MSc Forensics Controversy

jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Because the courses are not updated to keep pace with the current state of forensics.

Well, to be fair, not even forensics is updated to keep pace with the current state of Operating Systems and devices. ;)

jaclaz


   
(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

Well, to be fair, not even forensics is updated to keep pace with the current state of Operating Systems and devices. ;)

jaclaz

Touché


   
benfindlay
(@benfindlay)
Estimable Member
Joined: 16 years ago
Posts: 142
 

Interesting, which browsers did you do forensics for? AFAIK of the 'big 3' browsers, both Firefox and Chrome both store their history in a Sqlite file, as do other browsers such as Safari. I know you can do some other work around the cache etc but how do you recover the Internet history without using SQLite?
Obviously the other big one is Internet Explorer, which I'm guessing you covered, but probably covered Index.dat files which haven't been used in that browser since IE 10 in 2011.
Honestly IMHO I cannot imagine how an Internet forensics course can be run without at least some coverage of SQLite.

We covered Chrome and Firefox primarily. IE was touched on only briefly. I seem to recall the justification for this being the market dominance/share Chrome and Firefox enjoyed at the time as the 2 most used browsers - approximately 62% and 22% respectively, (vs IE's 8%) I believe.

For both browsers, focus was on the Cache - data_[n] files in Chrome, and cache_map, cache_001 etc. files for Firefox. There was an awful lot of information provided relating to both caches and the potential for recovery of useful information, and I think your choice of phrase of some other work is way off the mark.

SQlite is part of Internet forensics, but as I stated previously, it was covered in depth on the Advanced module - part of the same MSc programme. Covering it in both the Advanced and Internet modules would be an unnecessary duplication and repetition of material, and is something I certainly would not have appreciated. The SQLite was acknowledged on the Internet module, but not covered under the scope of that course in any depth.

The SQLite skills gained on the Advanced module are directly transferable to any SQLite forensic work elsewhere.

Honestly IMHO I cannot imagine how an Internet forensics course can be run without at least some coverage of SQLite.

Go take the courses, then you won't need to imagine. ;)
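The SQLite side of browser history that this exchange keeps coming back to, as an added example that is not from the thread or from any course material: a short Python script that builds a constructed stand-in for Chrome's History database (only the `urls` table, with invented sample rows that mirror Chrome's column layout), pulls the visit records out of it, and converts Chrome's WebKit timestamps (microseconds since 1601-01-01 UTC, with 0 meaning "never visited") into readable UTC times. The `open_history_readonly` helper is for a working copy of a real History file; the function names are my own.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome/WebKit timestamps count microseconds from this epoch, not from 1970.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(webkit_us):
    """Convert a WebKit timestamp to a UTC datetime; 0 (Chrome's 'never') -> None."""
    if not webkit_us:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=webkit_us)


def open_history_readonly(path):
    """Open a copy of a real History file without touching it (read-only, no journal).

    'immutable=1' tells SQLite not to look for -wal/-journal files or take locks,
    which matters when the copy sits on write-blocked evidence media.
    """
    return sqlite3.connect(f"file:{path}?mode=ro&immutable=1", uri=True)


def build_sample_history():
    """Constructed in-memory database with the shape of Chrome's 'urls' table.

    The two rows are invented sample data, not a real artifact.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE urls ("
        "id INTEGER PRIMARY KEY AUTOINCREMENT, url LONGVARCHAR, title LONGVARCHAR, "
        "visit_count INTEGER DEFAULT 0 NOT NULL, typed_count INTEGER DEFAULT 0 NOT NULL, "
        "last_visit_time INTEGER NOT NULL, hidden INTEGER DEFAULT 0 NOT NULL)"
    )
    rows = [
        (1, "https://example.org/", "Example Domain", 3, 1, 13300000000000000, 0),
        (2, "https://example.net/login", "Login", 1, 0, 0, 0),  # never visited
    ]
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def extract_history(conn):
    """Return URL records, most recent first, with the timestamp decoded."""
    cur = conn.execute(
        "SELECT url, title, visit_count, last_visit_time "
        "FROM urls ORDER BY last_visit_time DESC"
    )
    records = []
    for url, title, visits, ts in cur:
        when = webkit_to_datetime(ts)
        records.append({
            "url": url,
            "title": title,
            "visits": visits,
            "last_visit_utc": when.isoformat() if when else None,
        })
    return records


if __name__ == "__main__":
    for rec in extract_history(build_sample_history()):
        print(rec)
```

The same decoding applies to the `visits` table, which carries one row per visit rather than one per URL and is where the actual timeline lives; the epoch conversion is the part examiners most often get wrong when checking a tool's output by hand.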


   
(@nathanc)
Active Member
Joined: 10 years ago
Posts: 9
 

I have read this thread with interest this is something that is often discussed in my lab. On the open source versus the commercial ones issue I generally prefer commercial products but then again I am not the one having to pay for them. As for what is better and whether EnCase version X is better than version Y or if FTK or X-Ways is better it is so much tosh. Personally I don’t like EnCase and prefer FTK but both work. In my lab the split is 50/50 with a dash of X-Ways thrown in and one lad likes to run his own scripts on image files. My lot can use whatever they want as far as I’m concerned. If they get their work done using an open source tool as quickly as a commercial one (and in either case verify it if need be) then they can crack on.

As for what should be taught on BSc and MSc courses, that is a completely different matter. For me it comes down to a single premise any science subject worth its salt must work from first principles.

This is where the DMU courses very much come into their own. Yes, teaching file systems by starting with FAT and moving through disc maps and finally into NTFS may look antiquated but as a result I not only know a fair bit about NTFS but can deal with disc geometry from first principles so if something looks odd in FTK or EnCase I know how to go back to the hex and check it manually. On more than one occasion I have found old partitions from previous installations that I would otherwise have missed. Will I do it every time or even 1% of the time? Not a chance but the difference is that I know how to do it.

In short good BSc and MSc courses teach you fundamentals and then get you to apply them to any tool you choose. FTK and EnCase courses generally teach you FTK and EnCase. An MSc in Computer Forensics should teach you the underlying principles of computer forensics – the tool that they use is really neither here nor there. What is taught on the DMU courses (as mentioned above) must be taken as a whole - they fit together as a complete package. This means that no, not everything internet related is taught on the Internet course. Some (SQLite) is on the Advanced, some (IP) is on the Networking course. But taken as a whole I can apply the fundamentals taught to anything. I may not know how the browser WhizzyNew v1 works but if it uses SQLite because I know the fundamentals I can work it out. Don't get me wrong, when FTK eventually can parse WhizzyNew then I won't do it manually, but until then, I can.

Finally I suspect that this is about to become even more important over the next couple of years. ISO17025 is coming to all forensic practitioners and a massive part of this is validation. Want to use FTK v6 to produce your evidence? Feel free but your unit must have validated it from first principles.

This means that if you use it to say that a file has a certain date/time and was located at a certain place then saying that the tool told you will not cut it. To be able to verify tools then you must know how to prove the evidence from first principles. This is where those who can prove something from first principles come into their own.

This is not unique to computer forensics. In my undergraduate degree while certain maths and physics equations could be assumed the student has to be able to prove them from first principles. There is no substitute for this.

Now going full circle how should an MSc course do this? Well if the course can afford the licences then by all means use FTK, EnCase or X-Ways – all can be run in an unprocessed mode to manually prove anything that the processed state displays. If not, any tool that lets you work from first principles will do the trick.

Nathan Coutts
Met Police Cybercrime Unit
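Nathan's point about going back to the hex to check partitions by hand, and the validation argument that follows it, as an added Python example that is not part of his post or of any course material: it parses the four MBR partition-table entries out of sector 0 of a disk image, scans every sector for a boot-sector signature with a recognisable file-system label, and reports volumes that no table entry references, which is how a leftover partition from an earlier installation shows up when a tool only follows the table. The 64-sector image is constructed inline and the function names are my own; on a GPT disk the table holds a single protective entry of type 0xEE and the GPT header has to be parsed instead.

```python
import struct

SECTOR = 512
MBR_TABLE_OFFSET = 446
# One 16-byte entry: status, CHS start, type, CHS end, LBA start, sector count
ENTRY_FMT = "<B3sB3sII"


def parse_mbr(sector0):
    """Return the non-empty partition entries of an MBR sector as dicts."""
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, sector0, MBR_TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue  # unused slot
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,  # 0x07 NTFS/exFAT, 0x0C FAT32 LBA, 0xEE GPT protective
            "start_lba": lba,
            "sectors": count,
            "end_lba": lba + count - 1,
        })
    return entries


def identify_boot_sector(sector):
    """Name the file system a sector's boot record belongs to, or None."""
    if sector[510:512] != b"\x55\xaa":
        return None
    if sector[3:11] == b"NTFS    ":
        return "NTFS"
    if sector[82:90] == b"FAT32   ":
        return "FAT32"
    if sector[54:62] in (b"FAT12   ", b"FAT16   "):
        return sector[54:59].decode("ascii")
    return None


def find_boot_sectors(image):
    """Scan every sector after the MBR for a recognisable boot record."""
    hits = []
    for lba in range(1, len(image) // SECTOR):
        kind = identify_boot_sector(image[lba * SECTOR:(lba + 1) * SECTOR])
        if kind:
            hits.append((lba, kind))
    return hits


def unreferenced_volumes(image):
    """Boot records that no MBR entry points at (and are not NTFS backup copies).

    NTFS keeps a copy of its boot sector in the last sector of the volume, so a
    hit at a partition's end_lba is expected and is not reported.
    """
    parts = parse_mbr(image[:SECTOR])
    starts = {p["start_lba"] for p in parts}
    ends = {p["end_lba"] for p in parts}
    return [(lba, kind) for lba, kind in find_boot_sectors(image)
            if lba not in starts and lba not in ends]


def verify_partition_start(image, reported_lba):
    """Cross-check a tool's reported partition start against the raw bytes.

    Returns the file-system name if the MBR lists that LBA and a matching boot
    record sits there, otherwise None (the tool's claim is not supported).
    """
    if reported_lba not in {p["start_lba"] for p in parse_mbr(image[:SECTOR])}:
        return None
    return identify_boot_sector(
        image[reported_lba * SECTOR:(reported_lba + 1) * SECTOR])


def build_sample_image():
    """Constructed 64-sector image: one NTFS partition listed at LBA 8 (16
    sectors) plus a leftover NTFS boot sector at LBA 40 that nothing references."""
    img = bytearray(64 * SECTOR)
    struct.pack_into(ENTRY_FMT, img, MBR_TABLE_OFFSET,
                     0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 8, 16)
    img[510:512] = b"\x55\xaa"
    for lba in (8, 40):
        base = lba * SECTOR
        img[base:base + 3] = b"\xeb\x52\x90"      # jump instruction
        img[base + 3:base + 11] = b"NTFS    "     # OEM id
        img[base + 510:base + 512] = b"\x55\xaa"
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_image()
    print("table:", parse_mbr(img[:SECTOR]))
    print("orphans:", unreferenced_volumes(img))
```

On a real image the scan should run over a read-only copy and the partition's own sector count should be compared against the volume size recorded in the boot sector's BPB, which is exactly the kind of independent check ISO 17025 validation asks for rather than taking the tool's partition list on trust.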


   
Chris_Ed
(@chris_ed)
Reputable Member
Joined: 16 years ago
Posts: 314
 

Interesting and well considered post. I agree whole-heartedly on most of your points, however I disagree on this

What is taught on the DMU courses (as mentioned above) must be taken as a whole - they fit together as a complete package.

Must it? This would be true if that was how it was sold, but it's not. Quoting directly from the website

The scheme is composed of a series of short course modules and associated coursework modules which can be taken on a standalone basis

If there were related pre-requisites to take the other courses then that's fine - but there aren't. One of the things studied in this course is

The importation of 'unusual' software applications, particularly Email applications, is demonstrated and methods of extracting data from such proprietary storage systems are demonstrated and experienced.

This is (I assume) where turnpike comes in. But as an outsider I have to ask myself why you would spend any time on 'unusual' software applications when something as critical to Internet History investigations as SQLite is shunted to the 'Advanced' course?


   
(@nathanc)
Active Member
Joined: 10 years ago
Posts: 9
 

Fair point on the individual courses. To a point.

Yes the courses are sold individually and in batches - intro course, PGCert etc and they are designed to fit together as a single MSc. I suspect that this is more due to the fact that agencies can't justify 9k up front for all staff and prefer to send people course by course.

There are however overlaps between the courses which have been mentioned - sql, IP, networking, file systems etc. If you wanted to run the courses as self-contained entities that do not rely on each other then either they would be much longer or have less overall content which would reduce the learning and result in those completing multiple courses going over the same material.

Now that said that doesn't mean that modules couldn't and shouldn't be moved and I know that this is being reviewed along with whether some bits need to be taken out and new bits put in - such as UEFI. Another one is whether TCP/IP should be networking or Internet. However as these courses are MSc modules, changing one means changing others which can't be done overnight. The other option would be to have pre-requisite learning or courses. i.e. That they should be done in a certain order. Again I know that this is under consideration but for every person that this suits, it doesn't suit another.

Bottom line though is that there are a lot of courses out there to choose from. Having done a fair few of them over the years I think that the courses on the MSc are on balance the best out there when taken together and in the right order. That doesn't stop me putting my opinions to the two professors as to what should and shouldn't be taught and in what order! The fact that I send all my staff there on the 2 week course, then the PGCert, PGDip and MSc at serious expense means I don't think there is anything else out there that teaches the fundamentals any better.


   
benfindlay
(@benfindlay)
Estimable Member
Joined: 16 years ago
Posts: 142
 

Interesting and well considered post. I agree whole-heartedly on most of your points, however I disagree on this

What is taught on the DMU courses (as mentioned above) must be taken as a whole - they fit together as a complete package.

Must it? This would be true if that was how it was sold, but it's not. Quoting directly from the website

The scheme is composed of a series of short course modules and associated coursework modules which can be taken on a standalone basis

As NathanC said, they are available as short courses as it is often difficult to justify 9k upfront. Also, it is broken up into discrete chunks as doing it all in one go would require significant time out of the office and therefore abstraction from regular duties. Short term productivity of our unit would very much suffer if we underwent any lengthy staff abstractions.

If there were related pre-requisites to take the other courses then that's fine - but there aren't. One of the things studied in this course is

The importation of 'unusual' software applications, particularly Email applications, is demonstrated and methods of extracting data from such proprietary storage systems are demonstrated and experienced.

This is (I assume) where turnpike comes in. But as an outsider I have to ask myself why you would spend any time on 'unusual' software applications when something as critical to Internet History investigations as SQLite is shunted to the 'Advanced' course?

I don't think anything was "shunted" (as you put it) to another course. Are you perhaps suggesting that there was no room for it, so someone made an arbitrary decision to stick it elsewhere as a compromise? As I have previously said, the SQLite is covered in the Advanced course from a perspective beyond just Internet as it has its uses outside of just Internet history.

Bottom line though is that there are a lot of courses out there to choose from. Having done a fair few of them over the years I think that the courses on the MSc are on balance the best out there when taken together and in the right order.

[SNIP]

I don't think there is anything else out there that teaches the fundamentals any better.

I couldn't agree more!


   
Page 4 / 4