Category Archives: Forensics

DMU and Documents … ( Part 3 )

For the curious – the exam yesterday went “ok” … Not as well as I would have liked. It was good in the sense that as I went through the task, I realised the errors that I was making and managed to correct them before it went _too_ far in throwing out subsequent calculations but it really slowed me down and I didn’t quite get through all of it. I’m confident that I passed, and, interestingly, I managed to learn something new about the behaviour of Word during the exam – I also know that, without any time constraint, I would have been able to do it, so the course should be classed as a success (!). This is the first occasion I can recall in my entire academic history ( since GCSE none the less ) where I want to get the coursework component so that I can beat the darn thing !

The exam was, I think, well positioned – if I hadn’t made any mistakes it would have been feasible to complete it in about 1hr 45min I reckon – Tony and Brian said that they each sat it, and it took each of them just over an hour. The content of the week ( which took 4 days of 9am to 6pm training to get through ) couldn’t possibly all be examined – so the sub section chosen had to demonstrate understanding, and I must admit that it does that very well indeed.

Roll on the coursework !


DMU and Documents … (Part 2)

Wow. Four days later I think that I’ve grasped it – in a few hours the exam ( a 2 hour practical ) will be over and I’ll know how much of it has actually sunk in !

So, the actual course content – if you forensically examine Office documents, you need to do this course. As with all Sammes/Jenkinson courses – don’t expect “point & click” forensics – this isn’t a step-by-step how to guide, nor does it sell/use any given product ( although examples of EnCase output are included in places where pertinent to the point being made … ). It is much, much better than that – it is a course in how to approach a document ( … and remember an Office document is anything created by Word, Excel, Powerpoint or Visio … ) in order to obtain evidence that can be presented in court regarding the information that supports the case. We’ve been through the usual suspects – creation/modification times & dates, save locations, names etc. – but more importantly how these data structures are represented within the document – this means that ( coupled with the supporting documentation – provided as part of the course ) you can successfully decompose any and all data held in a document by following the principles taught. Please forgive me for not going into more detail – all I can really say is that if you need to do documents, you need to do this course – there is so much here that is (a) original research and (b) that isn’t covered elsewhere I imagine that it would be very bad news to try and present as an expert against someone who has done the course as you will look like a right idiot.

Anyone who has read what I’ve written before is ( I hope ! ) aware of my feelings about education – much as “giving a man a fish feeds him for one day, teaching him to fish feeds him for a lifetime” – teaching someone to use an application solves one case, teaching them to “forensicate” solves a hell of a lot more. I hope that Brian and Tony will forgive me for saying this ( I’m pretty sure that they feel this way themselves ) – if all you want from a course is to learn how to use EnCase/FTK/ForensicatorAppOfYourChoice DON’T DO THIS COURSE – if on the other hand you actually want to learn about the art and practice of digital forensics this course (and any/all others from DMU given by these gentlemen) will set you down the path to that. If you are law enforcement, there is nothing, and I repeat nothing, out in the remainder of the education market that can match the benefits of being taught by Tony and Brian – Dr Colonel Professor Sammes and Ex-Detective Inspector Jenkinson – have, I believe, probably produced ( certainly in combination ) more digital forensics court evidence over more complex cases than any other pair in history – this results in a great deal of practical advice as well as many anecdotes to fill coffee breaks with related to Policing & Computing in general.

For the rest of this entry I’m going to tread a fine line and hope that anyone intelligent enough to be considering a career in Forensics can read between the lines. I’ve known both Tony and Brian for a few years now – I started at Shrivenham more than a few years ago and dragged out my degree there, and now have gone with them to DMU – I consider them both to be friends and thus I’ll allow you to consider my bias both for what is written above and now as you will. I spoke to Brian not long after they parted company with Cranfield/Shrivenham – oddly to ask about my MSc thesis – and I know that there was a serious disparity between the direction that the Department of Forensic Computing at Cranfield wanted to take (“point and click”) and the direction that they wanted to develop the course and their belief in the importance of the understanding of fundamental principles. The ultimate decision to part company was made by Cranfield, _not_ by Tony and Brian – a ludicrous step on the part of Cranfield, which coupled with subsequent staff losses, has left the University with next to no actual real-world Forensic experience in the department full time. Within weeks Brian and Tony had been approached by more than one University – and after much discussion they chose to align with DMU. This is the best thing that they could have done, it has not only provided some first-class facilities for them to use, but it has fully supported them in taking their course in the direction that they want to take it. The Cyber ( sorry, I still hate that term ) Security centre here is practically focused to provide solutions – and they fit right in. DMU has given over secure facilities ( that exceed the guidelines for secure storage btw … ) so that the department can start to take in case work, and the plans for developing this consultancy stream are very exciting indeed.
I personally am thrilled that I changed, and I’m very encouraged by the level of commitment shown by DMU , not only to the course, but also to me as an individual.

I understand that more information regarding the course & developments will be officially published by the University over the next few months – I’ll make this available as and when it appears – either follow my Twitter feed or subscribe to the blog, and it should automagically let you know when it arrives !

Anyway, I have to go and try and make use of what I’ve been taught !


DMU and Documents …

I’m embarrassed to say that I’ve let my blogging slip again – I’d like to plead busy-ness, and it isn’t as if my Twitter hasn’t suffered too ! I think I’ve managed one Tweet this year so far …

In any case, it isn’t like I’ve got much more time now – I’m currently in Leicester at De Montfort University sitting in the brand new PostGrad Forensics Lab on the “Binary Analysis of Microsoft Office Documents” course. I’ve jumped ship from Cranfield & Shrivenham to follow Professors Tony Sammes and Brian Jenkinson to their new home in the Cyber Security department of DMU*, and I must admit that I have only one regret and that is that Leicester is so much further from home ! Other than that, the course ( so far ! This is day 2 … ) is excellent – the facilities here are far superior to those at Cranfield – much has been invested in the brand new lab – a 15 seat (on a quick count – looks like it can support 3 more) there are some of the snazziest whiteboards that I’ve ever seen (frosted glass none-the-less) and some excellent HD projectors. The smell of various solvents – carpet & paint I think – still are lingering a little, but the AC is gradually filtering it out as the week goes on.

Regarding the course, I won’t divulge content as it is a commercial advantage held by DMU now – I don’t think that you can get this course anywhere else – but needless to say, when it’s being presented by Tony and Brian, you can imagine that not only is it as full of content as you can cram into a day, but it is also seriously stretching all of us here I think – given that 50% of the students are doing their PhD here, I think that gives you some idea of the level that we’re talking about here.

There are several hotels listed by the University, but the closest is the Holiday Inn at St.Nicholas Circle – it’s perfectly acceptable, food is pretty good and the staff are attentive in the restaurant. The Gym, to be fair, is laughable, but let’s face it, a majority of Forensic Examiners are known for their athletic ability 😉 It is only a short walk from the Gateway Building where the lab is – and thus far I’ve been blessed with good weather …

Catering on the course is a matter of going to get it yourself – this isn’t a hardship, as the Student Center next door has a number of options for food – including a Starbucks (either rejoice or groan as you personally desire – for me, it beats Nescafe, so I won’t complain !) There is a cash machine, small supermarket etc. much the same range as I recall from my experiences at Edinburgh and Imperial … There seems to be an absence of card taking at the till points – I guess students only operate in cash – so just be prepared. Oh, and two other points – 1) Avoid going to lunch at 1pm, the mass of the student population arrives at this point and 2) there appears to be a constant charity fundraising presence outside – as one of my post-grad colleagues pointed out – this allows the undergrads to feel productive without actually having to do any work 😛 ( Be careful when purchasing cakes/biscuits from the stalls – I’m not sure that student kitchens are best designed for mass catering, and, although the flavour was lovely – the image of Brian having to break his biscuit by repeatedly smashing it against the table in order to eat it will remain with me for a long time ! )

I’ll update this a little later in the week when a bit more course has been covered … But, from first impressions, I’m really rating the move from Cranfield/Shrivenham as “a good thing”…

For more information on De Montfort University courses – both Undergraduate and Postgraduate Forensics & Information Security go to HERE.

* Ok people, let’s be brutally honest here – there isn’t really a course left at Cranfield after Tony and Brian left – so I can’t say that there was much point in _not_ following them …


De Montfort University – New MSc in Forensics

Below I quote a letter from Brian Jenkinson and Tony Sammes regarding the new digital forensics course at De Montfort University. Brian and Tony, formerly of Cranfield, are considered amongst the foremost Digital Forensics practitioners and specialists in the UK. This e-mail is reproduced less contact details to reduce spam / annoyance, but if you are serious, please contact me directly and I’d be happy to pass you on.

Dear Students, Colleagues and Friends,

It is with great pleasure that we can now let you all know that our “new”
MSc has been validated by De Montfort University and we will start teaching
in January 2012.

The MSc will run in a configuration that you will recognise. Many thanks
must be extended to the staff at DMU who have worked long and hard hours
to get the MSc developed and in place in a period of about five months.
It has been a heavy time for all of them and for the two of us. Getting this
done in such a short period must be some kind of record!  We were insistent
on speed so as not to leave any existing students in the lurch, as you know
the move was not of our choosing.

Full details of the Courses will be circulated shortly but to cover some of
the questions we have been asked :

– The MSc is made up of the Courses plus Coursework and Project.
– Three qualifications are available, MSc, PG Dip and PG Cert.
– Short Courses will run together with the MSc residential element.
– Those of you with completed modules “in the bank” can put those towards an
MSc at De Montfort.
– Those of you who have done the residential elements only (without the
coursework) will be able to “top up” with coursework only.
– Costings are not yet settled but we are assured that they will be similar
to or less than those you would expect to pay elsewhere.
– We are not aware that any fee will be charged for transfer of credits (in
their various types) to register completed modules or short course
passes at DMU.

The first course/module will be a Foundations of Forensic Computing in
January 2012.

This is an exciting time for both of us – they are building us a teaching
lab as we write with all new kit and extras. The lab is exclusively for our use so we
can do as we wish without constraints and do not have to share with any
other course, the building is massive and its layout is designed for
teaching and students’ comfort. The atmosphere is friendly and welcoming
and the staff are brilliant “can do, will do” people. There is technical support for us
should there be any glitches and the kit is better than anything we possess.
The MSc is “Forensic Computing for Practitioners” and will focus upon
Forensic stuff to do the job and us teaching Forensics rather than padding out
with non-relevant material. There are shed-loads of new stuff and includes bespoke
scripting, differing operating systems getting past the disk interface and
the like – it feels like we have been released from our leashes and can
run free, it’s great!

In the first instance any one who wishes to express an interest in transferring to DMU,
starting the MSc (or derivative) at DMU or simply want Short Courses at DMU
should EMail with contact details and a short explanation of their circumstances
to “<on request>” PLEASE use “MScFC4P” as the Subject in the EMail header.

Each person enquiring will then be contacted
personally, initially with some further detail and then to discuss the mechanics for those
requesting a transfer. Please include both EMail and telephone contact details.

Please feel free to contact us at “<on request>” with any queries or
telephone Brian on <on request> if you want a personal discussion.

Further Good News with detail will follow shortly, if you want a Foundation place in
January we suggest you register your interest as soon as possible, we are aware
that interest is already high.

Our very Best Regards to all of you, we hope to see you at F3 in November
or, indeed, at DMU.

Please feel free to circulate the content of this EMail to any person whom you feel may
be interested in its content – we do not have access to a database of students or
organisations at present. It would also be very helpful if you would acknowledge
receipt of this EMail, thanks.

Tony and Brian.

in cauda venenum
Brian Jenkinson MSc BSc[hon] BA  FBCS CITP
Forensic Computer Consultant
Visiting Professor to The Faculty of Technology of  De Montfort University, Leicester


Zombiecookies …

It’s the middle of the night, and there is the faint sound of breaking glass from downstairs. The other half, with a sharper than possible elbow, nudges you – “Did you hear that ?” she hisses – “Go have a look.” Snatching for protection the first item that comes to hand, which turns out to be a bound copy of the latest Wikileaks archive¹, you edge down the stairs. As you head towards the kitchen, you hear the moans and groans of the undead – there, in the middle of the tiled floor, emerging from a box you thought that you’d thrown out three years ago are crawling, mouldy crumb by decayed choc-chip, are … ZOMBIECOOKIES !

Ok, I’m sorry, I really am. But the image was in my head since I read the term, and I had to either get it out or wake up in a cold sweat tonight. They have nothing to do with actual baked goods, thank goodness, but are about cookies ( those data holding things that websites insert into your browser ) that are a lot more persistent than is good for us – they just won’t die. There is currently a letter going through the US Federal Trade Commission regarding them, and their legality, and they have also been the subject of a number of lawsuits – the argument being that they raise privacy concerns as it isn’t possible for users to have full control over their personal data. I’ve not made an extensive study as of yet, but following through the usual suspects ( The Register, Wikipedia, etc. ) eventually led me to the Evercookie. Like a real zombie, Evercookie isn’t quite immortal (for useful hints and tips on killing real zombies, I’d suggest “Shaun of the Dead“) – but it really is persistent enough to be a pain for the average user. It’s quite an interesting exhibition of resilience that I wish a lot of my other data could follow – Evercookie will replicate itself to various locations, and will rewrite other locations that are cleaned the next time that the browser hits the cookie code. The locations listed are⁴:

Clearly this is devious and underhand, it means that unless your cookie cleaner knows all of these storage locations, you aren’t going to get rid of it…

… on the other hand, from a forensic point of view, this could show that a cookie cleaner has been used – if there is a Zombiecookie present, but only in the less obvious places – there is a reasonable conclusion to be drawn that some, but not all, storage areas have been cleaned – you could also infer the time that such a cleaner was run ( after the date of some of the storage ) and that the user hasn’t returned to the source site since the cleaner was run.
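The inference above can be written down as a small triage check. This is an added example, not part of the original post: the store labels, the choice of which stores count as "obvious", and the sample artefacts are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Assumption: the stores a basic cookie cleaner is expected to empty.
OBVIOUS_STORES = frozenset({"http_cookie"})

@dataclass(frozen=True)
class Artefact:
    store: str          # examiner's label for the storage location
    cookie_id: str      # identifier value recovered from that location
    written: datetime   # last-written time recovered for the artefact

def assess_partial_clean(artefacts, expected_stores, cookie_id):
    """Report where an identifier survives and what that implies."""
    hits = [a for a in artefacts if a.cookie_id == cookie_id]
    present = {a.store for a in hits}
    missing = set(expected_stores) - present
    finding = {
        "present": sorted(present),
        "missing": sorted(missing),
        "cleaner_suspected": False,
        "cleaned_after": None,
    }
    # Suspicious only when an obvious store is empty while a less
    # obvious one still holds the identifier.
    if (missing & OBVIOUS_STORES) and (present - OBVIOUS_STORES):
        finding["cleaner_suspected"] = True
        # A return visit would have rewritten the emptied stores, so the
        # cleaning, with no visit since, follows the newest surviving write.
        finding["cleaned_after"] = max(a.written for a in hits)
    return finding

# Constructed sample data (not from a real case).
EXPECTED = ["http_cookie", "flash_lso", "html5_local_storage"]
SAMPLE = [
    Artefact("flash_lso", "uid-EXAMPLE-1", datetime(2011, 3, 1, 20, 15)),
    Artefact("html5_local_storage", "uid-EXAMPLE-1", datetime(2011, 3, 4, 9, 30)),
    Artefact("http_cookie", "uid-EXAMPLE-2", datetime(2011, 3, 5, 11, 0)),
]

if __name__ == "__main__":
    for cid in ("uid-EXAMPLE-1", "uid-EXAMPLE-2"):
        print(cid, assess_partial_clean(SAMPLE, EXPECTED, cid))
```

The `cleaned_after` value is a lower bound only; it is only as reliable as the timestamps recovered for each store.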

As the EU is tightening up on cookies, then these “supercookies” should be few and far between in legitimate European business – but then, as the internet is the new “Wild West“, I don’t think that we’ll be seeing the back of such tactics any time soon, and I’m sure, despite best efforts to prevent such things, that new and interesting variations will be forthcoming. If you do know of other methods for persistent cookies that could be shared, please do let me know !

1. Which, let’s face it, is more likely to bore an intruder to death before you thump them with it …²
2. I’d also like to clarify, that, as a signatory of the Official Secrets Act, I have not, nor would I, ever look at the Wikileaks documents that are protectively marked and I have no need to know.³
3. And that has nothing to do with the fact that they are phenomenally dull !
4. Table shamelessly stolen from
