Digital Forensic Investigations: Just how good are they?

I note with interest that John Douglas (Finnbarr) is giving this talk to the BCS IRMA ( Information Risk Management and Assurance ) group. It’s certainly open to BCS members, and possibly to other affiliated organisations – worth dropping a line if you are interested …

To register for the meeting please log in to www.bcs.org.uk and follow the Events link.

Tuesday 8th March 2011

18:30 Registration & buffet
19:00 Presentation
20:00 Networking Session

The British Computer Society
First Floor, The Davidson Building, 5 Southampton Street, London, WC2E 7HA


Speaker: John Douglas

Event Details

With an increase in regulatory measures forcing organisations to deal robustly with breaches and information loss, digital forensics is quickly becoming a standard feature of the investigator's toolkit. This session will look at ways in which digital forensics can assist in dealing with unprecedented quantities of data and help you find the smoking gun. Topics covered will include a discussion of various terms and their specific meaning in the forensic world, the tools employed, the techniques used and the reliability of the artefacts presented. We’ll also look at ‘forensic readiness’, the process of ensuring an organisation is in the best possible place should a digital forensic examination be required. If time allows, we’ll finish with some interesting real-life case studies from both law enforcement and commercial investigations.

Speaker Profile

John Douglas MSc, MBCS

Senior Forensic Scientist and Digital Forensic Laboratory Manager at QCC, John has a Masters Degree in Forensic Science from the Royal Military College of Science, Cranfield University, in the discipline of Forensic Computing. He works on serious and complex cases for UK law enforcement and has been instructed by the Crown Prosecution Service to arbitrate in cases where defence and prosecution experts have irreconcilable differences. In 2005 he was awarded a Commander’s Commendation by the Metropolitan Police for bringing to justice a serious predatory paedophile. John regularly speaks to law enforcement and business groups about forensics and is a strong advocate of standards such as the current ISO 17025 forensic laboratory standard.


Latest Videos

Quantifying Data Volatility for IoT Forensics With Examples From Contiki OS

Forensic Focus 22nd June 2022 5:00 am

File timestamps are used by forensics practitioners as a fundamental artifact. For example, the creation of user files can show traces of user activity, while system files, like configuration and log files, typically reveal when a program was run. 

Despite timestamps being ubiquitous, the understanding of their exact meaning is mostly overlooked in favor of fully-automated, correlation-based approaches. Existing work for practitioners aims at understanding Windows and is not directly applicable to Unix-like systems. 

In this paper, we review how each layer of the software stack (kernel, file system, libraries, application) influences MACB timestamps on Unix systems such as Linux, OpenBSD, FreeBSD and macOS.

We examine how POSIX specifies the timestamp behavior and propose a framework for automatically profiling OS kernels, user mode libraries and applications, including compliance checks against POSIX.

Our implementation covers four different operating systems, the GIO and Qt library, as well as several user mode applications and is released as open-source.

Based on 187 compliance tests and automated profiling covering common file operations, we found multiple unexpected and non-compliant behaviors, both on common operations and in edge cases.

Furthermore, we provide tables summarizing timestamp behavior aimed to be used by practitioners as a quick-reference.

Learn more: https://dfrws.org/presentation/a-systematic-approach-to-understanding-macb-timestamps-on-unixlike-systems/
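As an added example (not the paper's framework or code), a small Python probe in the spirit of the profiling described above: it performs a write, a chmod and a read on a scratch file and records which MACB timestamps each operation changed. The probe file name and the chosen operations are my own assumptions; the A result depends on the mount's relatime/noatime setting, and B is reported as unavailable on systems whose stat() exposes no birth time.

```python
import os
import stat
import tempfile
import time

PAUSE = 0.1  # outlast coarse kernel timestamp granularity (often 1-10 ms)

def snapshot(path):
    """Return (M, A, C, B) in ns; B is None where the OS exposes no birth time."""
    st = os.stat(path)
    birth = getattr(st, "st_birthtime", None)  # BSD/macOS only, not Linux
    return (st.st_mtime_ns, st.st_atime_ns, st.st_ctime_ns, birth)

def changed(before, after):
    # True/False per MACB letter, None when the field is unavailable
    return {k: (None if b is None else b != a)
            for k, b, a in zip("MACB", before, after)}

def append_data(path):
    with open(path, "a") as f:
        f.write("more\n")

def read_data(path):
    with open(path, "rb") as f:
        f.read()

def profile_operations(directory=None):
    """Run common operations on a probe file; return {op: {M,A,C,B: changed?}}."""
    if directory is None:
        with tempfile.TemporaryDirectory() as tmp:
            return profile_operations(tmp)
    path = os.path.join(directory, "probe.txt")  # assumed probe file name
    with open(path, "w") as f:
        f.write("initial\n")
    # POSIX expectation: write -> M and C; chmod -> C only; read -> A,
    # although relatime/noatime mounts may legitimately suppress the A update.
    operations = [("write", append_data),
                  ("chmod", lambda p: os.chmod(p, stat.S_IRUSR | stat.S_IWUSR)),
                  ("read", read_data)]
    results = {}
    for name, action in operations:
        before = snapshot(path)
        time.sleep(PAUSE)
        action(path)
        results[name] = changed(before, snapshot(path))
    return results

if __name__ == "__main__":
    for op, flags in profile_operations().items():
        print(f"{op:<6}", " ".join(f"{k}={flags[k]}" for k in "MACB"))
```

Run it on several filesystems and mount configurations and compare the rows; a row that disagrees with the POSIX expectation in the comment is exactly the kind of non-compliant behaviour the paper catalogues.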
