Building a Linux based Digital Forensic workflow – Introduction

For the whole time that I’ve been doing Digital Forensics, I’ve been using Windows for it. This seriously irks me ! I’ve been in love with open source / free software since I installed my first Linux box at University. The original reason for the install was to avoid having to walk to the CS/AI labs in winter, in Edinburgh. I like being warm and dry as much as the next person – something that doesn’t happen often outside in Scotland in Winter. Linux emulated the SunOS / IRIX environment well enough that I could carry out my C / Prolog work without hypothermia.

Since then, I’ve always had _at least_ one Linux machine running at any one point in time – but since I stopped being a UNIX SysAdmin and started being a Security / Forensics Consultant, usually not as my main machine. I tried for a while to assuage my guilt by using Macs – well documented below – ‘cos at least they are “UNIX” machines when running OS X. Windows though has been an ever present thorn in my side, firstly for the running of proprietary forensic tools ( Oxygen, XWays Forensics & other odds and ends ), secondly for the running of games ( I don’t play many, but enough … ) and finally for the suite that is Office – something that has been required day-in-day-out for far, far too long …

Until now, I haven’t actually _tried_ to get rid of it though – having enough bits of hardware around to run Windows, MacOS and Linux both physically and in virtualised environments has meant that I don’t need to do it. The gnawing feeling that this is wrong has been exacerbated by tuning into a number of Linux podcasts ( I recommend Jupiter Broadcasting, Linux Action Show and Linux Unplugged ) and this had drawn to my attention that perhaps Linux is now “desktop ready”. And now Steam ( at least in theory ) works on Linux for some games in my library ( Bioshock Infinite ), there really is no excuse any longer.

This is it, I’m biting the bullet and removing Microsoft and Apple from my day-to-day workflow – for _everything_ forensics, security, documents, e-mails, IM/VoIP, games, calendar, phone synchronisation (but not phones themselves – I am aware of the Ubuntu phone and may make the switch at some point, but for now my iPhone remains) etc. etc. etc.

I think that there are some things that won’t be straightforward, I’ll admit that up front – but I sincerely hope that the open source ecosystem has solutions to all problems, and I’m not unwilling to dust off the few coding skills that I have in order to get to the end goal.

More to follow as this progresses …

DMU and Documents … (Part 2)

Wow. Four days later I think that I’ve grasped it – in a few hours the exam ( a 2 hour practical ) will be over and I’ll know how much of it has actually sunk in !

So, the actual course content – if you forensically examine Office documents, you need to do this course. As with all Sammes/Jenkinson courses – don’t expect “point & click” forensics – this isn’t a step-by-step how-to guide, nor does it sell/use any given product ( although examples of EnCase output are included in places where pertinent to the point being made … ). It is much, much better than that – it is a course in how to approach a document ( … and remember an Office document is anything created by Word, Excel, PowerPoint or Visio … ) in order to obtain evidence that can be presented in court regarding the information that supports the case. We’ve been through the usual suspects – creation/modification times & dates, save locations, names etc. – but more importantly how these data structures are represented within the document – this means that ( coupled with the supporting documentation – provided as part of the course ) you can successfully decompose any and all data held in a document by following the principles taught. Please forgive me for not going into more detail – all I can really say is that if you need to do documents, you need to do this course – there is so much here that is (a) original research and (b) that isn’t covered elsewhere I imagine that it would be very bad news to try and present as an expert against someone who has done the course as you will look like a right idiot.
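The “usual suspects” above – creation and modification times, authors, revision counters – live in data structures inside the document, and pulling them out is only half the job; the other half is checking whether they agree with each other and with the container they arrived in. The following is an added example and is not code from the blog post or from the DMU course: it reads the core properties of an OOXML package (.docx/.xlsx/.pptx, which are zip containers with a `docProps/core.xml` part), then flags contradictions. The sample document is constructed inline and is not a real case file; the heuristic that Office stamps every zip entry with the DOS epoch 1980-01-01 is an assumption stated here, not something the post claims.

```python
"""Pull authoring metadata out of an OOXML package and cross-check it.

Added example, not part of the blog post or the DMU course material.
Standard library only; the sample document is constructed inline and is
not a real case file.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespaces used by docProps/core.xml in .docx/.xlsx/.pptx packages.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# Constructed core-properties part: note that "modified" is EARLIER than "created".
CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    "<dc:creator>alice</dc:creator>"
    "<cp:lastModifiedBy>bob</cp:lastModifiedBy>"
    "<cp:revision>7</cp:revision>"
    '<dcterms:created xsi:type="dcterms:W3CDTF">2012-01-09T09:15:00Z</dcterms:created>'
    '<dcterms:modified xsi:type="dcterms:W3CDTF">2012-01-08T17:42:00Z</dcterms:modified>'
    "</cp:coreProperties>"
).format(**NS)


def build_sample_docx() -> bytes:
    """Constructed sample package with contradictory dates and real zip timestamps."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in [
            ("[Content_Types].xml", "<Types/>"),
            ("docProps/core.xml", CORE_XML),
            ("word/document.xml", "<document/>"),
        ]:
            # Assumption used by the check below: Office itself stamps every entry
            # with the DOS epoch 1980-01-01. This sample deliberately carries a real date.
            info = zipfile.ZipInfo(name, date_time=(2012, 1, 10, 8, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            z.writestr(info, body)
    return buf.getvalue()


def parse_w3cdtf(value: str) -> datetime:
    """Office writes W3CDTF, normally 'YYYY-MM-DDTHH:MM:SSZ'; map the trailing 'Z'
    to an explicit offset so datetime.fromisoformat accepts it on older Pythons."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def extract_core_properties(package: bytes) -> dict:
    """Return the core properties plus each zip entry's own DOS timestamp."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
        entry_dates = {i.filename: i.date_time for i in z.infolist()}

    def text(path: str):
        el = root.find(path, NS)
        return el.text if el is not None else None

    return {
        "creator": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "revision": int(text("cp:revision") or 0),
        "created": parse_w3cdtf(text("dcterms:created")),
        "modified": parse_w3cdtf(text("dcterms:modified")),
        "entry_dates": entry_dates,
    }


def consistency_findings(props: dict) -> list:
    """Flag internal contradictions an examiner would have to explain in a report."""
    findings = []
    if props["modified"] < props["created"]:
        findings.append("modified timestamp precedes created timestamp")
    if props["revision"] < 1:
        findings.append("revision counter below 1")
    odd = sorted(n for n, d in props["entry_dates"].items() if d[:3] != (1980, 1, 1))
    if odd:
        findings.append("zip entries not stamped 1980-01-01 (not written by Office?): "
                        + ", ".join(odd))
    return findings


if __name__ == "__main__":
    p = extract_core_properties(build_sample_docx())
    for k in ("creator", "last_modified_by", "revision", "created", "modified"):
        print(f"{k:17} {p[k]}")
    for f in consistency_findings(p):
        print("FINDING:", f)
```

Run against the constructed sample it reports both findings: the modification date sits before the creation date, and the package carries real zip timestamps rather than the 1980 placeholder. Neither proves anything on its own; each is a question to put to the rest of the evidence, which is the point the course makes about understanding the structures rather than trusting a tool’s summary screen.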

Anyone who has read what I’ve written before is ( I hope ! ) aware of my feelings about education – much as “giving a man a fish feeds him for one day, teaching him to fish feeds him for a lifetime” – teaching someone to use an application solves one case, teaching them to “forensicate” solves a hell of a lot more. I hope that Brian and Tony will forgive me for saying this ( I’m pretty sure that they feel this way themselves ) – if all you want from a course is to learn how to use EnCase/FTK/ForensicatorAppOfYourChoice DON’T DO THIS COURSE – if on the other hand you actually want to learn about the art and practice of digital forensics this course (and any/all others from DMU given by these gentlemen) will set you down the path to that. If you are law enforcement, there is nothing, and I repeat nothing, out in the remainder of the education market that can match the benefits of being taught by Tony and Brian – Dr Colonel Professor Sammes and Ex-Detective Inspector Jenkinson – have, I believe, probably produced ( certainly in combination ) more digital forensics court evidence over more complex cases than any other pair in history – this results in a great deal of practical advice as well as many anecdotes to fill coffee breaks with related to Policing & Computing in general.

For the rest of this entry I’m going to tread a fine line and hope that anyone intelligent enough to be considering a career in Forensics can read between the lines. I’ve known both Tony and Brian for a few years now – I started at Shrivenham more than a few years ago and dragged out my degree there, and now have gone with them to DMU – I consider them both to be friends and thus I’ll allow you to consider my bias both for what is written above and now as you will. I spoke to Brian not long after they parted company with Cranfield/Shrivenham – oddly to ask about my MSc thesis – and I know that there was a serious disparity between the direction that the Department of Forensic Computing at Cranfield wanted to take (“point and click”) and the direction that they wanted to develop the course and their belief in the importance of the understanding of fundamental principles. The ultimate decision to part company was made by Cranfield, _not_ by Tony and Brian – a ludicrous step on the part of Cranfield, which coupled with subsequent staff losses, has left the University with next to no actual real-world Forensic experience in the department full time. Within weeks Brian and Tony had been approached by more than one University – and after much discussion they chose to align with DMU. This is the best thing that they could have done, it has not only provided some first-class facilities for them to use, but it has fully supported them in taking their course in the direction that they want to take it. The Cyber ( sorry, I still hate that term ) Security centre here is practically focused to provide solutions – and they fit right in. DMU has given over secure facilities ( that exceed the guidelines for secure storage btw … ) so that the department can start to take in case work, and the plans for developing this consultancy stream are very exciting indeed.
I personally am thrilled that I changed, and I’m very encouraged by the level of commitment shown by DMU , not only to the course, but also to me as an individual.

I understand that more information regarding the course & developments will be officially published by the University over the next few months – I’ll make this available as and when it appears – either follow my Twitter feed or subscribe to the blog, and it should automagically let you know when it arrives !

Anyway, I have to go and try and make use of what I’ve been taught !

DMU and Documents …

I’m embarrassed to say that I’ve let my blogging slip again – I’d like to plead busy-ness, and it isn’t as if my Twitter hasn’t suffered too ! I think I’ve managed one Tweet this year so far …

In any case, it isn’t like I’ve got much more time now – I’m currently in Leicester at De Montfort University sitting in the brand new PostGrad Forensics Lab on the “Binary Analysis of Microsoft Office Documents” course. I’ve jumped ship from Cranfield & Shrivenham to follow Professors Tony Sammes and Brian Jenkinson to their new home in the Cyber Security department of DMU*, and I must admit that I have only one regret and that is that Leicester is so much further from home ! Other than that, the course ( so far ! This is day 2 … ) is excellent – the facilities here are far superior to those at Cranfield – much has been invested in the brand new lab – a 15-seat lab (on a quick count – it looks like it can support 3 more), some of the snazziest whiteboards that I’ve ever seen (frosted glass, nonetheless) and some excellent HD projectors. The smell of various solvents – carpet & paint I think – is still lingering a little, but the AC is gradually filtering it out as the week goes on.

Regarding the course, I won’t divulge content as it is a commercial advantage held by DMU now – I don’t think that you can get this course anywhere else – but needless to say, when it’s being presented by Tony and Brian, you can imagine that not only is it as full of content as you can cram into a day, but it is also seriously stretching all of us here I think – given that 50% of the students are doing their PhD here, I think that gives you some idea of the level that we’re talking about here.

There are several hotels listed by the University, but the closest is the Holiday Inn at St Nicholas Circle – it’s perfectly acceptable, food is pretty good and the staff are attentive in the restaurant. The gym, to be fair, is laughable, but let’s face it, a majority of Forensic Examiners are known for their athletic ability 😉 It is only a short walk from the Gateway Building where the lab is – and thus far I’ve been blessed with good weather …

Catering on the course is a matter of going to get it yourself – this isn’t a hardship, as the Student Center next door has a number of options for food – including a Starbucks (either rejoice or groan as you personally desire – for me, it beats Nescafe, so I won’t complain !) There is a cash machine, small supermarket etc. much the same range as I recall from my experiences at Edinburgh and Imperial … There seems to be an absence of card taking at the till points – I guess students only operate in cash – so just be prepared. Oh, and two other points – 1) Avoid going to lunch at 1pm, the mass of the student population arrives at this point and 2) there appears to be a constant charity fundraising presence outside – as one of my post-grad colleagues pointed out – this allows the undergrads to feel productive without actually having to do any work 😛 ( Be careful when purchasing cakes/biscuits from the stalls – I’m not sure that student kitchens are best designed for mass catering, and, although the flavour was lovely – the image of Brian having to break his biscuit by repeatedly smashing it against the table in order to eat it will remain with me for a long time ! )

I’ll update this a little later in the week when a bit more course has been covered … But, from first impressions, I’m really rating the move from Cranfield/Shrivenham as “a good thing”…

For more information on De Montfort University courses – both Undergraduate and Postgraduate Forensics & Information Security go to HERE.

* Ok people, let’s be brutally honest here – there isn’t really a course left at Cranfield after Tony and Brian left – so I can’t say that there was much point in _not_ following them …

De Montfort University – New MSc in Forensics

Below I quote a letter from Brian Jenkinson and Tony Sammes regarding the new digital forensics course at De Montfort University. Brian and Tony, formerly of Cranfield, are considered amongst the foremost Digital Forensics practitioners and specialists in the UK. This e-mail is reproduced less contact details to reduce spam / annoyance, but if you are serious, please contact me directly and I’d be happy to pass you on.

Dear Students, Colleagues and Friends,

It is with great pleasure that we can now let you all know that our “new” MSc has been validated by De Montfort University and we will start teaching in January 2012.

The MSc will run in a configuration that you will recognise. Many thanks must be extended to the staff at DMU who have worked long and hard hours to get the MSc developed and in place in a period of about five months. It has been a heavy time for all of them and for the two of us. Getting this done in such a short period must be some kind of record! We were insistent on speed so as not to leave any existing students in the lurch, as you know the move was not of our choosing.

Full details of the Courses will be circulated shortly but to cover some of the questions we have been asked:

– The MSc is made up of the Courses plus Coursework and Project.
– Three qualifications are available, MSc, PG Dip and PG Cert.
– Short Courses will run together with the MSc residential element.
– Those of you with completed modules “in the bank” can put those towards an MSc at De Montfort.
– Those of you who have done the residential elements only (without the coursework) will be able to “top up” with coursework only.
– Costings are not yet settled but we are assured that they will be similar to or less than those you would expect to pay elsewhere.
– We are not aware that any fee will be charged for transfer of credits (in their various types) to register completed modules or short course passes at DMU.

The first course/module will be a Foundations of Forensic Computing in January 2012.

This is an exciting time for both of us – they are building us a teaching lab as we write with all new kit and extras. The lab is exclusively for our use so we can do as we wish without constraints and do not have to share with any other course; the building is massive and its layout is designed for teaching and students’ comfort. The atmosphere is friendly and welcoming and the staff are brilliant “can do, will do” people. There is technical support for us should there be any glitches and the kit is better than anything we possess. The MSc is “Forensic Computing for Practitioners” and will focus upon Forensic stuff to do the job and us teaching Forensics rather than padding out with non-relevant material. There are shed-loads of new stuff, including bespoke scripting, differing operating systems, getting past the disk interface and the like – it feels like we have been released from our leashes and can run free, it’s great!

In the first instance anyone who wishes to express an interest in transferring to DMU, starting the MSc (or derivative) at DMU or simply wants Short Courses at DMU should EMail with contact details and a short explanation of their circumstances to “<on request>”. PLEASE use “MScFC4P” as the Subject in the EMail header.

Each person enquiring will then be contacted personally, initially with some further detail and then to discuss the mechanics for those requesting a transfer. Please include both EMail and telephone contact details.

Please feel free to contact us at “<on request>” with any queries or telephone Brian on <on request> if you want a personal discussion.

Further Good News with detail will follow shortly; if you want a Foundation place in January we suggest you register your interest as soon as possible, we are aware that interest is already high.

Our very Best Regards to all of you, we hope to see you at F3 in November or, indeed, at DMU.

Please feel free to circulate the content of this EMail to any person whom you feel may be interested in its content – we do not have access to a database of students or organisations at present. It would also be very helpful if you would acknowledge receipt of this EMail, thanks.

Tony and Brian.

in cauda venenum
Brian Jenkinson MSc BSc[hon] BA  FBCS CITP
Forensic Computer Consultant
Visiting Professor to The Faculty of Technology of  De Montfort University, Leicester

