Nick, can you tell us something about your background and why you decided to work in this particular field?
I’ve worked in IT for almost 20 years and around 10 years ago was involved in writing Intranet and Internet based systems for highly secure environments in the UK. That led on to needing to understand the complexities of security, then securing their systems, then investigating when things went wrong. I found that I loved the investigative side and turned to Computer Forensics full time about 6 years ago.
What does your current role involve? Can you describe a typical day?
I am fortunate that my work is varied and fascinating. One day I may be doing a standard disk-based investigation, the next day researching the data stream in a protocol, next teaching RAM analysis and the following night I’m in a covert van with an antenna pointed at someone’s router.I have a personality defect where I get bored if I do the same thing for too long!
As someone perhaps best known to the wider computer forensics community as an expert in "live forensics" can you describe how that discipline has developed over the past few years and briefly bring us up to date with current research and practice?
Wow, that’s a question with a 3 day answer. Principle 1 of the ACPO (Association of Chief Police Officers) guidelines says simply ‘Do no harm, make no changes’. The problem is that PC’s are routinely left on now and in that instance it is impossible to comply with Principle 1. If we leave it on we make changes, if we pull the plug we make changes. I remember Jim Gordon from West Mercia Police and I presenting at the F3 conference in the UK 4 years ago, demonstrating how to capture RAM and create a password cracking list, all leading edge stuff at the time, some people were smiling and nodding, others had their arms firmly crossed! That has changed and I don’t know anyone who denies that the ‘best’ evidence from a running machine includes grabbing the volatile data in an appropriate manner.
Current research revolves around the quite staggering amount of data (evidence?) we can extract from RAM. It used to be just running processes, strings and carving files, now we can extract the SAM file and crack the users’ passwords, find and grab the type and serial number of every USB key ever plugged into the system, get typed URL’s, Truecrypt passwords and large amounts of timed and dated Internet History, the list goes on. The Volatility framework from Volatile Systems has been a huge leap forward for researchers, with some cool plugins appearing. I’m writing a new plugin at the moment building on the great work done by Moyix, if I can get my head firmly around Python that is!
Can you tell us something about the wireless attack techniques you've been working on?
A lot of Police Officers and other Agencies had been speaking to me about the need for a specific course in how to identify, break encryption and exploit wireless routers. There are some good courses out there already but they were heavily focused on theory and were not very hands-on. Working with Jon Evans (now at Qinetic) we developed our own Linux based Virtual Machine with a small Peli-case of adapters, antennas and other bits and pieces, which just work out of the box. We haven’t reinvented the wheel but the course is becoming very popular indeed as you spend 3 days just attacking routers and whizzing around in cars GPS mapping streets and buildings, its loads of fun! I’m afraid it is Law Enforcement only though because of legal issues here in the UK.
I’m currently writing phase 2 of the course which is the exploit of machines once you are on the router, getting a remote command shell, setting keyloggers and stuff like that. I’m writing it with a chap from the US who is involved with building BackTrack, he has to remain nameless for the time-being I’m afraid.
As a trainer of both corporate and law enforcement personnel, how do you meet the needs of these two groups? Are their requirements very different?
Generally with disk-based forensics I think the requirements are very similar, in fact the Helix Live Forensics course and the new Advanced Live Analysis course are equally popular with both Corporate and Law Enforcement.
The more significant divide arises with covert needs. I do a lot of work in this area and have developed/helped develop several tools for unusual requirements and the needs of the users become very specific. In that world the focus tends to be on safely and quietly gathering intelligence rather than procedural, evidential issues and hence the data being extracted and analysed is oriented toward directing further investigations rather than evidence bags and Court reports. It also means that non-Hi Tech crime trained operatives are often deploying the tools and hence they have to be simpler and fairly fool-proof.
What does the phrase "best practice" mean to you in relation to computer forensics?
This is another interesting question and should have the word ‘Debate’ after it.
I have been a member of the British Academy of Forensic Science for several years and watch the traditional forensic sciences very carefully as I think we have a lot to learn from older, more established forensic sciences that have ‘Best Practice’ methods for almost everything they do. They have accepted methods and procedures that are currently missing from our world; I don’t think you can even call Computer Forensics a ‘Science’ yet.
Every HiTech Crime unit I visit does things slightly differently which I think encourages personal free thinking and freedom to work ‘around’ a problem but it can also encourage sloppy work and evidence missed, it really relies upon the motivation and passion of the investigator.
If you visit the FBI in the US you will find everything in their HiTech Crime units is procedural – step1 – step2, virtually laminated cards! This is great for consistency of work but perhaps stifles personal problem solving and lateral thinking around a problem. This is not a critisism of either method, they are just different. As I said – ‘Debate’.
What would you most like to see improved within the computer forensics industry?
Standards for what constitutes an Expert Witness! At the moment my Mum can do an Encase course, convince her Solicitor neighbour to use her and start doing investigations. In fact one or two private practitioners I know are less qualified than my Mum! We have issues in the UK where some private investigators are bringing the whole industry into disrepute and we need a solution to that. I don’t have one – sorry.
Secondly, come back Accessdata, we used to love you! The issues surrounding V2 of FTK are concerning as we need at least 2 primary and widely used investigation tools. Prodiscover, X-ways and others are great but Encase and FTK 1.X were always the tools of choice to check and confirm your findings. I do want FTK 2 to be brilliant but its still not there yet for me.
Nick, you've travelled widely and worked with computer forensics practitioners in many different countries – have you noticed significant cultural differences in the way people work or is there such a thing as a single global forensic community which transcends national boundaries?
One thing that binds the international community together is a real passion for the work we do and a desire to move it forward and make it better. I see that wherever I go. It is reflected on the forums too although I do wish they, Forensic Focus and others, were less confrontational at times. It is not unusual to see a post raising an idea or thought and then see it mashed by others not challenging, but rubbishing. That is a shame.
As few years ago a couple of us posted on another forum our findings about RAM not being quite as volatile as we all thought. We were completely flamed for over 2 weeks and eventually I backed off and stopped posting. We ended up being right but those who posted hindered our research rather than positively adding to it. More positivism please!
What trends do you see in forensic computing and what new challenges do you envisage in the future?
Triage is the buzzword at the moment. With hard drives getting larger the challenges of storage and analysis will continue to mount. Tools to do system triaging to identify the machines that contain the possible evidence we are looking for will become ever more vital, however, the chances of missing data will increase accordingly. The industry may have to come to terms with a trade-off or be prepared for cases to take longer and cost much more money.
What qualities do you think are most important for anyone working in this field?
Simple – patience and tenaciousness.
What is the most rewarding part of your job? What aspect of your job do you find most challenging?
Rewarding is finding that one piece of evidence tucked away in unallocated space or a memory register that changes the case, love it when that happens.
Challenging is not finding that one piece of evidence tucked away in unallocated space or a memory register that changes the case, hate it when that happens.
What do you do to relax when you're not working? What are your plans for the future?
Sorry, relaxing, what is that exactly? Anyone sat up in bed at 11:30 last night reading Python for Dummies does not have a handle on relaxation! Seriously, I like to run, go climbing with my 11 year old and eat my wife’s curries, best in the world, well apart from India I’m guessing!
Plans for the future are many and varied, aside from CSITech I’m Technical Director of my brother’s company, Bright Forensics which sells Helix 3 Enterprise, NUIX and other forensic tools, I think that has an exciting future so will be investing some time in that.
Otherwise, I will be continuing to work, research and train in the most fascinating industry in the world!
Nick Furneaux can be contacted as follows: