Gene Spafford, CERIAS

by

Gene, can you tell us a little bit about your background and how you came to work at CERIAS?

My academic PhD was work in reliable operating systems. I then did a post-doc in software testing, which I viewed as a follow-on to my work in reliability. During all that time I worked part-time as a system administrator and consultant. I was interested in computer & network security, but was told that it was not an area for an academic career unless I wanted to work in formal methods or cryptography.

I joined the faculty at Purdue in 1987. In 1988, the Morris Worm and some computer viruses became news. So did some of Cliff Stoll’s exploits. I found myself playing a role in all of those, as one of the few academics who was actually working hands-on with systems. So, I began to explore topics in applied computer security for my “day job” – including forensics. (I actually helped solve a computer crime (of sorts) back in 1983, so I’ve been involved in the area for longer than my time at Purdue.)In 1992, I established the COAST Laboratory at Purdue, to share research resources with a few other faculty interested in what I was doing. In 1998, I established CERIAS as a university-wide research center. I’ve been director ever since (or executive director).

One of CERIAS' research focus areas is "Incident Detection, Response, and Investigation" – can you give us some insight into current activities?

We have at least a half-dozen projects that fit under this title – basically, things we do to detect & investigate incidents.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

– The ADEPTS project is based on a knowledge engine that gathers remote data about system performance and attacks, then makes predictive decisions for reconfiguration and containment

– Work in the VIPER lab is being conducted on traceback of digital images and imaging to the devices that created them (think of tracing ransom notes back to typewriters).

– I’m involved in a project using process “coloring” to detect intrusions into systems, and help to narrow the focus onto those files and processes that were actually affected by the intrusion in some way.

– We have a group working on devising special forensic tools for small devices, such as PDAs and cell phones.

– We have a project involving profiling of computer criminals to help investigators decide where to look. This might also prove useful in screening against potential insider attacks.

– We are doing some “live” assistance to state police and the FBI on cases, during which we are identifying characteristics worthy of new projects.

There have been other projects before these, and more to come. The above is not even a complete list, but gives a sense of scope – OS to devices to tool building to psychology to “live” operations.

What do you think are the greatest challenges in store for the computer forensics community? How should these challenges be met?

The big challenges are volume (of data and cases), timeliness (getting actionable results quickly), and crossing jurisdictional boundaries. The latter is related to the attribution problem.

I’m not sure yet how we meet all these challenges. One thing I have been advocating (and working on) are methods we build into systems – OS and applications – that provide great fidelity forensics without requiring substantial postprocessing. “Baked in” if you need a phrase for it. There are things we can do that will thus quickly narrow focus and produce timely results. We are going to need similar mechanisms to examine live systems, too – computing in the “cloud” with SaaS means we aren’t going to be able to shut systems down and examine them at our leisure. Not all the issues will be solved with technology, obviously. Some will require political and human solutions. We need to understand what those are, and work towards those too.

What aspect of computer forensics as it is currently practiced would you most like to see changed or improved?

Almost everything we do is ad hoc and post hoc. We need a more formal framework (I started down this path with Brian Carrier, who did his PhD under my direction) to describe what we do and make it more of a science than a technology application area. We need a greater set of foundational tools and concepts so we aren’t relying on products whose inner workings we don’t understand and which may not be generalizable. And as part of that framework, we need to have structures and logs that support what we are trying to do better than inferring behavior from artifacts designed 20 years ago.

I guess I can summarize that as saying we need more focus on the underlying science and principles of cyber forensics, not simply more case studies and tool development.

Do you have a sense that computer criminals are becoming more sophisticated at covering their tracks?

Oh yes, this is clearly happening, and has been for some time. Most of the people we notice and catch are the ones who are either brazen (they are operating from a location with no fear of retribution), careless, or uninformed. The slow, stealthy ones who are after very high value targets are seldom caught. This includes some of the well-financed “for hire” types who target corporate information, and government-backed agents. Instead, we catch the bot-herders and phishers, and even then we don’t seem to catch many of them. One result is that those lower-end criminals read the mailing lists and news to see when and how they are spotted, and they learn from that.

In many ways, it is like antibiotic resistant bacteria. If you hit the bacteria with a drug, but don’t actually wipe it out, what is left develops resistance so the same drug won’t work the next time. If we don’t actually start getting some action to go with successful forensics, we almost might be better off not doing some of the forensics! Luckily, the supersophisticated attackers are few in numbers compared to the more mundane criminals. Unfortunately, the super criminals can cause much more damage if we don’t find them.

What advice would you give to anyone considering a career in forensic computing?

It’s a field with tremendous promise. It is multi-disciplinary, so study in several fields other than IT will help – criminology, psychology, law, for instance. Also, creating a reputation by breaking into systems or finding and publicizing flaws is not the best path to a fulfilling career: many employers, and especially many in law enforcement, see such behavior as demonstrating that the individual is not trustworthy. Given the number of times “hackers” have reverted to old ways or done questionable things, this is probably a reasonable assessment.

What do you do to relax and unwind?

Listen to music. Watch bad movies. Some reading. Gardening. I’m usually too busy with family & work to relax, however!

Gene Spafford can be contacted as follows:

Email: spaf AT purdue.edu -OR- spaf AT acm.org
Phone: (+1) 765.494.7825
Further contact details: spaf.cerias.purdue.edu

Leave a Comment

Latest Videos

Forensic Focus

Forensic Focus
Learn about the UNISOC extraction method in the Oxygen Forensic Device Extractor.

Learn about the UNISOC extraction method in the Oxygen Forensic Device Extractor.

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_I06R1LA8m2Q

Data Extraction From UNISOC-Based Devices In Oxygen Forensic® Detective

Forensic Focus 16th November 2023 3:08 pm

Si and Desi talk to Eva Galperin, Director of Cybersecurity at the Electronic Frontier Foundation, and Emma Pickering, Head of Tech and Economic Abuse at Refuge. They discuss the impact of digital forensics and incident response (DFIR) in cases of domestic abuse. They highlight the prevalence of tech-enabled abuse, such as the use of stalkerware, and the need for comprehensive support and safety plans for survivors. They also talk about the challenges faced by law enforcement in investigating and prosecuting these cases, as well as the importance of training and awareness in addressing tech-enabled abuse. The conversation emphasizes the need for collaboration between organizations, tech developers, and law enforcement to effectively combat domestic abuse. Show Notes: Apple Support: How Safety Check on iPhone works to keep you safe - https://support.apple.com/guide/personal-safety/how-safety-check-works-ips2aad835e1/web IBM: Five Technology Design Principles to Combat Domestic Abuse - https://www.ibm.com/policy/five-technology-design-principles-to-combat-domestic-abuse/ EFF: Today The UK Parliament Undermined The Privacy, Security, And Freedom Of All Internet Users - https://www.eff.org/deeplinks/2023/09/today-uk-parliament-undermined-privacy-security-and-freedom-all-internet-users Wesley Mission: More support to help escape family violence - https://www.wesleymission.org.au/about-us/what-we-do/helping-people-most-in-need/housing-and-accommodation/wesley-emergency-relief/more-support-to-help-escape-family-violence/ Refuge: How we can help you - https://refuge.org.uk/i-need-help-now/how-we-can-help-you/ Electronic Frontier Foundation - https://www.eff.org/

Si and Desi talk to Eva Galperin, Director of Cybersecurity at the Electronic Frontier Foundation, and Emma Pickering, Head of Tech and Economic Abuse at Refuge. They discuss the impact of digital forensics and incident response (DFIR) in cases of domestic abuse. They highlight the prevalence of tech-enabled abuse, such as the use of stalkerware, and the need for comprehensive support and safety plans for survivors.

They also talk about the challenges faced by law enforcement in investigating and prosecuting these cases, as well as the importance of training and awareness in addressing tech-enabled abuse. The conversation emphasizes the need for collaboration between organizations, tech developers, and law enforcement to effectively combat domestic abuse.

Show Notes:

Apple Support: How Safety Check on iPhone works to keep you safe - https://support.apple.com/guide/personal-safety/how-safety-check-works-ips2aad835e1/web
IBM: Five Technology Design Principles to Combat Domestic Abuse - https://www.ibm.com/policy/five-technology-design-principles-to-combat-domestic-abuse/
EFF: Today The UK Parliament Undermined The Privacy, Security, And Freedom Of All Internet Users - https://www.eff.org/deeplinks/2023/09/today-uk-parliament-undermined-privacy-security-and-freedom-all-internet-users
Wesley Mission: More support to help escape family violence - https://www.wesleymission.org.au/about-us/what-we-do/helping-people-most-in-need/housing-and-accommodation/wesley-emergency-relief/more-support-to-help-escape-family-violence/
Refuge: How we can help you - https://refuge.org.uk/i-need-help-now/how-we-can-help-you/
Electronic Frontier Foundation - https://www.eff.org/

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_nSWQZe9gpVk

Protecting Victims From Stalkerware And Tech-Enabled Abuse

Forensic Focus 15th November 2023 11:11 am

In this webinar, Rich Frawley from ADF Solutions discusses the topic of enhancing mobile investigations, specifically focusing on screenshots and screen recordings. Frawley explains that mobile devices have become increasingly important in investigations and emphasizes the need for efficient methods to extract information from these devices. He introduces ADF Solutions as a company that provides tools for digital forensic investigations, including Mobile Device Investigator (MDI). Frawley explains that MDI allows investigators to customize their searches and quickly gather the necessary information from mobile devices. He demonstrates the capabilities of MDI, including the ability to take screenshots, record screens, and capture metadata from various apps and settings on both Android and iOS devices. Frawley also discusses the importance of obtaining consent from victims and witnesses and explains the legal requirements for consent in digital investigations. He concludes the webinar by encouraging viewers to reach out to ADF Solutions for further information and support.

In this webinar, Rich Frawley from ADF Solutions discusses the topic of enhancing mobile investigations, specifically focusing on screenshots and screen recordings. Frawley explains that mobile devices have become increasingly important in investigations and emphasizes the need for efficient methods to extract information from these devices.

He introduces ADF Solutions as a company that provides tools for digital forensic investigations, including Mobile Device Investigator (MDI). Frawley explains that MDI allows investigators to customize their searches and quickly gather the necessary information from mobile devices. He demonstrates the capabilities of MDI, including the ability to take screenshots, record screens, and capture metadata from various apps and settings on both Android and iOS devices.

Frawley also discusses the importance of obtaining consent from victims and witnesses and explains the legal requirements for consent in digital investigations. He concludes the webinar by encouraging viewers to reach out to ADF Solutions for further information and support.

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_75YgOaEgQUw

Enhancing Mobile Investigations: A Focus on Screenshots and Screen Recording

Forensic Focus 13th November 2023 10:00 am

Load More... Subscribe
This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feed settings page to add an API key after following these instructions.

Latest Articles

Mike Bates, Technical Sales Engineer, Detego Global
Interviews

Mike Bates, Technical Sales Engineer, Detego Global

ByForensic FocusNov 27, 2023
Forensic Focus Digest, November 24 2023
News

Forensic Focus Digest, November 24 2023

ByForensic FocusNov 24, 2023
Digital Forensics Round-Up, November 23 2023
News

Digital Forensics Round-Up, November 23 2023

ByForensic FocusNov 23, 2023
Mission-Critical Speed: A Special Operations Veteran’s Take On Ballistic Imager From Detego Global
News

Mission-Critical Speed: A Special Operations Veteran’s Take On Ballistic Imager From Detego Global

ByDetego Digital ForensicsNov 22, 2023
UPCOMING WEBINAR – Harnessing The Power Of Advanced Extractions With Mobile Ultra
News

UPCOMING WEBINAR – Harnessing The Power Of Advanced Extractions With Mobile Ultra

ByCellebriteNov 22, 2023
Event Recap: The CyberWomen Conference 2023
Event Info & Recaps

Event Recap: The CyberWomen Conference 2023

ByForensic FocusNov 21, 2023