Tag Archives: Document Forensics

DMU and Documents … (Part 2)

Wow. Four days later I think that I’ve grasped it – in a few hours the exam ( a 2 hour practical ) will be over and I’ll know how much of it has actually sunk in !

So, the actual course content – if you forensically examine Office documents, you need to do this course. As with all Sammes/Jenkinson courses – don’t expect “point & click” forensics – this isn’t a step-by-step how to guide, nor does it sell/use any given product ( although examples of EnCase output are included in places where pertinent to the point being made … ). It is much, much better than that – it is a course in how to approach a document ( … and remember an Office document is anything created by Word, Excel, Powerpoint or Visio … ) in order to obtain evidence that can be presented in court regarding the information that supports the case. We’ve been through the usual suspects – creation/modification times & dates, save locations, names etc. – but more importantly how these data structures are represented within the document – this means that ( coupled with the supporting documentation – provided as part of the course ) you can successfully decompose any and all data held in a document by following the principles taught. Please forgive me for not going into more detail – all I can really say is that if you need to do documents, you need to do this course – there is so much here that is (a) original research and (b) that isn’t covered elsewhere I imagine that it would be very bad news to try and present as an expert against someone who has done the course as you will look like a right idiot.

Anyone who has read what I’ve written before is ( I hope ! ) aware of my feelings about education – much as “giving a man a fish feeds him for one day, teaching him to fish feeds him for a lifetime” – teaching someone to use an application solves one case, teaching them to “forensicate” solves a hell of a lot more. I hope that Brian and Tony will forgive me for saying this ( I’m pretty sure that they feel this way themselves ) – if all you want from a course is to learn how to use EnCase/FTK/ForensicatorAppOfYourChoice DON’T DO THIS COURSE – if on the other hand you actually want to learn about the art and practice of digital forensics this course (and any/all others from DMU given by these gentlemen) will set you down the path to that. If you are law enforcement, there is nothing, and I repeat nothing, out in the remainder of the education market that can match the benefits of being taught by Tony and Brian – Dr Colonel Professor Sammes and Ex-Detective Inspector Jenkinson – have, I believe, probably produced ( certainly in combination ) more digital forensics court evidence over more complex cases than any other pair in history – this results in a great deal of practical advice as well as many anecdotes to fill coffee breaks with related to Policing & Computing in general.

For the rest of this entry I’m going to tread a fine line and hope that anyone intelligent enough to be considering a career in Forensics can read between the lines. I’ve known both Tony and Brian for a few years now – I started at Shrivenham more than a few years ago and dragged out my degree there, and now have gone with them to DMU – I consider them both to be friends and thus I’ll allow you to consider my bias both for what is written above and now as you will. I spoke to Brian not long after they parted company with Cranfield/Shrivenham – oddly to ask about my MSc thesis – and I know that there was a serious disparity between the direction that the Department of Forensic Computing at Cranfield wanted to take (“point and click”) and the direction that they wanted to develop the course and their belief in the importance of the understanding of fundamental principles. The ultimate decision to part company was made by Cranfield, _not_ by Tony and Brian – a ludicrous step on the part of Cranfield, which coupled with subsequent staff losses, has left the University with next to no actual real-world Forensic experience in the department full time. Within weeks Brian and Tony had been approached by more than one University – and after much discussion they chose to align with DMU. This is the best thing that they could have done, it has not only provided some first-class facilities for them to use, but it has fully supported them in taking their course in the direction that they want to take it. The Cyber ( sorry, I still hate that term ) Security centre here is practically focused to provide solutions – and they fit right in. DMU has given over secure facilities ( that exceed the guidelines for secure storage btw … ) so that the department can start to take in case work, and the plans for developing this consultancy stream are very exciting indeed.
I personally am thrilled that I changed, and I’m very encouraged by the level of commitment shown by DMU, not only to the course, but also to me as an individual.

I understand that more information regarding the course & developments will be officially published by the University over the next few months – I’ll make this available as and when it appears – either follow my Twitter feed or subscribe to the blog, and it should automagically let you know when it arrives !

Anyway, I have to go and try and make use of what I’ve been taught !


DMU and Documents …

I’m embarrassed to say that I’ve let my blogging slip again – I’d like to plead busy-ness, and it isn’t as if my Twitter hasn’t suffered too ! I think I’ve managed one Tweet this year so far …

In any case, it isn’t like I’ve got much more time now – I’m currently in Leicester at De Montfort University sitting in the brand new PostGrad Forensics Lab on the “Binary Analysis of Microsoft Office Documents” course. I’ve jumped ship from Cranfield & Shrivenham to follow Professors Tony Sammes and Brian Jenkinson to their new home in the Cyber Security department of DMU*, and I must admit that I have only one regret and that is that Leicester is so much further from home ! Other than that, the course ( so far ! This is day 2 … ) is excellent – the facilities here are far superior to those at Cranfield – much has been invested in the brand new lab – a 15 seater (on a quick count – looks like it can support 3 more) – and there are some of the snazziest whiteboards that I’ve ever seen (frosted glass nonetheless) and some excellent HD projectors. The smell of various solvents – carpet & paint I think – is still lingering a little, but the AC is gradually filtering it out as the week goes on.

Regarding the course, I won’t divulge content as it is a commercial advantage held by DMU now – I don’t think that you can get this course anywhere else – but needless to say, when it’s being presented by Tony and Brian, you can imagine that not only is it as full of content as you can cram into a day, but it is also seriously stretching all of us here I think – given that 50% of the students are doing their PhD here, I think that gives you some idea of the level that we’re talking about here.

There are several hotels listed by the University, but the closest is the Holiday Inn at St. Nicholas Circle – it’s perfectly acceptable, food is pretty good and the staff are attentive in the restaurant. The Gym, to be fair, is laughable, but let’s face it, a majority of Forensic Examiners are known for their athletic ability 😉 It is only a short walk from the Gateway Building where the lab is – and thus far I’ve been blessed with good weather …

Catering on the course is a matter of going to get it yourself – this isn’t a hardship, as the Student Center next door has a number of options for food – including a Starbucks (either rejoice or groan as you personally desire – for me, it beats Nescafe, so I won’t complain !) There is a cash machine, small supermarket etc. much the same range as I recall from my experiences at Edinburgh and Imperial … There seems to be an absence of card taking at the till points – I guess students only operate in cash – so just be prepared. Oh, and two other points – 1) Avoid going to lunch at 1pm, the mass of the student population arrives at this point and 2) there appears to be a constant charity fundraising presence outside – as one of my post-grad colleagues pointed out – this allows the undergrads to feel productive without actually having to do any work 😛 ( Be careful when purchasing cakes/biscuits from the stalls – I’m not sure that student kitchens are best designed for mass catering, and, although the flavour was lovely – the image of Brian having to break his biscuit by repeatedly smashing it against the table in order to eat it will remain with me for a long time ! )

I’ll update this a little later in the week when a bit more course has been covered … But, from first impressions, I’m really rating the move from Cranfield/Shrivenham as “a good thing”…

For more information on De Montfort University courses – both Undergraduate and Postgraduate Forensics & Information Security go to HERE.

* Ok people, let’s be brutally honest here – there isn’t really a course left at Cranfield after Tony and Brian left – so I can’t say that there was much point in _not_ following them …
