Professor Sammes, can you tell us something about your background and your current role?
I have not always been in the academic world. I started out in the military, serving for some 29 years in the British Army. I first became involved with programming computers in the early 60s when machine code was still the main language and we were looking at how these new devices might be used for military command, control and communications.
By the greatest of good fortune, I was posted to Lincoln Laboratory at MIT in 70/71 and there I was tasked with developing the software that would bring the laboratory onto Arpanet as network node number 10. We had no appreciation then that this was just the beginning of what was to become the Internet. With state of the art packet switched network experience under my belt, I found myself involved in the design and procurement of digital command, control and communications systems on my return to the UK. In between this techie stuff, I enjoyed tours of duty which followed a more traditional military career with troop, squadron and regimental postings.
When I left the Army in 1984, I became Professor of Computing Science at Cranfield University. At about this time I started to take a particular interest in forensic computing and by 1989 I was carrying out forensic casework, analysing digital devices for law enforcement.
In 1997 I met Brian Jenkinson, who was then a DI with Cambridgeshire Police and together (with others) we developed a series of courses in forensic computing aimed at law enforcement officers. These courses then became the basis of the Cranfield University MSc in Forensic Computing. In early 2000, I established the Centre for Forensic Computing at Cranfield University and became Professor of Forensic Computing in 2003.
I formally retired from the university in 2006 and was appointed Emeritus Professor. I continue to work for the Centre doing both casework and helping to manage and lecture on the Forensic Computing MSc programme.
"Forensic Computing: A Practitioner's Guide" (co-authored with Brian Jenkinson) is considered by many to be essential reading. What was it like working on this book?
Brian and I decided to write the book based on the material that we then were teaching to the Foundation Courses. At the time of writing the first edition we had taught five cohorts, and we were casting around, unsuccessfully, for a book that could be used as the main textbook for future courses. Writing one ourselves shouldn’t be too hard with all the tried and tested material that we now had, should it? Well, it turned out to be far more difficult than we thought. It is one thing to teach a subject face to face and quite another to write the material down in such a way that a reader can follow it comfortably! Fortunately, Brian and I both had the same view of what the book should contain and how it should be presented and were able to divide the work between us in an equitable fashion. Our styles are not too dissimilar and we did our best to edit out any anomalies so that you shouldn’t be able to see the joins!
Cranfield has a reputation as a centre of excellence for forensic computing education – why do you think that is?
We entered the field quite early on. I was involved with forensic computing casework in the late 80s and we started our series of short forensic computing courses in the mid 90s. From the outset, these courses have been formally examined and run as part of the university’s postgraduate programme, and have been subject to our internal and external QA procedures. Subsequently, they have been incorporated as modules into the MSc in Forensic Computing, which we believe was the first MSc of its kind in Europe. We require that all our lecturers on this programme are forensic computing practitioners who are carrying out current casework.
What trends do you see in forensic computing and what new challenges do you envisage in the future?
I am always very wary when asked for predictions in this field and am not so arrogant as to believe that I am any more likely to get it right than the many who have gone before me. The prediction I like best, which does turn out to have been correct, was from the writer in Popular Mechanics of 1949 who stated that “Computers in the future may weigh no more than 1.5 tons.”
That said, however, it is clear that strong encryption is becoming an increasing problem and that whole disk encryption (particularly with disk hardware support) will make dealing with it even worse. The other obvious area is that of increasing storage capacity which makes even simple searches impossibly long and requires us to develop alternative strategies to finding needles in haystacks.
A perhaps not so obvious problem relates to budgets and training. We are convinced that the “find evidence button” and the “script jockey” approaches to forensic computing are essentially wrong and very dangerous. We believe that the various forensic software tools in the armoury of an analyst are most valuable assets, but that the analyst must also have the skills and the knowledge to be able to get beneath the tool and extract the evidence directly from the image. For that “nugget of gold”, on which a case may depend, it is necessary to be able to say “I produce this piece of evidence from this bit pattern located here and I can prove the relationship between them”. This requires sound training and education in the discipline and the trend of some organizations to neglect this aspect because of budget restrictions could lead to severe embarrassment in Court and lost cases.
One of the questions we're often asked at Forensic Focus is "how do I get started in a computer forensics career?" What advice would you give? What qualities do you think are most important for work in this field?
I believe a good starting point (though I wouldn’t mandate it) is a science or engineering background. An analyst needs to have a working understanding of the Scientific Method; considering and collecting evidence for and against a number of hypotheses and not just those that have been put forward by the prosecution or the defence. In advanced work, an analyst will need to be able to formulate and carry out controlled trials and experiments in order to establish what might have happened in a given situation. A good science or engineering course should provide appropriate practice in these areas. Next an analyst needs a thorough grounding in the foundations of forensic computing.
In the hundreds of students that we have seen pass through our courses, the characteristic that stands out most clearly as being of greatest advantage is the “investigator’s nose”. Much of the analysis work is investigation of the digital images to find relevant evidence and good investigators seem to have the greatest success in this activity.
As to qualities, I would place the personal characteristics of integrity, honesty, objectivity and impartiality at the very top of my list. It is also most important to understand that our overriding duty is to the court and to the administration of justice. After this come characteristics such as: professional competence, accuracy in reporting, attention to detail, completeness in examination and thoroughness in analysis.
What would you most like to see changed or improved in the field of computer forensics?
We urgently need standards and a standards body with teeth. Current work by Andy Rennison, the Forensic Science Regulator, gives room for some optimism in this area, but it is still early days. The problem arises because anyone can (and a few do) set themselves up as forensic computing “experts” without having any qualifications or experience. Invariably, such “experts” will appear for the defence in a court case. This is because all material produced by prosecution has, by law, to be disclosed to the court and to the defence, including any experts’ reports. This is not the case with material produced for the defence; the same disclosure rules do not apply. Where a prosecution expert makes a bad error, a very public embarrassment results – where a defence expert makes a bad error, defence is likely to withdraw the report and it will never be seen publicly. It is not a level playing field and there are some defence “experts” who continue to practice, despite making major errors, and who are never brought to book.
What does the phrase "best practice" mean to you in relation to computer forensics?
The obvious starting point for this is the ACPO “Good Practice Guide for Computer based Electronic Evidence”, the four principles of which are still as relevant today as when they were first formulated. I would add, for matters on which you rely, a refusal to accept assumptions or the assertions of others, and the rigorous personal testing and examination of all your hypotheses.
What is the most rewarding part of your activities? What aspects do you find most challenging?
For those who enjoy teaching, as I do, there is always great satisfaction in seeing the light dawning when a student really begins to understand the complexities of what you are trying to convey.
Each new case brings an exciting challenge in not only trying to find relevant evidence but also in trying to establish how it came about. Appearances in Court can be very challenging as well as rewarding when you can see that your findings have played a part in helping to determine guilt or innocence.
What do you do to relax when you're not working?
I suppose the correct answer is another question “What is this relaxing bit?”. In fact, I have grown-up children as well as six grandchildren and relaxing is invariably meeting up with them and doing the “grandpa” bit.