Gene Spafford, CERIAS

Gene, can you tell us a little bit about your background and how you came to work at CERIAS?

My academic PhD was work in reliable operating systems. I then did a post-doc in software testing, which I viewed as a follow-on to my work in reliability. During all that time I worked part-time as a system administrator and consultant. I was interested in computer & network security, but was told that it was not an area for an academic career unless I wanted to work in formal methods or cryptography.

I joined the faculty at Purdue in 1987. In 1988, the Morris Worm and some computer viruses became news. So did some of Cliff Stoll’s exploits. I found myself playing a role in all of those, as one of the few academics who was actually working hands-on with systems. So, I began to explore topics in applied computer security for my “day job” – including forensics. (I actually helped solve a computer crime (of sorts) back in 1983, so I’ve been involved in the area for longer than my time at Purdue.)

In 1992, I established the COAST Laboratory at Purdue, to share research resources with a few other faculty interested in what I was doing. In 1998, I established CERIAS as a university-wide research center. I’ve been director ever since (or executive director).

One of CERIAS' research focus areas is "Incident Detection, Response, and Investigation" – can you give us some insight into current activities?

We have at least a half-dozen projects that fit under this title – basically, things we do to detect & investigate incidents.


– The ADEPTS project is based on a knowledge engine that gathers remote data about system performance and attacks, then makes predictive decisions for reconfiguration and containment.

– Work in the VIPER lab is being conducted on traceback of digital images and imaging to the devices that created them (think of tracing ransom notes back to typewriters).

– I’m involved in a project using process “coloring” to detect intrusions into systems, and help to narrow the focus onto those files and processes that were actually affected by the intrusion in some way.

– We have a group working on devising special forensic tools for small devices, such as PDAs and cell phones.

– We have a project involving profiling of computer criminals to help investigators decide where to look. This might also prove useful in screening against potential insider attacks.

– We are doing some “live” assistance to state police and the FBI on cases, during which we are identifying characteristics worthy of new projects.

There have been other projects before these, and more to come. The above is not even a complete list, but gives a sense of scope – OS to devices to tool building to psychology to “live” operations.

What do you think are the greatest challenges in store for the computer forensics community? How should these challenges be met?

The big challenges are volume (of data and cases), timeliness (getting actionable results quickly), and crossing jurisdictional boundaries. The latter is related to the attribution problem.

I’m not sure yet how we meet all these challenges. One thing I have been advocating (and working on) is methods we build into systems – OS and applications – that provide great fidelity forensics without requiring substantial postprocessing. “Baked in” if you need a phrase for it. There are things we can do that will thus quickly narrow focus and produce timely results. We are going to need similar mechanisms to examine live systems, too – computing in the “cloud” with SaaS means we aren’t going to be able to shut systems down and examine them at our leisure. Not all the issues will be solved with technology, obviously. Some will require political and human solutions. We need to understand what those are, and work towards those too.

What aspect of computer forensics as it is currently practiced would you most like to see changed or improved?

Almost everything we do is ad hoc and post hoc. We need a more formal framework (I started down this path with Brian Carrier, who did his PhD under my direction) to describe what we do and make it more of a science than a technology application area. We need a greater set of foundational tools and concepts so we aren’t relying on products whose inner workings we don’t understand and which may not be generalizable. And as part of that framework, we need to have structures and logs that support what we are trying to do better than inferring behavior from artifacts designed 20 years ago.

I guess I can summarize that as saying we need more focus on the underlying science and principles of cyber forensics, not simply more case studies and tool development.

Do you have a sense that computer criminals are becoming more sophisticated at covering their tracks?

Oh yes, this is clearly happening, and has been for some time. Most of the people we notice and catch are the ones who are either brazen (they are operating from a location with no fear of retribution), careless, or uninformed. The slow, stealthy ones who are after very high value targets are seldom caught. This includes some of the well-financed “for hire” types who target corporate information, and government-backed agents. Instead, we catch the bot-herders and phishers, and even then we don’t seem to catch many of them. One result is that those lower-end criminals read the mailing lists and news to see when and how they are spotted, and they learn from that.

In many ways, it is like antibiotic-resistant bacteria. If you hit the bacteria with a drug, but don’t actually wipe it out, what is left develops resistance so the same drug won’t work the next time. If we don’t actually start getting some action to go with successful forensics, we almost might be better off not doing some of the forensics! Luckily, the super-sophisticated attackers are few in number compared to the more mundane criminals. Unfortunately, the super criminals can cause much more damage if we don’t find them.

What advice would you give to anyone considering a career in forensic computing?

It’s a field with tremendous promise. It is multi-disciplinary, so study in several fields other than IT will help – criminology, psychology, law, for instance. Also, creating a reputation by breaking into systems or finding and publicizing flaws is not the best path to a fulfilling career: many employers, and especially many in law enforcement, see such behavior as demonstrating that the individual is not trustworthy. Given the number of times “hackers” have reverted to old ways or done questionable things, this is probably a reasonable assessment.

What do you do to relax and unwind?

Listen to music. Watch bad movies. Some reading. Gardening. I’m usually too busy with family & work to relax, however!

Gene Spafford can be contacted as follows:

Email: spaf AT purdue.edu -OR- spaf AT acm.org
Phone: (+1) 765.494.7825
Further contact details: spaf.cerias.purdue.edu
