Christa: Hello and welcome to the Forensic Focus podcast. Monthly we interview experts from the digital forensics and incident response community on a host of topics ranging from technical aspects to career soft skills. I’m your host, Christa Miller.
Our guest this month is Graeme Horsman, a lecturer in Digital Forensics at Teesside University. Graeme has over six years’ experience in teaching and higher education, and previously worked as a digital forensic analyst. His research focuses on digital forensic examination techniques; methods for forensically investigating mobile devices; and knowledge-based systems for improving digital forensic examinations and evidence identification.
In addition, Graeme is research-active in the area of testing and validation in digital forensics, and learning and teaching methods. Sub-research topics include the use of so-called ‘anonymous’ communication services and the potential detection of users; and legislation surrounding the possession, creation and distribution of illegal imagery.
Graeme, welcome to the podcast! We’re happy to have you on the show.
Graeme: Yeah, thank you very much for having me.
Christa: We have a few things to cover today. First, we want to discuss Teesside University’s new Master of Science in Digital Forensics and Cyber Investigations programme; and on a not unrelated note, we also want to talk about digital forensics research: why more of it is needed, and how to overcome some of the challenges associated with it.
So we’re going to start with the Master’s programme. Graeme, how long has this programme been in the making?
Graeme: Well, at Teesside University we’ve had an undergraduate programme in the area of digital forensics for a while now. And we’ve been wanting to bring on board some postgraduate study. So over the last year, myself and colleagues in the digital forensics area at Teesside have been thinking about what we need in terms of what subject areas; what we’d want to put into a postgraduate qualification that we think would work really well, studying at this level with these topics. So it’s been a development process that’s probably been about twelve months, of which we have just had everything accredited, in the sense of now it can run, and [it kicked off] in September 2019.
Christa: Well, congratulations on that!
Graeme: Thank you very much.
Christa: What drove the programme’s development? You mentioned that there had been the undergraduate course of study, and that you wanted to bring on postgraduate. What was important about adding that postgraduate level of education?
Graeme: I think there’s a number of factors. First of all, digital forensics is a massive field, and those studying at undergraduate level we can only cover so much of that field. And we can only cover it to a certain level, because we only have a certain amount of time and there’s a certain development stage amongst the students, as they learn and develop their knowledge.
So there’s a whole area of digital forensics that exists at the more advanced scale of things, and I guess the postgraduate portion of study allows the students that studied undergraduate, or have an undergraduate underpinning in digital forensic science – not just from Teesside but from elsewhere – and they want to take those skills and learn something that’s more advanced than what they would be exposed to at an undergraduate level. We want to provide that follow-on.
So it’s a vehicle that we wanted to cram full of advanced techniques, advanced understanding and advanced knowledge, in what we think are some key areas of digital forensics: package those up into something that the students can progress into, if they wish to, or if they already have sound computer security or digital forensics in terms of knowledge set, they want to move towards this area of the computing field and forensic field, then they’ve got that opportunity.
And because it’s at Master’s level, that means we can really deep-dive on some of the areas and go into lots and lots of detail, and hopefully lots of technical content we can explore, which we just wouldn’t have had the opportunity to do at undergraduate level.
Christa: I see that. You mentioned that you wanted to package up some of the key areas of digital forensics. Can you explain a little bit more about that, and how that sets Teesside’s Master’s programme apart from others?
Graeme: In terms of a Master’s structure, it’s going to be very similar to a Master’s structure in general. You’re going to study modules, and you will do a project, for example. In terms of where we feel are the core areas, we want the students to study six modules that we think are important, and they are: advanced forensic computing; advanced internet forensics; advanced mobile forensics; crime science – so we’re looking a little bit at intelligence sources; principles to be used around those sorts of areas – legal evidence in evidence reporting, because those are aspects that are going to be important if you’re going to be undertaking this work, specifically in the criminal sphere; and also we have coding for intelligence analysts.
So learning a little bit of coding, a little bit of visualisation of data, a little bit of handling data, and how that’s done. So we’ve got those six key areas that we think are important; and those key areas give them a general idea of what they might cover. And in each module, we’ll dive into a series of sub-topics within those areas and explore certain particular issues that the field may be having, or areas of research, and go from there.
So for example, in terms of advanced forensic computing, if you’ve done undergraduate you might already have some technique knowledge, and how to maybe do some advanced forensic computing. This gives us a chance to look at things in a lot more detail.
For example, we might be able to pick apart some of the file system information and artifacts in a lot more depth than what we might have done at an undergraduate level; and really get to grips with how they function, and what the impact of that functionality is in some of the contexts that digital forensic examiners might encounter on a frequent basis.
Same with advanced mobile forensics: you could classify it as a sub-field of its own. And while some people with an underpinning in digital forensics already have some knowledge of mobile forensics and what that involves, and extraction techniques, what we want to do is take this time to go into a lot more detail in terms of extraction techniques – not just your basic ones, but up to your advanced JTagging and chip-off approaches.
And also, look at how we test and interpret artifacts and applications in a lot more detail; how we can reconstruct mobile environments; and how we can ensure that those that are engaging with mobile forensics can interpret the data they see from extractions in a reliable manner.
As we’re seeing a lot more mobile devices in for interpretations and extractions now in criminal cases, there are a lot of things that practitioners will experience on a day-to-day basis, and often they won’t have seen some of these sorts of things. So this module is about prepping those that undertake the module in a way that allows them to tackle this beast that is mobile forensics.
That’s a kind of insight, if you like.
Christa: You mentioned data visualisation. It sounds like the programme is preparing students not just for what they might encounter today, but those big data, some of those types of issues that they may encounter going into the future as well.
Graeme: Yeah, for sure. I think one of the things the practitioner will always be aware of now is the sheer volume of information that’s coming in on the devices they’re seizing. Not all of it’s relevant – a great section of which isn’t evidentially relevant – that being said, the practitioner might have thousands and thousands of internet history records, for example, that over a period of time might need to be visualised in a certain way in order to make them digestible to those who maybe don’t have the technical skills, but need to make decisions on what they’re seeing in these cases.
How we can visualise that information, how we can connect it, I think is a valuable skill, and it’s something that is definitely finding its way into the digital forensics field more and more, and it’s kind of preparing students, giving them a base to build on that. And it’s starting to go hand-in-hand with some of the more core digital forensics skills that you would typically associate with this area of study.
Christa: Speaking of things that go hand-in-hand with core skills, or core skills that go hand-in-hand with each other: you recently tweeted about the new blog that you’re co-authoring with Dr. Amber Collins and Tim James. So are you anticipating that there will be convergence between the digital forensics and the physical forensic disciplines that the three of you represent?
Graeme: Absolutely. I think I’m really fortunate in the sense of, my area in Teesside, we sit within forensic science, so we have Crime Scene Science, we have Forensic Science, and we have Digital Forensics. And because we work quite closely together in the way that we research, and the kind of teaching that we undertake, we can see that there’s now becoming more and more of a crossover, and that when you attend a scene now might not just be a case of “There’s glass on the floor,” or “There’s blood over there.”
I think it’s becoming more multifaceted in the sense of, there’ll be a digital presence, there might be a biological presence. And how do we handle those? What do we do with them? How do we process the information in the right order? Who gets the first go at what? And there are lots of things now to think about from a general forensic science point of view; from digital; and from crime scene science.
And what we’ve tried to do with the blog, I suppose, is just to try and provide a platform so that people can see the things that our area of forensic science, and what we as staff members are engaging with and doing. And hopefully we can demonstrate how that crossover occurs.
So for example, Tim James, who’s our crime scene scientist, he will look at not just what is present from a biological point of view. His role now would be also looking at what sort of electronic devices are in there that might describe the behaviours that occurred at that particular certain scene or dwelling, up to a certain point, and what devices might need to be collected, for example.
Same with crime scene visualisation in forensic science, or forensic science principles that can be applied to digital methods for preservation and collection of information.
So the blog is just a vehicle that hopefully everyone can see the sorts of things that occur when we have a multidisciplinary team, in the sense that we’ve got a lot of forensic science subfields together, and teaching and researching in the same sorts of areas. So hopefully it’s useful to those that can drop in and out of it, and see the sorts of challenges and research areas that are prominent across forensic science in general.
Christa: Yeah, it sounds like there are lots of really great practical takeaways as well, especially for students. I think you mentioned those that are coming in are already working in the field, they already have that experience and they need to carry that forward.
Graeme: Yeah, for sure. So again, it depends on where the students enter at. So if the students come at undergraduate level, and they come to study, there are opportunities to go and undertake years in industry, and to engage with industry, and gather practical experience that will marry with their education, so they get a nice balance of academic and practical experience.
And the same at Master’s level. There’s opportunities to engage with that practical experience, both in industry and on the university campus with practical research projects that have real-world applicability, where they’re undertaking research and activities that can directly harvest results that can be applied to local and national police forces. Maybe the development of standard operating procedures or best practices; or even just the discovery of new knowledge that is valuable in those people’s hands that are actually doing the work in a lab somewhere, for example.
Christa: And on that note, I know the programme website talks about your strategic partnerships with different law enforcement agencies in England. What kinds of opportunities do those arrangements represent for your students?
Graeme: What students have the opportunity to engage with is industry-specific projects, potentially. So we may have specific problem areas; research questions; challenges that are presented to us, or given to us, which maybe are something that is an issue, but just time or resourcing does not allow that to be explored when your organisation is presented with that challenge.
What we have an opportunity to do is to provide students with those areas, those tasks, and they can undertake that research and hopefully provide a solution, whether that be a product, a knowledge, a procedure. And they can work closely with these clients, whether they be law enforcement or private organisations that are involved in digital forensics or forensics in general, and they have a chance to undertake real-world research and hopefully yield some results that could directly feed back into industry and make a benefit in the sense of improving processes, or just develop something that hasn’t been developed before. Or even just add to a process that’s already in place, but just maybe give it a little bit more of additional functionality, or validates existing work, for example.
So there’s a lot of opportunities for a student to engage with. Basically, organisations and law enforcement that are experiencing some issues maybe that they have, that they can’t solve themselves because of time, maybe. And they have a chance to really make a contribution in these areas. And we look to try and set students up with those sorts of projects, and those sorts of tasks, so that they’re not just undertaking research for the sake of it; that they’re undertaking research where they can see the benefit being applied back into an industry context.
Christa: And that actually is a nice segue into the second topic that I wanted to cover with you today, which is the new Forensic Science International Reports journal. I know you have written the paper Raiders of the Lost Artifacts. Your paper started out by discussing that research that you were just talking about – that practical, field-level research, but also some of the challenges, and I wondered if you could quickly go into a little more detail on what those challenges are?
Graeme: Yeah, sure. I guess if I start with the journal itself, because it is a new journal, and it’s a science journal, and it’s designed to look at smaller contributions, I guess. And my role as a section editor is for digital forensics. And we’re looking for those that want to put out results of tests in the sense of little bits of knowledge: validation studies, reverse engineering of applications; basically, research that helps to bring the field forward, even if it’s just little steps at a time.
So it could be that we have someone who provides a new test methodology, or validates something that’s existing; or somebody’s come across an artifact that they think is going to be important; and they provide us with a nice little interpretation of that, that can be picked up by anyone who wants to learn about it, essentially.
And because the journal is open access, there’s no paywall involved, so literally anyone can access this information. And it’s available for those that want to look at it. And we want to provide that resource.
And I guess this paper that I put out regarding this is essentially trying to put all of that in a nutshell. So what the paper itself is trying to stress is the fact that we need digital forensics research. You know, we deal with technology, and technology moves significantly fast, whereas forensic science – and I’m not saying that it doesn’t move fast – but the human body evolves at a certain pace. And there’s certain things that we can explore in digital forensics, we might have a popular brand of mobile phone, or a popular application that we see in 2019: in 2020, it might have gone. Or it might have significantly changed.
And what that paper’s doing is essentially a bit of a call to arms, I guess, in that we need more research, and we need it to be consistently put out there in whatever form that it has. We need to be also looking at the quality of it, and we need to make sure that it hits the right target, in that it’s had some peer review, it’s had some scrutiny, and it’s available for those to look at and to review themselves, and to take on board. And ultimately, it’s the distribution of knowledge. And we need that because of the pace at which technology changes.
So yeah, we need that consistent flow. We need the people that come across a certain artifact, or a certain application, and spend a lot of time reverse-engineering its functionality. They’ve done a really important thing there, and essentially it might be the crux of a certain case that they’ve been working on.
What we really would like is for that information to be available to others, so that the next person who encounters that research, that application, that artifact, they don’t have to start from scratch. They can start from where somebody has already undertaken and developed – and put out there – a transparent methodology, for which someone else can take on board, scrutinise, apply, peer review, and apply that to their context and findings.
And we need that on such a consistent basis, just because of the significant turnover and development in software and hardware in this field that we will be encoutering so often.
Christa: By the same token, you also in that paper describe the lifespan of applicable forensic research. There is, I think, four levels that you identified in order, from slowest level of change to fastest. And there was a lifespan, there is a finite amount of time that some of the research might end up being applicable. So what do you think that means for future research efforts, as the pace of technological development accelerates?
Graeme: It’s an interesting one, because you’ve got competing interests of academics and practitioners, and what research means to one is different to what maybe it means to the other. Because the fact that digital forensics is such a fast-moving target, in the sense of, what might be a common artifact today may not be so in six months’, a year’s time.
It’s difficult in that you might spend a large amount of time processing or producing a piece of work that ultimately might have a six-month patch of amazingness and applicability, and then all of a sudden not be worth anything anymore.
Now, I don’t necessarily think that is as straight-cut as what I’ve said it there. And I do think there is a lifespan of artifact-based research, and I’ve tried to depict that in the article itself. So I think that there’s certain periods in which the research is applicable.
For example, any time someone undertakes some research of a particular artifact, obviously that research is applicable during the lifespan of that artifact. So whilst someone might investigate application A whilst application A is still in use, clearly that research is still going to have a value. So if that’s something like Facebook, obviously that research is going to be applicable – well, has been, will be, applicable for a very long time.
There might be a little-known application where there might be a short space of time where that application is still available on a market somewhere and can be downloaded. Now once that stops, or ceases deployment, or whatever that might be, it doesn’t instantly mean that research is dead in the water. There’s sustained artifact usage.
And those applications might be used for a period of time beyond when they’re available. So if support stops via a company, the application might still be functioning for some people, they might still be in use. So if it’s a communication app you’ve got people out there who think, “Well actually, this is a cool little app, and I’m still going to continue to use it, as long as it functions.”
So you’ve got whilst the application is alive, and then you’ve got whilst there’s sustained usage of the application, as well. And eventually that will come to an end, I guess – and that might be for a prolonged period of time – you will have backlogs of case information. You’ll have those devices that have been awaiting investigation where you might encounter historic, or what appear to be historic, applications and artifacts. And that might just be because they’ve been in a queue waiting to be examined. So you’ve still got that information still applicable.
And then even beyond that period of time, you’ve got the informative and influential stage of your research as well. So when the next communication app comes out, someone can say “Well actually, previous works have looked at application A and we can see that they’re using these sorts of file formats, structures, this is the communications protocols that are in use.”
And it might be a case of 90% of it is different, but there might be some fundamental bits in there that you can take going forward. So I don’t think that it’s just a here today, gone tomorrow piece of research. And I think people need to think that it’s not just a month-long project: it’s a piece of research that you could pick up a year or two later when that application is gone, and still take something from that and build upon that going forward.
I’m just thinking in terms of the levels, as well. And this is just my interpretation of it, in terms of what I think, and others may disagree. But I think that you’ve got pace of change, and pace of change changes depending on what we’re looking at here.
So if we’re looking at core artifacts on an operating system, then arguably they might have a slower pace of change in terms of structurally, and format-wise, and whatnot, compared to say, the pace of change of log files for particular niche applications on iOS and Android or something like that.
So you’re always going to get the more fundamental artifacts that are going to be around for a long time, around multiple iteration of operating systems, for example; and those iterations might not actually cause many changes, or not major changes. Whereas in terms of artifacts in an application, major updates might even change the format of how logs are stored, or even if they’re stored at all, all those sorts of things.
So you’ve got the applicability of the research as well, to factor in how quick some of these artifacts can change. And that’s also going to have an effect on what the lifespan of that research might be.
Christa: I think you mentioned, though, on the opposite end of that spectrum, the more rapid pace of change. I’m sorry, I don’t have the paper in front of me, I’m remembering off the top of my head. There was a fourth level that was the most rapid pace of change.
Graeme: Yes. So that’s what I was touching upon there. And again it’s just my opinion, and others may disagree, but I think at the faster pace of change scale you will see it more in the quick turnover of some of these new applications that come out, that only last for a couple of months before the support for them is withdrawn. Or become so popular that they develop massively and quickly to cope with additional functionality that’s added to them.
So you might get an application that, when it’s released, starts off in January in some structural shape or form, and then depending on how that application has gone with its release, maybe they find that actually they’ve discovered a different login format that’s more efficient, or they want to add additional functionality to it that means they have to created a different set of formatted data for login information. And I think that at that scale of things – the back end of applications – you’re going to find a quicker change in the information that’s stored; the structure of information, maybe associated metadata, those sorts of things.
And that’s probably where you’re going to get quick turnaround of research; where you’re going to have to have people looking at these applications; getting the research out and live, and maybe they can apply that.
Christa: Right, right. That does make sense. I wanted to ask about that sharing process, because another thing you mentioned in the paper was the tendency to hoard information, to retain it. I wanted to get a little more insight as to where that tendency comes from.
I was at the SANS DFIR Summit a couple of weeks go, and there’s obviously a lot of emphasis at events like that about sharing, and yet to see that there’s still a tendency to hoard information is striking to me. So I wanted to find out more about that phenomenon.
Graeme: Yeah. It’s a difficult one, and I think it’s something that’s been discussed, and it’s been around for a while as a problem area, I guess, if you can highlight it tentatively as one of those.
And I don’t think it’s anything tha’ts necessarily always malicious, or anything like that. But sharing of knowledge is a difficult thing to do. It’s time-consuming: where do you share it? What do you share it with? What platforms do you use? We don’t really have a massive infrastructure for that.
There are places out there that attempt to do it, and I’m not going to say there hasn’t been attempts made because there has, but we haven’t at this point – and I remain to be proven wrong – but we haven’t really got that ultimately accepted platform where someone can say “Look, this is what I’ve done and this is really clever,” and it’s put somewhere for everyone else to harvest and really benefit from.
I think everyone can see the benefit of sharing knowledge, and if everyone’s doing really clever things and sharing their really clever things, then as a field we’re getting cleverer. We’re getting better. We’re getting more advanced with what we know.
We all tend to be looking towards a common goal, but I think it’s hard. Because if you’re facing outside factors influencing what time you have to do the work you’ve got; if you’re constantly doing case work and you don’t have the time to stop and package up the clever things that you’ve done, sanitise the data, do everything that you would need to do to effectively share results, then it becomes very easy to not do that and just keep the data to yourself. And that’s not because you don’t want to share it, it’s just because knowledge-sharing isn’t really facilitated.
On the opposite side of the scale you might have people who have knowledge that they can make a financial benefit from, or that will mean that they’ve got a one-up on a competition or something like that. And again, that’s also understandable, if you’ve invested a lot of time in doing something, then maybe you want to make money from that. And that might be a new tool, or a technique.
But generally I think most, if not all, practitioners would see knowledge-sharing as a benefit, and I don’t think that a lot of us want to harbour the knowledge that we possess, or we want to be little individual siloed entities, as the term that gets bandied around.
I just don’t think that we often or always are in a position to take half a day out to package up all of the things we’ve done; write a tutorial, or write something that means that the next person that discovers it can just jump straight in and “Thank you very much, you’ve provided me with an excellent foot on the ladder there to investigate this type of data.”
And yes, there are some initiatives that try to get that information out there, but again I don’t think we’ve got that nailed down at this point in time. And I don’t have the solution for it. I don’t know if it involves a centralised body that can look over all of this. But those sorts of things have been mooted for a long time, and I don’t think, as of yet, that we really have got to the point of really addressing that.
Christa: I was going to say, it almost sounds like there would need to be a dedicated group of people somehow that were able to either take over some of those processes or facilitate in some way, to help the researchers walk through how to do it in the easiest possible way.
Graeme: Yeah. And possibly it’s a thankless task. Because, is that a voluntary role? If it is, who’s going to do that? If it’s paid, who’s going to fund that? Is it national? Is it global?
And then you’ve got loads of different factors to hone in on standards of what people work to, processes, a lack of standardisation and principles that they apply to their investigation. It requires a lot of thought.
And again, I think everyone has probably given it a lot of thought, but we just don’t have a common solution. And I just don’t necessarily see one coming any time soon.
Christa: So, given those rather significant hurdles, what is your advice to people who might want to contribute, but they’re either fearful of somehow getting it wrong, or the time that they know it takes is somehow not – I hate to say it’s not worth the reward of getting something out there, but it also at the same time is that significant hurdle. What is your advice to people on breaking the thought of such a huge task down into manageable chunks that they can share more easily?
Graeme: Yeah, sure. I mean, don’t get me wrong, it’s a daunting task. You’re putting yourself out there for public scrutiny, essentially. And I know that doesn’t appeal to… does that appeal to anyone? I’m not sure.[laughter]
Graeme: But I guess, no one is expected to be an expert in everything, but you might have some really cool information or expertise on a certain topic, a sub-topic. A little bit. Something cool you’ve discovered over how a certain log functions, and how you can parse that information out.
Now, yeah, if you want to share that, then obviously there are different platforms that you can engage with. You get a lot of people that blog; you get people that go to academic platforms, such as FSIR – Digital Investigation is another one, just to name a few. There’s lots to choose from. And the methods in which you have to present that data do change, do differ.
We also have initiatives like the DFIR Review, which has just come on board. So there are different places, you choose where you want to go, essentially. You choose what you’re most comfortable with.
Regardless of the place, there are guidelines on how to do it. And most, if not all, the people that will be involved with any of those platforms will be supportive in how to get that work into a format that is good, or acceptable. Obviously, those platforms are going to be scrutinised. Even if you put a blog post out there, the passerby who stops to visit is going to have an opinion on that. And should.
If you have some knowledge, then why not share it, and give the chance of others to look at it, and peer review it, and scrutinise it, and provide constructive criticism? Because the last thing you would want to do is sit on a misinterpretation, I guess. You want to provide your knowledge and view feedback as a positive.
I don’t think anyone out there would sit and make it their purpose to destroy someone’s interpretation if they can see little holes in it. I think it’s all a learning process, and I think by engaging with it, whether it be again by a blog, or a journal, or at a conference level, it’s a chance to say “This is what I’ve done. What do you think of it? Can I do anything better?” And learn from that process, and keep that iterative process going.
But I know that’s not going to be for everyone, and I don’t think everyone’s going to like the idea of opening themselves up to that. But I think, for the most, it should be constructive, and people should bear that in mind when they do that, or when they want to comment on that.
And if we’re all contributing, whichever shape or form it’s in and however little, then we’re helping, I guess, in that the field itself can be adding to the existing body we have of information that can support our investigations as we go through them.
Christa: That makes sense, and I want to interject too that forums like the one at Forensic Focus could be a good way to put even loose thoughts out there and engage with other practitioners in advance of putting something a little more formalised together.
Graeme: Absolutely, yeah. Sorry, I totally forgot forum platforms. Again, blogs, forums. Forums offer a really nice place to almost get instantaneous feedback. You know, if you’ve got something that you can share, whether it be as a forum post or maybe a small article on the forum itself, where you can provide some almost tutorial-like feedback to it, you’ve got a community of individuals there that should be able to be really positive, and really provide you with some good feedback on the work that you’ve done. If it needs improving, then maybe we can suggest ways to do that, or practitioners can do that. Because I think there’s always room to improve on it.
But ultimately, what we’re after is the discovery of new knowledge that is robust, and if we can do more of that, regardless of the platform, then we’re going to get there as practitioners. We’re going to get more knowledgeable, and we’re going to understand the landscape that we’re investigating on a daily basis.
Christa: Absolutely. And thank you for that positive outlook, I know there are a lot of challenges, but it’s helpful to know some of the ways of overcoming, and that there’s really nothing to fear about getting engaged with the community. It’s more about getting that help.
So Graeme, we’re about at time now, I’m going to close. Thank you again for your time and your insights. This has been a really good conversation, and I appreciate it.
Graeme: Thank you very much, I hope it’s been helpful.
Christa: Of course, it absolutely has been. And I hope it has been for everybody else as well.
So thank you for joining us on the Forensic Focus podcast. You can find more articles, information and forums at www.forensicfocus.com. If there are any topics you would like us to cover, or if you would like to suggest someone for us to interview, please let us know.