±Forensic Focus Partners
|New Today: 1||Overall: 29233|
|New Yesterday: 11||Visitors: 160|
· SADFE 2015 – Malaga 30th September – 2nd October
· Countering Anti-Forensic Efforts – Part 2
· Windows 8 Touch Keyboard Forensics
· Countering Anti-Forensic Efforts – Part 1
· Linux Timestamps, Oh boy!
· Standard Processes in Windows 10
· NAS Forensics Explained
· Project Spartan Forensics
· FT Cyber Security Summit Europe – London 22nd September
Rob Attoe, Senior Vice President Investigations Training and Services, NuixBack to top Back to main Skip to menu
Rob Attoe, Senior Vice President Investigations Training and Services, Nuix
Even though I’ve been at Nuix for seven months now, it still feels new and every day I discover something different. The most important part of my job is applying my experience as a training provider, which I’ve done for the past 10 years, to make sure Nuix represents its products as well in the training arena as it does in the functional arena. It’s about applying a professional adult learning model to the organisation so customers come away with a good experience of the software and gain knowledge of how to use it to best effect.
Please tell us about the training programs offered by Nuix. Which areas are covered? What can trainees expect to learn?
Nuix’s main training areas are investigations, eDiscovery and cybersecurity. We offer three-day Nuix Foundations courses, two-day Specialist courses and certifications for eDiscovery and investigations.
In all cases, it’s about taking any practitioner, whether they are new to the field or experienced, giving them the base knowledge to succeed and then running through some advanced workflows and techniques that will really help them make the most of our software.
A lot of the time we get trainees who have already been using Nuix and sort of fumbling their way through it. Our training takes them through every facet and feature of the Nuix tool and how we as the vendor intended them to use it.
That said we also learn from our trainees. Every student brings something to the class and often our trainees teach the instructors and other trainees something they didn’t know before.
You not only train Nuix customers but also instruct at IACIS conferences and give presentations at events run by the High Technology Crime Investigation Association, Department of Defense, F3 and Internet Crimes against Children taskforce - tell us more about your experiences on these occasions.
At IACIS conferences, I am focused on keeping on top of what is current and relevant for forensic examiners. It’s about researching and developing techniques that aid digital investigation, helping people understand current trends in how people try to conceal data and misuse computers. A lot of Nuix employees volunteer their time and expertise to give back to the community.
At the other events, the organisations are looking for tips and tricks from experts in the field that they can share to their groups. An important thing to understand is that a lot of people who work in this field don’t have the time to read journals or the budget to go to conferences. So often we’ll put together a white paper or similar about a particular area of interest such as forensic analysis of Windows 8 systems, and share with the community.
What are the main challenges associated with digital forensics training today? Is there anything that you feel most courses do not adequately cover?
It’s a huge challenge staying up to date. People are using such a diversity of operating systems and applications like web browsers. Teenagers don’t stick to one chat client for more than a couple of months before they switch to something better, criminals do the same. This means examiners need to keep up with current trends.
As a trainer, you have to keep yourself fresh and sharp, keep the material new and respond to changes at a moment’s notice.
Our courses are typically two or three days in length but we need to cover a full college semester of material. So that’s 200 hours of training in 21 hours. Obviously you can’t cover everything, but you can give trainees the ammunition, enthusiasm and a framework to research further and deepen their understanding.
Many of the students who visit the Forensic Focus forums ask us what kind of degree program they should choose when entering the field, or whether they should focus on other employment-related qualifications instead. What would your advice to them be?
My best advice is to get some kind of computer-related foundation degree. Understand how computers work, how they store data on disks, all the basics. But as early as possible, decide what your focus will be and let that guide you.
If you want to be a forensic examiner, you’ll need to know about disk structure and encryption. For eDiscovery you’ll need to learn about legal challenges and issues such as consent. For cybersecurity, you’ll need training with an information security focus.
I’m not convinced you need to do a five-year degree. Technology changes so quickly, by the time you graduate, a lot of the material you covered early on will be out of date.
I think you need to have some understanding of computing at an academic level but once you have a degree, you can learn as much on the job as you can sitting in the classroom. In some respects, it’s even better. But even while you’re doing your degree, see if you can do some volunteer work – or a placement – in the field. You will gain a lot of experience and it will further your career.
You’re originally from the UK, but your current role is based in the USA. Have you found any major differences in the field – whether in training or otherwise – between the two countries?
I emigrated from the UK to the USA in 2002, initially working at the National White Collar Crime Center. The similarities were always much greater than the differences because they are trying to solve the same problem: a crime has potentially been committed and you have to find out what happened and if you can prove it. The UK, the US and anywhere else in the world have very similar goals for identifying and analysing electronic media.
There was a big difference, though, around the legal authority to examine an exhibit. In the UK, as long as evidence was taken into custody correctly, an examiner could search across the whole evidence to find data that supported the allegations.
In the US, there’s a lot of variation in the legal systems and restrictions at a regional level. Often the way the warrant was written determines whether an examiner had the legal privilege to look at emails, for example. And the medical profession can’t divulge patient records to anyone without a subpoena.
As far as teaching is concerned, of course you have to change some of the modules to suit your audience, for example, in the early days of delivering an internet forensics course I did a whole section on AOL. Then I went to Europe and found out no-one there used it!
What do you think the next major developments and/or challenges will be in digital forensics?
Cloud storage is booming, particularly in the corporate world. There are real challenges for forensics in cloud storage, because the data is typically commingled with other users’ data – so you can’t just go to a cloud provider and say ‘give me the disks’. There can be legal issues depending on which country the data is stored in. You may even have to go to that country to get the data out, rather than requesting it remotely.
Also, lots of applications for tablets, phones and PCs are storing their data in the cloud rather than locally. This is another big challenge for forensics.
People are more aware of their information security so they are using encryption both for data in transit and at rest. Quantum cryptography is becoming a reality and that’s essentially impossible to crack – unless you convince the owner to give you the password, of course.
Finally, I think we’ll see more electronic intelligence aiding examiners in all types of forensics. There are no products yet but there is a lot of research into using artificial intelligence as a way to build a case. It will be able to learn what the features of the evidence are and identify the most likely lines of inquiry. Of course, you’ll always need a technology that can make all the content of the evidence readable to the artificial intelligence system.
On the rare occasions when you're not instructing or presenting, what do you do in your spare time?
Of course, spending time with my family. I enjoy running, archery and most other outdoor sports – participating, not necessarily watching. My passion is hiking in the Utah desert, camping out in the middle of nowhere and looking for fossils and rare stones. I do a lot more looking than finding but it’s well worth the effort.
Rob Attoe is Senior Vice President, Investigations Training and Services, at Nuix, where he heads the training department’s build and delivery of course content, ensuring the curriculum and delivery concepts meet industry standards as well as production of customised courses tailored for forensic practitioners globally. He also leads the research into forensic artefacts found on various operating systems and regularly presents the research findings at large conferences.