DMU and Documents … (Part 2)

Wow. Four days later I think that I’ve grasped it – in a few hours the exam ( a 2 hour practical ) will be over and I’ll know how much of it has actually sunk in !

So, the actual course content – if you forensically examine Office documents, you need to do this course. As with all Sammes/Jenkinson courses – don’t expect “point & click” forensics – this isn’t a step-by-step how to guide, nor does it sell/use any given product ( although examples of EnCase output are included in places where pertinent to the point being made … ). It is much, much better than that – it is a course in how to approach a document ( … and remember an Office document is anything created by Word, Excel, Powerpoint or Visio … ) in order to obtain evidence that can be presented in court regarding the information that supports the case. We’ve been through the usual suspects – creation/modification times & dates, save locations, names etc. – but more importantly how these data structures are represented within the document – this means that ( coupled with the supporting documentation – provided as part of the course ) you can successfully decompose any and all data held in a document by following the principles taught. Please forgive me for not going into more detail – all I can really say is that if you need to do documents, you need to do this course – there is so much here that is (a) original research and (b) that isn’t covered elsewhere I imagine that it would be very bad news to try and present as an expert against someone who has done the course as you will look like a right idiot.

Anyone who has read what I’ve written before is ( I hope ! ) aware of my feelings about education – much as “giving a man a fish feeds him for one day, teaching him to fish feeds him for a lifetime” – teaching someone to use an application solves one case, teaching them to “forensicate” solves a hell of a lot more. I hope that Brian and Tony will forgive me for saying this ( I’m pretty sure that they feel this way themselves ) – if all you want from a course is to learn how to use EnCase/FTK/ForensicatorAppOfYourChoice DON’T DO THIS COURSE – if on the other hand you actually want to learn about the art and practice of digital forensics this course (and any/all others from DMU given by these gentlemen) will set you down the path to that. If you are law enforcement, there is nothing, and I repeat nothing, out in the remainder of the education market that can match the benefits of being taught by Tony and Brian – Dr Colonel Professor Sammes and Ex-Detective Inspector Jenkinson – have, I believe, probably produced ( certainly in combination ) more digital forensics court evidence over more complex cases than any other pair in history – this results in a great deal of practical advice as well as many anecdotes to fill coffee breaks with related to Policing & Computing in general.

For the rest of this entry I’m going to tread a fine line and hope that anyone intelligent enough to be considering a career in Forensics can read between the lines. I’ve known both Tony and Brian for a few years now – I started at Shrivenham more than a few years ago and dragged out my degree there, and now have gone with them to DMU – I consider them both to be friends and thus I’ll allow you to consider my bias both for what is written above and now as you will. I spoke to Brian not long after they parted company with Cranfield/Shrivenham – oddly to ask about my MSc thesis – and I know that there was a serious disparity between the direction that the Department of Forensic Computing at Cranfield wanted to take (“point and click”) and the direction that they wanted to develop the course and their belief in the importance of the understanding of fundamental principles. The ultimate decision to part company was made by Cranfield, _not_ by Tony and Brian – a ludicrous step on the part of Cranfield, which coupled with subsequent staff losses, has left the University with next to no actual real-world Forensic experience in the department full time. Within weeks Brian and Tony had been approached by more than one University – and after much discussion they chose to align with DMU. This is the best thing that they could have done, it has not only provided some first-class facilities for them to use, but it has fully supported them in taking their course in the direction that they want to take it. The Cyber ( sorry, I still hate that term ) Security centre here is practically focused to provide solutions – and they fit right in. DMU has given over secure facilities ( that exceed the guidelines for secure storage btw … ) so that the department can start to take in case work, and the plans for developing this consultancy stream are very exciting indeed.
I personally am thrilled that I changed, and I’m very encouraged by the level of commitment shown by DMU, not only to the course, but also to me as an individual.

I understand that more information regarding the course & developments will be officially published by the University over the next few months – I’ll make this available as and when it appears – either follow my Twitter feed or subscribe to the blog, and it should automagically let you know when it arrives !

Anyway, I have to go and try and make use of what I’ve been taught !
