George Chlapoutakis, Digital Forensics lecturer and owner, SecurityBible Networks

George, can you tell us something about your background? Why did you decide to work in this field?

George Chlapoutakis: I have been involved with computers and computer programming for as long as I can remember, since my primary school days in the early 80s when I was first taught LOGO and BASIC on an Amstrad CPC6128. When the Internet in Greece moved away from the few BBS and started gaining ground in Greece, during the mid-90s, my hours-long wanderings soon led me to the field of Network Security which I chose to specialise in (and, incidentally, to a series of lectures on “What happens to a household’s phone bill when you spend 8-12 hours on the Internet” as well).

In my BSc in Computer Science degree, by which time I was already quite well versed in Network Security research, development & consultancy, I started specialising in Intrusion Detection & Artificial Intelligence (Artificial Neural Networks, specifically) as my final-year project, and in my EU Funded MSc in Internet Engineering I took this specialisation a step further by adding Bayesian Inference & Forecasting to the mix.

My conversion to Digital Forensics & Network Security came about while I was doing my PhD in Intelligent Systems. At that time I was asked to teach the Digital Forensics part of a BSc in Forensic Computing. While researching (and subsequently teaching) the field, having more than 10 years as a Network Security researcher/developer/practitioner under my belt by that time, I realised that the two fields were two sides of the same coin that I called “Security”, and that any Security solution, be it for a SME, company, organisation or whatever, should incorporate both network security and digital forensics principles, methodologies & tools in order to be considered complete (or, rather, “concise”).

You have a number of roles as both a lecturer in computer science and digital forensics, and as the owner of SecurityBible Networks. What do these roles involve and how do you divide your time between them?

I actually have three roles, as I am also a PhD research student in digital forensics & network security. The PhD RS role involves working on my PhD which is to develop a Multi-Agent Systems-based Software Framework for a DF profiling network that will profile network attacks and, through them, the actual network attacker(s) using a mixture of digital forensic, network security, artificial neural networks, data mining & bayesian inference/forecasting methodologies.

My role as a lecturer so far involves designing and developing course material, delivering lectures & tutorials, supervising lab sessions, setting assignments and examination questions and an assortment of administrative tasks that go with the above (a.k.a. paperwork).

In a very real way, SecurityBible Networks is the concrete representation of my realisation that for someone to be a true academic they cannot only live and move about in the safe and secure environment of research & lecturing offered by an academic institution. They have to be in contact with the outside world, the free market, its requirements and its directions in order to both correctly advise & direct their students and, at the same time, focus their research towards current or emerging real-world issues. Such an academic will constantly keep abreast of current and emerging needs and trends in the real world as part of their scientific career and will thus be far more prepared to correctly cover his business clients’ needs.

As for dividing time between the roles, well, when you’re working in three fields, you have the luxury of switching between them when you want to take a break from one (or even two) of them. Besides, who wants or needs more than 5 hours of sleep per day? 🙂

Broadly speaking, how knowledgeable are new students with regard to computer forensics when they first start your courses? Do they have any common misconceptions about digital investigation?

The best answer I can give you is that their knowledge level varies, depending on the specific student’s background prior to starting the course. Some of them come in from totally unrelated fields of work, or come in fresh from college. They do tend to have some misconceptions, sometimes because of how the profession is portrayed in popular TV series, as I’m sure most of us have noticed.

Others come in from very related fields of work (eg. government organisations, LEOs etc), and they have a much better understanding of what DF involves, especially since some of them are actually serving LEOs working as DF investigators.

And yes, most of them have been / are avid viewers of CSI:LV/CSI:NY/CSI:Miami/NCIS/Spooks etc and yes, you do get tired of hearing mobile phone ringtones featuring the opening theme from the above TV series. 🙂

An old chestnut – are today's students overly reliant on GUI-based forensic suites at the expense of a deeper appreciation of what is going on "under the hood"?

In my completely personal opinion, the answer lies somewhere between yes and no. All of them are taught to use both GUI and CLI-based forensic tools as part of their course(s). And all of them are taught the (very) basics of computer programming. But I do have to admit that I’ve not come across many students who will, as part of the course or in their spare time, sit down and code a tool or read the source code of an existing FLOSS digital forensic tool, never mind expanding it or re-implementing it to see and really understand how it works.

So, I guess, the best way to phrase the answer is that no, at least as part of their university course, they don’t overly rely on GUI-based forensic suites but a lot of them also don’t go sufficiently “under the hood” to say they have a deeper appreciation of what’s going on.

What qualities do you think are most important for a computer forensics student to have? What do you make of the concerns sometimes expressed about the large number of students currently entering the field?

Quite honestly, and personally speaking, I feel that the two most important qualities any university student (and not just CF/DF students) should have are the willingness to keep an open mind and the willingness to challenge themselves and their lecturers alike, and to do so constantly, pushing the envelope, stretching the rules to their breaking point and pushing past boundaries for the betterment of themselves, their colleagues and their field of research.

The qualities stated above, or, rather, the fact that education has changed in such a way that the qualities stated above do not very much apply anymore, is a large part of the reason why, in my opinion, some concerns have been raised about students currently entering the field. After all, when someone does not know (or get taught) how to (or is not constantly encouraged to) challenge the established knowledge and rules of their discipline how are they going to push it towards the future through either expanding the understanding of parts of their field or finding new research topics in their field?

Another part of the reason for those concerns is, as I’ve discussed in a recent ForensicFocus forums posting on this topic, that students are not properly taught even the basics of how to search for information. Combine that with the previous part, put in a dose of lecturers not being very helpful (or assuming too much) towards students sometimes, and add a teaspoon each of unclear Ethics Board rules and recalcitrant university IT administrators, and you end up with students asking for help in a way that would understandably concern people in the field (who don’t have all the facts).

Another part is, again in my opinion, that people’s expectations of the level of education H/E students attain in an undergraduate and post-graduate degree are by far too un-realistic. Universities are _not_ (and should _never_ be) training centres, after all. The knowledge acquired through tuition in an undergraduate and post-graduate university course (excepting MPhil degrees which are research-oriented) is meant to be generalised enough to allow them to expand it by themselves as part of their course and, in the case of a post-graduate course, specialised enough to allow them to contribute to some (small or, in some cases, large) degree to their field of study.

Broadly speaking, are there aspects of computer forensics education in the UK (or abroad) which you feel could be improved?

Regarding CF education in the UK (and generally speaking), part of the answer, I believe, has been covered in my answers to your last two questions, but in short, I believe there should be more of an in-depth Computer Science (including Software Engineering & Software Development) element in university CF courses, for one thing. Classic computer science models, principles and methodologies are far more than an aide to writing computer programs. They are a way of thinking about problems (from boiling an egg to arguing/defending a case in a court of law) logically, in a clear, concise and step-by-step manner, and in a way that both shows they completely understand the problem itself and are able to defend the reasoning behind each step of their solution. It is those skills which people refer to as “critical thinking” and “problem solving” skills. After all, in order to effectively search for the answer to a question, you have to understand the question itself.

As for CF education abroad, the only other country I can really speak for is Greece. As I see and understand things, forensic and computer forensic education is not as straightforward as it is in the UK or US. Part of it is taught in the final years of a Bachelor’s-equivalent degree in Law, another part of it is taught as a (or a small number of) module(s) in the police academy, another part of it is taught on postgraduate-level courses and a final part of it is taught in the form of on-the-job training. LEOs do occasionally attend CF-specific seminars organised by a number of LEO agencies (eg. Europol, FBI) but, on the whole, there is no organised and “complete” (by UK & US standards) CF tuition/training. It is my hope that SecurityBible Networks will, in the short-ish, medium and long-term future, be able to contribute to and even fully provide an environment where organised and “complete” CF education for the Greek Police can be achieved.

What trends do you see in computer forensics and what new challenges do you envisage in the future?

The three main trends and challenges (at the same time) I’m seeing in computer forensics are the drive towards standardisation of procedures, methodologies and technologies, a shift towards one-click forensic analysis and a drive towards equalising CF and on-the-job certifications with academically-achieved qualifications.

The first of the trends is easily a challenge in its own right, especially given that the process of standardisation is a long, laborious process in the best of cases. I quite like it, as a trend, because I see it as one more step towards solving such problems as the differences of CF examination of electronic devices across different countries.

I even like the second trend, the one-click forensic analysis, though I remain sceptical about its real-world application. It will certainly help substantially reduce the backlog of CF examination cases, yes, but of what quality will the results be? As CF practitioners we are not exactly flipping burgers in the local take-out, so we should refrain from analysing data with the same flippancy, especially since what we do or don’t do will affect people’s lives.

As for the third one, what worries me most about it (especially when I heard the guest speaker in CFET2010 this September talking about it) is that its only purpose is to essentially allow expert witness testimonies by LEOs with questionable knowledge & qualifications to carry the exact same weight as those of independent CF expert witnesses. To use a Comic Book pop-culture reference: “My Spider-Sense is tingling!”.

What is the most rewarding part of your work? What aspects do you find most challenging?

The most rewarding part of my work is a combination of different things. The increase in my understanding of how the world really works, in a way that network security alone does not offer. The satisfaction that comes from combining multiple disciplines to form a more “complete” and “concise” solution to a problem. The feeling that my work can (and/or does) make a difference not just in my field(s) but in the lives of people, which from a DF perspective usually tends to be a major one (freedom or imprisonment, for instance). And, like any good old-school coder will tell you, the challenge itself.

The biggest challenge for me was the whole transition from Network Security to Digital Forensics, and the associated mental adjustments I had to effect in order to join the two disciplines in such a way so that I’m not myself (or my work) perceived either as a “class traitor” or as a “bad evil ‘hacker’ ” by my peers. The Network Security mindset is substantially different to the DF mindset. Network Security people are trained to think like the “bad guy” (for whatever value of “bad guy”), Digital Forensic people are trained to think like law-enforcement officers. Too often, it’s such differences that fuel the worst arguments between different disciplines and their related practitioners.

What do you do to relax when you're not working?

In my “copious spare time” (as one of my PhD supervisors put it), I quite like to read books (sci-fi, fantasy, horror), watch movies (same genres as books, on TV or in a cinema), swim & scuba-dive (especially in Halkidiki, Greece, which has the best beaches in all of Greece) and play computer games (FPS & MMORPGs, notably Quake & World of Warcraft). I also love going to concerts (Classic, Opera & Metal) and I always find a bit of time to practice with/play something (Rock & Metal) on my electric guitar. And of course, always and without fail, spoil my little sisters with presents and everything, which is the all-time classic job of the Big Brother in any family.

George can be contacted through the SecurityBible Networks website at http://www.secbible.com.
