Forensic Focus Blog

UK Criminal Justice Bill - Clause 62 (or is it 63, or 64?)

admin — Tue, 06 May 2008 18:41:00 +0000

Although it hasn't yet caused much of a public stir, Clause 62 in the UK Criminal Justice Bill certainly hasn't gone unnoticed in the forensics community (judging by the number of news submissions received at Forensic Focus). There's also plenty of debate at various general IT sites such as The Register.

So, what is the clause? Well, the entire Criminal Justice and Immigration Bill is covered in some detail here but the relevant clause can be found here (and I apologise for the confusion over the numbering of the clause, I've seen it specified as variously 62, 63 and 64).

In a nutshell, the clause seeks to shift criminal responsibility from the producer (as specified in the existing Obscene Publications Act, although this will remain in force) to the person who possesses the image(s) in question.

The background to the Bill is a tragic one, involving the murder of Jane Longhurst five years ago at the hands of a man addicted to violent pornography. Liz Longhurst, Jane's mother, then began to campaign against such images and was supported by the Home Secretary at the time.

The proposed new laws are, however, controversial with campaigners fighting against their introduction primarily citing concerns over the (lack of) evidence linking pornography with violence, the vagueness of the offence and the risk that a large number of people will be criminalised unfairly.

Regardless of what we might think of the clause on a personal level, it's clear that its introduction will have consequences for some forensic examiners in the UK. Only time will tell what impact, if any, it has on violent sex crime.

Interview with David Sullivan, Appointments-UK

admin — Thu, 01 May 2008 16:00:00 +0000

Forensic Focus: Can you tell us something about your background? How did Appointments-UK come into being?

David Sullivan: I’ve enjoyed over twelve years in recruitment, starting out in the city [London] specialising in IT within Investment Banking.

The area that really interested me was Information Security, and after a successful period in this sector, I further refined my focus into computer forensics. Then, in 2003, I decided to take the plunge and set up Appointments-UK.

My reasons were simple and remain the underlying vision for my company today: when contacting a recruiter you want them to demonstrate good market knowledge and a genuine understanding of the companies, personalities, trends, conditions and pressures that impact your sector. At Appointments-UK all our people offer this.

It has been a tremendous challenge and I’m pleased that organic growth has enabled me to develop a team of specialist recruiters in related areas: however, my personal operational focus remains in the computer forensics/electronic discovery market.

Forensic Focus: You operate in a dynamic, changing market place; what are the main challenges you face and what are your strategies to tackle these?

David Sullivan: The single biggest challenge I face is identifying suitably talented and skilled candidates. Advertising on specialist sites such as Forensic Focus produces results, but the niche nature of this sector means using generalist job sites (Monster, Jobsite etc) offers limited success. Recommendation remains the cornerstone in identifying suitable talent; in fact, well over three-quarters of our placements are due to networking.

After five years in this sector I have a fantastic network of key people – many of whom I now know both socially as well as professionally – and this makes my job much simpler! I can rely on this group to keep me updated with what is really going on and who may be open to making a move.

Another challenge we face is managing expectations. There is much hype around computer forensics as a growth area suffering from a shortage of candidates. This often leads to unrealistic expectations – especially around salaries -which needs to be tackled.

This is particularly common with people moving to the Private Sector from Law Enforcement/Public Sector organisations. With earnings between £35 and 40k they often ‘need’ to realise a package of around £65k to compensate the loss of other benefits. In the majority of cases this is unlikely, and, in reality, when they first move the pay increase is likely to be minimal. However, based on performance the strong performers will soon see substantial increases in both salary and bonuses. As a benchmark, when somebody changes jobs it is very rare to see a basic salary increase by more than 20%.

We don’t make promises where we cannot deliver and I often tell prospective candidates that they are, in my opinion, unrealistic in their salary expectations. Although I don’t pretend to always get it right, more often than not we see these people again when, after searching the market, it is our honest and informed service that they really need – once more, back to the very essence of what we provide; an honest assessment of the opportunities available based on a real understanding of the market.

Forensic Focus: What do you think of the rising number of educational courses in computer forensics? Is there a genuine demand from employers for an increased number of students?

David Sullivan: I enjoy playing my part in raising awareness of the opportunities available by speaking annually at a number of Universities that run Computer Forensic courses. It is vital that we reach and develop relationships with tomorrows talent today.

The standard of courses is certainly mixed but there are some outstanding, inspiring people running excellent courses and being incredibly innovative (particularly, in my experience, Vasilios Katos and Cheryl Hennell at Portsmouth University and Angus Marshall at Teeside University).

However, it remains clear that there will not be positions in Forensics for all the graduates, which is why it is so vital for them to be thinking seriously about their careers from Year One, and what they can do to give them an edge. I try to emphasise to the students that it is not necessarily the brightest who get the plum jobs, but those who prepare and position themselves correctly.

Graduate vacancies do exist and as a company we placed 14 computer forensic graduates in a variety of companies last year. It is also worth noting that salaries vary tremendously: in my experience in 2007 new graduate salaries varied from £16k - £34k, but in terms of long-term careers, I don’t think it is necessarily always correct to go for the highest salaried position as some of those organisations paying less offer outstanding training and exposure which can be very beneficial in the longer term.

Forensic Focus: How can people break into computer forensics and is it a ‘career’?

David Sullivan: Here on Forensic Focus lots of people who are currently working in IT related roles ask how to get into Computer Forensics and I get numerous calls asking the same question. I think it is a difficult area as it is not like becoming a Doctor where the career path is structured and you know what you need to do. My advice is usually that they need to personally contact every Computer Forensics Manager in the UK, be persistent, happen to be in the right place at the right time and get lucky. Oh yes, and be willing to take a pay cut.

Once you are in Computer Forensics there are some outstanding opportunities and if you are good, you can reach Senior Manager level very quickly. In my experience, the one thing that distinguishes those people who reach the very top is purely their ability to build relationships and develop new business. Technical expertise is important, but in the end, to reach the highest levels, it comes down to the ability to enable an organisation to sell the service.

However, I should add that I do appreciate that lots of outstanding Public Sector/Law Enforcement Computer Forensic Practitioners have no interest in following this path working for Private Sector organisations.

Forensic Focus: What changes have you seen in the computer forensics recruitment market over the past 5 years? What trends do you see in the future?

David Sullivan: Five years ago, nearly all recruitment was word of mouth between people working in the area and potential candidates I called had often never spoken to a recruiter before. Today, there are a number of specialist recruiters of varying quality operating in this market. There are some very good ones (such as Mark Woodward, who also advertises on this forum) but – and this is a general problem in recruitment - there are others who don’t provide such a high quality service, make false promises etc and this can make it harder for us to gain the trust of potential candidates.

As the sector continues to expand and mature, I think we will continue to see an increase in the more general positions being filled by advertising on specialist forums like Forensic Focus and Digital Detective. Companies will do much of this recruitment directly rather than via recruiters (the adverts on Forensic Focus show this happening).

However, for bulk recruiting, very specialist or senior roles, we will continue to see increased demand for pure headhunting and/or working exclusively with one Recruitment Company, which really has an understanding of the recruiting organisation. We have this relationship with some companies in the sector already and, it is not surprising, that we find the very best people for these organisations. As recruiters, if we can really get to know a company culture and work as a genuine Partner, it is so much easier to find the very best and most suitable people in the market, as opposed to currently on the market.

The only Public Sector/Law Enforcement organisation we currently recruit for in this area is the Metropolitan Police. I would anticipate that more Public Sector organisations will realise the cost-savings they can make by using external recruiters.

Forensic Focus: What do you do to relax when you're not working?

David Sullivan: I sail competitively, surf whenever I can and have developed a (healthy!) love of live poker.

--
David Sullivan specialises in Computer Forensics recruitment at Appointments-UK and can be contacted at David @ appointments-uk.co.uk or on 01787 461082

Reporting (again) and interviews

admin — Thu, 24 Apr 2008 11:18:00 +0000

Some very interesting opinions have been raised in the "Reporting - time for standardization?" thread and I'd like to give people some more time to add their own thoughts before moving the discussion on. It's a somewhat more emotive topic than I might have expected but that's no bad thing, I suppose!

On another matter entirely, I've got a couple of good interviews lined up for publication shortly but again I'd like to encourage more suggestions for interviewees. Input from experienced professionals is always welcome but I also think it's useful to talk to those new to the profession - and yes, you can suggest yourself.

Well, it's lunchtime and a beautiful day outside so time to drag myself away from the computer. Bye for now!

Reporting - time for standardization?

admin — Tue, 22 Apr 2008 16:54:00 +0000

[This is a repost of my forum post here. Comments welcome but perhaps most usefully posted as replies in the forum. Also, a tip of the hat to forum members BitHead and kovar for providing the impetus.]

I'd like to pick up on one or two comments from an earlier thread and bring the subject of report standardization into the spotlight.

This is a subject area which has cropped up before (in these forums and elsewhere) and also one which has given me pause for thought in practice - in common with most of us here, I imagine. I think the time is right to give some serious consideration as to whether the standard of reporting delivered by computer forensics practitioners is all that it could be and, more specifically, is the introduction of a suitably structured and widely accepted model a worthwhile goal to aim for.

A number of benefits have already been suggested for such a model, some of these being increased efficiency, increased accuracy, improvements in communicating with other parties and an increase in professional credibility. In addition, two paths have been suggested for achieving this goal - one, get the major computer forensic groups and organisations to agree on such a model and push it out to their members, the other, develop a model at a grass roots level and grow support and acceptance for it amongst members of the various computer forensics forums.

I'd like to request further comments from all of us here. Do you think there's anything wrong in principle with a standardized reporting model? If not, could such a model be developed which serves to provide the benefits mentioned above without undue restriction being placed on the report writer? What would be the best way of creating such a model? Would the time and effort spent developing a suitable model be worthwhile?

All thoughts welcome!

Posts from the blogoshpere

admin — Fri, 18 Apr 2008 16:56:00 +0000

Not much time today, just enough to link to a few interesting blog posts elsewhere (some old, some new):

Reflections of a computer forensics blogger

FTK 2.0 performance

Ghost as a forensic tool

Admissibility vs weight of digital evidence

OK, gotta run. Have a great weekend everyone!

Site stats

admin — Mon, 14 Apr 2008 12:22:00 +0000

One of the things I forget to do for long periods (the last time I did it was over a year ago!) is to update the stats page to show how many people are visiting Forensic Focus. The figures for last month break down like this:

Unique visitors 20995
Number of visits 74665
Pages 218510

The full list of stats for each month since January 2004 can be viewed here. Although I do a little bit in the way of advertising and many pages have been picked up by Google, I'm convinced that a lot of the site's continued growth is due to word of mouth. Many of those who sign up for new accounts tell me that Forensic Focus was mentioned by someone they work with or by a teacher on a training course.

So, a big thank you is due to all those who have helped the site grow and I hope it continues to be a source worthy of recommendation. Like the old saying goes, if you're happy with it - tell someone else. If you're not - tell me!

Why the hell is everything so expensive?

admin — Tue, 08 Apr 2008 13:34:00 +0000

I don't usually rant, possibly because I'm not sure I'd be able to stop, but one thing I've noticed is just how incredibly expensive everything is in the world of computer forensics. Not just the usual wallet-draining culprits like high end hardware but other stuff too - software, training, books, software, training... (sorry, I'm starting to repeat myself, I knew this would happen).

I once tried to explain computer forensics to a good friend of mine with little knowledge of technical matters. They said something rather insightful: "So, it's basically just copying stuff and looking at it?" Now, we all know there's more to it than that, but there's a kernel of truth in that statement which leads me to wonder about at least some of the pricing structures out there.

OK, rant over, and to some degree this is an "Aunt Sally". But not entirely...

The problem with power

admin — Mon, 07 Apr 2008 16:56:00 +0000

Perhaps unusually for someone with an interest in computing, my knowledge of electricity - the driving power behind computers the world over - is sketchy to say the least. Beyond remembering which way to twist a light bulb and avoiding the temptation to stick a fork in the toaster, I'm something of a novice in understanding how this mysterious force actually works.

As a result, I was mightily impressed by Wiebetech's HotPlug device which Paul Mah recently blogged about at TechRepublic. Here's the YouTube video where James Wiebe explains how the system works:

Clever, huh? The downside is it's yet another box to drag along with you but, hey, us IT guys have got to get our exercise somewhere.

And for anyone else struggling to replace a light bulb (I'm sure there's a joke here somewhere) just remember: "lefty loosy, righty tighty". It even works with taps...in the Northern Hemisphere anyway :-)

Licensing

admin — Thu, 03 Apr 2008 20:06:00 +0000

Ah, back in the blogging seat at long last!

Keen forumites will have noticed my recent post in the Legal forum asking for a little help in putting together some resources on licensing issues for computer forensics practitioners (tip of the hat to David for the suggestion).

There have already been a few very useful suggestions, in particular the map at www.investigation.com/surveymap/surveymap.html would seem to be a very handy reference for investigators in the US. I want to stress that I'd like to include as many other countries as possible though, so if you're familiar with the relevant licensing procedures in your neck of the woods please reply to the forum post or PM me (note: I'm also including formal vetting procedures and the like under the heading of "licensing" where these are required in order to carry out forensic work - in other words the end result may not necessarily be termed a license in your local lingo).

On the subject of licensing, I have the impression it's (perhaps unsurprisingly) about as popular as a root canal in some places. Got a strong feeling about it? Post a comment and get it off your chest :-)

Computer forensics podcasts

admin — Tue, 26 Feb 2008 20:58:00 +0000

While computer forensics blogs are quite easy to find, podcasts are somewhat conspicuous by their absence - not altogether surprising, of course, given the effort required to produce something worth listening to. In fact, the only one I listen to anything like regularly is Bret and Ovie's CyberSpeak, and despite being very enjoyable, even that doesn't always concentrate on purely forensic issues.

Does anyone have any other recommendations for computer forensic podcasts? Please leave a comment and I'll add them to the relevant links page for others to see.

Cold Boot Attacks on Encryption Keys

admin — Fri, 22 Feb 2008 14:31:00 +0000

Already generating some discussion in the forums and elsewhere on the web is the recently released paper "Lest We Remember: Cold Boot Attacks on Encryption Keys" from researchers at Princeton University. The researchers' main finding is that data remains in DRAM for longer than generally expected. Furthermore, this period can be extended significantly by cooling the memory chips in question (a somewhat unsophisticated but effective methodology of achieving this cooling effect being the use of an inverted "canned air" canister!)

In addition to the paper, there is also a YouTube video:

In terms of the underlying principles involved, there's nothing particularly new here. Data retention in memory has been known about and discussed for a number of years. The paper is interesting, perhaps even important, for a number of reasons though. Firstly, the extent to which data remains available and the ease with which the window of recovery can be extended will be surprising to many. Secondly, in addition to the main finding the paper also discusses techniques used to reconstruct data where some amount of decay has occurred - potentially crucial in the recovery of encryption keys. Thirdly, it addresses one of the key challenges facing forensic examiners as the use of BitLocker and products such as TrueCrypt continues to grow.

As many commentators have already mentioned on news sites or blogs (including the researchers' own blog) the threats to security or opportunities for forensic analysis are highly dependent on a variety of factors - the state of a machine, the particular implementation of BitLocker in use, the speed with which cooling can be applied etc. In the real world, this would seem to represent a fairly limited threat to anyone who has had their laptop stolen by an opportunist thief, although situations where a device has been specifically targeted for the data it may contain are a different matter. I think it's much more interesting to consider the forensic possibilities and implications. How long will it be before this type of consideration becomes an integral part of our thought processes when preparing to seize a suspect device? What effect will existing legislation have on your actions? Why didn't I invent this technique when I cleaned my keyboard after having that sandwich for lunch?

Food for thought indeed...

YouTube and the power of the dark side

admin — Thu, 21 Feb 2008 18:24:00 +0000

Sharp eyed visitors may have noticed the addition of a Videos link to the Resources menu on the left hand side at Forensic Focus. The link is to a page of YouTube videos related to computer forensics - some instructional, some news reports and some...um...other (such as "Cat Fancy".) I hope they're somewhat educational or at least mildly diverting. Needless to say please feel free to recommend further additions to the page.

You may notice that the top video is slightly larger than the rest. In theory this should be a sort of automated player which delivers a selection of computer forensics related videos by itself without needing me to specify them individually (the basic idea being that it picks up on keywords supplied when I set it up.) Well, that's the theory. In practice it doesn't seem to work too well - either it displays no videos at all or the ones it does show are unrelated to the subject area. Maybe the technology will improve, though, so I'll leave it in place for the time being.

An unexpected benefit of the poor targeting, though, is that it's introduced me to Chad Vader. I'm sure most of you cool cats have already seen this successful viral video series but for those who haven't, here's episode 1.

May the force be with you!

Lance Mueller's blog...and funny T-Shirt quotes!

admin — Fri, 01 Feb 2008 15:04:00 +0000

Lance Mueller's blog - Computer Forensics, Malware Analysis & Digital Investigations - is definitely one of the better ones out there. Updated frequently, highly detailed, nicely illustrated (i.e. lots of pretty pictures) and with some newly posted forensic practicals it's a great resource to add to your blog tracker, especially if you're an EnCase user.

On a less serious note, don't miss this thread in the forums where we've been trying to come up with some suitably amusing quotes for a CF club fundraiser. I have to admit I like Harlan's suggestion, despite the somewhat disturbing imagery it conjurs up ;-)

Validating write blockers

admin — Wed, 23 Jan 2008 14:30:00 +0000

In the Recommended forensic hardware thread in the Hardware forum I recently wrote the following about a hardware write blocker I'd just come across which I hadn't seen before:

I think this brings up the interesting question of how we (as practitioners) test the write blocking capability of new devices both to satisfy ourselves that they work as advertised and to be able to show that in court.

For the sake of argument, let's imagine that we *need* to use one of these IOI products (if we want to be specific we'll say it's the FW2ATA525-MR1-WP already mentioned) but it's not a device you've used or tested before, it hasn't been used in a court case in your area and you have only the manufacturer's word that it works properly. What methodology are you going to employ to test it in some formal sense?

In practice, I suspect most of us use write blockers which are seen as industry standards and have already gone through some form of validation procedure. Typical choices would be Guidance Software's FastBloc devices or something from the Tableau product line, both examples of items from well respected specialist companies. Not only have these devices presumably undergone extensive testing by manufacturers concerned to protect their reputation as industry leaders but we also have the results of independent testing to refer to, perhaps the best well known being the NIST hardware write block testing program.

What of new devices from relatively unknown manufacturers though? How do we reassure ourselves and the courts that they work as advertised? The obvious answer is that we test them ourselves but how exactly do we do that, what methodology do we use?

In theory, write blocking is easy to understand: we want to prevent any alterations to the attached evidence device while allowing all data to be retrieved. In practice the situation is more complex, there are many different commands which can be sent to a storage device from a variety of different components in a host computer (BIOS, OS, application software, etc.) and we need to satisfy ourselves that a write blocking device operates as expected (preventing alteration/allowing retrieval) under all circumstances. Similarly, testing methodologies can be either straightforward or complex. For example, compare the validation methodology suggested in the Helix manual:

This process is based on the National Center for Forensic Science (NCFS) 5 step validation process for testing write protection devices (Erickson, 2004). It was originally designed to test the Windows XP SP2 USB software write blocker, but has been adapted to test any hardware and/or software write blockers.

Step #1 – Prepare the media

a) Attach the storage media you will be testing with to your forensic workstation
in write-enabled mode.
b) Wipe the media - validate that this has been successful.
c) Format the media with a file format of your choosing.
d) Copy an amount of data to the media.
e) Delete a selection of this data from the media.
f) On the desktop of your forensic workstation create 3 folders. Call these Step-1, Step-2 and Step-5.
g) Image the media into the Step-1 folder and note the MD5 hash.

Step #2 – Testing the media

a) Remove and then replace the testing media into your forensic workstation.
b) Copy some data to the media.
c) Deleted a selection of this data from the media.
d) Image the media into the Step-2 folder and note the MD5 hash.
e) Validate that this hash value is ''different'' to that produced in Step #1.

Step #3 – Activate the write blocking device

a) Remove the media from your forensic workstation.
b) Attach and/or activate the write protection device.
c) Follow any specific activation procedures for the specific blocker.

Step #4 – Test the write blocking device

a) Insert the media into your forensic workstation.
b) Attempt to copy files onto the media.
c) Attempt to delete files from the media.
d) Attempt to format the media.

Step #5 – Check for any changes to the media

a) Image the media into the Step-3 folder and note the MD5 hash.
b) Validate that this MD5 hash is the ''same'' as the MD5 hash from Step #2.

with the methodology outlined by NIST in their test plan available at http://www.cftt.nist.gov/hardware_write_block.htm.

If you're thinking the easy way round this is just to avoid the issue and buy one of the well known write blockers instead, the bad news is that testing your device (regardless of manufacturer) is almost certainly something you should be doing anyway. There's a good thread here in the forums discussing when and why write blockers should be tested.

Of course, we need to see validation within the wider context of the entire forensic process which involves, potentially at least, presenting evidence in court. As a result, there may be certain testing methodologies which are already specified or recommended wherever we find ourselves working.

I think I'm going to dig a little further into this and see what various agencies have to say. I'll report back when I have some news but in the meantime any thoughts or comments would be very welcome. How would you validate a new write blocker? Do you regularly test your existing device? How reliable are hardware write blockers (have you had one fail on you)? Let me know.

Events calendar updated

admin — Tue, 15 Jan 2008 14:17:00 +0000

Just a quick note to say that the events calendar has now been updated with relevant events covering the rest of the year. If anyone know of other events which should be included (primarily conferences) please add them to the calendar by going to the appropriate day/days and clicking the "Add Event" button (I'll then review/approve the new addition). Thanks!

Computer forensics around the world

admin — Wed, 09 Jan 2008 14:51:00 +0000

One of the interesting things about running Forensic Focus is seeing which countries our visitors are coming from. Of course, as an English language site it's not particularly surprising to note that a significant number of visitors come from the US and the UK. However, I'm always delighted to see just how many visitors come from other countries - not just other English speaking or Western European countries, but countries from every corner of the globe. Interest in computer forensics is certainly a worldwide phenomenon.

From some of the emails I've received over the past few years and posts to the forums (not to mention news items posted to the homepage) it's clear that the state of computer forensics differs widely from one country to another. What do I mean by "state"? A number of things, touching upon but not limited to issues surrounding: legislation, awareness, training, best practice, job opportunities, etc. It's also clear that things are changing and progress is being made in many places.

An opportunity exists for those of us in countries with more fully developed computer forensics infrastructures to assist newcomers to the field and, from what I understand, a number of countries are actively seeking experienced practitioners from outside their borders to assist with this process. That's not to say that building awareness and implementing change is a straightforward process, and no one knows a country better than its own citizens, but lessons learned elsewhere can often save valuable time and effort. Ultimately, though, computer forensics exists within a larger framework built around the use of and access to technology, the political climate, even social norms and values. The shape of forensic computing in one country may differ from that seen in other areas of the globe.

I'd be interested to hear what others think of the global state of our profession. Which countries are world leaders in computer forensics and why? Which countries are furthest behind? Is the development and use of high tech investigative powers always a positive thing? Please leave a comment!

Training and education links page updated

admin — Sat, 05 Jan 2008 16:27:00 +0000

The training and education links page at

http://www.forensicfocus.com/computer-forensics-training-education

has been updated. Links are now listed by country on separate pages and non-working links have been removed.

The procedure for adding a new link has also been simplified, just click here.

X-Ways interview and a few other items

admin — Fri, 04 Jan 2008 13:43:00 +0000

For those who didn't catch last month's newsletter a quick note to say that Stefan Fleischmann has very kindly agreed to answer interview questions this month. If you have any questions about Stefan's X-Ways range of software products please feel free to post them to this forum topic. Alternatively, if you prefer, you can always drop me a line privately (email, PM or contact form). The X-Ways lineup includes not only X-Ways Forensics but also X-Ways Capture for live analysis and I for one am certainly looking forward to speaking to Stefan and learning more about both of these products. If there's anything you'd like to ask please don't let this opportunity go by!

In other news the forum discussion of recommended forensic hardware now finally has a summary page to go with it at

http://www.forensicfocus.com/recommended-hardware

This should be very much a "living document" with updates and additions strongly encouraged - please use the forum topic mentioned above to continue the discussion.

Another topic which came up quite recently in the forums is that of report writing. This too now has a dedicated page at

http://www.forensicfocus.com/computer-forensics-reports

and again I'd like to encourage further additions to this page (sample reports, relevant links and articles on CF report writing).

Finally, a quick plug for this post by kovar concerning terms of engagement. It seems to me this is another useful area for discussion, in particular for those in private practice, and at some stage will probably also warrant a separate page as a quick reference. Please help if you can!

Happy New Year!

admin — Tue, 01 Jan 2008 14:50:00 +0000

A very happy New Year to all readers and all the best for 2008!

I'm looking forward to getting back in the saddle this month after the usual craziness of December. Hope everyone enjoyed themselves...see you soon in the forums!

Merry Christmas!

admin — Mon, 24 Dec 2007 17:41:00 +0000

A very merry Christmas to all!

Hope you have a great time over the festive period.

Drive carefully, stay safe and see you after Boxing Day...

Document & Media Exploitation - more interesting than it sounds!

admin — Mon, 17 Dec 2007 13:53:00 +0000

There's an article from Simson Garfinkel at the ACM Queue website here which I think many will find interesting (don't let the rather dull title put you off, it's a great read). It covers something called DOMEX which we're told is defined by the US Intelligence community as "the processing, translation, analysis, and dissemination of collected hard-copy documents and electronic media, which are under the U.S. government's physical control and are not publicly available". Essentially it's about the challenge of bringing relevant information or evidence to light in the face of various obstructions (large disk sizes, encryption, time constraints etc.) Simson calls for more work to be done with a view to improving or automating many of the processes currently carried out by forensic examiners and ends by discussing the wider implications of such improvements.

Oh, and there's another good article at the same website here about hard disk reliability. Both articles are well worth a read!

Forensic workstation recommendations

admin — Mon, 10 Dec 2007 10:11:00 +0000

Just a quick note to highlight this thread in the forums where we're trying to put together a list of hardware suggestions/recommendations for anyone considering building or buying a forensic workstation for imaging and analysis.

Do please chime in with any thoughts, not just for the main components (motherboard, chip etc.) but also for the less "sexy" items. Can you recommend a particular case, for example, which you've found has worked well - perhaps due to it's connection possibilities or some ergonomic feature which you particularly liked? What about a particular brand or type of hard drives - are some more reliable than others in your experience?

The focus of the recommendations is on hardware which gets the job done but also represents value for money. Hopefully once complete it will serve as a useful reference for new practitioners entering the field or anyone upgrading from an older system.

Sharing knowledge (part three)

admin — Thu, 06 Dec 2007 11:26:00 +0000

All good things come in threes (apart from Star Wars, of course, as I may have mentioned previously) so here's the last part of this "sharing knowledge" trilogy.

We talked earlier about asking and responding to questions as they arise, the type of situation you see in the forums or our - very quiet! - email discussion list. I'd like to wrap up by encouraging everyone to share their knowledge in a more proactive fashion, either in the form of articles or papers (which I'm very happy to publish at the Forensic Focus site and in the monthly newsletter) or by contributing to one of the forensic wikis which are out there.

Let me be the first to admit - if it isn't already blindingly obvious - I'm not a great writer. I also find it hard going at times. I don't always find it particularly easy to express myself and the process of editing and revising what I do put together can be time consuming (I'm not just referring to contributing to the this site, I'm speaking more generally in this case). With that being said, though, with a little bit of planning and enough effort to actually get started I have found that it is possible to put something together which has some value.

It's clear to anyone who browses the Forensic Focus forums, or those of other computer forensics sites, that there are many very experienced members and there are also those who can write very well (some of the more lengthy and detailed posts are almost full articles in their own right). There are also some who have the ability to share their knowledge by putting pen to paper but don't do so, often through lack of time but also because they're concerned about how what they've written will be received - the fear of criticism holds back many people I've spoken to privately over the past few years. This latter point is a great pity, many of those same people are those with very useful information and interesting perspectives. Whether held back by lack of time or lack of confidence, I really do want to encourage everyone to think again about writing something for the wider forensic community.

The obvious question which remains is what to write? The answer, I think, is simply anything which might be useful to someone else (and I often think the easiest way to judge that is to ask yourself if you would find it useful, or would have done so at some stage in the past). I also want to stress that, at Forensic Focus at least, basic forensics or discussion of fundamental principles is also very much on topic, just as much as advanced techniques. In addition, aspects of computer forensic work outside the purely technical are very welcome - examples might be professional challenges, career development, legal issues, even just personal thoughts and reflections. In essence, if it's a topic which interests you then it will probably be of interest to someone else.

If you'd like to share your knowledge and experience then I encourage you to write something and send it through either to me, for Forensic Focus, or consider submitting to one of the wikis. The ultimate goal is to expand the list of useful resources available to anyone with an interest in this field, from those just thinking about it as a career to those who've seen and done almost (but not quite) everything. I hope you'll decide to help.

Sharing knowledge (part two)

admin — Fri, 30 Nov 2007 12:38:00 +0000

I talked briefly last time about the difference between those who enjoy sharing their knowledge and those who prefer to keep things to themselves. I feel strongly that the vast majority of members at Forensic Focus (and similar sites) fall into the former camp which means we have a tremendous resource at our disposal. Like anything of value, though, it needs careful handling. Just as those who are in a position to help may feel a responsibility to provide accurate information (and don't forget that many answers provided in the forums are highly detailed and have involved considerable time and effort to compose), so those who are seeking answers have an obligation to frame their questions appropriately and do what they can to help themselves before seeking advice.

Forensic Focus is openly and unashamedly a site for both old hands and newcomers to the field, it's certainly not just a site for experienced practitioners. One of the reasons behind that is a focus not just on today's challenges but on tomorrow's too, and more specifically on those members who, although they may be new to computer forensics right now, will be the ones who drive it forward in 5, 10, or 20 years from now (by which time the only computer I'll be using will be one of those gadgets you get at Christmas to keep track of your golf score). So if you're a beginner and there's something you don't understand, what should you do? Here are some thoughts, and I encourage others to add theirs:

- Before even going online, think about the resources you already have to hand. Books and training course notes are often excellent reference sources. If you have neither, now might be a good time to consider laying down some sound fundamentals. Computer forensics courses (both academic or commercial, classroom based or distance learning) have experienced tremendous growth in the past few years. If a course is not appropriate, at the very least read as much as you can. I often still refer to books I've purchased over the years and building a library of the best reference works should be a priority. Subscribe to news feeds and blogs too so you're up to date with general developments.

- Whether your question is general or specific, try a little hands on research and testing yourself. Often, putting together a small network or even a single PC for testing purposes can be achieved at little expense. Want to know what happens to the registry when an external disk has been used and removed? Give it a go and try for yourself. Many useful forensic tools are open source and freely available and in the course of using them you will often build your knowledge in other areas.

- If you have a question about a particular item of hardware or software, consider trying the manufacturer's support site or forum first before looking in a forensic forum for someone with relevant experience. The same applies to forensic hardware and software, often the manufacturer's own web site or forum will get you the answer you need quicker.

- Some software packages come in for particular scrutiny during an investigation of course, primarily those developed by Microsoft due to their dominance in the OS and browser markets. Fortunately Microsoft makes a lot of information available through its own web site (you can search through it here).

- It almost goes without saying, but Google really is your friend. If you don't find what you're looking for immediately, though, don't give up. Read some of the advanced search tips for other ways of searching.

- Before posting in the forums, have a good search of the existing posts. As you're doing so you'll probably ask yourself why there aren't many stickied posts or FAQs and I think you'd be right. It's something I intend to improve next year.

- If you've done all the above (with a particular emphasis on a solid Google and forum search) but haven't found what you're after PLEASE DO ask in the forums - that's what they're there for and I'm certainly not trying to put anyone off from posting. However, there are a few important points to keep in mind when you do post, namely:

1. Always post in the most appropriate forum (yes, there's more than one!)

2. Give as much information as you can about the problem straight away. Most people are very willing to help but it can be frustrating if there are obvious gaps which need to be filled before they can do so. Describe the general context of the situation, explain something about your own background or experience if you're new to the board, describe any hardware or software in detail (including version numbers) etc. The more information you can give, the more likely you are to get a useful reply.

3. Say what you've already done to answer the question or solve the problem. Don't be afraid to admit your own limitations. This has two benefits. Firstly, it prevents other from going over the same ground but perhaps more importantly it shows that you've already put your own effort in and just can't get any further. In that case most people will be only too happy to help and you'll get the result you're looking for.

I hope the above is useful and helps us build our friendly community still further.

Have I missed something? Would you like to add your own tip for making the most of our shared knowledge pool? Don't hesitate to comment.

Sharing knowledge

admin — Tue, 27 Nov 2007 16:26:00 +0000

Everyone working in a computer forensics role has at least one thing in common - they know a lot more now than they did when they started. No matter how knowledgeable someone is today, there was a time when they knew next to nothing about forensic matters.

Something not everyone has in common, though, is a willingness to share that knowledge. In the 15 or so years that I've been involved with IT (not just forensics) I've had the good and bad fortune to meet some very different personality types, on the one hand true professionals who are only too happy to share what they know and on the other those who take an almost perverse delight in hoarding their knowledge. I've often thought about what it is that makes one person willing to give up their time to teach others while someone else will only ever seem to act in their own interests. I don't necessarily have a good answer to that question but what I have noticed is that those most willing to share their knowledge have always been those who truly understood the subject matter at a deeper level and genuinely enjoyed thinking and talking about it. They felt secure in their own position yet were comfortable talking about their own limitations.

No matter how much we know now, the pace of change is such that there will always be something new to learn tomorrow. Furthermore, the scope of high tech investigations is such that no one can possibly know everything. At some stage we all need to turn to the resources which are available in order to increase our knowledge. Those resources are many and varied. For most forensic examiners studying, training and research (if you're lucky) are the main paths to increasing knowledge and understanding. Frequently, though, a problem or question arises the answer to which is not covered in any training course and the time to research it in the lab is simply not available. On these occasions we need to turn to others who may already have answered the same question.

How we ask that question, especially for those new to the field, can be crucial in determining the type of response we receive. More on that tomorrow...