Kamil, you’re currently an independent consultant in digital forensics – can you tell us more about your work and how you first became interested in the field?
My independent consulting has, to date, been predominantly in the fields of information security and privacy. I haven’t had an opportunity yet to work directly in digital forensics as an independent consultant. Mostly my work in information privacy revolves around ensuring compliance with impending information privacy legislation in South Africa. This legislation is modelled around European Union information privacy law and mandates the use of generally accepted information security standards, such as ISO 27001/2. Thus, much of my work also involves providing consulting advice on the necessary information security controls.
I first became interested in digital forensics when I began my doctoral studies at the Information and Computer Security Architectures (ICSA) Research Group at the University of Pretoria. ICSA was (and still is) heavily involved in digital forensics research. Participating in weekly research group meetings where this research was discussed helped pique my interest in the subject – to the extent that I decided to pursue doctoral studies in the field of digital forensic readiness.
You’re also a board member of the METT Centre, which provides trauma counselling to children. Can you describe some of the areas this covers?
Certainly. The METT Centre focusses specifically on providing trauma counselling to children at certain primary schools in and around the Pretoria CBD. These schools cater for a large number of learners that come from difficult socio-economic backgrounds. The METT Centre helps these learners overcome physical, sexual and emotional abuse through individual, family and group therapy. Therapy is provided by registered social workers and psychologists.
My role on the board of the METT Centre is predominantly one of oversight. The METT Centre is a registered non-governmental and non-profit organisation and must therefore operate within certain legal parameters. As a board member I attend board meetings in which guidance is provided to help the organisation meet its many challenges, for example, funding (the METT Centre is funded entirely from donations). There are of course the more mundane and official duties such as reviewing audited financials etc.
You undoubtedly come across disturbing subject matter in both of your roles. Do you find it difficult? How do you cope with it?
It can be disturbing to see what people are capable of. I think the reality that people will try to steal or defraud companies is far easier to deal with than the reality that there are people out there that will abuse a child.
I am not at the front-line of dealing with the reality of child abuse given my role at METT is primarily an oversight role. As a board member I do, however, know that even seasoned counsellors have required psychological debriefing to help them deal with the extreme cases they come across. Even hearing about some of these cases can be difficult.
Personally I draw strength and positivity in my outlook from my faith as a Christian and also from seeing the dedicated individuals at the METT Centre who ARE at the front-line. They work tirelessly to help others, often at the cost of more lucrative and easier jobs.
Your paper 'The Architecture of a Digital Forensic Readiness Management System' has recently been published in Computers & Security. Could you give us a brief overview of the subject, and your main findings?
The paper addresses the subject of digital forensic readiness, which one can define as a corporate goal consisting of the technical and non-technical actions that maximise an organisation’s ability to use digital evidence. To put that into more concrete terms, technical measures might include enabling logging and securely storing the logs, while non-technical measures might include a digital forensics policy and appropriate training of digital forensics staff.
The main purpose of the paper was to put forward the idea of a system that could be used to manage digital forensic readiness (DFR) in a large organisation, and also to propose an architecture for such a system. In the paper we undertook a comprehensive review of DFR literature to come up with the requirements of the system and then built a proof-of-concept system that showed such a system was indeed possible. Of course to truly test it, one would have to implement it in a large organisation.
What can the digital forensics community do to encourage organisations to adopt a digital forensics readiness strategy?
Many digital forensic readiness (DFR) measures, such as logging or event management, should already be in place in organisations with mature information security and privacy functions. The community should aim to dovetail and work together with these functions as far as possible. If such measures do not exist, digital forensics practitioners should motivate for them together with other functions. This avoids the measures being seen as a ‘forensics problem’ or measures that must come out of a forensics budget.
A DFR strategy of course only makes sense when the cost is justified. Digital forensics practitioners should be realistic in what they expect from a DFR strategy. They should be able to justify the strategy against the risks it helps address. The strategy can also be justified based on the cost it should help save in carrying out digital forensic investigations, and the increase in the effectiveness of digital forensic investigations.
You mention that it’s important to look at both human and technical concerns when it comes to managing resources. What are the main challenges of each? Is one easier to deal with than the other?
In terms of technical challenges, these often revolve around implementing technologies. Take a security information and event management (SIEM) for example. A SIEM can be a powerful DFR tool if properly configured to monitor the correct events and with the correct rule sets. Too often these tools are seen as solutions that will solve problems merely by being installed. The challenge therefore is to ensure that such tools are installed and configured to address specific risks and that the tools integrate well with existing hardware and software, as well as planned hardware and software acquisitions.
Of the human challenges, I would say the foremost is the scarcity of individuals with appropriate digital skills and experience. I think that the lack of digital forensic skills often hampers the potential of digital forensic functions within organisations. Another human challenge in DFR is obtaining the buy-in from various departments or business units since incident response teams comprise people from various departments and business units. First responders, for example, are often not individuals that work directly within a forensics function.
What do you do in your spare time?
In my spare time I like to keep fit, listen to music and watch sports – I also spend a lot of time on my favourite social media platform. Keeping fit involves gym, tennis and swimming. Although I’ve been sidelined by an injury for some time, I hope to return to competitive tennis one day. As for music, I listen to most kinds and particularly enjoy live music. I also watch most sports, but, being South African, there’s often a lot of cricket, rugby, tennis and football (soccer) involved!