Joe Williams, PhD Student / Researcher, Canterbury Christ Church University

Joe, you presented an internet research tool at DFRWS. Could you briefly outline your presentation for our readers?

The presentation offered an early glimpse into a tool that will allow law enforcement officials to conduct online research. Essentially what that means is every action an official does while researching on the Internet is kept in an audit trail, for example in the cases of files being downloaded, hashed and logged. The presentation also touched upon the fact that, as far as we are aware, there are no overall guidelines within the UK on how Internet evidence should be gathered. Presently, ACPO guidelines only look at dead and live-box forensics, so there’s a real challenge in creating a tool where there is little official guidance.The tool is open source – do you believe it's important for open source solutions to be available for forensic investigators? What would you say are the advantages and disadvantages when compared with commercial tools?

On a personal level I am an advocate of open source software and think open source communities are incredible.

Do I think that open source solutions should be available to investigators? Absolutely. It’s easy to get stuck in a frame of mind that law enforcement is well funded and that every police force worldwide has money for specialist tools. The simple fact is that many forces (particularly in developing nations) do not have these resources available and rely on open source solutions such as, for example, SleuthKit & Autopsy. The advantages in this case are quite obvious: open source tools are free. However, free usually means relying on the good nature of developers to provide support and features, but if you need help with a piece of open source software there is a real potential of being stuck without assistance. With commercial tools, your licence usually comes with technical support, and I can fully understand why many forces in Europe and America prefer a commercial tool like EnCase, as law enforcement officials don’t have to waste their time figuring out how to use the thing. Open source tools are more likely, to be abandoned by developers, although commercial products are also at risk of this. In a forever changing and challenging field such as digital forensics, software needs to be capable of keeping up with criminals; if software is left-for-dead then that is just not possible.

As an aside, the guys who make DFF (Digital Forensics Framework) have a model of both open source and a commercial aspect; the “we need to eat” model of software development.

We spoke a lot at DFRWS about getting academia and law enforcement to work together, and your tool is a great example of this as it's been developed in line with the College of Policing. How important do you think it is for academia and LE to collaborate, and how can we make it happen?

When I hear “cutting edge” I think academia. Academics are always looking for something new; it’s what they were born to do. Technology grows so rapidly there is a real need for people who both scrutinise and create to match these advancements; and that is what we do in academia. LE requires cutting edge technology and research, and that’s what we pump out, so it seems natural that LE and academia would go hand in hand.

So why doesn’t this collaboration happen more often? I think a lot of it lies in the fact many digital forensic investigators aren’t programmers. Law enforcement officials require tools that get things done, but academia tends to churn out (awesome, I might add) paper-based research. If more academics created tangible and usable products for LE, I think there would be considerably more collaboration.

The presentation included some suggestions for future work; could you talk us through these?

Presently, the browser uses the Trident engine to render webpages (basically, it’s Internet Explorer). The biggest addition to a tool like this would be to have the ability to swap-in different engines. For example, the ability to render a webpage using the Blink engine (same engine used in Chrome and Opera). Web pages act differently under different browser engines, so being able to easily see precisely how a page will render under these engines has the potential to be useful to a LEO.

Other ideas include the ability to scrape a page of its contents. So, an investigating officer can ask the tool to download and hash all images from a particular website without having to visit that site and manually download each image.

The largest addition will be to make it multi-platform. To meet the requirements set out by the College of Policing, the tool had to work with Internet Explorer and the simplest way to do that is to use a Microsoft programming language called C#. While not impossible to transport this tool to other operating systems using C# (such as OSX and GNU/Linux), it does make it a very challenging prospect.

What was it that first made you interested in digital forensics as a field?

When I was an undergraduate here at Canterbury Christ Church University I studied ‘Computing’ which didn’t touch any forensics at all as that fell under the “Forensic Computing” degree, but our department is very big on digital forensics and after I finished my degrees felt I had missed out on a truly fascinating side to computing. Thankfully an opportunity arose after my MSc to do a PhD in Computing at CCCU, and this has allowed me to explore the digital forensic field. I am still very much a newbie, but am hoping to pick it up.

You're studying at Canterbury Christ Church University. What would you say is the most challenging aspect of studying digital forensics?

The most challenging aspect is not knowing much about the field at all! I’m working on it, though.

What are you hoping to do once you finish your studies?

Presently, I’m looking to go into lecturing as I really enjoy the teaching side of academia. Although that may all change after a couple more years.

Joe Williams is a PhD student at Canterbury Christ Church University, which offers a range of digital forensics study programmes at both undergraduate and postgraduate level. Joe has been working on developing an open source internet research tool for law enforcement agents in collaboration with the College of Policing.

Forensic Focus interviewed Joe at DFRWS, the annual Digital Forensics Research Workshop, which took place in Dublin from the 23rd-26th of March. The next workshops will be held in Philadelphia in August 2015, and Switzerland in March 2016. You can find out more and register here.

Leave a Comment