstances pointed to potential fraud by my client. And as I dived further and further into the data, I realized this health data or this location data.

 

Adam Firman (24:17.74)

Mm-hmm.

 

Matthew Sorell (24:33.89)

not only doesn't support the prosecution case, it actually points to him being in an entirely different location doing something entirely else. And the problem I had was that I had an extraction by a competitor of MSAB's where the analysis through the visualization tool wasn't complete. And so you end up with a very misleading idea that every

 

location as a GPS fix and at the time it didn't have location accuracy. And as soon as you actually dive into the database itself and extract the raw data, you suddenly realize, oh, hang on, something very different is going on here. So fortunately we had a full extraction of my client's phone that we were able to get on the defense side. But it's fairly rare.

 

Adam Firman (25:05.198)

Yeah.

 

Matthew Sorell (25:31.012)

working on the defense side that you actually get to a point where you go, I genuinely think that there's something quite wrong here. Most of the time on the defense, we get to a point where you go, hmm, this is how much trouble you're in. Occasionally, this is how much trouble you're in, but here are some of the holes in the case or in the evidence. But just occasionally you get a, hmm, yeah, this just ain't right.

 

Adam Firman (25:39.438)

Yeah.

 

Adam Firman (25:56.654)

Yeah. And is that through lack of training? Because like you say, you extract a mobile device and the amount of location data that comes off it, it doesn't actually mean that that device or that person has been to a lot of those locations because a lot of apps come with embedded locations.

 

Matthew Sorell (26:15.62)

Yeah, so it actually really bothers me when we start to pull location data off multiple sources and then we stick them all into the same heap and then assume they have the same provenance and the same relevance or even the same timeline. So, you know, you really need to be paying attention to the provenance of that data. So I prefer to work with, you know, just one source at a time. If it turns out to be Apple's location cache.

 

Adam Firman (26:22.764)

Hmm.

 

Matthew Sorell (26:45.156)

then so be it. If it turns out to be something else, I don't know, Google timeline, if we can still get that, then so be it. So that's, you know, it's, it's.

 

Adam Firman (26:52.846)

Mm-hmm.

 

Matthew Sorell (27:04.132)

real requirement that we think about where our data's come from and making sure that it all fits together. And you've got to balance that with finding that needle in the haystack that's going to break your case. But a lot of the tools really don't provide you with that insight. So generally speaking, I like to use tools, whether it's XAMN or whether it's one of your competitors.

 

Adam Firman (27:14.03)

Yeah.

 

Matthew Sorell (27:32.846)

I won't mention Cellebrite if you don't. But I use that as a starting point. And after that, I want to actually dive into the database itself and see what the database has to tell me. I find that to be, no, then of course I've got to validate the SQLite reader is working properly and so on. But this is very much how we work.

 

Yeah, you've just, you've basically really got to understand what your data is, what the limitations are.

 

Adam Firman (28:04.142)

Yeah. And that's a really good point. And it links into a good friend of mine, Alexis Brignoni, recently has pushed out a few little digs at people who are running push button forensics with no understanding of what they're interpreting. And you referred to the competition that we won't call, but in my view, a seasoned practitioner needs access to multiple tools in order to validate.

 

what they're being told, but they also need access to non-mobile forensic tools that are designed for the job. So for example, in mobile forensics, we rely a lot on databases. So you should have a specialized database tool to review it, because it is the tool intended to work with that data.

 

Matthew Sorell (28:55.556)

Oh, yeah, quite right. Quite right. So whether it's databases, even down to hex editors, et cetera, you've got to have those tools available to you as well. But you wasn't going to have the understanding. Now, in fairness, we're asking more and more of investigators to be dealing with increasingly complex data. Now, you wouldn't dream of doing this with DNA. DNA and fingerprints, right? There's a scientific...

 

basis behind how we isolate extracts bring to the lab that evidence how it's then valid. Now in a way it's push button forensics because it goes into a tool that's manufactured by someone which then spits out a DNA profile and gives you a match and so on. But you're dealing with people who have a you know a degree in the appropriate biological or chemical sciences.

 

who are trained to be able to interpret that evidence. And occasionally things go awry and it gets pulled up as it should. You're asking investigators to be able to deal with complex evidence from a device which has a half life of 18 months. So the trick that I used for getting health data out in 2016, that's gone now. That doesn't work anymore.

 

Now, health data in 2016 had 18 tables in that database. That's 120 today, right? So you really need some level of specialist science to support digital evidence, because it's no longer a case of, and you know, greatest respect to investigators and seasoned investigators, but just keeping up with the tech that is out there.

 

that consumers are using that we're now relying on really does require a level of research and academic understanding to be able to continue to keep up to date. And that's just an understanding what we're looking at. And then there are the commercial vendors such as yourselves, just keeping up on how do I actually open up this device and how do I actually do that analysis and just report what's in there. So, you know, it's an increasingly challenging environment.

 

Adam Firman (31:11.18)

Yeah.

 

Matthew Sorell (31:18.326)

that we're dealing with.

 

Adam Firman (31:22.03)

Yeah, but I sort of, I saw the pendulum swing when, when I was a police officer where our forensic lab just could not cope. It just could not cope with the sheer demand of devices being submitted. And this was for, so when I started in the industry, it was like mainly child abuse material, occasional fraud, maybe trafficking, those sort of really major serious crimes. When I left the police,

 

It was we were having devices submitted for shoplifting for fatal car collisions, for everything where a mobile had digital evidence and we just could not cope. So we adopted a system where we've we've sort of farmed out the easy cases. So where they just wanted, but if it was a drugs case and they just wanted SMS communication between two parties, we could farm that out because the data is not very complex. They're not really dig it. But.

 

Initially, when we farmed out we had people reporting on things that we wouldn't have reported on with more experience. So we sort of went through that pain barrier of going, well, this is really great. We've farmed a lot of devices out, but now we're having to go to court and sort of dig ourselves back out of this hole that we've dug. And it was a real hard time finding that balance of training people to investigate on what they could comprehend. And that was the hard part.

 

Matthew Sorell (32:51.652)

Yeah. And so, you know, I'm not, I'm not suggesting that this is the only answer, but I think that there's a significant role for academia here to support particularly new types of evidence or evidence. And what we're now seeing on mobile phones, and this is, this is not new, but we're sort of waking up to it, is that a phone is not just a handheld, powerful computer that you carry with you that records everything. It's a suite of sensors. And so everything that is a

 

result of a sensor, whether that's GPS or health data or the orientation of the phone is at the end of the day, human interpretation of a record in a database, which is a summary of a record from an interpretation of a sensor. Right. And so understanding those limits. So for example, you know, the Apple health data will tell you that you walked 600 steps in six minutes. Right.

 

Was that a normal continuous walking gait or was it running and then pottering about and running again and pottering about? We don't know, but there are distributions that fit and there are distributions that don't. And so being able to understand what that means really requires some scientific validation, particularly when we get those those real world senses and real world behaviors.

 

essentially being logged in a digital format. For a long time, we focused on establishing that the records that we've got have been true and correct copies. We sign them off, we hash them and sign them off and validate that they haven't been altered. But we haven't really considered, are they actually telling you what you think they're telling you in the first place? And so...

 

Adam Firman (34:40.046)

Mm-hmm.

 

Matthew Sorell (34:46.808)

that needs to be part of the mix. Just to be able to defend and be comfortable and be able to sleep at night. So I actually got that right in court.

 

Adam Firman (34:58.67)

Yeah. That's why, and the amount of data that these devices are harvesting, this is a prime example. So Apple recently, as of iOS 17, have pushed out an app called Journal. So the Journal app is there for people to record their memories and it sort of gives notifications saying, hey, you've been here. Why not write a journal entry about that? And this is a prime example. So I met up with previous colleagues in the police Saturday evening. We went for a curry and

 

And then one of my friends who always loves a nightcap said, oh, let's go to this bar. I woke up Sunday morning, a little hazy and Apple journal popped up telling me, why don't I write an entry about visiting a Pacific public house that we went to? And it's there, that data is sat there, but it's a very hard job for tool manufacturers to keep up with parsing that data. And we then need to test it and validate it.

 

Matthew Sorell (35:57.092)

Yeah. And of course that's, I presume in the Apple iPhone ecosystem itself, as opposed to the equivalent thing in Google, which is in Google's cloud where you're sharing it with everybody. So it's, you know, the idea itself is not new, but the implementation is different. And so, yeah, you're absolutely right. You get something new. You have to be able to find out how to get into it and then you have to validate it and then it all changes. So we had some big changes with iOS.

 

into iOS 13 with Apple Health data. And Luke, my PhD student, will tell you that he was at the time up in Queensland with a little test rig that was mechanically simulating steps on a watch. And we had these great data of one minute of steps and 30 seconds of pause and one minute of steps. And they decided on the last day that they were gonna let it run for a couple of hours. And just before they did so, they upgraded everything.

 

and off they went and nothing worked because iOS 13 changed everything in the health database. So you get caught out like that. Now, one of the other, so, you know, as a business, we do a lot of consulting work, we do a lot of education and training work, we do that into universities, we're available for law enforcement, particularly around mobile network data. One of the tools that we're in the process of developing and we've been

 

Adam Firman (37:02.478)

Yeah.

 

Matthew Sorell (37:24.068)

we've just released the second prototype, is something we call a reach map. So we, I came up with this idea a couple of years ago. I get a lot of sparse location data. So we have this idea that I can track you because I can see you every six seconds on Google maps or whatever it is, right? But actually your location data is minutes apart, could be half an hour apart. It doesn't need to come off your phone. It could be eyewitnesses or CCTV or some other, you know,

 

piece of physical evidence is discovered of this sparse time location data. And of course, our obvious question is, well, how did you get from A to B? Which we can't answer because there's just not enough data. And then the next wrong answer is, well, show me every way you can get from A to B. And that doesn't help either. And then I realized actually the way to look at this is to say, from time, time, this time at time, location A to this time at location B, where could you reach?

 

Adam Firman (38:04.686)

Yeah.

 

Matthew Sorell (38:24.42)

And when you think about where could you reach as a different concept, it transforms your understanding of the physical environment that you're dealing with. Because then as soon as you find a third data point in between, and it might be, for example, a weapon or some clothing that you can link, right, that had to be reached. And in order to reach it, there's time limits on when it could have got there. And suddenly your reach collapses.

 

So we had some really good demonstrations using real data, but also some simulated case studies that we've built. We're very quickly able to bring an extraordinarily large outer cordon down to almost no options at all with perhaps 10 data points. When you think about that in the context of the UK, I don't know how many squillions of cameras you've got in London.

 

Lots and lots and lots and lots everywhere. You think, oh, that's great. We can track you everywhere. Well, yeah, but you've got to have some, some poor bug has got to watch every single one of them. Apply a reach map process. An event occurs, right? And I find footage or an eyewitness report 10 minutes later. So now I've got a reach that is substantial. Let's, let's, let's stay with London.

 

Adam Firman (39:24.526)

Mm-hmm.

 

Adam Firman (39:29.708)

Yeah.

 

Matthew Sorell (39:52.484)

It's quite a large area. There might be 5,000 cameras in scope. So what we can now do is we can say, well, before I go out and actually watch that footage or even seize that footage, I'm going to just test what the impact will be. So I can calculate the earliest and latest you could go past a particular camera. But more importantly, I can say, well, if I see you go past this camera, this is how much it

 

it reduces the reach. So if those 5,000 cameras, here are the four that matter. And we can calculate that within minutes at command and control before we even go out and seize and watch that footage. So the efficiencies in manpower and the potential for this tool is just extraordinary. So we're really pleased with how it's working.

 

Adam Firman (40:45.102)

Yeah, huge.

 

Matthew Sorell (40:51.396)

We already use it in Australian matters, but we're doing that deliberately in areas where it offers insight without being mission critical, because we want to put it in front of the courts, we want it tested, we want it evaluated. So we've had a number of matters where we're able to show, here are your three options that you could have used to get from here to there, but I can show you that we can get from here to there in the time that you had available.

 

and just an immensely powerful operational tool.

 

Adam Firman (41:24.11)

And is that looking to be shared globally eventually?

 

Matthew Sorell (41:28.068)

Yes, so we're right now we're in the prototyping stages. There is a, if you work for law enforcement, you can contact us and we'll provide you with a demo. Not in every country at this stage, we're evaluating carefully with a particular, well, primarily on the basis of just being able to verify the data that we're using for the maps. But,

 

Adam Firman (41:51.854)

Yeah.

 

Matthew Sorell (41:56.132)

That tool is available with a demo license. And we've just, we've made some huge advances in the underlying mathematics of that tool. This is the other thing, it's not AI. It's not some, oh, I pressed a button and I got an adversarial machine learning algorithm to build this for me. I don't understand how my own tool works, but I pressed a button and it's great. Right? It's a mathematically defensible algorithm.

 

Adam Firman (42:19.63)

Ah, but -

 

Matthew Sorell (42:26.782)

that we've disclosed some of that at conferences. Of course, a lot of it's proprietary, a lot of the more advanced implementation is proprietary. But it's what we can now see in visual, you know, in even high density cities like London, all the way through to a hypothetical trip across Australia over 40 hours. We calculate...

 

Adam Firman (42:33.548)

Mm-hmm.

 

Adam Firman (42:41.582)

course.

 

Matthew Sorell (42:55.876)

in minutes where you could have got to on that route. And of course, you play that in front of a court and the visual impact of this is possible, this is not possible really helps you to establish a clear view of what could be.

 

Adam Firman (43:20.718)

No, it sounds revolutionary and sort of for efficiencies and time saving, which is the biggest seller, isn't it? Anything that is time saving is huge.

 

Matthew Sorell (43:31.396)

I think there's a more important point. I think that we will quickly, we will find a situation soon where this tool will save a life. Because in a time critical investigation, we're quite confident this tool will turn around your capability, your ability to focus resources where they're most needed. And so it's, yes, it's efficiency. Yes, it's time saving.

 

Yes, it allows you to get a lot more done, but ultimately, you know, what are we here for? And we're here to deliver justice. And part of that is saving lives, getting closure, actually solving cases. So, you know, I feel driven more by that than the fact that we're able to do so much more with so much less.

 

Adam Firman (44:24.526)

Yeah, no, that's great. And I appreciate I've taken up most of your evening now and I can see the sun is going down. I didn't get to see the sunset because of the advances of mesh technology, but I can see the sun's going down. But I want to end on one final question, Matthew. And this is one that fascinated me from having a stalk of your LinkedIn is how did you get involved in bell ringing? And I'm sure for most of our audience, they're going to need to know what is bell ringing.

 

Matthew Sorell (44:53.988)

Okay, so if your audience is in England, it's the familiar English style, uh, campanology, uh, it's practiced in Australia, in the U.S. and a few other countries that are either Commonwealth or former Commonwealth. Um, I was at orientation week in first year university back in 1988 and someone looked up at me and said, you want to be a bell ringer, don't you? And it turned out that in 1982, uh, I went to a, uh,

 

Anglican school and the priest took us up on the bell tower one day. I now know how phenomenally dangerous that particular little exercise was with 25, 12 year olds, three bells that were mouth upwards and balanced quite precariously. So I had some idea of what it was about. So I started. Now what I love about that is it's a mathematical collaborative team sport. So you know your idea is not to compete and win but

 

to as a group effectively work through all the permutations of the bells and do that in a rhythmical way, you know, for up to three hours, even longer. Right. So, you know, there's sport, there's collaborative teamwork, there's the mathematics of it, but there's also making an enormously loud noise in public. And you've just got to love that.

 

Adam Firman (46:04.91)

Yeah.

 

Adam Firman (46:19.886)

Yeah.

 

Matthew Sorell (46:20.58)

So, you know, my kids now do this as well. I was in the UK around about Christmas time and I got to ring at Exeter Cathedral. Exeter has the second heaviest ring of bells in the world of English style bells. And I got to ring a three point six ton bell. Now, this is not just, you know, with a hammer. This is actually turning it full circle. Three hundred and sixty degrees. Imagine a couple of Land Cruisers strapped back to back

 

on a nine foot diameter wheel and swinging it over your head with 20 millisecond accuracy. In my case, I only did that 15 minutes, but for up to four hours by yourself, right? But the team around you with that level of accuracy, I mean, it's just, it's just a phenomenally awesome hobby to have. And it's taken me around Australia. It's taken me around, now I've lived in North America.

 

I was actually in charge of the bells of the old post office, which some of you may know now as the former Trump Hotel in Washington, D.C. And made so many friends that way, visited so many places around the world through that curious little hobby. But yeah, fabulous. Lots of fun.

 

Adam Firman (47:40.11)

I think that's great and I think it's a really interesting and insightful way to end today's podcast. But Matthew, thank you for joining us. I'm sure our listeners will have found your journey and experiences extremely insightful. And I'll make sure I'll put a post in the notes to your LinkedIn profile so people can connect with you to speak about the technology you've discussed and also to have an insight into the bell ringing to see some more details about that. But I wish you a rep...

 

Wonderful rest of your evening Matthew and thank you very much for joining us on Forensic Fix.

 

Matthew Sorell (48:12.804)

My absolute pleasure, Adam.

 

Adam Firman (48:15.598)

Thank you.