DigitalForensics 05 NOV2010

Uploaded by hhhzine

Digital ForensicS magazine
The Quarterly Magazine for Digital Forensics Practitioners
ISSUE 05 / 1 NOVEMBER 2010
HAPPY 1ST BIRTHDAY!

INSIDE
/ Scott Zimmerman on Chain of Custody
/ Survey Results
/ Criminal Profiling
/ Ethics In Computer Forensics

COMPETITION! Bundles of goodies for our Anniversary Issue!

TRAINING & EDUCATION ISSUE

LAW ENFORCEMENT TRAINING
Bev Nutter analyses the digital forensics challenges and training requirements for law enforcement

Issue 5 / £11.99 TR Media

/ REGULARS: LEGAL NEWS, 360, IRQ… AND MUCH MORE
/ INTRODUCING: Sean Morrissey’s brand new column: Apple Autopsy
/ Book Reviews: 3 great books from Syngress and Apress
/ FROM THE LAB: Frazer Lewis on Anti ForensicS Tools


SANS LONDON • September 8–9, 2010

10% discount for DFMag readers: use the code DFIRSTNDFM10 to register @ [Link]

The SANS London Experience - BE PART OF IT! Nov. 29–Dec. 4, 2010
To learn more about the 3 forensics courses coming up at the largest information security training event in Europe, visit [Link]/london-2010

• Forensics 508: Computer Forensic Investigations and Incident Response
• Forensics 558: Network Forensics
• Forensics 610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques

MORE INFORMATION: [Link]/london-2010/ • emea@[Link] • +44 (0)203 384 3470


/ EDITORIAL

EDITORIAL

What an interesting year it has been since we launched DFM. The response to the first 4 issues has seen our membership rise significantly and more of you are joining every day. We have listened to the feedback and we have made changes to the way that DFM is delivered both digitally and in print form and have added new features and sections to provide more of the content you want to read. A perfect case in point is the addition of the Mac Forensics section and I want to offer a warm welcome to Sean Morrissey, who will be looking after this section for us. We also welcome Rob Lee, who after his inaugural article in Issue 4 is now taking care of the training section, as well as providing many insightful articles about our profession. Our aim as ever is to bring you good content from the best and brightest in our industry.

This issue is also the first of the “themed” issues where we will be taking a particular topic and concentrating a percentage of the magazine to allow a wider and deeper analysis of the subject. We have chosen training as the first theme allowing us to discuss all aspects from education and training, both vendor provided and vendor neutral, as well as looking at the skills and qualifications required by the modern day digital forensics practitioner.

As a profession we have seen a widening of the skills and capabilities required of a practitioner. As an industry we have moved from the original computer forensics post event analysis (which is still highly relevant) to adding mobile or other electronic devices, where artefacts may be recovered including engine and building management systems. We also have seen the development of skills and tools used to analyse and investigate incidents in eDiscovery and eAudit cases, along with real time scenarios such as security operations. In recent discussions with Rob Lee, he used the phrase ‘intrusion forensics’; I prefer the term operational forensics, to ensure that it covers not just intrusion but also network forensics, and I think an interesting debate is to be had. As ever I welcome your views and if you have a thought on this, do let us know via 360.

As the profession grows we will see additional descriptive terms used to describe the activities carried out, such as analyst, researcher, investigator and auditor; as a profession we owe it to ourselves and to those joining the profession to have some structure for career development. We need to agree what are the core skills that should be the foundation of the profession and what skills are then required for the various disciplines, providing a structure that anyone can follow and is recognised internationally.

I hope you enjoy the thoughts and discussions around training in Issue 5 and as ever, if you want to have your say, just drop us a line at 360.

/ ROY ISBELL

Digital Forensics Magazine is a quarterly magazine, published by TR Media Ltd, registered in the UK. It can be viewed online at: [Link]

Editorial Board: Tony Campbell, Sharon Campbell, Roy Isbell, Moira Carroll-Mayer, Alastair Clement and Angus Marshall
Acquisitions: Roy Isbell
Editorial: Sharon Campbell, Tony Campbell
News Desk: Matthew Isbell
Sales & Marketing: Matthew Rahman
Production and Design: Matt Dettmar (Loud Vision Ltd)
Contributing Authors: Scott Zimmerman, Frazer Lewis, Christa Millar, Ross Patel, Moira Carroll-Mayer, Bev Nutter, Darshan Karia, Lucas Donato, Matt Davis, Sean Morrissey, Ron Tasker, Rob Lee, Tim Watson, Gary C. Kessler, Harry Parsonage and Angus Marshall
Technical Reviewers: Tony Campbell, Tim Watson, Roy Isbell, Sean Morrissey and Moira Carroll-Mayer

Contact Digital Forensics Magazine

Editorial: Contributions to the magazine are always welcome; if you are interested in writing for Digital Forensics Magazine or would like to be on our technical review panel, please contact us on editorial@[Link]. Alternatively you could telephone us on: +44 (0) 844 5 717 318
News: If you have an interesting news item that you’d like us to cover, please contact us on: news@[Link]
Advertising: If you are interested in advertising in Digital Forensics Magazine or would like a copy of our media kit, contact the marketing team on: marketing@[Link].
Subscriptions: For all subscription enquiries, please visit our website at [Link] and click on subscriptions. For institutional subscriptions please contact our marketing department on marketing@[Link].
Feedback: Feedback or letters to the Digital Forensics Magazine editor should be sent to 360@[Link].
Copyright and Trademarks: Trademarked names may appear in this magazine. Rather than use a trademark symbol with every occurrence of a trademarked name, we use the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.
Digital Edition Provider: Digital Forensics Magazine uses ZMags for its Digital Editions, allowing the creation of carbon neutral publications.


Reviewing the latest sports highlights
Attending a Review Seminar online

Put your time to better use. In pursuit of your (ISC)²® certification, attend an Official (ISC)² CBK® Review Seminar live online, in person or on site. You’ll ready yourself for an (ISC)² exam by refreshing your knowledge in information security. You’ll also send a message to peers and current employers that you’re in this game for real.
Learn more at [Link]/reviewseminar

Look for an (ISC)² Authorized Education Provider.


/ CONTENTS

CONTENTS
/ DIGITAL FORENSICS MAGAZINE ISSUE 05

REGULARS
/ NEWS 06
/ 360° 09
/ COMPETITION 17
/ BOOK REVIEWS 78
/ IRQ 82

FEATURES
/ IDEAL DF COURSE 12
How to design a fit-for-purpose DF curriculum
/ TRAINING IN LAW ENFORCEMENT 23
An analysis of the challenges and training requirements faced by law enforcement today
/ DFM TRAINING SURVEY RESULTS 38
Your opinion towards training and qualification
/ MEET THE PROFESSIONALS 44
Sean Morrissey – The man behind Mac forensics
/ MAC FORENSICS TRAINING 48
Comparing vendor neutral and tools based training
/ ETHICS IN COMPUTER FORENSICS 53
Darshan Karia talks about ethics
/ ALPHABET SOUP 58
Certifications and their role toward professionalisation
/ CRIMINAL PROFILING 63
Modus Operandi and signatures in digital investigations
/ SHEEP & HEAP 69
Are we placing too much faith in the operating system?
/ HIDE AND SEEK 74
The effectiveness of public domain anti-forensic tools

LEGAL
/ RIPA 30
Examining the Regulation of Investigatory Powers Act
/ CHAIN OF CUSTODY 32
What happens to evidence as it is collected and stored

FROM THE LAB
/ INTRODUCTION TO RAM 18
Ron Tasker provides us with an introduction to RAM capture and analysis


/ NEWS

NEWS

SANS Inaugural EU Summit

It was not only stranded holidaymakers and travelling business people that were inconvenienced by the closing of the airspace over the UK due to the Icelandic volcanic ash cloud. The inaugural SANS Europe Summit had to be postponed, but finally took place on the 8th & 9th of September in London. Delegates came from all over the EU, with Finland, Norway and the Netherlands being well represented, but included delegates from as far away as Russia. The delegates also represented a fair cross section of the industry, with the majority coming from computer services and consulting, no real surprise there; however, what was interesting was the cross section of industries in attendance, with Real Estate, Utilities, Media, Manufacturing and Non Profit sectors being represented, providing a clear indication that the world of Digital Forensics covers all industries and sectors and is not just the purview of Government, Finance and Law Enforcement.

It was also not just DF Practitioners from these industries who were attending; whilst Forensic Analysts and Information Security Specialists did make up the bulk of the delegates (almost 50%), the job functions were as diverse as the industries represented, with Sales Executives, Academics, Application Programmers, Business Managers and Students all adding to the mix and all bringing different perspectives to the world of Digital Forensics.

The two days were packed full of content and discussions around the wide ranging topics that make up Digital Forensics, with Day 1 seeing keynotes on Fuzzy Hashing, Timelines, Dealing with the Retrieved Data, Windows Volatile Data, Advanced File Carving and Shadow Copies; plus expert panels discussed Forensic Tools and Vendors. Rob Lee was on hand to lead the discussions, which were lively and informative. The second day continued where the first left off and looked at current trends and techniques from industry and practitioners, with an eye towards the future; Emma Webb-Hobson (Senior Digital Forensic Investigator with QinetiQ) talked about new computer forensic techniques.

It was clear from the topics discussed at the summit that traditional computer forensic tools and techniques are being used and developed to investigate suspected intrusions into data stores, as well as in an operational context, dealing with real time attacks and events being encountered on live information systems. It is expected that the need for Operational Digital Forensics will become more prevalent as we strive to move from post event investigations to real time analysis.

SANS have already set the date for the 2011 EU Summit (14th & 15th September) and when asked about next year’s event, Terry Neal, the Director for EMEA at SANS Institute, commented: “because of the success of the event this year, we expect to see participation from Law Enforcement, Government and Financial Services grow significantly next year”. Registration for the 2011 Summit is now open, where SANS are planning to run three SANS Forensics courses; check out their website for more information: [Link]/eu-digital-forensics-incident-response-summit-2011/

IETF approves format for e-crime reporting

The Internet Engineering Task Force (IETF) has now approved a new customised version of the Incident Object Description Exchange Format (IODEF). The new format includes various extensions and ‘add-ons’ that will make it simpler for the user to create comprehensive e-crime reports. IODEF is XML-based and was created by the IETF in 2002 so that CSIRTs could exchange operational and statistical incident data between themselves. It has become the basis for incident reporting.


/ NEWS ROUND-UP

Information Security Report 2020

The report, titled ‘Revolution or Evolution’, was commissioned by the Technology Strategy Board with the aim to “set out the drivers that will shape the future Information Security environment to 2020 and beyond.” 35 leading security experts and business leaders across the private sector, government and academia were interviewed to determine the trends that were most likely to impact the broad field of Information Security in 2020.

The report, or Roadmap as it is referred to, highlights 7 different trends that seem most likely to impact the area:

• Infrastructure Revolution
• Data explosion
• Always-on, always connected world
• Future Finance
• Tougher Regulations and Standards
• Multiple Internets
• New identity and trust modules

The results of this report show that developments in Security over the next decade look to have a wide impact on all organisations.

Iran’s strife with the Stuxnet Worm

The Stuxnet Worm has become the most infamous piece of malware in our modern age over the past few months. The Windows-specific worm was first discovered by VirusBlokAda, in Belarus, in June 2010 and was written to attack and reprogram Supervisory Control and Data Acquisition systems used to monitor industrial processes. The worm is the first in its class, as it is the first to include a Programmable Logic Controller (PLC) rootkit.

Iran was the target of the attack and, more specifically, its nuclear facilities at Natanz and the Bushehr Nuclear Power Plant. An official report from Iranian Intelligence Minister Heidar Moslehi on 11th October states that the Stuxnet worm affecting the start up of the Bushehr Plant has been put under control. The current suspicion is that the Stuxnet worm was programmed in either Israel or the United States but, more importantly, the complexity of the worm could spark a new era in cyber warfare and could start a new kind of arms race, unique to the modern age.

IETF e-crime reporting format (continued)

New features such as the ability to create reports in multiple languages, time-stamps and the ability to attach samples of malware code enable the reports to be consistent and will allow for faster reaction times upon identifying new malicious attacks.

The hope for the new format is that organisations which are hit by cyber attacks and Internet crime will be able to look into a central database that houses the IODEF e-crime reports. The database can be queried to find the IP addresses used for the offences and to see if similar attacks from the same addresses have hit other organisations. Patterns can then be identified and the information forwarded to ISPs so that actions can be taken to stop the abuse.

A trial of the new format within certain organisations is to be run by the Anti-Phishing Working Group to see how the information is shared. A main objective of the trial is to discover whether one organisation can use reports from another organisation without further communication. In the past, communication has hovered around small details such as the time of an event due to differences in time zone.
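The cross-organisation correlation the item describes (querying pooled reports for source addresses that more than one organisation has seen, and the time-zone ambiguity it mentions) can be shown on two small IODEF documents. The following Python is an added example and is not code from the magazine, the IETF or the Anti-Phishing Working Group; it uses the IODEF v1 element names and namespace from RFC 5070 rather than the newer extended format the item refers to, and the organisation names, incident IDs, addresses and times in it are constructed sample data.

```python
"""Correlating source addresses across IODEF incident reports.

Added example (not from the magazine or the IETF): two constructed IODEF v1
documents, using the element names and namespace of RFC 5070, are parsed;
each ReportTime is normalised to UTC so reports from different time zones
can be ordered on one clock, and source addresses reported by more than one
organisation are flagged for follow-up. All names, IDs, addresses and
times below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"iodef": "urn:ietf:params:xml:ns:iodef-1.0"}  # IODEF v1 namespace (RFC 5070)

# Constructed report from organisation A; its clock is given in +01:00.
REPORT_A = """<?xml version="1.0" encoding="UTF-8"?>
<IODEF-Document version="1.00" lang="en" xmlns="urn:ietf:params:xml:ns:iodef-1.0">
 <Incident purpose="reporting">
  <IncidentID name="csirt-a.example">A-1001</IncidentID>
  <ReportTime>2010-10-11T10:15:00+01:00</ReportTime>
  <Assessment><Impact type="recon" completion="failed"/></Assessment>
  <Contact role="creator" type="organization"><ContactName>Org A CSIRT</ContactName></Contact>
  <EventData><Flow>
   <System category="source"><Node><Address category="ipv4-addr">192.0.2.200</Address></Node></System>
   <System category="target"><Node><Address category="ipv4-addr">198.51.100.7</Address></Node></System>
  </Flow></EventData>
 </Incident>
</IODEF-Document>"""

# Constructed report from organisation B; its clock is given in -05:00.
REPORT_B = """<?xml version="1.0" encoding="UTF-8"?>
<IODEF-Document version="1.00" lang="en" xmlns="urn:ietf:params:xml:ns:iodef-1.0">
 <Incident purpose="reporting">
  <IncidentID name="csirt-b.example">B-2002</IncidentID>
  <ReportTime>2010-10-11T05:30:00-05:00</ReportTime>
  <Assessment><Impact type="dos" completion="succeeded"/></Assessment>
  <Contact role="creator" type="organization"><ContactName>Org B CSIRT</ContactName></Contact>
  <EventData><Flow>
   <System category="source"><Node><Address category="ipv4-addr">192.0.2.200</Address></Node></System>
   <System category="source"><Node><Address category="ipv4-addr">203.0.113.9</Address></Node></System>
   <System category="target"><Node><Address category="ipv4-addr">203.0.113.250</Address></Node></System>
  </Flow></EventData>
 </Incident>
</IODEF-Document>"""


def parse_report(xml_text):
    """Extract the fields the correlation needs from every Incident in one IODEF document."""
    root = ET.fromstring(xml_text)
    incidents = []
    for inc in root.findall("iodef:Incident", NS):
        report_time = inc.findtext("iodef:ReportTime", namespaces=NS).strip()
        sources = inc.findall(
            "iodef:EventData/iodef:Flow/iodef:System[@category='source']"
            "/iodef:Node/iodef:Address", NS)
        incidents.append({
            "id": inc.findtext("iodef:IncidentID", namespaces=NS).strip(),
            "org": inc.findtext("iodef:Contact/iodef:ContactName", namespaces=NS).strip(),
            # ReportTime carries its own UTC offset; convert so that reports
            # stamped in different zones compare on a single clock.
            "time_utc": datetime.fromisoformat(report_time).astimezone(timezone.utc),
            "sources": [a.text.strip() for a in sources],
        })
    return incidents


def shared_sources(incidents):
    """Source addresses reported by more than one organisation, with the reporters."""
    seen = defaultdict(set)
    for inc in incidents:
        for addr in inc["sources"]:
            seen[addr].add(inc["org"])
    return {addr: sorted(orgs) for addr, orgs in seen.items() if len(orgs) > 1}


def timeline(incidents):
    """Incident IDs in order of their UTC report time."""
    return [inc["id"] for inc in sorted(incidents, key=lambda i: i["time_utc"])]


if __name__ == "__main__":
    incs = parse_report(REPORT_A) + parse_report(REPORT_B)
    for inc in incs:
        print(inc["id"], inc["org"], inc["time_utc"].isoformat(), inc["sources"])
    print("seen by more than one organisation:", shared_sources(incs))
    print("order by UTC report time:", timeline(incs))
```

Run stand-alone, the block lists both incidents with their UTC times, reports 192.0.2.200 as the one address both organisations saw, and orders A-1001 before B-2002: the Org B report is stamped 05:30 local, earlier than Org A's 10:15, but on UTC it is the later of the two, which is the kind of detail the item says organisations previously had to resolve by hand.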



Mobile Development from Apress
The largest catalog of quality books for Android, iPhone and iPad developers
[Link]/mobile
360°
Your chance to have your say …

This issue represents the first year of the subscribed DF magazine and during that year your feedback has played an important part in how the magazine has developed in style, content and layout, as well as how we provided the online version of the magazine. To improve the way we deal with your problems we have added a technical support facility to the website, allowing users to register the problems they are experiencing. If you have a problem and need technical support, please click on the Support menu item on the left hand side of the DFM website “Home Page” and follow the simple submission process.

Send your letters and feedback to: 360@[Link]

/ PRINT ISSUES

I have a recent print and online subscription to the magazine but haven’t received a print copy of the current issue – can you let me know if/when I’ll receive it?
Jonathan Krause

I have checked the system and your order was received on the 16th August 2010. This was after the 1st August when Issue 4 was released. When orders are received we start sending the subsequent print issues and your first print issue will be the November Issue of the magazine; your annual subscription entitles you to 4 issues from the date of purchase. You do, however, get instant online access to all issues. Issues that are required prior to the date of invoice are sold as back issues. We do it this way to simplify the order management process; if we were to send you the previous issue we would have to reset the date of the annual subscription to a date prior to the previous issue. If we did not do this date reset you would receive 5 issues instead of the 4 for your annual subscription. The system is set up in this way to minimise manual input, which subsequently keeps our costs down and the price of the magazine at exceptional value for money.

Flash trouble

I am a subscriber but I cannot download to my iPad, which is why I subscribed in the first place. How can I download the PDF file without being forced through flash?
Matthew Jett Hall

Following this email from Matthew we investigated the whole iPad issue and I extracted the following from the Blog and Newsletter to provide advice to those who want to use such devices.

We’ve been evaluating some of the devices available and believe that the best platform for viewing DFM, other than a typical PC laptop or Mac book, is the iPad. We have carried out evaluations of various other devices. The pros and cons of each are listed here:

Amazon Kindle
The Amazon Kindle device is great for reading novels and newspapers and in the mode where you are not using the Whispernet technology the power consumption is kept to an absolute minimum. You could potentially get weeks of usage out of your Kindle with just one charge. However, the e-ink technology, which is the main reason for the Kindle’s low power consumption, will not view hi-res images well. It’s ok for low-res images and text, but for DFM the content won’t appear nearly as nice. In trials the content is so degraded from the original, especially complex diagrams, that it’s not a good fit at this time.

iPhone 4
The iPhone 4.0 has a variety of new features; however, does it stack up as a magazine reader? With iBooks available and other applications, such as GoodReader on the App Store, you have a good choice as to how you might read a PDF. DFM however is an extremely rich medium, graphically speaking, and this is our priority 1 design consideration. We found you continually have to zoom and pan to read even the most straightforward of articles and when you start to try to consume an article that’s complicated, it is just too hard to work with.

Other Mobile Phones
Other mobile devices, including Blackberry, Windows Mobile, Palm Pre and a Nexus 1, were much the same as the iPhone when it came to reading the magazine. Reading was possible on all of them; however, like the iPhone, the more complicated articles were hard to consume properly. The Windows devices rendered the large PDF quite slowly and seemed to lose resolution in the text when zoomed. We are not sure if this was a device specific problem or an OS problem.


/ LETTERS

iPad
First we tried the magazine using Safari; however, they have not resolved the authentication issues yet. We tested using iBooks and GoodReader. We found that the experience with GoodReader, especially in being able to browse directly into your DFM account from within the application and download directly to the iPad, into a DFM specific folder, made the experience seamless. The page turning in both iBooks and GoodReader was nice, but the experience of reading in iBooks, we thought, was slightly better than in GoodReader.

In conclusion, it’s up to you to decide how you want to consume your own media when you are out and about; however, the preference with the DFM team is to use the iPad with iBooks 1.1.2.

Logging in
The following email trail led to the solving of an issue that has plagued a number of subscribers and with a little help from Keith we got to the bottom of it.

I tried to read issue 4 today and I receive a message that says, “You must be logged in to read this material”. I am logged in through your site. Is there a problem today or am I just missing something?
Keith J. Jones

A few people experience this problem and we’ve not got to the bottom of it yet. Some people seem to experience the problem when in Private Browsing mode, although I’ve not been able to reproduce that myself. Also, some people have had a problem with Safari, so if you are using Safari, can you try another browser just in case it’s that. Otherwise, you are free to download the PDF of any of the issues from the “Downloads” section of the website and read the magazine offline. Let me know how you get on?

I figured it out. I had “noscript” running in Firefox, so it was blocking something that probably passed my credentials. Hope that helps! Thanks for getting back to me so quickly!
Keith J. Jones

Following Keith’s response we did some more digging and have now added the following to the knowledge base on the support section of the website.

Some people have experienced problems with using Safari to view our site. This is apparent when they log in using their DFM credentials and for some reason the system has not recognised them as being logged in. If this is happening to you and you are using Safari, can you first try logging in from another browser?

Secondly, some people have experienced problems with their system not working properly if they have clamped down the browser with a variety of script exclusions, or even, in the case of Firefox, the noscript setting. If you have some of these tightening of controls set, you might want to consider relaxing them for our site.

Lastly, as a belts and braces approach, we will reset the permissions for your user account to make sure the system is configured as it should be for your level of access. Please give us 24 hours and try to log in again. If you still have problems, then we can investigate further.

Keith’s solution also helped Vijay:

Great, thanks; I can now see all the issues! I had AD Block Plus installed but I configured an exception for the zmag and digital forensics magazine website. Thanks again for your help!
Vijay

Competition winner
We received this letter from the winner of the SANS competition:

I am delighted that I have won access to such a prestigious event as the SANS Summit and would like to extend my gratitude for the opportunity that you have given me. Having access to such an invaluable resource as the SANS Summit where some of the greatest minds in the industry get together is beyond value. As most individuals in the Forensic Community are aware there is no better resource or collection of resources than SANS. Again I would like to thank you for this spectacular opportunity.
Brian Quinn

Enjoy the summit; having attended the UK Summit I know you will enjoy the US Summit. We must also pass on our gratitude to SANS who graciously provided such a superb prize.


Shape your future

Forensic Computing MSc / Forensic Computing BSc Honours
Computer Security MSc / Computer Security BSc Honours

To find out more visit [Link]/technology or contact us:
T: (0116) 257 7456
E: technology@[Link]


/ FEATURE

THE IDEAL DF COURSE
How to design a Fit-for-Purpose Digital Forensics Curriculum
by Christa M. Miller, Tim Watson, Gary C. Kessler and Harry Parsonage

/ ENTRY

No one disputes the growing need for digital forensics experts and services. Cybercrime and digital forensics topics appear daily in mainstream news. Each story highlights a trend or single high-profile case in which digital forensics played a prominent role.

Demand for digital forensics expertise is high, and in a push to supply it, many colleges and universities have created courses, certificates, and degree programmes. In doing so, however, they may be focusing on the wrong thing: the popularity of digital forensics. This is evident in the way that many of them merely replace or adapt existing computer science courses.

To remain competitive in the long run – to continue to profit from digital forensics curricula – academic institutions must be able to graduate properly educated and trained examiners who fulfill the need for their expertise. Thus digital forensics curriculum designers must answer a number of critical questions:

• What should the degree include? What is the balance between theory and practice?
• What is the scope – the balance between breadth and depth?
• What kinds of facilities and equipment are necessary?
• Who should teach; should teachers be practitioners?
• How to ensure graduates have the skills they need at the end of four years?
• How to ensure consistency across institutions?

/ The balance between theory and practice

Industry recruiters want candidates, preferably with experience and/or certifications on tools like EnCase or FTK, whom they can put to work immediately. Indeed, hiring managers have difficulty finding candidates who have practical experience dealing with hardware either inside or outside of their courses – much less hands-on practical experience with computer forensic examinations. This is, to some degree, a chicken and egg situation where candidates can’t get practical experience because nobody will give them a job for lack of experience; the obvious answer is for them to get it during their education.

Yet students are at university for an education: to learn the concepts underlying the tools. Too much practice and the programme becomes little more than training; too much theory, and the student’s education becomes irrelevant to the industry. The right mix creates practitioners who understand enough of their discipline to respond to change when it happens – if not anticipate it beforehand.

At De Montfort University in Leicester, UK, the balance is split about 50/50. The first two years of a four-year course use theory combined with practical work to prepare students for the second two years: a third-year placement, or internship, and a final year at the university that includes a year-long project.

During the first two years, students learn computer science in digital forensics-focussed classes that show them how applications, databases, operating systems, networks and websites (among other elements) work. It is a generalised curriculum tracked to the students’ needs, and prepares them for the “field” work they will do in their third year.

A placement can be in the public or private sector, with students going to law enforcement agencies or working for private consultants, forensic accountants, or any related role.

/ EXPERT TIP
Students at the University of De Montfort-Leicester do not have a “required reading” list. Professors have found that often, the intensity of some courses requires students virtually to eat, sleep and breathe the subject matter – so that it is usually enough for them to “gently suggest” that the book list would help their studies go much more smoothly.


In the fourth year, the student spends 25 percent of his The idea, then, is to aim for “mile wide / inch deep”
or her time on a project related to a chosen specialism. The education, covering as much as possible so that students are
other 75 percent goes towards cementing core competencies exposed to specialism’s which they may opt to learn more
needed to continue in that specialism. about in the future.
Meanwhile at the graduate and postgraduate levels, curricula At De Montfort, rather than attempt to support many
should be more technical, closer to computer science. This different curriculum streams, curriculum designers provide all
allows students to understand digital forensics as a science. students with a working knowledge of four core areas:
A practitioner does not need to be a scientist, of course, and a
scientist often does not make a good practitioner. The proper • “Traditional” computer forensics using EnCase, FTK and
balance is for scientists to help practitioners understand the other commonly accepted commercial tools
complexities of the media they examine. • Mobile and small devices
Put another way, graduate-level digital forensics curricula • Corporate incident response including e-discovery and
must be able to produce experts who can explain why and post-mortem network forensics
how computers can work one way one day, and in another • Live forensics, including memory dumps and encrypted
way the next. Such variances mean that an examiner cannot drives, and reverse engineering
always obtain precisely the same results. A practitioner may
not be able to answer why, but a scientist could. Thus graduate
programmes should be able to produce scientists, and a body BY THE TIME THEY GRADUATE,
of work to go with them, that support practitioners’ daily work. students of digital forensics
/ Degree programmes’ purpose and scope should be able to question
In the United States, degree programmes are based upon methodologies, results, and
a certain number of credit hours. As such, different schools
come up with different programmes based upon credit other investigative aspects
requirements. However, all should include certain foundation
classes on computing, operating systems and networks, At Champlain College in Vermont (USA), meanwhile, the
along with criminal procedure and tort law. Whether it should Computer & Digital Forensics curriculum has evolved over
also include related areas like audio/video analysis, cell site time together with the industry. Three courses focus on
analysis, forensic accounting, and steganography is another computers, operating systems and networks, in particular
question. So many forensic specialisms exist, in fact, that it how user interfaces differ across operating systems. Another
would be impossible to cover them all in four years. three courses cover criminal procedure and law. (This part of
the curriculum was developed in 2003, in response to the law
enforcement community needs identified after September 11)
The eight or nine courses left for digital forensics teach basics
such as report writing, how forensic tools work, cybercrime, and
network investigation. Instructors also cover the rudiments of
disciplines like forensic accounting, so that practitioners can
recognize it when they see it and know whom to call.
And, because the last few years have seen growth in civil-
side hiring, Champlain’s curriculum has recently included
courses on e-discovery, courtroom testimony and anti-
forensics. Mobile device forensics, too, has gone from only
cursory mentions in 2005 to being a much more significant
part of coursework.

/ Teachers, professors, practitioners


In higher education, a teacher’s sole purpose is to get
students to think critically. By the time they graduate,
students of digital forensics should be able to question
methodologies, results, and other investigative aspects. Thus
forensics teachers should be practitioners on some level, in
order to design exercises that simulate practice.
Because the best curriculum is a mix between practical and
theoretical, the teachers reflect the courses. Guest lecturers
at De Montfort teach master classes in topics such as cell
site analysis, while courses on reversing malware combine
teaching from academics and industry leaders alike.

Hiring the digital forensics instructor, whether professor or guest lecturer, should be very flexible; the goal must be to find engaged, inspiring educators who know what they are talking about. They must be or have been involved with research and/or involvement in the greater community, such as through consulting – in other words, doing the job they will be training students to do.
A caveat: lack of formal education is anathema to most academics, especially when institutions seek accreditation. Digital forensics educators are especially vulnerable because of the field’s newness; in a way, forensics is in the same position the first sciences were hundreds of years ago – they didn’t exist, and only a few pioneers without graduate or postgraduate degrees knew enough to define their fields. So while it is important to draw from the pioneers and the “grunt” practitioners – the people who best understand the field to the extent that they balance theory and practice in their work – it is also important to develop the scientists who will ultimately lend credibility to any programme.

/ Teaching how culture affects digital forensic practice
Finding good instructors can be difficult depending on location, so curriculum developers should consider creating online courses – which can benefit from instructors who teach all over the world. A secondary benefit: learning how digital forensics is handled in other countries. This is important not just in terms of rule of law, but also in terms of culture. These are important subjects for undergraduates to understand from a practical standpoint – they may find themselves working with police or service providers in other countries – and for graduate students to understand from a management perspective.
For example, what happens when a Saudi investigator encounters child pornography in an American lab? Or when a “routine” investigation in the West presents serious moral issues for Middle Eastern investigators? The Koran’s precepts require that the need for a thorough investigation be balanced against the privacy of the one being investigated.
It is not necessary for international instructors to teach extensively about Frye and Daubert to American students, or about the Association of Chief Police Officers standards to English students; they should be able to refer to them, but also pull from their own laws and codes of conduct.

/ Necessary facilities and equipment
It’s tempting to look at large-scale digital forensics labs like the ones at Purdue University and the University of Tulsa and think every academic lab should look the same. However, these labs support practitioners who process actual cases. This is not the norm, and is not likely to become the norm. Thus lab directors must question whether a set of US$8,000 FREDs (Digital Intelligence’s Forensic Recovery of Evidence Devices) is really necessary for their purposes. For instance, FTK 1.0 can process hard drive images containing fewer than 5000 files. Champlain bought two underutilized FREDs cheaply from a local lab, although instructors task on-campus and online students to build their own forensic towers and toolkits, which they can use every day.
Even at that, however, academic institutions should not plan to get by with demo versions. Instead, they should be prepared to pay for annual licenses for full versions of industry standard software including EnCase, FTK, Cellebrite, XRY, and so on. This is the only way for students to become familiar with tools by the time they enter their third-year placement.
Still, paid-for licenses are not enough. Students must be able to analyse data without common tools; not only must they be able to validate their software, they must also be able to obtain hard-to-get data using open source tools, scripts they have written, and other measures.
They must also have access to equipment that allows them to understand digital media at their deepest levels. In digital forensics, examiners are faced with virtually everything and anything made in the last 10-15 years: various versions of Windows, Linux, Solaris and other operating systems, of many applications and web browsers, and so forth.
In addition, the nature of some of the coursework, which could include penetration testing and malware analysis, is a security risk to the rest of campus and beyond. It requires a specialised lab with its own separate IT infrastructure. This is expensive – costing into the hundreds of thousands of pounds – but important in order to avoid the escape of malware into the wild.
Needless to say, security and supervision are critical for this sort of facility. At De Montfort, students are constantly supervised, and not allowed into the department’s two dedicated labs apart from scheduled hours; even cleaners cannot enter the space without supervision. (One “general” lab is maintained for non-sensitive projects.) The lab supervisor, meanwhile, is a dedicated staff forensic analyst, whose duties include system backups, the creation of lab practicals, research, and so forth.

/ Ensuring up-to-date skills
Students do not leave university for four years. Consider that in this time:
• Mobile device forensics went from an obscure specialism to an examination which even average investigators must be familiar with.
• GPS devices went from a “nice to have” luxury item to key evidence in homicide, stalking, domestic violence, and child predator “traveler” investigations.
• Hard drive storage sizes increased exponentially, to the extent that “triage” has become a digital forensics buzzword.
• Memory dumps went from being the domain of corporate incident responders, to a necessity in on-site crime-scene previews of live (and possibly encrypted) computers.



At De Montfort, faculty have found that the things they teach students in their first two years remain relevant by the end of the fourth, but technological advances occur so rapidly that professors must update their courses regularly – sometimes even as they are teaching. This is particularly true of techniques, which can change as often as annually.
Curricula must also take into account that most textbooks are inaccurate, even if recently published. De Montfort teachers constantly update their book list, and do not create courses based on any book; no textbook currently covers the range of topics needed to allow for this. Champlain instructors, meanwhile, use dynamic sources of information to bridge learning gaps: e-newsletters, wikis such as ForensicsWiki, blogs, and so forth.
Additionally, some procedures cannot be learnt from textbooks alone. Capturing RAM data from a Linux device, for instance, or seeing live packets transmitted over Wireshark are uniquely hands-on; many books on these topics contain procedural errors. Preferable is for students to complete their own experiments, which forces them to think more judiciously about the process.
In fact, De Montfort programme directors have found that third-year students become useful team members at their placements within their first few weeks. Likewise, Champlain programme directors report that employers can hire a graduate to send to vendor training and end up with a highly proficient examiner within six months.

/ Institutional consistency vs. programmatic diversity
Across institutions, across regions, across countries, consistent training and education will ensure that forensic examiners can share information with likewise trained and educated counterparts.
Consistency should not remove diversity, however; diversity is what makes the digital forensics field adaptable. It is crucial for all digital forensics graduates to share core competencies; this lends credibility in an academic world. But for all programmes to parrot each other could ultimately hurt students. One employer’s bad experience with students from one school could affect all the others; the stigma of a “bad programme” is hard enough to get over as it is.
A standard approach could be a kernel: 40 credit hours rather than 60, for instance, with programmatic diversity based on the geographic area in which the school is located. For example, the digital forensic needs of Chicago’s financial services will be much different from the governmental concerns of Washington, DC.
Another approach would be for the digital forensic industry itself to develop minimum training standards that focus on process. It is helpful when a job candidate applies to a shop that uses the tools s/he is most experienced in, but it is better when that candidate knows when to use each tool and why. The minimum standard would assure consistency of process, without being so rigid that examiners could not adapt to the industry’s dynamism.

/ Only the beginning
These questions are just the beginning. The broader question is whether digital forensics should, like both medical and legal professions, have formal career structures, with examiners obtaining core knowledge and developing specialisms later on.
Support personnel and how to train and educate them must also be addressed. Where doctors have nurse practitioners and nurses, and attorneys have paralegals and clerks, digital forensics examiners can expect support from law enforcement, corporate security, information technology, and professionals from various other “crossover” fields, many of whom will find themselves in the position of “first responders.”
Thus the training and education of these professionals must be as consistent as those for digital forensic examiners. Students should be given a global perspective about why they do what they do: not just trained for civil or criminal investigations, but also for incident response, with the ability to see both sides and their similarities and differences. /

/ Author Bios
Christa M. Miller is a writer and public relations consultant who specializes in digital forensics and law enforcement. She has had more than 100 articles published in US trade magazines; as a consultant, she works with clients such as Vere Software, Continuum Worldwide, Teel Technologies and the International High Tech Crime Investigation Association.

Dr Tim Watson is the head of the Department of Computer Technology at De Montfort University and the leader of its computer forensics and security group. With more than twenty years’ experience in the computing industry and in academia, he has been involved with a wide range of computer systems on several high-profile projects and has acted as a consultant for some of the largest telecoms, power and oil companies. Tim is a regular media commentator on computer forensics and security.

Gary C. Kessler is an adjunct associate professor at Edith Cowan University in Perth, Western Australia, a member of the Vermont Internet Crimes Against Children (ICAC) Task Force, and director of training at BitSec Global Forensics. He was an Associate Professor and program director of the M.S. in Digital Investigation Management program at Champlain College in Burlington, Vermont, USA; he started the Computer & Digital Forensics (on-campus and online), Computer Networking, and Information Security majors at Champlain College, in addition to being the principal investigator at the Champlain College Center for Digital Investigation.

Sgt Harry Parsonage is a 30-year veteran of law enforcement and has spent 22 years as a Detective Sergeant investigating every kind of serious crime, including fraud and Internet crime. A digital forensics practitioner since 1999, he created the Nottinghamshire Police’s Hi Tech Crime Unit, which currently consists of a Detective Sergeant and seven technical staff. He is available on a limited time basis as a consultant in any area of computer forensics.



Understanding the digital picture
Cell site analysis, computer forensics, audio visual, questioned documents, mobile phone forensics.

MP3 players, mobile phones, laptops, Blackberries, SatNavs, printers, CCTV, digital cameras and more. These are the tools of a modern society, painting a digital picture of our everyday lives in images, emails and text. What can they tell us about someone’s behaviour and movements? How can we combine and present this evidence to support reliable verdicts in criminal and civil proceedings?
As part of the UK’s largest independent provider of forensics services, our digital and document investigators take a holistic approach that draws on a whole range of innovative and traditional methods to reveal high quality digital and documentary evidence that will stand up in court. Using the latest forensic techniques, we will work closely with you to establish the facts, applying years of forensics experience and understanding to uncover and follow all potential lines of inquiry.
For the complete picture visit [Link]
LGC Forensics. Tel: +44 (0)844 2641 999. Email: d&df@[Link]
PLEASE QUOTE REF: DFM0410 IN ANY CONTACT
© LGC Limited, 2010. All rights reserved. 2456/OR/0210

COMPETITION
/ To celebrate our 1st ANNIVERSARY in style, we’ve got a grand first prize plus four runners up prizes!
1st prize: Archos Player, books from O’Reilly and software from Kuiper Forensics
4 runners up prizes of software from Kuiper Forensics

/ Question
The competition this time is a little different. Following in the tradition of the great cyber challenge, we have a pleasant image for you to take a look at. However, not all is what it seems. All you have to do is go to [Link]/Issue5Comp and download the .jpg file you’ll find on that page. Now, using your skills as a digital forensics investigator, tell us what you did and what the secret answer is.

/ To Enter
To enter the competition all you need to do is send an email to competition@[Link] writing ISSUE5COMP in the subject line, including your name, address and phone number with your entry.

TERMS AND CONDITIONS
This competition is open to anyone aged 18 or over, except for employees of TR Media Limited and their immediate families. Only one entry is permitted per person. Entries can be submitted by email only and should be sent to competition@[Link]. TR Media shall not be responsible for technical errors in telecommunication networks, Internet access or otherwise, preventing entry to this competition. Closing date for all entries is on 31st December 2010 at 9.30am GMT. Any entries received after that time will not be included. The correct winning entries, chosen at random by the DFM team, will be notified by email on Monday 11/01/2011. The winners will be announced in Issue 6 of the magazine and on the Digital Forensics Magazine website. Submitting your entry constitutes your consent for us to use your name for editorial or publicity purposes, should you be one of the winners. TR Media Ltd reserves the right to change or withdraw the competition and/or prize at any time. By entering the competition, entrants are deemed to have accepted these terms and conditions.



/ FROM THE LAB

VOLATILE RAM
ANALYSIS
An introduction to RAM capture and analysis
by Ron Tasker

/ INTERMEDIATE

/ 5 things you should know about RAM
• RAM may be the only place where relevant evidence exists.
• Most modern RAM capture tools for MS Windows will image RAM from Windows 2000 onwards, including 64bit versions.
• RAM captures will be of better use later in analysis if the page file can be captured simultaneously; look for tools that do this.
• RAM is often temporarily dumped to hard media slack file space in MS Windows.
• Most modern RAM capture tools can work with most modern RAM capture analysis suites. This is not always true, though, so make sure that you check.

Only in the last few years has the practice of immediately powering a target PC off at the scene of a crime become viewed as less than best practice. In the UK, the Association of Chief Police Officers (ACPO) did not officially recognise the necessity of volatile data capture until 2009 (ACPO 2009). Unfortunately, there are no statistics for the seizure of volatile data captures recorded by first responders; however, the lack of prosecutions relating to evidence from volatile RAM capture may suggest that volatile data is rarely captured at the scene of seizure, regardless of whether the target machine at point of seizure is powered on or off. It would seem that in many cases, first responders are too zealous to comply with ACPO principle 1, which states that “No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.” (ACPO 2009; pp4), whilst not understanding ACPO principle 2, which states that “In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.” (ACPO 2009;
High profile cases such as those of Aaron Caffrey and Julie Amero have highlighted a new risk for investigators, that of the ‘Trojan Defence’. In simple terms, this is where the suspect blames their actions on the target machine; more specifically, on malware loaded on the target machine, which performed malicious acts without the knowledge of the user. This, of course, is entirely feasible. Virus payloads, Trojans or keyloggers are commonplace in the modern internet connected world, but how does an investigator actually know if malware was present on a target machine at the point of seizure if RAM is not captured? Some malware may leave traces or even copies of itself on hard media; however, there is a growing category of memory resident malware. This malware loads onto the target machine every time the machine connects to the source (usually the internet) and leaves no trace of itself on hard media. In this situation, how can investigators prove the guilt of a suspect who claims the ‘Trojan Defence’? More importantly, how can examiners exculpate an innocent suspect where memory resident malware has been responsible? RAM capture at the point of seizure and its subsequent analysis could be the only way to eliminate memory resident malware as the cause of any malicious activity.
Given the seemingly obvious benefits of RAM capture at the point of seizure, it is judicious to examine some of the reasons RAM capture is not performed routinely by first responders, where possible.
It could be the fear of ‘tainting’ evidence. This is based on Locard’s exchange principle, which states that when two items come into contact with each other, there will always be an exchange of evidence. In terms of RAM capture, this means that first responders may alter primary evidence (in this case target machine RAM and hard media) through their interaction with it, risking the inadmissibility in court of any evidence subsequently discovered. ACPO guidelines, however, are clear on what investigators may do to target machines in a powered on state (ACPO 2009; pp18). The prescribed list includes running a list of processes and capturing a binary dump of RAM. Given the pressing argument for collecting RAM based evidence, and as long as principle 2 (ACPO 2009) is adhered to, it may seem that RAM should be captured in all cases. However, RAM is captured in very few cases.
One potential reason for this is that the ACPO guidelines (ACPO 2009) contain references to the performance of a ‘risk assessment’: “Perform a risk assessment of the situation – Is it evidentially required and safe to perform volatile data capture?” (ACPO 2009; pp19). As first responders are often non-technical, it is possible that they often do not feel that they are qualified to make such a judgement. It could be argued that there should be



pressing reasons why RAM should not be captured before the process is not carried out.
Training is certainly a factor and it may be argued that first responders (often Scenes of Crime Officers) could readily be trained to perform RAM capture since, as will be shown in this article, it is a relatively non-technical operation and has minimal risk to evidence integrity if performed correctly.
It is, of course, true to say that due to the very nature of volatile RAM, once a target machine has been powered off, then data in RAM is lost, if not captured. This means that reproducibility may be an issue since the RAM capture can never be reproduced. Reproducibility has long been a principal tenet of forensic science. This is where effective documentation and the proper use of photography can help. It could be argued that the destructive process is not the RAM capture, but powering off the target machine. In many ways, this could be viewed as no different to cleaning up after fingerprinting has taken place, as this, in effect, prevents the reproducibility of the fingerprinting exercise. This is accepted as a necessary risk to evidence with fingerprinting and many other forensic techniques. After all, what does the investigator lose by capturing RAM versus the potential benefits of doing so? RAM capture, when carried out effectively, is an extremely easy procedure with very few changes made to a target machine.

/ RAM capture made easy
A RAM image was taken using ManTech Memory dd (MDD), which is a memory dump tool produced by ManTech and is free to use. This tool is straightforward to use and creates a RAM dump which is compatible with many analysis tools. It is very simple to run and need not be installed on the target machine as it is a stand-alone .exe command. The code in mdd_1.[Link] is statically linked. This means that no operating system DLLs are called for the process. In this case, it was run from a USB drive, which also served as the recipient drive for the subsequent RAM capture. Figure 1 illustrates this.

Figure 1. Creating a RAM dump from the target machine using MDD

Figure 1 shows that of the 245,628 memory locations found during the MDD dump process, 33 of them could not be mapped. This is usual and is likely to reflect the memory locations changing during the MDD transfer process itself. 245,595 memory locations were mapped, however. The target output file was called ‘targetout’ and (due to the lack of an alternative directory specification) was deposited in E:\MDD – in this case a USB stick. The total process took 632 seconds to map ‘targetout’. During the RAM dump process, MDD calculates an MD5 hash of the generated target file. In terms of the Windows registry, this process has generated a registry key in the recent items list for the process [Link].
The file ‘targetout’ is a byte for byte copy of the RAM installed in the target machine (in this case 1Gb). This is the file that will be used for analysis in the next part of this article. Following the output of the ‘targetout’ file, the file should be separately verified for its MD5 signature on the investigator’s laptop. Figure 2 shows a listing of E:\MDD.

Figure 2. ‘targetout’ RAM dump written to USB

We have now performed a RAM capture from the target machine using MDD, saved to a USB drive for later analysis. It’s that easy!
At this stage, we are ready to remove power from the target machine and perform offline analysis of the RAM dump using a laboratory based analysis machine. The only effect of our live explorations has been the creation of a single registry key (in recent files), which should be noted for information during the hard media analysis.

/ Installation of the Analysis Machine
Now that we have the RAM capture, we are ready to analyse it. Volatility has been chosen for this article, as it is an open source suite of RAM image analysis tools based on Python



script. It is extremely flexible and because of its open source nature, many plug-ins are available for it.
In order to install Volatility, first the Python interpreter was downloaded and installed. This is an open source project and the interpreter is available from [Link]. On the analysis machine, the Python interpreter was installed into C:\Python27 and this directory was added to the %path% environment variable.
The Volatility toolkit itself is produced by Volatile Systems and freely available at [Link]. The toolkit is essentially a set of Python scripts, which may be executed using the Python interpreter that was previously installed on the analysis machine. The Volatility tools require no actual installation and on the analysis machine they were copied into the directory d:\v.

/ Tangential Topic
Why don’t non-technical (in the IT sense) first responders capture RAM? It is easy, procedural, straightforward and logical if implemented correctly. The steps for RAM capture are few and the training required would be minimal. The same principles of evidence handling apply to RAM captures that first responders such as SOCOs are extremely well versed with, and no IT technical knowledge is required.
Shouldn’t first responders be trained to capture RAM if a computer is found powered on at the scene of a crime or evidence seizure? Are we dealing with ‘Technofear’ or are there real reasons why a rigorous, documented, simple RAM capture procedure should not be adopted by first responders?
I am sure that everyone will have their own opinions on this subject, but what is difficult to deny is the potential loss of evidence and leads that might occur if RAM is not routinely captured and examined.

/ A few basic volatility commands
In this next section, now we have seen how easy it is to capture RAM using the command line, we will look at just how easy it is to run some basic tests on the file that we captured (‘targetout’) using Volatility. All tests are run from a simple command line on the analysis machine.

/ ‘ident’
Running the volatility ‘ident’ plugin will give a basic initial picture of the memory image. The command is run using the syntax:
python volatility ident -f targetout
Figure 3 shows the output. The name of the image file is shown, in this case ‘targetout’, along with the image type, XP Service Pack 3. In addition the VM type is shown as ‘pae’. In this context, a VM type of PAE shows that at the time that the image was created, the operating system was set to ‘Physical Address Extension’ type. This means that the operating system was able to access more than 4Gb of virtual memory space.

Figure 3. Output from the ‘ident’ command
Figure 4. Output from the ‘pslist’ command
Figure 5. Output for ‘[Link]’ from ‘files’
Figure 6. Output for ‘mdd_1.[Link]’ from ‘files’



The ‘DTB’ field shows the physical memory address (‘offset’)
of the directory table base and the ‘Datetime’ field shows the
date and time that the image was created. This test just gives
us a baseline of what the RAM capture file is. The results should
be compared with those expected (it is assumed that the MD5
has already been checked against that shown in Figure 1). In our
case it is exactly what we expect from our capture file.
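The MD5 check assumed above is the first thing to do on the analysis machine, before ‘ident’ or any other plugin is run. The following is an added example, not the article’s own code: it recomputes the hash of the capture file in chunks, compares it with the value noted from the MDD screen at capture time, checks that the file is a whole number of 4 KiB pages (that a raw dump is page-sized is an assumption), and builds the contemporaneous note; the capture file it writes is constructed test data, not a real dump.

```python
"""Added example (not the article's code): verify a RAM capture on the analysis
machine against the MD5 recorded at capture time, before any Volatility plugin
is run. The capture written here is constructed test data, not a real dump."""
import hashlib
import os
import tempfile

PAGE_SIZE = 4096  # x86 page size; a raw dump being a whole number of pages is an assumption


def md5_of_file(path, chunk_size=1 << 20):
    """Hash in chunks so a capture the size of the target's RAM is never read at once."""
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_capture(path, recorded_md5):
    """Compare the file on the evidence drive with the hash noted from the MDD screen."""
    size = os.path.getsize(path)
    actual = md5_of_file(path)
    return {
        "path": path,
        "size_bytes": size,
        "page_aligned": size % PAGE_SIZE == 0,
        "pages": size // PAGE_SIZE,
        "md5": actual,
        "match": actual == recorded_md5.strip().lower(),
    }


def write_constructed_capture(data, name="targetout", directory=None):
    """Write constructed bytes to a scratch directory so the check can be run offline."""
    directory = directory or tempfile.mkdtemp(prefix="ramcap_demo_")
    path = os.path.join(directory, name)
    with open(path, "wb") as f:
        f.write(data)
    return path


def contemporaneous_note(result, changes_to_target):
    """Plain-text note for the case file: what was verified and what the capture changed."""
    lines = [
        f"Capture file: {result['path']}",
        f"Size: {result['size_bytes']} bytes = {result['pages']} x {PAGE_SIZE}-byte pages"
        + ("" if result["page_aligned"] else " (not page aligned: check for a truncated write)"),
        f"MD5 recomputed on analysis machine: {result['md5']}",
        "Matches MD5 recorded at capture: "
        + ("yes" if result["match"] else "NO - stop and resolve before analysis"),
        "Changes made to the target during capture:",
    ]
    lines += [f"  - {change}" for change in changes_to_target]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed stand-in for a dump: two zero-filled pages.
    path = write_constructed_capture(bytes(PAGE_SIZE * 2))
    recorded = md5_of_file(path)  # stands in for the value copied from the capture screen
    result = verify_capture(path, recorded)
    print(contemporaneous_note(result, [
        "registry key created in the recent items list for the MDD executable",
        "capture written to the investigator's USB drive, not to the target's hard media",
    ]))
```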

/ ‘pslist’
The ‘pslist’ command will produce a list of the processes that would have been produced had the ‘[Link]’ command (or task manager) been run while the target machine was switched on. In other words, those processes that Windows can see by following the Active Process Links in the EPROCESS objects. The command is run using the syntax:
python volatility pslist -f targetout
Figure 4 shows the output from this command.
Figure 4 shows that all processes were created at approximately 10:33, with the exception of [Link] (PID 532) and mdd_1.[Link] (PID 408). This could be explained if 10:33 was the boot time of the computer. In this case, the examiner created [Link] and [Link] and they match Figure 1 above. NB, the time is in GMT and does not take into account daylight savings time. This accounts for the 1-hour difference between the mdd_1.[Link] time in Figure 4 and the screenshot in Figure 1.

Figure 7. A section of the output from ‘dlllist’ for [Link]
/ ‘files’
Once a Process ID (PID) has been identified which may be of interest, the ‘files’ command allows us to list what files were in use for a particular process. This may help when subsequently investigating hard media. Figure 5 shows the output of the command:
python volatility files -f targetout -p 1748
As can be seen from Figure 4 above, PID 1748 corresponds to ‘[Link]’. There is quite a lot of information here, most of it of limited use to investigators. However, towards the end of the listing, the file locations of the history and ‘[Link]’ files that were in use at the time of capture are clearly shown. This could give an excellent pointer to the whereabouts of any evidence when later looking at hard media.
Not all processes are as complex. Figure 6 shows the output from the command:
python volatility files -f targetout -p 408
PID 408 is the mdd_1.[Link] process run by the investigator.
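The boot-time reasoning applied to Figure 4 in the ‘pslist’ section above can be made mechanical. The following is an added example, not the article’s code: it reads a pslist listing in the Volatility 1.x column layout (assumed), takes the earliest real creation time as the boot estimate, groups processes started within a few minutes of it as boot-time, marks the later ones the investigator knowingly ran, and leaves the remainder as the candidates for ‘files’ and ‘dlllist’ follow-up. The listing, process names, PIDs and the MDD executable name are all constructed.

```python
"""Added example (not the article's code): triage a Volatility 1.x-style 'pslist'
listing by creation time. Column layout, process names, PIDs and the MDD
executable name are assumptions; the listing is constructed."""
from collections import namedtuple
from datetime import datetime, timedelta

Process = namedtuple("Process", "name pid ppid created")

# Constructed sample in the style of Volatility 1.x 'pslist' output (assumed layout).
SAMPLE_PSLIST = """\
Name                 Pid    PPid   Thds   Hnds   Time
System               4      0      56     256    Thu Jan 01 00:00:00 1970
smss.exe             356    4      3      21     Tue Oct 26 10:33:02 2010
csrss.exe            404    356    11     412    Tue Oct 26 10:33:04 2010
winlogon.exe         428    356    19     506    Tue Oct 26 10:33:05 2010
services.exe         472    428    16     274    Tue Oct 26 10:33:06 2010
explorer.exe         1256   1180   12     389    Tue Oct 26 10:33:41 2010
jusched.exe          192    1256   2      78     Tue Oct 26 10:33:50 2010
browser.exe          1748   1256   14     401    Tue Oct 26 10:34:12 2010
updater.exe          1904   472    3      61     Tue Oct 26 10:58:10 2010
cmd.exe              532    1256   1      32     Tue Oct 26 11:07:45 2010
mdd_1.3.exe          408    532    1      25     Tue Oct 26 11:08:03 2010
"""

TIME_FORMAT = "%a %b %d %H:%M:%S %Y"   # pslist prints GMT
EPOCH_FLOOR = datetime(1990, 1, 1)     # earlier than this means "no real timestamp"
BOOT_WINDOW = timedelta(minutes=5)     # processes this close to the earliest count as boot-time


def parse_pslist(text):
    """Parse data lines (name, four integers, five time tokens); the header has fewer fields."""
    procs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 10 or not parts[1].isdigit():
            continue
        created = datetime.strptime(" ".join(parts[-5:]), TIME_FORMAT)
        if created < EPOCH_FLOOR:
            created = None  # e.g. System, whose create time is unset
        procs.append(Process(parts[0], int(parts[1]), int(parts[2]), created))
    return procs


def boot_time(procs):
    """Earliest real creation time, used as the boot estimate (the 10:33 reasoning above)."""
    times = [p.created for p in procs if p.created is not None]
    return min(times) if times else None


def triage(procs, investigator_tools, window=BOOT_WINDOW):
    """Split processes into boot-time, investigator-started, unexplained and unstamped."""
    boot = boot_time(procs)
    known = {name.lower() for name in investigator_tools}
    groups = {"boot": [], "investigator": [], "unexplained": [], "no_timestamp": []}
    for p in procs:
        if p.created is None:
            groups["no_timestamp"].append(p)
        elif boot is not None and p.created - boot <= window:
            groups["boot"].append(p)
        elif p.name.lower() in known:
            groups["investigator"].append(p)
        else:
            groups["unexplained"].append(p)  # candidates for 'files' and 'dlllist'
    return groups


def to_local(timestamp, utc_offset_hours):
    """pslist shows GMT; the capture screenshot shows the target's local clock (BST is +1)."""
    return timestamp + timedelta(hours=utc_offset_hours)


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    groups = triage(procs, ["cmd.exe", "mdd_1.3.exe"])
    print("boot estimate (GMT):", boot_time(procs))
    for label, members in groups.items():
        print(f"{label:13s}", ", ".join(f"{p.name}({p.pid})" for p in members))
```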

/ ‘dlllist’
‘dlllist’ is a command which allows the investigator to view which DLLs are loaded in memory by any particular process. One common way of subverting a process or acquiring access rights on a Windows machine is to change the DLL file in a way that compromises its intended functionality. This is known as ‘injection’. In addition, the process itself could be changed to load DLL files which the original process was never intended to use. This concept is known as ‘hooking’. By examining the DLL files loaded for a given process, suspicious DLL files could be identified for later examination of hard media. Figure 7 shows a section of the output from the command:
python volatility dlllist -f targetout -p 1748
PID 1748 is [Link].

Figure 8. An extract from the output of ‘regobjkeys’


Figure 7 shows all the DLL files that have been loaded for [Link], which has been used as an example. The important thing is that, in this test, no obvious suspicious DLL files were found.

/ ‘regobjkeys’
This test shows us what registry objects are open in RAM. The purpose of this test is to identify suspicious processes or registry keys in use at the time of RAM capture. Figure 8 is an extract from the output of the following command:
python volatility regobjkeys -f targetout
The section shown is simply an example; every running process shown by the pslist command has its own entry in the output. As can be seen in the pslist above, PID 192 relates to [Link], which is the Java Update Scheduler.
The full listed output from ‘regobjkeys’ in our example shows nothing suspicious and the PIDs listed match with those listed in pslist.

/ 5 Tips for RAM analysis
• Try to understand the memory structures of the operating system version of the RAM capture under analysis. For MS Windows, learn about EPROCESS and ETHREAD objects as a minimum.
• Study rootkits and other malware. When performing RAM analysis, many ‘tell-tale’ signs can be easily spotted if you know what to look for and easily missed if you don’t.
• Use a suite of RAM capture analysis tools that you feel comfortable with. It might be your job later to explain to the court exactly how your tools work!
• Automated reporting in all forensic tools is useful, but don’t forget to take notes. It’s often the crucial information that becomes evidence that is lost in automated reporting. This is particularly important when analysing RAM captures, as the evidence is frequently open to interpretation.
• Remember, when looking at RAM captures, chances are that the first responder made changes to RAM in the capture process. Always understand the changes and ensure they are properly documented.

/ ‘connscan 2’
The command ‘connscan2’ scans the target RAM capture
(targetout) and prints any outgoing TCP or UDP connection made Figure 9. output from the ‘connscan2’ command
at the time of the RAM capture. Figure 22 shows the output from
running the command: python volatility connscan2 -f targetout
As can clearly be seen, there were no outgoing connections
from the target machine at the time of the RAM capture.

THE FULL LISTED OUTPUT FROM


‘REGOBJKEYS’ IN OUR EXAMPLE
SHOWS NOTHING SUSPICIOUS
AND THE PID’S LISTED MATCH
WITH THOSE LISTED IN PSLIST
/ ‘sockscan2’
In many ways, ‘sockscan2’ is a more revealing command
than connscan2. ‘sockscan2’ analyses and lists TCP and UDP
sockets open at the time of the RAM capture. That means
ports opened to listen for instructions by running processes.
Figure 10 shows a section of the output from the command:
python volatility sockscan2 -f targetout
‘sockscan2’ shows the open sockets on the target machine
in terms of the PID of the process responsible, the open port, Figure 10. the output from ‘sockscan2’
the protocol type (e.g. 6 is TCP and 17 is UDP), the date and
time the socket was opened and the physical address in
memory of the socket object. / Author Bio
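The check the article applies by hand to the 'regobjkeys' and 'sockscan2' output, that every PID a scanner reports should also appear in pslist and that the open ports should be ones the machine is expected to have, can be scripted. The Python below is an added example written for this edit; it is not code from the article and not part of Volatility. It parses two constructed text extracts laid out like the columns the article describes (pslist: name, PID, parent PID, thread and handle counts, start time; sockscan2: PID, port, protocol number, creation time, physical offset). The exact column layout, the process names, the PIDs and the port baseline are assumptions made for the example, not output from the author's capture.

```python
"""Cross-check Volatility 'sockscan2' output against 'pslist'.

Added example, not code from the article or from Volatility. The two text
extracts below are constructed to look like the 1.x-era column layout the
article describes; real plugin output saved to a file can be fed to the same
functions. The column layout, process names and BASELINE are assumptions.
"""
import re

# IANA protocol numbers as printed in the Proto column (6 = TCP, 17 = UDP).
PROTO_NAMES = {6: "TCP", 17: "UDP"}

# Constructed pslist extract (assumed layout: Name, Pid, PPid, Thds, Hnds, Time).
PSLIST_SAMPLE = """\
Name                 Pid    PPid   Thds   Hnds   Time
System               4      0      55     261    Tue Oct 05 09:12:38 2010
services.exe         672    628    16     280    Tue Oct 05 09:12:40 2010
svchost.exe          1048   672    62     1033   Tue Oct 05 09:12:41 2010
wuauclt.exe          1536   1048   4      112    Tue Oct 05 09:13:05 2010
"""

# Constructed sockscan2 extract (assumed layout: PID, Port, Proto, Create Time,
# Offset). PID 2212 has no pslist entry and listens on TCP 4444; PID 1048 has
# one UDP listener beyond the baseline.
SOCKSCAN_SAMPLE = """\
PID    Port   Proto  Create Time               Offset
4      445    6      Tue Oct 05 09:12:40 2010  0x01e8a3c0
4      139    6      Tue Oct 05 09:12:40 2010  0x01e8b1a0
1048   135    6      Tue Oct 05 09:12:44 2010  0x01f02d08
1048   123    17     Tue Oct 05 09:12:45 2010  0x01f03bd0
1048   1900   17     Tue Oct 05 09:12:46 2010  0x01f04a90
2212   4444   6      Tue Oct 05 09:40:17 2010  0x02a117e8
"""

# (port, protocol number) pairs the analyst expects on this build. An
# assumption for the example; in practice it comes from a known-good image.
BASELINE = {(445, 6), (139, 6), (135, 6), (123, 17)}

_PSLIST_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")
_SOCK_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s+(0x[0-9A-Fa-f]+)\s*$")


def proto_name(number):
    """Map a protocol number to its name, keeping unknown numbers visible."""
    return PROTO_NAMES.get(number, "proto %d" % number)


def parse_pslist(text):
    """Return {pid: process name} from pslist text; header lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = _PSLIST_RE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs


def parse_sockscan(text):
    """Return one dict per socket from sockscan2 text; header lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = _SOCK_RE.match(line)
        if m:
            sockets.append({
                "pid": int(m.group(1)),
                "port": int(m.group(2)),
                "proto": int(m.group(3)),
                "created": m.group(4),
                "offset": int(m.group(5), 16),
            })
    return sockets


def review_sockets(pslist_text, sockscan_text, baseline=BASELINE):
    """Flag sockets whose owner is missing from pslist or whose port is off-baseline.

    A PID missing from pslist means either a hidden process (unlinked from
    the EPROCESS list) or a socket object left behind by a process that had
    already exited: sockscan2 is a pool scanner, so both cases surface here
    and the analyst has to tell them apart.
    """
    procs = parse_pslist(pslist_text)
    findings = []
    for s in parse_sockscan(sockscan_text):
        name = proto_name(s["proto"])
        if s["pid"] not in procs:
            findings.append((s["pid"], s["port"], name, "owner PID absent from pslist"))
        if (s["port"], s["proto"]) not in baseline:
            findings.append((s["pid"], s["port"], name, "port not in baseline"))
    return findings


if __name__ == "__main__":
    for pid, port, name, reason in review_sockets(PSLIST_SAMPLE, SOCKSCAN_SAMPLE):
        print("PID %-5d %s/%-5d %s" % (pid, name, port, reason))
```

Run as a script it prints the three findings from the constructed data; imported, review_sockets can be pointed at real plugin output saved to text. A PID absent from pslist is not on its own proof of a rootkit: the creation timestamp and the physical offset are what let the analyst separate a hidden process from a socket left behind by one that exited, and that is the kind of note worth taking before the automated report is written.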
Detailed analysis of this output shows no suspicious processes or open sockets, only those one would expect from normal Windows operation.

In this article we have had an introduction to simple RAM capture and analysis, using open source tools. There are, of course, many commercially available tools, although arguably none as customisable as Volatility. In the next issue, we will look at how rootkits work, how they hide processes and how we can use Volatility to detect their presence. /

/ Author Bio
Ron Tasker has over 20 years' experience in the IT industry. Beginning as an RAF apprentice, Ron has worked in a wide variety of roles such as Business Analyst, Project Manager and Product Development Manager. Ron has a BSc with first class honours from Leeds Met and has just completed an MSc in Forensic Computing at the University of Bradford. Ron's particular interest is the forensic capture and analysis of RAM images.


/ LEAD FEATURE

TRAINING IN LAW ENFORCEMENT
An analysis of the challenges and training requirements faced by law enforcement today
By Bev Nutter

/ INTERMEDIATE

Digital forensics as a profession is still comparatively new. Only in the last ten years has the industry really grown in size, fuelled by the increase in technology available to the general public. Within law enforcement, every UK force has some digital forensics capacity, but this differs greatly between forces with regard to staff levels, resources and organisation.

Training needs for digital forensics have some obvious differences from those in the 'traditional' forensics arena (e.g. fingerprints, DNA or firearms analysis). The techniques of traditional forensics do not have to change at the speed that digital forensic analysis must. A new technique could be developed to examine a version of a smartphone operating system that will only work for three months until a new operating system version is released. As a result, it is difficult to maintain up-to-date knowledge and competency in the field of digital forensics, and this creates unique demands on training.

Adequate and ongoing training of digital forensic staff working in law enforcement is crucial for three reasons. Firstly, to ensure quality work is done, and that the best possible evidence is provided to the justice system. Secondly, to ensure staff have the skills to research and document new technology, so that as soon as new devices are released the agencies have the ability to examine them. Thirdly, for digital forensics to be considered a forensic science, equal to other forensic disciplines, staff working in this area must undertake the appropriate professional development.

However, the current state of digital forensics training in many agencies is ripe for improvement. There are a number of challenges to overcome.

/ Challenges to training
1. Different backgrounds – Digital forensics staff often come from different professions with varying levels of knowledge. They may be IT professionals, recently qualified in computer science, electronic engineering or even digital forensics itself, or investigators who are moving into a technical arena. Some forces employ only police officers; others may employ only civilian staff or a mixture of both. Tailored training must account for these different starting points to ensure that employees complete the training to a common level of competence.

2. Cost – Technical training is costly (often £1,000 for a 3-day course) and in the current financial climate there is pressure on training budgets in both public and private sector organisations. An often forgotten additional cost is that of lost productivity while staff are out of the office attending courses, and this can easily mount up.

3. Evaluation of individual courses – In the digital forensics field, there are a large number of different courses, some of which are more popular than others, but no method for evaluating the quality of different courses other than by attending them. This will inevitably receive more attention in the current financial climate, where bids for training will be scrutinised closely and an applicant expected to clearly demonstrate the benefits of a particular training course.

One point that is worth emphasising again is that the function of training in this area is twofold: not only to share knowledge, but also to give a level of accreditation. For practitioners in the law enforcement field, a judge and jury will usually not have enough technical knowledge to evaluate whether the evidence that is given is correct. They will be influenced by the qualifications and experience that the practitioner has, and this is a key factor in the need for training.

Even if a practitioner comes to a role with academic qualifications in the area, they will still require some specialist professional training, as university courses generally do not have the vocational content which is needed for a practitioner to be fully competent in the use of digital forensic tools and techniques in their new job. In addition, different companies will use different tools and have different working practices,


and ongoing advancements in technology will almost certainly mean that further training will be required.

Academic qualifications are almost a separate issue on their own, partly because the majority of on-the-job forensic training will be short courses, and so academic courses are mainly of relevance before beginning a digital forensics career. (Although of course there are exceptions – for example, staff engaged in research may be studying for a postgraduate qualification.) Greater collaboration between employers and universities enables course content to be tailored to ensure the course is relevant, and is mutually beneficial to both.

With the recent increase in the number of digital forensics degrees being offered, it is vital for employers to engage with universities to ensure that students are being taught what they need to know from an employer's perspective. With that said, it is important to realise that a degree must teach the theory as well as the practical aspects – after all, a practitioner with a good grasp of the theory should be able to apply this using a number of different tools or techniques. A practitioner who is only taught the use of a tool will find it difficult to transfer this and may not have the understanding necessary to explain the significance of his or her results.

/ Vendor versus non-vendor training
Digital forensic training currently available can be generally split between vendor training, provided by forensic hardware and software manufacturers in the use of their kit, and non-vendor training, provided by either academic institutions or other training providers (e.g. the National Policing Improvement Agency).

Vendor training has a role to play, as it teaches the use of specific software which a practitioner will use, and equips him or her with practical skills. In phone and computer forensics, vendor training is generally the best-known training. (In video and audio forensics this is not the case; there are non-vendor-specific courses available for video and very little formal forensic training at all for audio.) Vendor training is well established and in the past has been a de facto standard for forensic practitioners.

However, it is crucial for a practitioner to understand the theory behind the actions he or she performs, and how the forensic tools he or she uses actually operate. Anyone can recover deleted graphics from a camera card, but to understand how this is done – and so identify whether any data has been missed, and what the provenance of the data is – needs a more in-depth understanding of the fundamentals of digital forensics. This is potentially a very wide area and includes the operation of hardware, the intricacies of file systems and potential aspects such as the technicalities of video encoding or the way in which mobile networks operate. Not all vendor training will include a full explanation of the theory behind the tools.

A further issue with vendor training is that it is usually not assessed, and so it is possible for anyone to attend and be trained. Therefore, attendance at a vendor training course does not necessarily mean that the person is competent in the techniques shown on the course, and un-assessed vendor training alone cannot be used to demonstrate competency.

On the other hand, non-vendor training – both academic and non-academic courses – is often less effective at teaching the practical aspects and will not give a practitioner a full understanding of the capabilities – and quirks – of the forensic tools which he or she uses. That understanding, of course, not only increases a practitioner's capabilities but also the accuracy of his or her results (e.g. by knowing that a particular tool cannot handle a certain type of file) and the speed of his or her work (as he or she can select the most effective tool for the job). Academic courses, in particular, have proliferated in recent years and as many of these are new courses, it is difficult for employers to assess the quality of the course content and teaching. Some digital forensics degrees are computer/IT courses effectively re-branded with an extra module in digital forensics, whereas some provide a much better grounding in the subject. But without having direct knowledge it is very difficult for an employer to judge the value of a particular qualification.

/ Requirements for training in the future
There are a number of things that could be done to develop digital forensic training from a law enforcement perspective, in order to improve training provision in the future. In particular, and in no particular order, the following are suggested as desirable for digital forensic training:

1. Improve efficiency and effectiveness of staff conducting analysis
2. Assist in demonstrating competency (especially as an expert witness)
3. Allow the value of different courses to be judged
4. Maintain cost-effectiveness
5. Raise professional standards

Whether or not training improves efficiency and effectiveness is not always easily measured. Some specialist training will allow a unit to examine devices that they could not previously handle – this is an obvious increase in effectiveness. Training in new smartphones (Android OS and iPhones) is an example.


To demonstrate an individual's competency, some measure of assessment is required. If a unit regularly assesses its entire staff, then it provides a sound basis for a practitioner to show in court that he or she meets the standard required. If core competencies are assessed following training and on a regular basis, and this assessment is recorded, this is much more valuable than course attendance as evidence of the competency of a practitioner. This is also key to demonstrating the value of training, which helps to justify future training costs. Of course this requires the input of staff time and resources, so will take time to implement. The Skills for Justice National Occupational Standards ([Link]) for forensic science and e-Crime provide the basis of this assessment, but time will still need to be invested to determine how the assessment should be carried out. For example, the unit 'C04 – Investigate electronic evidence' within the eCrime NOS is not sufficiently detailed to show how competence in a particular area of digital forensic analysis could be assessed. This is a prime example where different forces could collaborate to develop this and avoid duplication of effort. It will also be required by any force or agency working towards achieving the ISO 17025 quality accreditation standard.

Judging the value of different courses is another complex area. Again this is best done nationally and by an objective body. Initially a national register of course content, ideally aligned to competencies, would enable a unit to judge which courses would cover the necessary areas. Making a value judgement on those particular courses is more difficult, especially in the required objective fashion, but this could start from a measure which indicates how 'in-depth' the course content is in a particular area.

Maintaining cost-effectiveness is also difficult, but there are a number of options here. Cascade training, where staff


members who have attended a course then pass on the knowledge to their colleagues on their return, is one way to bring the knowledge gained into an organisation. That of course relies on the course attendee gaining a sufficient grasp of the content not just to use it but to teach it to others, and it is likely that the quality of training will not be as high. There is also a hidden cost to cascade training, of staff time, which means that while a staff member is training others, he or she isn't working on forensic casework. The accreditation aspect of training is also not fulfilled by cascade training – it doesn't carry as much weight as attendance on a formal course, though this can be partially addressed by competency assessment afterwards, if cascade training can be shown to allow a staff member to achieve the same level of competency.

Another option is to negotiate with training providers to provide training internally, for larger forces. This generally can be done at a lower cost and saves staff time in travelling to a course, as well as the expenses of travel and accommodation. For smaller forces, if they cannot provide enough internal candidates to justify this, then a course could be opened up to nearby forces and cross-charged to recoup costs. This is obviously dependent on individual training providers being prepared to offer training in this way.

Forces could also look at tailoring training to their own requirements – for example, if there is a common training pathway and core content which all staff require, or alternatively if there is a specialist area where little training is currently available, then it could make sense to develop this as a custom training course. This also requires more work on the part of the force itself though, so whether it is an option depends very much on an individual force's situation. Generally this will only be worthwhile if economies of scale can be achieved, so it is only appropriate either in larger forces or with collaboration between forces.

The final requirement is perhaps the one least often considered and the one that I believe deserves more attention. Digital forensics has come a long way from its original beginnings, and when this is compared to the history of traditional forensics it is clear that the speed of its development has been extreme. The capabilities of digital forensics have been well developed – for example, the techniques that are now available in areas such as memory (RAM) forensics and data recovery from flash memory chips – but the supporting infrastructure is not yet established. There is no clear career path for digital forensics, and academic courses and research are still in their infancy compared to many other disciplines. Public awareness of digital forensics is still relatively low.

This matters for a number of reasons, but one of the primary ones was alluded to earlier in this article. The culmination of a digital forensic investigation, for law enforcement, is the presentation of the evidence in court. The judge and jury must evaluate this evidence, and in the majority of cases they will not have the technical expertise to fully understand a complex examination. The evidence itself should of course be understandable when presented by a competent practitioner, but the judge and jury are unlikely to be able to challenge any assertions or assumptions the practitioner has made. A practitioner who says that the presence of particular files and artefacts indicates intention on the part of the computer user to hide activity may be correct, but there is also the possibility that he or she may be unaware of his or her own limitations and so may fail to give the court the complete picture.

Digital forensics needs to operate in a way that allows the judge and jury to make a more informed evaluation of the evidence, rather than by how convincing a practitioner sounds or how long a list of qualifications and experience he or she has. For example, there need to be standard ways of assessing and demonstrating competence, so that when a practitioner is assessed as competent that has a meaning not just within his or her own organisation but also throughout the profession. There is a need for a career structure, so that a practitioner at a certain level is recognised as qualified to conduct particular types of investigations. There needs to be an increase in academic involvement and research activity, to create an environment where forensic techniques are peer-reviewed and shown to be robust in a more formal way than is currently in place.

All of this requires investment in the key component of the digital forensic profession – which is, of course, the practitioners themselves. Training them in an appropriate way and to an appropriate level helps to create the environment where all of this can take place. It will be difficult, but it is undeniably necessary to ensure digital forensics continues to mature as a profession and is able to meet the challenges that future developments in technology will present. /

/ Author Bio
Bev is a senior technologist at the Metropolitan Police's Digital and Electronics Forensic Service (DEFS), which handles the forensic examination of digital devices in all types of crime. She has a background in computer forensics, having worked in the DEFS computer lab for more than four years. During that time Bev coordinated a national project that tested available triage tools to examine their suitability for triaging at crime scenes. She continues to provide technical assistance to the Association of Chief Police Officers (ACPO) eCrime triage project. In her current role Bev is responsible for developing DEFS' technological capability as well as coordinating the delivery of training within the unit.




/ LEGAL EDITORIAL

LEGAL EDITORIAL
Welcome again to DFM's legal section
by Moira Carroll-Mayer

It's the coldest morning of the winter so far folks, the log fire is roaring and all is well; I hope this finds you just as comfortable and ready to break open the latest edition of Digital Forensics Magazine. This time around, Scott Zimmerman's legal section article has some very practical and indispensable information. This article considers the practicalities of preserving the chain of custody in digital forensics. Even in the age of computer software for this, that and everything else, we are reminded of the role played by the good old paper notebook in ensuring the admissibility of hard-won evidence in a court of law. During my first school days Mrs Taylor would warn against scribble and unexplained gaps; I obey her to this day. Similarly, Scott takes us through what to do and not to do in and upon evidential notebooks; quaint and simple, his advice too will resonate as persistently throughout the career of the good investigator. But that is not all; immutability lies at the heart of the admissibility of digital exhibits and Scott describes how this state of grace is attainable for mutable media using a somewhat surprising device!

The Regulation of Investigatory Powers Act 2000 (RIPA) is the scourge of many an investigation, where evidence floating temptingly near the surface of the murky pool is rendered near and yet so far by the niceties of the Act. At every stage, from interception and acquisition to disclosure, perils lurk; in his succinct piece Ross Patel describes the importance of due authorisation and warrants for obtaining electronic evidence under RIPA. From there he moves to data encryption issues under the Act and to associated issues of disclosure. Ross alludes to a central absurdity that hazards the outcome of many an investigation – a prison sentence of up to two years under section 53 for failure to disclose encryption keys pales into insignificance where revelation would uncover crimes with sentences measured in many multiples of that. The reader is given a real-life feel for the consequences of RIPA as Ross enlivens his tale with illustrative and instructive case law.

The Legal News section gives you your usual whizz around the world with the latest updates from places near and far. The gap in European approaches to privacy versus the rights of investigators to trawl social networking sites is widening, as Germany invokes legislation limiting those rights; learn about the delicate balancing act now necessary in German forensics. From Canada, we hear the latest in the saga of revisionary rules of civil procedure for expert witnesses with the emergence of Beasley and Scott [Link]. As China gets its act together on the question of digital evidential integrity, we peer through the curtains of the Supreme People's Court. Meanwhile, in Thailand the application of the country's Computer Crime Act appears to have entered a new dawn, as its focus seems set to switch from issues Royal to those threatening Thai economic sustainability. If gaps are widening in Europe, the opposite is apparent in Africa, as many governments there unite with the UN in the fight against cyber crime through the inauguration of the African Center for Cyber Law and Cybercrime Prevention in Kampala, Uganda. Finally, there is an amusing aside involving the US Secret Service. That's it for this issue all – I'm off to the fireplace and a mug of hot coffee! /

/ AUTHOR BIO
Moira Carroll-Mayer, Digital Forensics Magazine's Legal Editor, is a lecturer in Procedural and Substantive Law of Forensic Computing with published articles on Communication Ethics, Identity Management & the Implications for Criminal Justice, the Ethical Implications of Nanotechnology, and Digital Crime & Forensic Science in Cyberspace. Moira is currently conducting research into the ethical and legal implications of advanced autonomous weapons systems.


/ LEGAL FEATURE

RIPA
AN INTRODUCTION FOR E-INVESTIGATORS

Examining The RIP Act (Regulation of Investigatory Powers Act) – introduced in 2000 in order to establish much needed protocols concerning communications data
by Ross Patel

/ INTERMEDIATE

An investigation into people trafficking across European borders, a requirement to tap and listen in on the conversations of a known drug baron, intercepting emails within a paedophile ring, attempting to crack a terrorist's encrypted drive containing plans for attacks. What does each of these scenarios have in common?

They all require the support of a legislative tool known as the Regulation of Investigatory Powers Act (RIPA).

The RIP Act, commonly referred to as RIPA, was introduced in the year 2000 in order to establish much needed protocols concerning communications data. The Act covers interception, acquisition and disclosure of communications, surveillance and human intelligence sources, as well as the investigation of electronic data protected by encryption. From a digital investigator's point of view, the most relevant of these topics are information encryption and acquisition/disclosure issues.

/ Obtaining Communications Data
Under section 22, with the appropriate authorisation, any public authority can obtain communications data from a Communications Service Provider (CSP), such as T-Mobile or AOL. The definition of a public authority covers government bodies and the police, as well as local councils or enforcement departments such as Trading Standards.

Communications-related data might be requested by a public authority for several reasons or in different scenarios. The most immediate of these would be a threat to national security, public health, the prevention of injury to a person's mental or physical health and the prevention of crime. However, the RIP Act also covers less serious circumstances, where charges may need to be collected or assessed by government, and any issues relating to the general well-being of the United Kingdom economy. An authorisation is valid for one month and no further data can be legally collected after this period without further authorisation.

/ Collection and Investigation of Encrypted Data
Encrypted data can be a significant hurdle to digital forensics and can bring an investigation to a total standstill. In the event that encrypted documents, drives, e-mails, conversation logs or other forms of electronic media are discovered, procedures must be followed in accordance with RIPA.

Under section 49, a person with the appropriate permission may impose a disclosure requirement if suitable grounds for doing so are met. In terms of encrypted information, a disclosure requirement may be imposed when there is reasonable belief, or evidence to suggest, that a person has the key to decrypt the protected data. Again, threats to national security and the prevention of crime can provide further grounds for measures to decrypt protected information.

A disclosure notice must describe the encrypted data for which the requirement has been created, the grounds on which it has been issued, the time allowed to comply with the notice and information regarding the authorised person giving the notice. Total secrecy surrounding a disclosure notice must be adhered to under section 54 of the RIP Act; any 'tipping off' can result in a person facing imprisonment or a fine.

If a person knowingly fails to comply with a disclosure requirement and does not provide the necessary authority with the key to the encrypted data, that person may be subject to two years' imprisonment or a fine under section 53 of RIPA. This is commonly a difficult area in digital evidence, as the encrypted material may have the potential to imprison a suspect for considerably longer than the two years available for not providing a key.


all intercepted e-mails to and from Mr. Porter. Upon
pleading guilty, both men were sentenced to sixth month’s
imprisonment, fined £20,000 and ordered to pay prosecution
costs totalling £7,000.
During the R v. Button & Tannahill case in 2005, Police had
permission under RIPA to have an audio recording device in
place during interviews and general surveillance. However,
authorities used a video recorder instead and admitted
Those who do not comply with the RIP Act when intercepting, obtaining or otherwise dealing with evidence will be liable to criminal or civil proceedings.

/ Legislation in practice & case law
On 24th November 2008, a man known only as ‘JFL’ was arrested under the counter terrorism act and several hard disks and USB drives were seized. Upon examination, it was found that the exhibits had been encrypted with Pretty Good Privacy (PGP) and the suspect was cautioned that Police would be issuing him with a disclosure requirement. Several months after the caution, the suspect was found after fleeing to another location in the UK and refused to comply with the disclosure requirement based on his ‘right to silence’. As a result, he was sentenced to thirteen months and later sanctioned under the Mental Health Act upon diagnosis of schizophrenia.
In the case of George Liddell (founder of Demon Internet and Redbus) and Clifford Stanford (former employee of Redbus), both men were charged under RIPA for illegal interception of e-mails. The e-mails involved in this case belonged to the victim John Porter – a former chairman of the Redbus Company. During the investigation it was found that Liddell had set up a hotmail account that received the evidence. Based on the fact that the evidence had been obtained unlawfully and without authorisation, both defendants were entitled to appeal.

Under section 49, an authorised person must impose a disclosure requirement if suitable grounds for doing so are met

The R (NTL Group Ltd) v Crown Court at Ipswich [2002] case also concerned legal and illegal interception of e-mails. NTL were served with a notice requesting electronic data in association with a certain e-mail address over a ten-day period. They were also warned that they must not destroy, alter or conceal the data, to which NTL lawyers confirmed that they would be in breach of RIPA if they did this. The e-mails were automatically destroyed after a user accessed them; the company explained that they would need to intercept them to stop this from happening. The judge then gave NTL lawful authority to intercept e-mails to resolve the situation.

/ Summing Up
The RIP Act is a significant piece of legislation governing procedures relating to digital evidence and complex issues such as encryption. Specific protocols must be adhered to, both when requesting and collecting digital communications evidence, or legal proceedings may be carried out against those who do not comply with the act. It is thought that RIPA will become of more use as increasing numbers of people and companies utilise encryption techniques for their own personal security. /

/ Author Bio
Director of e-Evidence at AFENTIS FORENSICS and vetted member of the ‘UK Register of Expert Witnesses’ (Law Society / Sweet & Maxwell), Mr Patel holds the CISSP, CISA, CCNA and MCSE technical qualifications. A specialist in murder, complex drug conspiracies and terrorism, he is regularly instructed in the most high profile criminal matters on the court circuit. He is a representative on the prestigious Home Office ‘Internet Crime Forum’ (ICF) and member of Executive Council at the ‘British Academy of Forensic Science’ (BAFS).



/ LEGAL FEATURE

CHAIN OF CUSTODY
THE FOURTH PART IN SCOTT ZIMMERMAN’S SERIES ON PLANNING AND PREPARATION

In this part of his planning and preparation series, Scott focuses on examining what
happens to any piece of forensic evidence as it is collected and stored
by Scott Zimmerman

/ INTERMEDIATE

The chain of custody describes in detail what happens to any piece of evidence as it is collected and stored. For example, a hard disk containing valuable log information is removed from a suspect’s system, and is subsequently placed in a safe. In order to demonstrate a verifiable chain of custody for this piece of evidence, the organization must maintain an uninterrupted account of the item’s whereabouts and condition from the time of the intrusion until the item is presented in court. A suitable guideline for creating this record is to use what the media call “The 5 Ws”: Who, What, When, Where, and Why. Using “The 5 Ws” in conjunction with the Rules of Evidence, we can create a list of questions that should be answered for the hard drive in the example:

What exactly is the item in question?
In this example, the item is the hard drive. The description of the item should be detailed and specific: “a SCSI drive from Vendor A” is not a detailed description. Information of note includes the complete make and model, size, serial number, date of manufacture, jumper settings, general condition, and any odd or noteworthy characteristics.

Who removed the drive from the system? When?
The removal of the drive should be documented thoroughly and witnessed by at least one other person. Use the log book to record the date, time, location, and method of removal, and be sure all witnesses sign the log book. Photographs or videotape can also be helpful at this stage.

Was the drive functional at the time it was removed?
This answer should be yes, but the removal entries in the log book should include a description of the drive’s condition. If the machine was not powered on when it was seized, the personnel on-site will not be able to attest to the functionality of the drive. Powering the machine on to check whether the drive works may very well modify critical data, particularly if the drive in question contains a swap file or a log file. If this happens, the veracity of the information on the drive will remain in some doubt throughout the investigation.

Was the drive removed from the system in the location where the system was found? If not, at what location (address, room number, etc.) was it removed? Why?
Sometimes a complete machine will be seized from a location, particularly if the machine belongs to a suspect who was placed under arrest. In this case the hard drive would not be removed on-site, but would most likely be removed from the system later at a law enforcement facility.



Was anyone else present? Why or why not?
As mentioned above, at least one witness should be present while the drive is removed. However, if for some reason a second person is not available, a video camera on a tripod can be used to record the drive removal and storage process. When the process is complete, the videotape should be marked and stored with the same care as any other piece of evidence.

Where and how was the drive stored? How many people had access to this location?
Once the drive is removed from the machine, it should be stored in a safe or in a locked storage area. Be sure to observe all mechanical and electrostatic precautions for sensitive items. Ideally, access to this storage area will be restricted to incident response personnel, and all accesses to the area will be verified and recorded.

How was the drive transported to this location?
Record the date, time, and method (company car, taxi, airplane, etc.) used to transport the item. Also record who was present and who actually handled the item.

Was the drive subsequently relocated? Why?
Ideally any seized hardware will be taken directly to the place where it is to be examined. However, the long-term storage facility may be in another building or in another city. In a case like this the evidence tracking form should reflect that the drive was seized, taken to Location A for duplication and examination, and then taken to Location B’s evidence storage room to be safeguarded.

Who was the primary custodian of this item?
Each investigation will have a lead investigator; some will have a secondary or tertiary individual to support the leader. Each member of the team should have pre-determined and specific roles to perform during the investigation, with validation checks to ensure no tasks are omitted or duplicated.

While this list of questions is not meant to be all-inclusive, it does elicit numerous important details about the handling of the hard drive. Each piece of evidence should be handled and tracked in a similar manner so the chain of custody remains unbroken.

/ Tips for Maintaining the Chain of Custody
The questions asked via the five Ws will generate a lot of
answers. Instead of trying to rely solely on memory to track
the chain of custody, individuals should record all evidence-
related actions in a log book at the time the action occurs. The
book should be constructed with a sturdy, stitched binding,
such as that found in an Engineer’s Notebook. This item
can also be called an Inventor’s Notebook or a Laboratory
Record, and it is designed to allow individuals to record their
notes and ideas in an effective and tamper-resistant fashion.
A stitched binding – instead of a three-ring, glued, or spiral
wire binding – makes the surreptitious removal, addition, or
replacement of pages extremely difficult. If a page is removed,
the portion that is held in place by the stitches will remain
intact; removal of this remnant is nearly impossible without
disassembling the binding itself, which of course would
soon be discovered. Each log book entry should provide as
much detail as possible about the handling of each piece of
evidence, and all personnel involved should sign or initial the
entry. As an added precaution, the log book itself should be
handled as a piece of evidence.
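The log-book properties just described (entries that cannot be silently removed or altered, each countersigned by a witness) and the seize / Location A / Location B tracking-form entries from the questions above, carried over to a digital record as an added example; this is not code from the article or from Scott Zimmerman. Each entry records the 5 Ws plus a witness and is chained to its predecessor by a SHA-256 digest, so editing or removing an earlier entry is detectable. All names, dates and the drive description are constructed.

```python
"""Hash-chained evidence custody log (added example; not from the article).
Each entry answers the "5 Ws" for one action on an exhibit and names the
witness who countersigned it. Entry n carries the SHA-256 digest of entry
n-1, so editing or removing an earlier entry breaks every digest after it,
much as a torn page leaves a remnant in a stitched binding. A correction
is a new entry that points at the one it supersedes; nothing is edited in place.
"""
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import List, Optional

GENESIS = "0" * 64  # the digest the first entry chains to


@dataclass(frozen=True)
class CustodyEntry:
    who: str        # person performing the action
    what: str       # exhibit, described in detail (make, model, serial, ...)
    when: str       # date and time, written out in full
    where: str      # address, room number, etc.
    why: str        # reason for the action (seizure, transport, storage, ...)
    witness: str    # second person who observed and countersigned
    prev_hash: str  # digest of the preceding entry (GENESIS for the first)
    supersedes: Optional[int] = None  # index of an entry this one corrects

    def digest(self) -> str:
        # Canonical JSON (sorted keys) so the digest is reproducible.
        payload = json.dumps(asdict(self), sort_keys=True).encode("utf-8")
        return hashlib.sha256(payload).hexdigest()


class CustodyLog:
    def __init__(self) -> None:
        self.entries: List[CustodyEntry] = []

    def record(self, who: str, what: str, when: str, where: str, why: str,
               witness: str, supersedes: Optional[int] = None) -> CustodyEntry:
        """Append an entry after checking that every W and the witness are filled in."""
        fields = {"who": who, "what": what, "when": when, "where": where,
                  "why": why, "witness": witness}
        for name, value in fields.items():
            if not value.strip():
                raise ValueError(f"{name} must be recorded")
        if who == witness:
            raise ValueError("the witness must be a second person")
        if supersedes is not None and not 0 <= supersedes < len(self.entries):
            raise ValueError("supersedes must name an existing entry")
        prev = self.entries[-1].digest() if self.entries else GENESIS
        entry = CustodyEntry(who, what, when, where, why, witness, prev, supersedes)
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """None if the chain is intact, else the index of the first broken link."""
        expected = GENESIS
        for i, entry in enumerate(self.entries):
            if entry.prev_hash != expected:
                return i
            expected = entry.digest()
        return None

    def custodians(self) -> List[str]:
        """Everyone who handled the exhibit, in first-appearance order."""
        seen: List[str] = []
        for entry in self.entries:
            if entry.who not in seen:
                seen.append(entry.who)
        return seen


def demo() -> dict:
    """Constructed scenario: seizure, imaging at Location A, storage at Location B."""
    drive = "Hypothetical 500 GB SATA drive, serial EX-0001"  # constructed description
    log = CustodyLog()
    log.record("A. Examiner", drive, "June 11, 2010 09:12", "Suspect's office, Room 101",
               "Removed from seized workstation", "B. Witness")
    log.record("A. Examiner", drive, "June 11, 2010 10:40", "Location A, duplication lab",
               "Transported by company car for imaging", "C. Driver")
    log.record("D. Custodian", drive, "June 12, 2010 15:05", "Location B, evidence room",
               "Long-term storage after examination", "A. Examiner")
    intact = log.verify() is None

    # Alter the location in entry 1 after the fact: entry 2 no longer chains to it.
    edited = CustodyLog()
    edited.entries = list(log.entries)
    e1 = edited.entries[1]
    edited.entries[1] = CustodyEntry(e1.who, e1.what, e1.when, "Unknown", e1.why,
                                     e1.witness, e1.prev_hash, e1.supersedes)
    first_bad_edit = edited.verify()

    # Drop the middle entry: the gap is detected at the entry that follows it.
    shortened = CustodyLog()
    shortened.entries = [log.entries[0], log.entries[2]]
    first_bad_removal = shortened.verify()

    return {"intact": intact, "first_bad_edit": first_bad_edit,
            "first_bad_removal": first_bad_removal, "custodians": log.custodians()}
```

Storing the running digest on immutable media, or printing it into the paper log book, ties the two records together, because a re-computed chain that no longer ends in the recorded digest shows the electronic copy was changed.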




Of course, not everyone is familiar with or comfortable with the concepts of evidence and evidence handling. A more familiar parallel would be the actions taken by an inventor as he creates new and interesting devices: in order to apply for a patent, the creator must record when and how he came up with his idea. He must also describe the idea in detail, and sign and date the entries so they can stand up in court if necessary. Here are some guidelines used in the patent application process that are relevant to maintaining the chain of custody.

• As mentioned above, use a notebook with a stitched binding.
• Keep a detailed record of activities, ideas, and observations.
• Sign and date each entry; write the date longhand, for example June 11, 2010, instead of 6/11/10.
• Write everything in permanent ink; do not use a pencil or a pen with erasable ink.
• Draw a single line through mistakes, and re-write the entry. Do not overwrite or obscure the original entry.
• Fill as much of the page with text as possible. Draw lines through empty areas when a page is finished.
• Do not leave blank pages. If a page is skipped or otherwise left blank, draw a diagonal line across the page and annotate the page as being blank (not containing text or diagrams).
• Explain all figures and diagrams in detail and in writing.
• If an item such as a sticky note must be added to an entry, glue the item thoroughly and securely to its own page. Explain in detail what the item is, and draw lines through any remaining blank space on the page.
• Have a reliable and trustworthy witness sign and date each entry.

/ Personnel
As mentioned in the example earlier in this article, the evidence gathering process should be conducted by two members of the team: one will do the required work and one will serve as a witness. This two-party approach can help keep mistakes and other variations to a minimum. Once the two-party quota has been met, the number of personnel involved should be kept to a minimum. As in a traditional crime scene, unnecessary personnel can complicate a situation, and complications can lead to oversights in a normally rigorous process. These oversights can undermine an otherwise effective case by casting doubt on the quality and veracity of the evidence.
Organizational policy on post-intrusion procedures must clearly identify the tasks to be performed and the personnel that will be performing them. The individuals need not be identified by name; the position or the job title should be sufficient. For example, the Senior System Administrator will perform tasks A and C; the Information Assurance Officer will
perform tasks B, D, and E. When assigning tasks to personnel, it might be a good idea to provide suggestions for individuals to witness the tasks. If team members are working on multiple tasks in parallel, there may not be enough witnesses to go around, and some tasks may have to be put on hold until a witness becomes available.

/ Mutable vs. Immutable Media
All storage devices in computer systems fall into one of two categories: mutable or immutable. Mutable media – as the name suggests – can be written and subsequently rewritten with data. Most storage devices present in computers use mutable media; this is what makes the devices useful!
Bear in mind that destruction does not constitute modification. Modification means the manipulation of the data, be it changing all fours to sevens, rewriting the ending of a story, or deleting incriminating entries in a log file. Destruction means that the media is not usable by anyone, and the data on the media cannot easily be retrieved.
Here are some examples of devices that use mutable media:

• Hard drives
• Floppy diskettes
• USB Flash, Secure Digital (SD) cards and other removable media items
• CD-R/RW (Compact Disc – Recordable/Re-Writable)
• DVD-R (Digital Versatile Disc – Recordable)

Because mutable media can be rewritten, it is not particularly well suited on its own to preserving evidence. Immutable media, on the other hand, may be written once but not subsequently rewritten. This one-way process makes the use of immutable media more suitable for recording evidence, but also a bit more resource-intensive: media cannot be re-used. This means organizations will need to purchase new media more frequently, and additional secure storage space will be required for new and used media. Note that media such as magnetic tape that has a write-protect feature is not considered immutable, even if the write-protect option is enabled. One way to address this issue is to use a small amount of strong adhesive to hold the write-protect tab in place after the information has been stored on the tape. This will prevent casual modification of the tape’s contents and will provide visual indication of tampering, but may not deter a motivated interloper.
Currently there are three forms of immutable media in common usage:

• CD-R (CD-Recordable)
• DVD-R (Digital Versatile Disk – Recordable)
• Paper

Once written, CD-R and DVD-ROM media cannot be overwritten, even if the media is placed in a CD-RW or DVD-RAM drive. Additional writing sessions to fill multi-session discs do not constitute overwriting, because the information that was on the disc before the session is still there: the new files are appended to the current contents of the disc.
Paper, while not strictly immutable, is extremely difficult to modify without leaving evidence of tampering. Any attempt to erase text printed on a page – using a rubber pencil eraser, for example – will almost certainly leave a visible trace in the form of a rough or worn patch on the paper. The erasure process will also alter the ink absorption qualities of the surface: writing on common bond or copier paper on a patch that has been erased will show that the ink spreads more easily and rapidly. A quick glance at the page will show relatively blurry text in an otherwise clear line.
The use of paper also has a unique advantage in a court of law: paper is a very familiar format. The judge, counsel and jury are all familiar with information printed on paper. This familiarity often allows printed logs to serve as convincing evidence, especially if the logs are extensive. Compare this to presenting a CD-R to a jury that is not especially tech-savvy: the evidence on the CD is rather abstract compared to that on the printed page and may not be as effective.

Reputation and integrity are extremely important and a single finding of fault by a judge can dash all career prospects

/ On Evidentiary Requirements
Evidence that is collected for a criminal trial must meet the highest standards for integrity and for the chain of custody. Evidence intended for use in a civil trial may need to meet these same stringent requirements, or the bar may be a bit lower. Evidence used in an in-house investigation, on the other hand, may only need to meet the standards of the security staff. However, what if a preliminary investigation leads to the arrest of an employee on the suspicion that he committed a crime? The purely internal investigation has suddenly become a criminal proceeding. Will the evidence in hand hold up in court? Perhaps it will, but it is likely that the exacting standards mentioned earlier have not been met. To cover instances like these, an organization that intends to prosecute offending individuals must be prepared to gather and preserve evidence consistently and completely in accordance with Federal requirements. Later articles will describe how technical personnel can do just that. /

/ Author Bio
Scott C. Zimmerman, CISSP has been an Information Security consultant, presenter, and trusted advisor since 1995. He has been researching legal issues in computer forensics part-time for nearly ten years, and is working to bridge the gap between law and technology in this area.



/ LEGAL NEWS ALERT

LEGAL NEWS ALERT

Privacy Noose Tightens on Social Network Forensics
Behavioural profiling and pre-employment screening through the investigation of applicants’ profiles on on-line social networking sites is grist to the mill in digital forensics; an on-line search reveals thousands of companies and individuals supplying this basic service. The website CareerBuilder estimated in 2009 that approximately 45 percent of employers used social networking sites to research candidates. Approximately 35 percent rejected candidates based on inappropriate photos, insulting comments or admissions of drug use.
In the UK on-line searches for information on potential employees are lawful, though investigators need to be aware of the Information Commissioner’s Employment Practices Code, which aids compliance with the Data Protection Act. The Code requires employers to ‘Explain the nature of and sources from which information might be obtained about the applicant...’ and to ‘Ensure a clear statement on the application form or surrounding documents, explaining what information will be sought and from whom’. The bottom line in the UK is that the less obvious an investigation is, the more open employers need to be about its likelihood – avoid contamination by association – check your principal’s compliance with the Code.
Those of you at work in Germany need to be even more vigilant. On the 25th August 2010 the German Federal Cabinet approved a draft law to prevent employers from investigating applicants’ profiles on social networking sites such as Facebook which are associated with communication per se. It is still, however, open season on sites such as Linkedin, since individuals represent their professional qualifications and advertise themselves to potential employers. In addition generally available information on candidates obtained from sources such as Google may also be mined. Essentially you can investigate anything in the public domain concerning an applicant, except where the legitimate interests of the employee in that data outweigh the legitimate interests of the employer. The law intended to establish a fair balance between the interests of employees in protecting personal data and the legitimate interests of employers presents a challenge to digital forensics. Try not to leave it to a court to decide if you weighed the interests of parties correctly.

Not as Inscrutable as You Thought? Chinese Courts and Digital Evidence
Courts in China admit web-based evidence and are increasingly inclined to scrutinise the integrity of that evidence. In June 2010 the Taipei Times reported the passing of new laws to exclude evidence obtained from unverified sources. It is clear from earlier case law that the new prohibition will reinforce judicial opinion on the issue of evidence obtained from the Internet.
In NuCom Online (Beijing) Information Technology Co., Ltd. v. ChinaNetwork Communications Corporation Limited, Zigong Branch [2008], the Supreme People’s Court underscored the importance of interrogating the origin of web-based information. The court found that in order to inform the basis of a judgement the origins of notarized digital evidence must be established. If a notary public is unable to gain access to the computer or hard drive before the notarization procedure, and if the notarization itself does not include a record of the state of the computer or hard drive prior to the downloading, the Court deems that the notarization merely proves that the act of downloading occurred before a notary public, but cannot prove that the data was actually downloaded from a specific location on the Internet.
A chief fear addressed by the Supreme People’s Court is the danger of confusing downloaded pages from a cache in a local computer, when using that computer to visit target sites in a remote system, with those from the target site. It is accordingly recognised by the Court that simply having the notary present to bear witness to the downloading cannot guarantee the origin or authenticity of that downloaded. To enhance authenticity Chinese courts require downloading to take place in the notary’s premises from the notary’s computer, with the notary having first recorded the condition of the computer. Where it proves impossible to utilise a computer belonging to the notary, sanitisation should take place with the notary deleting all pertinent files from the cache. Appropriate procedures must be used and every step recorded in detail. While it is probably too early to assess the success of Chinese laws and their application to digital forensics, interesting moves are clearly afoot.

/ The Case of the Swallowed Pen Drive
In February 2010 Judge Viktor Pohorelsky of the New York Brooklyn Federal Court thought he’d heard it all when Romanian national Florin Necula told him he had attempted to destroy the incriminating evidence by swallowing a Kingston flash drive. Having been arrested outside a bank in the Queens area on suspicion of ATM fraud, Florin was being held with fellow suspects at the headquarters of the Secret Service in Brooklyn when he undertook the risky feat in full view of investigators. After four days there was still no sign of the flash drive and Secret Agent Joseph Borger, anxious to get at the evidence, sought a search warrant. His request was supported by doctors, who feared Florin would be injured by the drive, which had become lodged in his intestinal tract. Since the suspected crime did not involve firearms, Agent Borger was obliged to wait until Florin gave consent to the drive’s removal at New York’s Downtown Hospital. Forensic concerns as to the potential effects of stomach acids upon the evidence go unanswered, as a Kingston representative told ‘The Smoking Gun’ that this was their first encounter with a swallowed flash drive. Florin for his efforts was charged with electronically stealing credit and debit card numbers from ATM machines and obstruction of justice, to which he pleaded guilty, and will be deported to Romania after he has finished his sentence.

Africa Unites in Fight against Cyber Crime
Under the auspices of the UN African Institute for the Prevention of Crime and Treatment of Offenders and in collaboration with the International Association of Cyber Crime Prevention (France), in late August 2010 the UN launched the African Center for Cyber Law and Cybercrime Prevention. The event is a direct response to the sharp rise in cybercrime, which threatens to undermine the basis of African Internet banking and customer services. Africans have unprecedented access to mobile phones and computers, with 85 million users facilitating the growth in numbers engaging with internet banking and commerce; that growth increases opportunities for their victimisation through various forms of on-line crime. The Center will monitor digital crime throughout Africa in states such as Uganda, Zambia, and Nigeria and is intended to provide the infrastructure and processes necessary for investigating and prosecuting cybercrime in Africa. Zambia was the first African state to introduce Internet crime legislation, with the possibility of 25-year jail sentences for those guilty of hacking, and it is upon such efforts the new Institute will build. The move is also likely to address cyber crimes carried out from Africa against victims abroad; the Faculty of ICT at Makerere University is reported to have found that 25% of respondents questioned had either planned or successfully carried out a cyber crime. The Institute is situated in Naguru, Kampala, Uganda.

/ Will Digital Forensics Force Thailand’s Computer Crime Act to Grow Up?
The introduction in 2007 of Thailand’s Computer Crime Act was expected to open the doors to the investigation and prosecution of hackers and fraudsters. Those disappointed by its failure to do so may be about to have a pleasant surprise. Offences under the Act comprise two categories: those committed against computer systems or computer data (Sections 5-13), and those committed via a computer, which are already crimes in the Thai Penal Code (Sections 14-17). Since 2007, as a consequence of political influence, the focus has been entirely upon the latter; thousands of websites have been closed and users and ISPs brought before the courts. Section 14 is the most frequently used and most controversial piece of the legislation. The section, indirectly, opens up the possibility of prosecution for offences against national security, the most interesting for the authorities being lèse majesté and defamation associated with King Bhumibol Adulyadej, his family and supporters. Section 14 provides for imprisonment for up to five years and/or a fine of up to 100,000 baht (approximately US$3,012) for offences including importing into a computer system forged or false data in a manner likely to cause damage to a third party or the public (sub-section 1), false data in a manner likely to damage national security or to cause public panic (sub-section 2), data constituting an offence against national security under the Penal Code (sub-section 3) or pornographic data (sub-section 4), or disseminating these types of data. Lèse majesté is not directly referred to in Section 14, but charges may be laid under sub-sections (2) or (3) since lèse majesté is classified under the heading of Offences Relating to the Security of the Kingdom in the Penal Code. Consequently any law that includes a reference to offences against national security implicitly includes the offence of lèse majesté. However the ‘traditional’ focus of the Act is likely to widen since the emergence, on the 29th September 2010, of computer evidence indicating fraud by Satyam Computer Services of Thailand estimated at $1.75 billion. The alleged fraud, uncovered during forensic investigations of the company’s computer systems, was reportedly carried out by the creation of fictitious revenues recorded by the creation of false invoices circumventing the normal revenue recognition cycle. The alleged irregularities are highly complex, affecting revenue, income from interest, exchange fluctuations, salary costs, expenses, borrowings, interest payable on borrowings and taxation. The progression of this case will truly test the maturity of the Thai Computer Crime Act.


/ TRAINING SURVEY RESULTS

DFM TRAINING
SURVEY RESULTS
Matthew Rahman and Roy Isbell analyse the results of the DFM training survey

Through July 2010 we hosted a survey that explored attitudes among the digital forensics community towards training and qualification within the trade. What follows is a report on the results obtained. If you took part in the survey, we’d like to thank you for your time and for helping us to get a better understanding of the growing area of digital forensics training.
The survey was a self-completion online survey hosted via Survey Monkey. Respondents were invited to complete the survey via email (using a sample from the DFM database) and other online promotional mechanics, e.g. via the DFM website and posts on blogs and other social media sites.
In total there were 75 completed surveys between the 4th and 29th July; sadly not enough for us to drill down into too much detail for fear of losing statistical rigour, but enough to give us a flavour of the research objectives we were exploring. We hope to bring another survey to our readers soon and hope that you will all take part (and encourage others to as well).
The objectives of the research were to provide an insight into what our readers and visitors to the website thought about training and qualifications in our industry. It was created with three distinct elements: allowing us to learn about those taking the survey; their views on education and training; and finally their thoughts and views on the future of our profession.
The survey was split into 5 areas of questioning. Firstly we looked at where respondents are from, what they do and how long they have been involved in digital forensics. Figures 1 – 3 give the top level results.

/ Figure 1. How long have you been involved in digital/computer forensics?
We see that the majority of respondents (over 70%) have been involved in the field for 5 years or less. This suggests that we are involved in a relatively new discipline, and with 40% of respondents involved in the profession for 2 years or less, this is confirmed.

/ Figure 2. How did you get started in digital forensics?
Digital forensics is a young and emerging field that is still learning and finding its way as it establishes itself. As well as dealing with all the normal things that a new industry has to deal with, such as establishing standards, processes and qualifications, we also have to deal with rapidly changing technology and investigation methods that are involved in the field of computer security.
It is therefore no real surprise that results showed that 40% of respondents are self-taught. This figure rises to over 60% of respondents who have been involved in digital forensics for more than 10 years. See figure 2a for a chart that shows the length of time involved in digital forensics by those self-taught.

/ Figure 2a. Self-taught respondents vs. length of involvement in digital forensics
What is a little surprising to see is that those relatively new to the business are also self-taught. In times when we see university courses in digital and computer security admissions at an all time high, the number of self-taught newcomers seems high. This may well be worth exploring further in future research. One suggestion as to why this may be is the pace of change in the industry, which is ahead of education establishments and those that provide the courses. If those at the cutting edge of digital forensics need to develop a new way of solving a problem, they get on and do it, rather than wait for a course to emerge and leave themselves open to a potential threat.
The more mature respondents being self-taught can be more easily explained by the fact that a wide range of courses were simply not widely available more than 10 years ago, so self-taught was the only way.

/ Figure 3. Where are you based?
We already know that digital forensics is a truly global industry and this was demonstrated when asked where respondents were based. What was surprising was the large contingent (over 38%) of respondents from Western Europe, with the USA close behind and the UK and Africa following up. This potentially demonstrates that a lot of research and work is not centred in the USA as expected, but in other areas of the world. This is not conclusive evidence of such but is an interesting development to watch.
When we look at how long people have been involved in digital forensics against their location, we see a clear split between North America and Western Europe, with those involved longer in forensics more likely to be coming from the new world. This can be explained by the fact that digital forensics is a more mature discipline in America and more of a recent development in Europe. See table 1.

38

DF5_38-41_Survey [Link] 38 2/11/10 [Link]


In the next section we explored the business and disciplines of digital forensics where respondents worked. Figures 4 and 5 highlight the different companies/businesses respondents work for and their roles therein.

/ Figure 4. Which of the following do you work in?
When asked what sector our respondents worked in and if they worked in any particular field, the results showed that the predominant sector is Corporate IT/Security, with just under 50% of the respondents working in this field. The results also showed the emergence of the Specialist Digital Forensic companies as the second largest grouping. We are mindful that many more groupings exist and that Corporate IT/Security may have been the closest industry sector on offer within the set. Private Investigators and the Legal Companies are obviously finding that Digital Forensics is having an impact on their normal daily business and is therefore requiring additional knowledge and skills.

/ Figure 5. Which field of digital forensics do you work in?
We then started to explore the qualifications people in digital forensics had and believe they require to further their careers in the field of computer forensics. Figures 6 and 7 highlight the results obtained.

/ Figure 6. What qualifications do you have in Digital Forensics?
From the comments received, there are a number of respondents currently studying for degrees and in post-graduate studies at the time of completion. There are also a number of respondents who have CCE, GCFA and GIAC qualifications.

/ Figure 7. What type of training do you believe you require to further your career in digital forensics?
Respondents believe that, even more than academic qualifications, both formal certifications and conferences are most important to furthering one’s career. Irrespective of the length of time the respondents have been involved in digital forensics, formal certification still came out as the most important factor.
It is suggested that due to the speed of change in the industry, those bodies that provide certification are able to react faster and develop courses that address technology changes more quickly. The same is put forward for conferences, where the ability to share knowledge and information quickly is a more effective method of learning – added to the networking nature of conferences.

It is therefore no real surprise that results showed that 40% of respondents are self-taught

Location    Less than 1 year   1 – 2 years   2 – 5 years   5 – 10 years   More than 10 years
UK          12.5%              13.6%         4.2%          15.4%          9.3%
W Europe    75.0%              54.5%         37.5%         15.4%          0.0%
N America   0.0%               18.2%         33.3%         46.2%          62.5%
Table 1


/ TRAINING SURVEY RESULTS

One comment was received about career enhancement: “More than training, you need to let others know your skill by putting them in the development of tools or techniques to share with the community.”
We then asked what training and/or vendor courses people have attended in the past 12 months; most people hadn’t been on any. This may be a result of financial restrictions biting or just a result of timing and course availability. See Figure 8 below.

/ Figure 8. What training and/or vendor courses have you attended in the past 12 months?
Other responses included: Self training with Forensics books, Cell phone forensics, X-Ways, NPIA, CHFI by EC-Council, Law Enforcement related, Tool Foss, Forward Discovery Mac Forensics, Open University Course, Techno Forensics 2009 and NW3C Intermediate Data Recovery & Analysis.
SANS came out head and shoulders above other providers of training courses across all respondents. This was heavily skewed by responses from North America. When explored by other geographies we see that respondents from the UK and Western Europe are far more likely not to have attended any training than their North American counterparts. 75% of UK and 64% of European respondents selected ‘None’ in the above question. This should hopefully pave the way for more European-based training events. In fact, since the survey was conducted there has been the SANS European Summit held in London.
When asked if respondents believed there should be a recognised international qualifications framework for DF Investigators, the response was an overwhelming “Yes”, with 80% of votes being affirmative.

/ Core Competencies and Ongoing Requirements
We explored what respondents believed were the core skill sets for someone within the digital forensics field and how knowledge of these skill sets must grow as the practitioner becomes more advanced. Table 2 and Figure 9 below give the results obtained.
What is obvious from the outset is that there are some very clear opinions as to what is essential as a core set of skills for practitioners of digital forensics. This could be used to help form the basis of testing or course development for relevant bodies.
In terms of Core and Basic skill sets, there is little difference. It would appear that a solid Core and Basic skill set is required as a foundation for any investigator, as well as a good grounding in investigative techniques, report writing and a good understanding of the collection methodologies, analysis and presentation of evidence.
As far as the skills for advanced practitioners, it would appear that respondents expect them to have a good, all-round knowledge of all of the aspects questioned. There are a few areas where their knowledge would need to be more in-depth and this includes programming skills and techniques, scripting, reverse engineering of code and penetration testing. Figure 9 shows the results in a graphical format, where the different sets of expectations can be seen more clearly.

Skill                              Core    Basic   Intermediate   Advanced
Research Methods                   46.4%   31.5%   42.0%          53.8%
Investigative Techniques           76.8%   63.0%   52.0%          55.8%
Logical Process Thinking           64.3%   53.7%   56.0%          51.9%
Report Writing                     71.4%   55.6%   52.0%          53.8%
Computing Architectures            48.2%   42.6%   52.0%          55.8%
Evidence Collection Methodologies  87.5%   72.2%   56.0%          57.7%
Evidence Analysis                  78.6%   68.5%   58.0%          55.8%
Evidence Presentation              64.3%   53.7%   60.0%          53.8%
Computing Device Construction      25.0%   25.9%   40.0%          46.2%
Programming Language Skills        12.5%   7.4%    22.0%          57.7%
Programming Techniques             12.5%   7.4%    34.0%          50.0%
Networking & Internetworking       46.4%   37.0%   68.0%          59.6%
Programming in C                   5.4%    3.7%    18.0%          44.2%
Operating Systems                  69.6%   64.8%   66.0%          57.7%
Device Operating Systems           50.0%   48.1%   46.0%          57.7%
Scripting                          32.1%   9.3%    40.0%          67.3%
Reverse Engineering of Code        16.1%   5.6%    8.0%           71.2%
Pen Testing                        17.9%   5.6%    32.0%          57.7%
Table 2


/ Figure 9. Core competencies and further requirements for digital forensics
This set of questions generated some useful comments. For the skills required for core competencies, one respondent noted that file systems and a degree of legal knowledge, including law on evidence, collection of evidence, criminal offences and civil redress, should be included.
Another comment on what should be included within the intermediate range of skills listed protocols, communication and data locations, and that the advanced skill set should also include “critical thinking, scientific methodology, file systems and law” and “recovery without automation, HEX analysis and header identification”, which are all perfectly valid points.
This is an area of debate that could run on forever and it is one we shall investigate further without doubt.

/ The Future
When asked what they consider to be the major challenges facing digital forensics over the next 2 to 3 years, some really interesting comments were received. Several people talked about the Cloud and the degree of virtualisation to come that will present a unique set of challenges.
Others talked about a lack of international frameworks or governing bodies, including a “lack of international jurisdiction” for digital forensics.
This was supported by another respondent who comments: “…there are many places that do not recognise digital forensics as a science on its own and keep trying to bundle it with other professions. Legislation both locally and internationally needs to look at digital forensics and be better defined and acted upon.”
Some comments picked up on the lack of decent courses available at university level, including “Universities are not doing mobile phone forensics as an independent discipline, just a short module and no real degree that works through electronics, programming, reverse engineering within UK, in one course.”

/ In Summary
Training and qualifications within our world of digital forensics is obviously an emotive subject, as even our little survey would indicate. And as a relatively new discipline, there are areas that still need to be smoothed out. We also work in a very dynamic environment where the traditional method of compiling a suitable university degree course simply cannot react in time to technological advances. However, these university courses can be designed to give a thorough and good base knowledge in the numerous skills that are required, e.g. legal frameworks, evidence collection, report writing, etc. It is then up to the business to ensure that it polices and allows the sharing of knowledge and skills, so that new techniques and methodologies are shared quickly enough to allow for the safe, legal and productive practice of digital forensics in years to come.


TURNING COMPLEX DATA INTO SIMPLE INFORMATION

THE PROBLEM
Today’s information security infrastructure affects multiple layers and uses a number of different vendor technologies.
The result is the implementation of many different security solutions, all with their own management console and reporting capability, but not always operating cohesively together.
Legacy technology is often underused and implemented ‘out of the box’ thereby resulting in poor information being fed to decision makers.

THE SOLUTION
To identify a comprehensive and consolidated decision support, reporting and data collection solution. A solution that collects information from any source and stores data in the right format in a data warehouse.
To identify a solution which provides appropriate views and notifications to different audiences for operations and management in the form of ad-hoc reports, sophisticated dashboards or email notifications.
To speak to PragmaticDefence Limited; a company which assists businesses of all sizes to manage the complexity of risk.

[Link]

THE PHAROS SITUATIONAL AWARENESS PLATFORM enables you to:
Collect data from any data source, thereby maximizing the use of existing technology; be it raw log data, databases, intelligence data, application output or syslog;
Provide individual reports or views on the data with many attributes, the reports being available in different formats such as: dynamic tables, pie charts, line and bar charts, gauges, speedometers, traffic lights, bulbs, mini trend lines etc.;
Create tables and charts allowing visualisation of thresholds with colours, icons and lines;
Export reports to XLS and PDF;
Create dynamic dashboards with no layout restrictions. Quick filters, drill down capabilities and the WYSIWYG dashboard configuration set no limits to visualise information in an easy understandable and role specific look and feel;
Intelligently use the information to:
Reduce costs in systems management and monitoring, making the right decisions with the right prioritizations;
Provide a service, risk- and event-related view on the IT environment;
Reduce risk by having the right information at the right time for the right people.

Diagram showing PHAROS between data sources (databases, application output, intelligence data, logs & events), outputs (dashboards, reports, notifications, actions) and audiences (operations, technical management, senior management, auditors).

PragmaticDefence’s Pharos platform provides an individual view for each technology. It gives:
• Operational views on logs and events
• Service related views (SLA, KPI)
• Risk related views (KRI)
• Lookup and mashup views
By putting relevant data into a data warehouse and adding additional intelligence data (e.g. CVE or GeoIP), Pharos is able to generate a comprehensive status overview of any organisation’s IT infrastructure.
Pharos is the first dedicated Security Business Intelligence system. It helps you to make the right decisions at the right time by turning data into meaningful information, easily understood.

To find out more, contact PragmaticDefence Ltd:
Tel: 0845 130 9039
Email: info@[Link]
Web: [Link]
The Old Dairy, Brewer Street, Bletchingley, Surrey, RH1 4QP


/ MEET THE PROFESSIONALS

MEET THE DF PROFESSIONALS
Sean Morrissey – The Man Behind Mac Forensics
Interviewer: Roy Isbell

The number of disciplines and roles within Digital Forensics is many and varied; as a way to demonstrate this we have identified a number of individuals who either practice or research Digital Forensics, who have either influenced, are influencing or plan to influence this diverse profession. Our hope is that by highlighting their work it will inspire others to do likewise.

Can you tell me a bit more about your history and what you think influenced your life to get you where you are now?
Well my father was a career US Army Officer, which meant that we lived in many different places. I lived in places like Morocco, Panama, Germany and Italy.
As far as I can remember, I have always been fascinated with technology and was always keeping an eye on it by reading different periodicals such as “Popular Science”. My father also knew where technology was going and exposed us to it as much as he could. I also remember when my father first brought home a computer and from then on a computer was always in my life.

Were there any events in your life that you are either proud of or think are significant?
I think, like everyone, my life took several turns. I always remember establishing goals that I wanted to achieve and things to experience, such as becoming one of the youngest Eagle Scouts, graduating from college, serving in the military and going into law enforcement. All those goals were accomplished and along the way I picked up more and more about technology and computing. I felt in order to learn more about computing it was important to know how they work. The movie “Yes Man” comes to mind when I look back at my life, for I never said “no” to an opportunity.
When I came back from training in Africa, I took a job as a contractor working for the Department of Defence as an instructor in computer forensics. During this period I was asked to assist with the Mac training & development. In order to do this I felt I needed to know more about the Mac platform if I was to teach this subject successfully, so for two years, every day, 16+ hours a day, I studied the Mac. Eventually after all this study I looked for an opportunity to ply my skills and found it working with the US State Department as a Computer Forensic Analyst.


With all of this study did you have any time for hobbies?
Hobbies… I wish I had the time for hobbies. When I had time for hobbies, it was building models, art and classical music.

What first got you interested in the science of Digital Forensics?
As a police officer, one of my first cases was an unwanted person that turned into a suicide attempt, which turned into a pornography distribution case and eventually into a child pornography case. Our department wasn’t capable of handling such cases, which then got me interested in the science behind it and I started to go to training, even sometimes at my own expense.

What are your thoughts on the current state of education and training, accreditation of courses etc. as they relate to Digital Forensics?
I believe that education and training are paramount when it comes to this evolving science. Unfortunately, there are those that come out of College with Masters Degrees who don’t know the first thing about how to start an investigation. There are cases where Law Enforcement Officers are taken off the road after many years and told, “You’re the new computer crimes investigator”. This cannot be good for the profession!
In the early days training was plentiful and not very expensive; nowadays prices have soared and with diminishing budgets, training is not on the minds of administrators. With law enforcement experiencing increasing caseloads, coupled with limited resources, digital forensics is moving towards “Triage Forensics”.
Critical investigative analysis is being lost as the need for speed influences traditional digital forensic investigations.

Do you think that digital forensics training should be accredited?
Yes, I do think there needs to be accreditation of training. The problem is who does it? This seems to be the question no one wants to answer. Everyone wants to do it but no one can agree how it is done. There are many certification programs, from Vendors to IACIS and SANS, etc. but not one centralized basis for how one gets a certification in Digital Forensics.

What are your main areas of research relating to Digital Forensics?
My main research interest is in Mobile devices; this is where technology is heading and I believe that mobile devices will be used more and more over conventional laptops and desktops in the future. Hopefully my research and methods will restore critical thinking back into mobile forensics, instead of the push button analysis we are seeing at present.

What are your views on the industry standard tools used to investigate Digital Forensics and the fact that so few are actually validated other than by mass use?
Currently the user base does validation. What bothers me is that vendors put out tools that are not tested and it’s up to the community to do that for them. One of the problems is that bodies such as NIST do not have the resources to keep up with validating tools. One day the Digital OJ Simpson case is going to come along and the community is going to look stupid because we don’t take the time to train or validate our tools. We just use them blindly without really knowing how they work.

What is your view on the convergence of computing devices such as PCs, Mobile phones and portable devices like iPads and the implications for the Digital Forensic Investigator?
The convergence of mobile devices is taking over how we compute. Mobile phones were just a means to communicate; now they are central to our lives. We are moving towards smaller, smarter devices that blend productivity with mobility. There will be conventional desktops for some time, but in the future these will be replaced by mobile and cloud computing devices. This presents challenges for the community in making sure we can analyse these devices.

What do you think about the relationships between Digital Forensic investigations, eDiscovery, operational analytics and malware analysis?
Each has its place. Personally I don’t classify e-Discovery as part of Digital Forensics; I see this as a different need that uses aspects of digital forensic tools and techniques. I believe that civil cases have a lower threshold for proof, where a criminal investigation has to be “beyond a reasonable doubt”. Malware Analysis however is a growing part of digital forensics and should be part of the total forensic process including evidence collection. I also think we should be aware that there are things that traditional digital forensic people don’t care to collect which would inhibit the job of the Malware examiner. /

/ AUTHOR BIO
Sean Morrissey is presently employed by Paradigm Solutions and assigned as a Computer/Mobile Forensic Analyst in the Department of State Computer Investigations and Forensics Division. Sean was an Instructor of Forensics at the Defense Cyber Crime Center, a former Law Enforcement Officer and U.S. Army Officer. He also authored Mac OS X, iPod and iPhone Forensic Analysis and the upcoming book iOS Forensic Analysis.


/ APPLE AUTOPSY

APPLE AUTOPSY
Welcome to our new Editorial Section that will detail forensics specific to Mac, OS X and iOS
by Sean Morrissey

I have the great privilege to be asked to join the Editorial team at Digital Forensics Magazine. I feel truly honored to have been asked to give the Mac perspective on Digital Forensics. I would like to thank the other members of the Editorial team for their invitation to join the publication. This shows that with the rise of Mac, OS X and iOS, it’s time to add some articles for the forensic community to read and hopefully gain knowledge which will make their examinations easier and more effective. Examiners have always asked me many questions of how to do this and how to do that. This Magazine is a great resource that examiners should have as part of their reading regime, which will hopefully answer all of those questions. The sharing and transferring of knowledge is very important to me. I hope that I can meet the expectations of the editorial team and the subscribers of this magazine.
Mac forensics is a growing dynamic in the digital forensics community. Apple has made great strides since 1996 when Steve Jobs returned and took the helm at Apple. Apple today is the number one technology company and has moved past Microsoft. This was not done overnight. If you look at how Apple has come to this point, you would see a company that has had a very long range plan. This was a methodical and patient growth.
Apple has become the center of innovation in the mobile device realm. First was the iPod, a multimedia device that took the music world by storm. Today there are over 100 million iPod devices around the world that are now total multimedia devices. Apple shocked the world again with iOS Devices: iPhone, iPod Touch, and the iPad. There are now over 120 million iOS Devices. This doesn’t take into account the millions of iMacs, MacBook Pros, Mac Minis, and Mac Pros. So with the proliferation of Apple devices now in the hands of owners, it would be reasonable to assume that the digital forensic community will see these devices. From my experience, and that of those I have talked with, labs around the world are seeing more Macs and iOS Devices than they’ve ever seen before. Even some of the toolmakers are finally seeing this trend and are developing their applications to examine these devices. Most examiners that have worked with Macs and OS X and its little brother iOS know that the best platform to do any examination correctly and effectively is the Mac itself. The Mac can effectively image, examine and report on all aspects of Mac forensic artifacts, easier, faster and better than any Windows based software tool. Windows tools are getting better, however they always miss something and just can’t quite do what the Mac can do by itself with a handful of free tools.
The automated tools can’t do the thinking for us; it is important to read, train, and continue to develop our skills so that those on the defense can’t poke holes in our examinations. /


/ FEATURE

MAC FORENSICS TRAINING
Comparing the merits of vendor neutral and tools based training
by Sean Morrissey

/ INTERMEDIATE

In 1996 Apple was on death’s door until the return of Steve Jobs, who drove the company to surpass Microsoft as the number one technology company. The Mac has come a long way with the stewardship of Steve Jobs. Macs are no longer just a cult, but are gaining worldwide exposure and acceptance as a home and work platform. A lot is credited to the present line of the big-cat-named operating system, OS X. It is not really apparent how much effect the failure of Microsoft’s Vista has had on the upward surge of Mac sales, but it is quite evident that it had a lot to do with the way Mac is today. Apple also had the greatest advertising campaign, “I’m a Mac”, which drove people to Apple Stores and Apple’s online store to purchase its hardware and the venerable OS X operating system. Over time Apple products became known for durability and rock solid performance. The rise of the Power PCs had people looking at their devices more and more. The Macs started with plastics and evolved to brushed aluminium cases that just gave them the look of quality craftsmanship. But with the introduction of Intel Processors, the craftsmanship was now merged with power. With brilliant advertising, awesome hardware, and an operating system known for performance and stability, Mac sales began to drive upwards and are still like that today. Therefore the prevalence of Macs in forensic cases will also grow exponentially.

/ Macintosh Training Guide
There are many places to get trained in Mac Forensics, from Vendor tools like SubRosaSoft, Blackbag, Access Data/MFI etc. Then there are some private training companies that offer Mac training as well. Vendor neutral training is the best way to receive any forensic training. Any good training should be on the process, not on how an automated tool can do the thinking for you. So one would ask, what makes good Mac Forensic training? Firstly, we will look at some things to take into consideration when one looks to find good quality training and then look at two such training programs that actually follow this concept, and two vendors who provide training courses.
In order to forensically analyse any Apple based product, one must understand the operating system and file systems that are found on Macs. The training should give the student an understanding of the Apple Partition Map and GUID partitioning schemes that are found on modern Macs and external devices. Students should be exposed to the range of all the Apple products from its inception to today’s powerful Macs: from the operating system’s capabilities of partitioning and erasing, to the use of RAIDs, which is now possible within the operating system and the hardware that it’s attached to.
The next item on the agenda should be the evolution of the HFS file system. Students should walk away from the training with an understanding of how data is placed and organised on a disk. One should know the differences between HFS, HFS+ and HFSX. Knowing the Mac, understanding the operating and file systems, is just the beginning.
Training should develop into imaging of Macs. There are a lot of people who are afraid to take apart a Mac, take out the hard drive and image the drive traditionally. One should be exposed to FireWire Target Disk mode, and the use of some free tools that are on the market like Raptor and Paladin, which are Linux based boot disks. These free options can easily image a Mac without taking it apart. The instructor should be able to advise students which Macs are easy to remove the hard drives from and image normally, and those that aren’t and require a boot disk or target disk mode. Training should also include the concept of File Vault and its impact on imaging.
So, the Mac is set up and the image is created, then what? This is where the rubber meets the road. Here is where a lot of training fails. If one tells you that you can learn the Mac and do an Investigation in less than 5 days, that’s just not possible. When I was doing Mac forensics training our course was 2 weeks long. The first week was all lecture and theory: how to find, locate, and report all the various artefacts found on a modern Mac. The next week was all hands on, with multiple practical exercises that made the student proficient in doing a complete Mac Investigation.

/ MAC FACTS
• First Apple Computer – Macintosh XL also known as “Lisa”. Introduced in 1983 at a price of $9995.
• The most powerful and cheapest Macs, both released in 2010:
• The 16 Core Mac Pro at a price of $4999
• The Mac mini Core Duo at a price of $699


There are so many applications that come with a new Mac that aren’t seen on its Windows counterpart. The Mac is a true productivity tool for the home, student, or office. With its own version of Microsoft Office, iWork, iLife, there can be a multitude of different artefacts. The Mac has Safari as the default browser, which over time has changed the location of possible artefacts. However, as with all things Internet, there are Mac versions of Firefox, Chrome, and Opera. All these leave behind data, from property lists to SQLite databases.
As we communicate within cyberspace, Apple provides applications that help people connect: Mail and iChat. Mail is for traditional email and connects with the Address Book application, which holds all contacts. The iChat application enables instant messaging and video chat. All of these applications should be included in the training, along with how to extract their artefacts.
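The paragraphs above say these applications leave their artefacts in property lists and SQLite databases. As an added illustration, not code from the article, its author or any tool it names, here is a Python script that reads a Safari-style history plist and a Chrome-style History database into one UTC timeline, converting the Cocoa (2001), WebKit (1601, microseconds) and HFS+ (1904) epochs an examiner meets on a Mac and flagging dates that fall outside a plausible window. The plist keys, the `urls` table schema and the sample visits are constructed for the demonstration and are assumptions to verify against real files.

```python
"""Normalise Mac browser-history artefacts into one UTC timeline.

Added example for this article, not code from the author or any vendor tool.
The plist keys and the SQLite schema are constructed to resemble Safari's
older History.plist and Chrome's History database; verify them against
real files before relying on them.
"""
import plistlib
import sqlite3
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Three epochs an examiner meets on one Mac. Confusing them shifts a timeline
# by decades, which is exactly the error "push button" use never reveals.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=UTC)   # plists, Core Data: seconds
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)  # Chrome/WebKit: microseconds
HFS_EPOCH = datetime(1904, 1, 1, tzinfo=UTC)     # HFS/HFS+ volume dates: seconds


def cocoa_to_utc(seconds):
    """Seconds since 2001-01-01 (may arrive as a string) -> aware datetime."""
    return COCOA_EPOCH + timedelta(seconds=float(seconds))


def webkit_to_utc(micros):
    """Microseconds since 1601-01-01 -> aware datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=int(micros))


def hfs_to_utc(seconds):
    """Seconds since 1904-01-01 (HFS/HFS+ catalog dates) -> aware datetime."""
    return HFS_EPOCH + timedelta(seconds=int(seconds))


def parse_safari_plist(data):
    """Yield (when, url, title, source) from a Safari-style history plist."""
    root = plistlib.loads(data)
    for item in root.get("WebHistoryDates", []):
        # Assumed layout: URL under the empty-string key, lastVisitedDate a
        # Cocoa-epoch value stored as a string.
        yield (cocoa_to_utc(item.get("lastVisitedDate", "0")),
               item.get("", ""), item.get("title", ""), "safari-plist")


def parse_chrome_history(conn):
    """Yield (when, url, title, source) from a Chrome-style History database."""
    for url, title, ts in conn.execute(
            "SELECT url, title, last_visit_time FROM urls"):
        yield (webkit_to_utc(ts), url, title or "", "chrome-sqlite")


def build_timeline(entries, earliest=COCOA_EPOCH, latest=None):
    """Sort merged entries and flag timestamps outside a plausible window.

    A date before 2001 or after 'latest' usually means an epoch was mis-read
    (e.g. Unix seconds treated as WebKit microseconds), so it is flagged
    rather than silently trusted.
    """
    latest = latest or datetime.now(UTC)
    timeline = []
    for when, url, title, source in sorted(entries):
        flag = "" if earliest <= when <= latest else "SUSPECT-TIMESTAMP"
        timeline.append((when.isoformat(), url, title, source, flag))
    return timeline


def sample_safari_plist():
    """Constructed sample: one visit at 2010-11-01T12:00:00Z (Cocoa 310305600)."""
    return plistlib.dumps({"WebHistoryDates": [
        {"": "http://example.net/dfm", "title": "DFM",
         "lastVisitedDate": "310305600.0", "visitCount": 1}]})


def sample_chrome_db():
    """Constructed sample: one visit at 2010-11-01T13:00:00Z plus one bogus row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, "
                 "title TEXT, visit_count INTEGER, last_visit_time INTEGER)")
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "http://example.com/", "Example home", 3, 12933090000000000),
        # A Unix-seconds value mistakenly stored where WebKit microseconds belong.
        (2, "http://bogus.example.org/", "Bogus", 1, 1288616400)])
    return conn


def demo_timeline():
    """Merge both constructed sources into one flagged, sorted timeline."""
    entries = list(parse_safari_plist(sample_safari_plist()))
    entries += list(parse_chrome_history(sample_chrome_db()))
    return build_timeline(entries)


if __name__ == "__main__":
    for row in demo_timeline():
        print(*row, sep="\t")
```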
Images, depending on the type of investigation, can be extremely important. iPhoto, a popular image application, catalogs and edits images. The newer versions of iPhoto can even contain geolocation artefacts and facial recognition, which an examiner trained in the use of iPhoto can use to properly show a visual representation of artefacts that a jury can view and understand.
Apple has given birth to two great suites of applications, iLife and iWork. Training should cover these applications as well. Other notable apps that are present on Macs should be mentioned. One of the last items that needs to be contended with is Time Machine. Apple’s new backup system from a Mac to an external device is a rather ingenious way that Apple has conjured up. A good instructor can reveal its secrets. Last, but not least, the venerable iPod, covering the various versions of the iPod Classic, Nano, and Shuffle. All these can be imaged and analysed. These devices can hold a plethora of different possible artefacts.
So, how does one go about this? A trainer worth his salt will know the ins and outs of the Mac and can teach you how to conduct a Mac Investigation without the use of automated tools. A skilled instructor with a detailed training program can show you how quickly and easily an Investigation can be done with the Mac and a few free tools.

/ Mac Forensics Training
There are different avenues to receive training on any type of media. There is vendor presented training and non-vendor training.
Vendor Training – Tool based training to gain proficiency in using the forensic application.
Non-Vendor Training – should be application neutral and geared more to the process of forensics rather than tool proficiency.


To emphasise the point we loosely reviewed two vendor neutral and two
vendor provided Mac Forensics training courses. This is not an in depth
review and therefore not an endorsement of any of the courses featured.

/ Vendor Neutral Training


Sumuri, LLC
Sumuri is a vendor neutral training organisation that meets the
requirements of acceptable length and vision to teach the course using
the Mac as the forensic platform. Steve Whalen, who has been training
people on Mac forensics for many years, founded Sumuri. Steve takes his
courses seriously and teaches them without reliance on automated tools.
Sumuri has two levels of training, Macintosh Survival Course levels 1 & 2.
The level 1 course is a five-day training regimen which covers a lot of
the areas that have been previously discussed. The course takes the
student on the journey of what to do when encountering the Mac, imaging
the Mac and how to investigate the Mac. This course, however, only
glances at the Mac OS X operating and file systems. The training does
cover incident response techniques, imaging and the collection of
artefacts from all the applications found on the modern Mac, along with
the System, Library and User domains. The level 2 course delves deeper
into analysis of the Mac using command line techniques, using Spotlight
to conduct searching, and how to locate artefacts in virtual machines,
RAID devices and servers. Overall, if both levels of the training are
taken, an investigator will have all the knowledge to systematically
complete a forensic examination of a Mac using the best platform on
which to conduct such training. Sumuri teaches students how to set up
their Macs as a digital forensic platform and is focused on the process
of digital forensics, not the push button tools that always seem to
miss things when it comes to Mac based investigations.

/ Teel Technologies (Figure 2)
Teel Technologies, established by Bill Teel, is an exemplar of vendor
neutrality, providing training on the iPhone. It is only through
training that is free of a sales agenda that the mobile phone digital
forensic investigator can achieve the level of expertise necessary in
the ever changing area of mobile forensics. Teel Technologies embraces
the philosophy of training, which is getting individuals the education
they need to complete thorough digital forensic analysis of mobile
devices. Since the iPhone and iOS are cousins of OS X, training on these
devices still needs an understanding of the UNIX underpinnings of the
operating and file systems. There are a lot of people jumping on the
iPhone bandwagon just to cash in. Teel provides no nonsense training
that emphasises validating the output of tools and methods, with an eye
on shrinking budgets. In the world of the digital forensics
practitioner, we are asked to do more with less, and quality and
affordable training is much in demand. The Teel iPhone Boot Camp course
is based on the Mac platform, but with an interesting twist. Students
can bring their own Macs or learn on Teel's cutting edge use of virtual
machines to produce a proper platform for the exploration of OS X as the
perfect forensic environment for iPhone forensics. Students get
experience of command line interactions with SQLite databases,
Linux/UNIX commands and shell scripting. Mac based GUI and commercial
Windows tools are also used in a well-rounded course that investigates
the iPhone file system structure, from property lists to databases.



/ Vendor Training
ATC-NY Corp – Mac Marshall
One Mac application that caught my eye when it first was released was
Mac Marshall, an excellent tool that does a lot of pre-processing of
Mac based images. ATC-NY Corp developed Mac Marshall and provides it
free to members of law enforcement.
ATC-NY Corp also provides training on Mac based investigations and how
their tool can assist the process. This training provides only an
overview of the OS X operating system and HFS+ file system. It teaches
the use of Spotlight in conducting searches and training on FileVault
and how Mac Marshall can contend with its encryption. The training
provides the student with "hands on" experience of Mac Marshall and how
it can analyse logs, artefacts from Safari, Mail, iChat and the Address
Book applications. Virtual machines are also covered and the training
delves into all three major virtual machine applications: Fusion,
Parallels, and VirtualBox. For practitioners who haven't done any
analysis on Mac based images, this training can be very helpful,
however this is not a replacement for good sound Mac forensics training.
(Figure: Mac Marshall)

SubRosaSoft – MacForensicsLab Training
One of the major vendors in Mac forensic tools is SubRosaSoft's
MacForensicsLab. As with all vendors of forensic tools, they also
provide training on the application. MacForensicsLab is a GUI based
tool that can image, investigate and report. SubRosaSoft has provided
training in Mac forensics for some time. After proper training,
MacForensicsLab can be easily used on any Mac based image. At first
look, one would look at MacForensicsLab and ask "where do I start?" If
you have the time and inclination to learn it for yourself, you could
muddle through the tool, but the training is very beneficial in
utilising all the aspects of the application. As with any decent tool
training, MacForensicsLab training first goes over the interface of the
tool to get the student familiar with it and able to navigate around its
various features. Next, the training goes over how the tool acquires Mac
media. The course begins to pick up steam with searching in allocated
and unallocated space and, last but not least, carving and salvage
operations. A student is taught how to effectively find all the Mac
related file types that Windows based tools are capable of recovering.
(Figure: MacForensicsLab)

/ Summary
Vendors are a great resource of tools that make the investigator's life
easy. But this does not account for the knowledge that the investigator
needs in the fundamentals of forensics. If one does not understand
operating and file systems and how the data got there, just pushing a
button for "Get All Evidence" will not pass muster in the court room.
Training and continuing education is an important part of the
investigator's arsenal. As training dollars shrink and time is short,
investigators need to look harder at the training available in the
marketplace. Look to more vendor neutral training that focuses on the
art of forensics, not the beauty of a GUI. Look to what you are actually
paying for in that training. Ask your colleagues about training. Make an
informed decision before taking that leap. Stay away from those who jump
on the bandwagon and stick with steadfast programs that have
knowledgeable staff and a curriculum which stimulates thought, not just
pushing the "magic evidence" button. Run from those that aren't more
than an ad campaign for one tool or another. The training programs
detailed previously are two private firms that take the philosophy
seriously and take the time and patience to educate the student. There
is, however, always room to take training from vendors; it's their tool,
and they should know more about it than anyone else, as long as you have
the basics first.
Tools will come and go, but it is incumbent on the investigator to know
what goes on under the tool. Apple has made its comeback from near
certain death to now overtaking the venerable Microsoft. The need for
Mac forensics will continue to grow. Therefore training in conducting
Mac investigations will be more important than ever. /

/ AUTHOR BIO
Sean Morrissey is presently employed by Paradigm Solutions and assigned
as a Computer/Mobile Forensic Analyst in the Department of State
Computer Investigations and Forensics Division. Sean was an Instructor
of Forensics at the Defense Cyber Crime Center, a former Law Enforcement
Officer and U.S. Army Officer. He also authored Mac OS X, iPod and
iPhone Forensic Analysis and the upcoming book iOS Forensic Analysis.



Digital
ForensicS
/ magazine
Digital Forensics magazine keeps you up to date on all the latest
developments in the world of computer and cyber forensics.

The magazine covers the following topics areas:

/ Cyber terrorism
/ Law from the UK and rest of the world
/ Management issues
/ Investigation technologies and procedures
/ Tools and techniques
/ Hardware, software and network forensics
/ Mobile devices
/ Training
/ eDiscovery
/ Book/product reviews

CHECK OUT
[Link]
for all the latest news and views on the world
of digital forensics (special feature articles are
available for registered users).

SPREAD THE WORD


[Link]/subscribe




ETHICS IN COMPUTER FORENSICS
Computer forensics is an integral part of the
widely increasing field of digital forensics,
as with any investigative field there comes a
time when ethical issues will arise, here we
look at some of the ethical issues associated
with computer forensics
by Darshan Karia

/ ENTRY

Computer forensics is the art of collecting, analysing,
preserving and presenting digital evidence collected off
a computer in a legally acceptable manner. The process
of computer forensics is thus quite complex and involves
various activities. Due care must be taken that the evidence
is not altered or tampered with in any way. The role of the
investigator is therefore crucial and any mistake on their
part may put the whole investigation in jeopardy. To counter
this problem the forensic investigator must follow the basic
guidelines and rules suggested by ACPO and / or NIST.
The rules and guidelines provided by ACPO and NIST
address the legal and technical issues but not the Ethical and
Moral issues. These issues are not published but they form an
integral part of professional life. Like every other profession,
computer forensic investigations must also be conducted
under an ethical framework.
Ethics in general is considered as “Behaviour of an individual
with relation to something”. The legal dictionary [2] defines ethics
as “The branch of philosophy that defines what is good for the
individual and for society and establishes the nature of obligations,
or duties, that people owe themselves and one another.”
The digital world has its own view of the term ethics, [3]
“Ethics in computer forensics is a set of moral principles
that regulate the use of computers; some common issues of
computer forensics include IPR, Privacy Concerns and how
computers affect society.”
Thus, almost all the definitions of ethics revolve around
the principle of morality. By morality I mean the degree of
conformity to moral principles. However, with respect to
computer forensics, the definition provided by the digital
world looks more relevant as it not only covers ethical and
moral issues but digital issues as well. Therefore, some

important areas in computer forensics must be identified where ethical
and moral codes should be followed.

/ Honesty
In any professional field, keeping up to date with contemporary
technology and thinking is imperative. However, in a field such as
computer forensics where new developments are offered regularly, it
becomes difficult for an investigator to keep pace with all the latest
developments. To understand all aspects of the field the investigator
may require some 'time out' to experiment and gain expertise. By the
time the investigator feels competent to call him or herself an expert,
things may have moved on again. Similar is the case with the products
available for conducting computer forensic investigations; with new
versions being launched all the time it might not always be possible
for the examiner to keep up.
In this scenario it is the responsibility of the forensic investigator
to be critical of his or her personal level of expertise before
accepting a case. An examiner should never misrepresent or claim
competency where little exists; this will always fall down under
courtroom scrutiny. The examiner must always give a fair account of
competency and convince any prospective client of efficacy based on
past successes.

/ Legality
The process of conducting a forensic investigation must be aligned with
any legal requirements imposed on it. Therefore, the issue of legality
becomes an inevitable part of the whole investigation. In several
countries it might be necessary to have certain permissions, court
orders, or principles to follow etc. before you can conduct
investigations. Due care must be taken to ensure that all principles
are followed.
A contract should always be signed, in the case of private
investigations, explicitly stating the purpose, scope and extent of the
investigation. The authority for conducting investigations and the
person to whom the investigation answers must be clearly mentioned in
the contract. No change in this documentation should be permissible
after both parties duly sign it. Police or law enforcement must be
involved wherever required.

/ Objectivity
From a digital forensics investigation standpoint, the whole objective
of the investigation is to discover incriminating evidence. This
objective should be unambiguously defined in order to ensure accuracy.
Any other information that might look attractive but is not directly
relevant to the investigation must not be used or exploited in any way.
The examiner must always remain attuned to the objectives of the
investigation as per the agreement in the contract. In an eDiscovery
case it is imperative that the sole objective of the investigation is
to discover the evidence defined in the court order.

"The examiner must always keep in mind the sole objective of his
investigation and stick to it"

/ Competence
As stated previously, the examiner must be honest enough to state his
or her level of expertise and competency. The examiner must also be
competent enough to testify as an expert witness in a court of law. Any
failure on his or her part in giving a satisfactory explanation to the
court may result in a lost case. Expertise in a variety of domains might
be involved and the investigator must be competent enough in all the
domains being considered. The examiner must therefore evaluate his or
her personal levels of competency in the subject matter before
accepting the case.

/ Integrity
For any investigator, taking on a new case is a challenging job.
However, some additional challenges make the work even more
complicated. There might be a case where a relative or friend may be
involved; hence there may be a 'conflict of interest' that needs
addressing. This could lead to a bias in the investigation. There could
also be a scenario where a criminal has approached the investigator to
effectively take the investigator's services as a customer. In this
kind of situation it becomes a difficult decision as to whether to
accept or reject the case as the investigator may not be sure whether
the customer has actually committed the crime.
A forensic investigator must always remember that their sole objective
is to present the facts. It is up to the court or concerned authority to
decide whether the accused is guilty or not. Thus the investigator must
have strong integrity and ethical values to justify decisions under
these difficult situations.

/ Confidentiality
During any investigation an investigator may recover personal or
private data. The Data Protection Act defines personal data and
sensitive personal data and states explicit ways to treat,
store and use it. However, there might be private data that doesn't
fall under these two categories. It is the responsibility of the
investigator to ensure the confidentiality of this data is maintained.
The effects of disclosure of this data on the life of the suspect and
family must be considered by the investigator. Thus an investigator
must maintain absolute confidentiality.

/ Audit Trail
The forensic examiner is responsible for defending all the work or
evidence produced in the court of law from a technical perspective. The
opposition closely examines the procedures followed by the investigator
to look for flaws. Therefore, it becomes mandatory for the examiner to
disclose all investigative procedures.
The examiner must never use covert software or tools that might not be
permitted by law or the court. Also, if third-party analysis of the
data does not produce the same results then the integrity of the
investigation comes under scrutiny. It becomes imperative for the
examiner to maintain complete transparency in the procedures followed
during the investigation. It should, thus, not only come under the
investigator's ethical code but also under a legal obligation to ensure
that a proper audit trail is kept so that any third party investigator
may reach the same results using the same procedures.

"The examiner must not use any covert software or tool that he might
not be able to disclose in court"

/ Carefulness
As we have already seen, there are various activities involved in a
forensic investigation. All these activities are significant and any
mistakes or ambiguities would make the evidence unacceptable. Thus, it
becomes very important for the investigator to be extremely careful
during investigations. All protocols, including the ACPO/NIST
guidelines for chain of custody of the evidence, transportation and
storage, must be carefully followed. Any carelessness could result in a
lost case.
Investigators must also be careful to analyse the complete set of
evidence to try to find as much relevant information as possible. The
investigator must not rely on any third-party for analysis of evidence
or compilation of the report. If retained by a counsel, due care must be
taken that the report is not biased with the retaining counsel's views.

/ Non-discrimination
The examiner must not discriminate on age, caste, creed, sex, religion,
social status or any other personal biases. He or she must follow the
same procedures and guidelines as they would have followed for any
other case. Ethically, the investigating officer must be strong enough
to distinctly identify the case issues and present them in the best
possible way so as to keep all the principles of computer forensics
investigations intact. Thus, it becomes ethical for the investigator to
demonstrate non-discriminatory practices in the professional work
environment under all circumstances.

/ Respect for Intellectual Property
The forensic examination of a computer may retrieve a whole host of
varied information. This could include legitimate IPR pertaining to the
individual being investigated. It need not necessarily be something
relating to patents, trademarks or copyrights, but even literary works,
art, designs, business plans, trade secrets etc. must be considered
under the same category and provided adequate protection. It is the
investigator's call to operate within sound ethical boundaries and
consider only data related to the investigation. There must be a firm
assurance that any additional intellectual work discovered during the
investigation remains safe and not misused or abused for any other
purposes.

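The Audit Trail section above asks for a record complete enough that a third party can reproduce the examiner's results by the same procedures. One way to keep such a record tamper-evident, added here as an example and not taken from the article or from any ACPO/NIST guidance, is to log every processing step with the tool, its arguments and the SHA-256 of its input and output, and to chain each entry to the hash of the previous one. The step names, tool labels and the bytes standing in for evidence are constructed for the demo.

```python
"""
Added example (not from the article): a hash-chained audit trail. Each
entry records tool, arguments and input/output SHA-256 values and commits
to the previous entry's hash, so later edits to the log are detectable.
Step names, tool labels and "evidence" bytes are constructed for the demo.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash value used by the first entry


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def _entry_digest(entry):
    # Canonical JSON (sorted keys, fixed separators) so the digest does not
    # depend on how the log file is later pretty-printed.
    payload = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_bytes(json.dumps(payload, sort_keys=True,
                                   separators=(",", ":")).encode())


def append_step(log, examiner, tool, args, input_data, output_data, when=None):
    """Append one processing step to the trail and return the new entry."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    entry = {
        "seq": len(log),
        "time": (when or datetime.now(timezone.utc)).isoformat(),
        "examiner": examiner,
        "tool": tool,
        "args": list(args),
        "input_sha256": sha256_bytes(input_data),
        "output_sha256": sha256_bytes(output_data),
        "prev_hash": prev,
    }
    entry["entry_hash"] = _entry_digest(entry)
    log.append(entry)
    return entry


def verify_log(log):
    """Return (ok, first_bad_seq). Catches edited fields and entries deleted
    or reordered in the middle, since every entry_hash covers seq and
    prev_hash. Truncation at the tail is only caught if the final hash was
    also recorded somewhere outside the log."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev_hash"] != prev:
            return False, i
        if _entry_digest(entry) != entry["entry_hash"]:
            return False, i
        prev = entry["entry_hash"]
    return True, None


def demo():
    """Constructed walk-through: image, hash, carve; then tamper and re-verify."""
    t0 = datetime(2010, 10, 25, 9, 0, tzinfo=timezone.utc)
    disk = b"\x00" * 512 + b"JFIF demo bytes" + b"\x00" * 100   # constructed "evidence"
    image = disk                                                 # bit-for-bit copy
    carved = b"JFIF demo bytes"
    log = []
    append_step(log, "examiner A", "dd", ["if=/dev/disk2", "of=evidence.dd"], disk, image, t0)
    append_step(log, "examiner A", "shasum", ["-a", "256", "evidence.dd"], image, image, t0)
    append_step(log, "examiner A", "carve", ["--type", "jpeg", "evidence.dd"], image, carved, t0)
    clean = verify_log(log)
    # Later "correcting" the recorded arguments of step 1 breaks the chain there.
    log[1]["args"] = ["-a", "1", "evidence.dd"]
    tampered = verify_log(log)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

`verify_log` reports the first entry at which the chain breaks, so an edited argument, a removed step or a reordered entry is pinpointed rather than merely detected. Recording the final `entry_hash` outside the log (in the contemporaneous notes, or under a signature) is what lets an opposing expert check that the log itself was not regenerated; the script does not do that part.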
/ Respect for Colleagues
Respect for colleagues and co-workers is a key attribute for
any professional. Similarly, in computer forensics, an ethical
code of conduct between the employees of an organisation,
and their counterparts in other organisations, must be
observed. No offending or derogatory remarks or statements
should be made. A professional spirit must be maintained to
retain the dignity of the profession.

/ Responsible Publication
After the completion of the analysis, the investigator may be
required to create a report of the work that is subsequently
delivered to the appropriate authority. After the report is
delivered, the investigator cannot control the distribution of
that report. It may change hands and people may interpret
this information in different ways. Thus, it becomes important
for the investigator to frame or publish the report such that all
important issues are considered. It is an ethical issue for the
investigator to publish the report stating only the facts and
findings of the investigation relevant to the case without any
ambiguity or personal bias.

/ Responsible Mentoring
In computer forensics, the investigating officer may also play the role
of a mentor. The investigator has to guide the investigating team and
help legal advisers to present the case in an effective manner. This
means that throughout the entire process, from safe retrieval,
analysis, storage and presentation of the data, through to helping the
lawyers execute the case, the investigator has to be a mentor. It may
become an ethical requirement on the part of the investigator to mentor
throughout the entirety of the case to both technical and legal teams.

"Only things that are legally, ethically and morally correct may be
justified in the court of law"

/ Social Responsibility
The examiner must not forget that the accused is not guilty until
proven so. Therefore, the suspect must be given the chance of a fair
trial. It should also be ensured that the family members of the accused
are not involved or put in harm's way during an investigation. Care
must be taken to ensure that external parties are not disturbed as part
of this investigation.
Other scenarios may arise in the case of private computer forensic
investigations. It must come under the ethical code of the investigator
to inform law enforcement agencies if traces of criminal activity are
discovered during a civil investigation. In the event of finding special
categories of pornography, for example, it becomes statutory for the
investigator to stop the investigation and inform the police.

/ Human Consideration
There might be a situation where 'hacked' wireless connections or
automated malware was used to commit a crime using someone's IP address
or system. An innocent system could be used to attack a target (the
subject's machine might be used as one of the 'bots' for an attack) and
the user may be totally unaware of it. In such a scenario, it becomes
the moral responsibility of the forensic investigator to evaluate and
understand the situation on its merits. He should have strong ethical
values to safeguard the human subject in case of doubt during the
proceedings of the investigation.

/ Conclusion
Ethics form the basis of the human character and thus it is very
important to have the right set of ethics considered for the role you
perform. Computer forensic investigation is a job where stress and
pressure are high, and working under such pressure, bearing in mind all
the statutory issues etc., could well be tough. When it comes to
decision making in this kind of workplace, the investigator must be
able to justify decisions in a manner that is acceptable to a court of
law. Only where evidence and reporting is legally, ethically and
morally correct can it be fully justified to a court of law. A strong
set of ethical values can certainly assist an investigator through the
course of any case and protect him or her from committing any errors or
unethical activities, setting high standards for the whole community of
computer forensics professionals. /

References
1. [Link]
2. [Link]
3. [Link]
4. [Link]
5. [Link]
6. [Link] Computer%20Forensics

/ Author Bio
Darshan Karia is an 'Ad-hoc' Lecturer for UG and PG levels at Dr.
Ambedkar Institute of Management Studies and Research, Nagpur. Subjects
taught include Software Product Project Management, Software
Development Methods, Management Information Systems and Information
Technology. He has an MSc in Computer Forensics, Master in Computer
Management, PG Dip in Computer Commercial Applications, an Advanced
Diploma in Cyber Law and a certificate in Ethical Hacking. Darshan is
currently studying for a PhD, the topic being 'the scope and
limitations of Cyber Laws and Cyber Crimes', which is keeping him busy.

/ NEXT ISSUE

COMING SOON…
Some of the great content coming up in Issue 6, out 1st February 2011

The team here at DFM is already working on what looks to be an
exciting special issue on Operational Forensics for Issue 6 and
here is just a taster of what we are looking at for you:

/ Situational Awareness & Digital Forensics
Ian Murphy takes a look at the latest issue to hit the world of
Operational Forensics: Situational Awareness. Investigating
how simple monitoring and management are no longer
sufficient to investigate incidents on our networks, time is the
enemy and access to information to aid decision making can
be the key to success or failure.

/ Digital Forensics in the Cloud


With the increase in cloud computing services available to
home and enterprise users, digital forensic investigators
need to consider what the challenges are for collecting and
analysing data. This article will examine five possible areas of
data capture when collecting cloud service data.

/ Netflow & Forensics


Digital forensic examiners are in a constant race to stay one
step ahead of the bad guys; always looking for new ways to
uncover evidence of probative value. This article by George
Bailey discusses the challenges and benefits to using netflow
data in digital forensic investigations.

/ BotNet Forensics
Jonathan Rajewski investigates “what role does digital
forensics play in BotNet investigations?”

/ Do You Have an Opinion TO SHARE on OPERATIONAL FORENSICS?
If so we would like to hear from you and the best letters will
be included in 360.

NEXT ISSUE PUBLISHED FEBRUARY 2011
Note: DFMag may change the planned content of future issues without notice.

/ Features on the Website
We are looking for authors who would be prepared to
contribute short articles on the DFMag website. These
articles are limited in word count and not as extensively
reviewed as our feature articles. We are looking to provide
up-to-the-minute information, news and interesting
articles that would be of interest to the readers of
DFMag and the visitors to the web site. If you do not
have the time to contribute a feature article, but would
like to write a piece for the web, contact
acquisitions@digitalforensics [Link]

ALPHABET SOUP
DIGITAL FORENSIC CERTIFICATIONS AND THEIR ROLE TOWARD PROFESSIONALISATION

Digital Forensic Examiners who are seasoned and new are facing the
question: should I become certified in digital forensics? Stepping
through why certifications are needed, this article will explore the
relationship between certifications and the profession. We will answer
the questions as to why there are so many certifications, what to look
for in a good certification and discuss the future of certifying
digital forensic professionals in the long term.
by Rob Lee

/ INTERMEDIATE

Everywhere around you, you can find a digital storage device within
arm's reach. We have "electronic attention deficit disorder": our
concentration being pulled from one device to another.
You use a mobile device to make your phone calls, send text messages,
post on Twitter, all while surfing the web. You use a computer to
communicate, pay bills, order groceries or even watch television. You
probably also use one or more of the following devices on a daily
basis: GPS, video game system, eReader, MP3 player, digital video
recorder and more.
For better or worse, our lives—our personal/private data—are recorded
on these devices moment-by-moment. As a result, we are seeing the rise
in crimes, civil litigation cases and computer security incidents that
exploit your data found on these devices. The amount of knowledge an
investigator must have to meet this challenge is immense. Certification
helps ensure that professionals have the knowledge needed to analyse
the variety of complex evidentiary sources.
Over the past 15 years, certifications have become the standard way all
computer professionals have accredited their skills. From the MCSE,
CCNA, CISSP, and A+ there is a certification for every professional and
skill. Digital forensics is no different. We have multiple
certifications in our industry as well. Some argue that it is difficult
to distinguish one from another, but each certification has its place
and many individuals hold multiple certifications. Not everyone who
performs digital forensics becomes certified. In fact, it looks as
though less than 25% of all digital forensic practitioners carry any
type of certification. This leads to an obvious question: why certify
at all?

/ Why certify at all?
Certifications are not intended to rate an individual's talent for
digital forensics. Certifications help ensure professionals pass the
minimal qualifications for someone in the field. Much like basic
training teaches you the basics to fight in combat, but hardly makes
you qualified for Special Forces in the military. For too many years,
professionals could simply claim they know the core tenets of digital
forensics without having to demonstrate that they have indeed mastered
that knowledge. Anyone off the street who uses a mouse can download a
program and then claim they are now a "subject matter expert", as they
have used computers since they were teenagers.
You cannot fly a plane without passing flight exams and screening. You
cannot drive a car without a road test and exam in most countries. Many
can drive a car without taking them, but exams are geared to show you
understand the basics of road safety and vehicle control. Digital
forensic certifications will set apart a true professional from the
untrained amateur. From doctors, to lawyers, to teachers, most
professions need to pass a qualification in order to practice their
profession. Due to the in-depth competency requirements of a digital
forensic specialist, a true professional will desire to show that they
have had their skills tested and accredited.

/ Professionalisation for Digital Forensics
Unfortunately, some form of digital forensic licensing will be
barrelling down on our profession faster than most think, for everyone
in both information security and computer forensics. There are proposed
bills in the U.S. Congress, as well as legislative actions that are
taking place in many states and countries around the world, that will
begin to regulate the digital forensic profession and ensure a common
standard that all must attain in order to perform their jobs. In many
countries, you need a license to cut hair¹, be a plumber² or to simply
babysit³. In addition, an alarming trend has developed in several
states regarding legislation of licensing of digital forensic
specialists as private investigators, without regard to digital
forensics qualifications.

Accredited and industry accepted digital forensic certifications are
needed as a counter to the grouping of digital forensics into fields
that might not be the best fit overall. The organisational efforts of
the Consortium of Digital Forensic Specialists (CDFS) are a part of
that solution, but the US wants educational/testable proof that
professionals accomplishing the job have undergone rigorous testing to
prove they are not snake oil salesmen.
For the profession overall to be recognised, certifications are needed.
There are many highly respected certifications that one can choose
from. Many professionals choose to become certified in more than one
certification.

/ Benefits of Professional Certification
There are many benefits to digital forensic certifications. They
provide employers and professionals a measurement by which everyone can
be judged.
Certifications even the playing field in court. Legal teams hire an
expert that has a list of impressive credentials. The jury/judge is
wowed with their notable education, number of years' experience and
adept scientific expertise. Law enforcement might have an expert that
does not have a PhD, only 5 years' experience and was never a
scientist. Even though the law enforcement analyst might have accurate
results, without a baseline to compare against, the defence expert will
simply look like they know more and refute the accurate analysis.
Accepted industry certifications will help expose those who have a lack
of expertise in the digital forensic field, even if their resumes might
point to the contrary.

/ Quick Facts of the Digital Forensic Profession
Three broad industries need qualified digital forensic expertise on a
daily basis:
1. Information Security Industry
2. Litigation Support Industry
3. Law Enforcement / Intelligence & Military Communities
Respectively, the industries' goals are unique:
1. Stop hackers and computer based attacks, and recover from data
breach incidents.
2. Win civil and criminal cases involving electronically stored
evidence.
3. Arrest and prosecute criminals / deter enemies.



/ FEATURE

/ Benefits of Certification
1. Expert Equalizer
2. Increased Demand for Certified Professionals
3. Professional Acceptance in Commercial and Government Organizations

Employers tend to hire individuals with certifications over those without. There are exceptions to this rule, but certification helps open doors to opportunities. Getting an MBA does not guarantee business acumen, but it will help win you an interview. Education, certification, and years of experience all add up in a hiring manager's mind. Trends over the years have shown that those with certifications tend to have an edge in being hired.

Certifications provide professional acceptance in commercial and government organizations. Legislators are looking to ensure the quality of forensic laboratories. With personnel certification, it becomes easier to ensure that labs and professionals can be held accountable for failing to meet standards of evidence processing and analysis.

/ Who certifies the certifiers?
To achieve professional acceptance, every digital forensic certification should have the goal of becoming accredited. While many certifications have not attained accreditation, they should make plans to accomplish this in the near future. Some of the accreditation options available would be the ANSI/ISO/IEC 17024 Personnel Certification program or the Forensic Specialties Accreditation Board (FSAB) certification program. These standards have been developed with the objective of achieving and promoting a globally accepted benchmark for bodies managing the certification of persons. The U.S. federal government, the certification industry and organised labour are increasingly recognising these standards.

Accreditation means that individuals must go to a testing centre to ensure the integrity of the exam. The exam itself and the test methodology must have their test mechanics measured and approved based on peer review and fairness. You cannot take the SAT, MCAT, or bar exam at home via the anonymous web. Like other standardised exams, digital forensic certifications should prove that their testing methodology ensures the integrity and fairness of the exam. Without personnel certification accreditation, certifications will not be worth the paper they are printed on.

/ The Path Toward One Certification
One certification will in all likelihood eventually emerge for the profession. However, if one certification is backed too soon, creativity and ingenuity will begin to languish at a time when they are needed most. Certifications need to continue to evolve, create better testing mechanisms, and push limits. Competition among the certifications will help accomplish that for the digital forensic community. Even though competition exists, all the certifications should understand that it is in the industry's best interest to cross-promote all certifications.

There are those who feel that too many certifications are diluting and hurting the profession. To the contrary, the digital forensic field needs competition among the certifying bodies to improve the testing methodology. An enterprise intrusion forensics professional needs different, but related, skills compared to an individual who performs traditional host-based digital forensics for potential litigation. A single certification will probably not be able to cover everything that is necessary. However, all the certifications should at least have a common base. This is where the CDFS will potentially help focus the certification market. CDFS will attempt to create a standard common body of knowledge that every certification should test, regardless of niche focus.

/ Consortium of Digital Forensic Specialists
The Consortium of Digital Forensic Specialists (CDFS) is a global alliance of organizations and individuals committed to advancing and professionalizing the practice of digital forensics.

Consortium Objectives
CDFS was founded on the core philosophies of consensus and inclusiveness. Together, the members of CDFS will:
• Develop minimum standards for digital forensic procedures.
• Develop minimum standards for digital forensic academic and training programs.
• Develop minimum standards for digital forensic certifications.
• Promote and develop an enforceable ethical framework for digital forensic practitioners.
• Promote the international cooperation of digital forensic practitioners.
• Advocate on behalf of digital forensic specialists.

CDFS is already involved with a diverse collection of individuals and organizations:
• Global Information Assurance Certification (GIAC)
• High Tech Crime Consortium (HTCC)
• High Technology Crime Investigation Association (HTCIA)
• International Association of Computer Investigative Specialists (IACIS)
• International Society of Forensic Computer Examiners (ISFCE)
• SANS Institute


The debate is not "Which certification?" The debate really focuses on "Should digital forensic professionals certify at all?" This is why many are adamant about pushing individuals to certify in a respected certification. Being certified will help you in your specific career in law enforcement, litigation support, or information security.

/ Get Certified!
Sitting on the sidelines is no longer an option. If you are not currently certified, choose a certification that matches your professional goals, and begin the process. The profession depends on individuals seeing a need to accredit their skills and increase the overall acceptance of the profession as a legitimate industry. /

/ Most Popular Digital Forensic Certifications

CCE – Certified Computer Examiner
Website: [Link]
Description: Accessible to candidates worldwide, the CCE has become widely accepted as a prerequisite certification for forensic examiners, recognized by industry professionals and academic institutions alike. The CCE aims to provide a fair, vendor-neutral, uncompromised process for certifying the competency of forensic computer examiners. The CCE also certifies computer forensic examiners solely based on their knowledge and practical examination skills and abilities as they relate to the practice of digital forensics.
Exam Type: Written and Practical Test

CFCE – Certified Forensic Computer Examiner
Website: [Link]
Description: The Certified Forensic Computer Examiner (CFCE) credential was the first certification demonstrating competency in computer forensics in relation to Windows-based computers. The CFCE training and certification is conducted by the International Association of Computer Investigative Specialists (IACIS), a non-profit, all-volunteer organization of current and former law enforcement members.
Exam Type: Mandatory course followed by Written and Practical Assessment

DFCB – Digital Forensics Certification Board
Website: [Link]
Description: The DFCP or DFCA designation is only available to Digital Evidence Professionals with a minimum of 5 years' experience related to digital evidence or digital forensics. Those seeking the DFCP must demonstrate two or more years of practical experience in the last 3 years. Those seeking the DFCA are not required to demonstrate practical experience over the last 3 years.
Exam Type: Planned Written and Practical Assessment

EnCE – EnCase Certified Examiner
Website: [Link] [Link]
Description: The EnCase Certified Examiner (EnCE) program certifies both public and private sector professionals in the use of Guidance Software's EnCase computer forensic software. EnCE certification acknowledges that professionals have mastered computer investigation methodology as well as the use of EnCase during complex computer examinations. Recognized by both the law enforcement and corporate communities as a symbol of in-depth computer forensics knowledge, EnCE certification illustrates that an investigator is a skilled computer examiner.
Exam Type: Planned Written and Practical Assessment

GCFA – GIAC Certified Forensic Analyst
Website: [Link]
Description: The GCFA certifies that the individual has the knowledge, skills, and abilities to utilize state-of-the-art forensic analysis techniques to solve complicated Windows- and Linux-based investigations. GCFA experts can articulate complex forensic concepts such as file system structures, enterprise acquisition, complex media analysis, and memory analysis. GCFAs are front-line investigators during computer intrusion breaches across the enterprise. They can help identify and secure compromised systems even if the adversary uses anti-forensic techniques. Using advanced techniques such as file system timeline analysis, registry analysis, and memory inspection, GCFAs are adept at finding unknown malware, rootkits, and data that the intruders thought had been eliminated from the system.
Exam Type: Written Assessment (Silver), Practical Assessment (Gold)

REFERENCES
[1] [Link]
[2] [Link]
[3] [Link] 35/[Link]&coll=7

/ Author Bio
Rob Lee is a Director for MANDIANT ([Link]), a leading provider of information security consulting services and software to Fortune 500 organizations and the U.S. Government. Rob is also the Curriculum Lead for Digital Forensic Training at the SANS Institute ([Link]). Rob has more than 13 years' experience in computer forensics, vulnerability and exploit discovery, intrusion detection/prevention, and incident response. Rob graduated from the U.S. Air Force Academy and served in the U.S. Air Force as a founding member of the 609th Information Warfare Squadron, the first U.S. military operational unit focused on Information Operations. Later, he was a member of the Air Force Office of Special Investigations where he conducted computer crime investigations, incident response, and computer forensics. Prior to joining MANDIANT, he worked directly with a variety of government agencies in the law enforcement, Dept. of Defense, and intelligence communities where he was the technical lead for a vulnerability discovery and exploit development team, lead for a cyber forensics branch, and led a computer forensic and security software development team. Rob also coauthored the bestselling book, Know Your Enemy, 2nd Edition. Rob earned his MBA from Georgetown University in Washington D.C. Finally, Rob was awarded the "Digital Forensic Examiner of the Year" from the Forensic 4Cast 2009 Awards.



/ FEATURE

CRIMINAL MINDS
MODUS OPERANDI AND SIGNATURES IN DIGITAL INVESTIGATIONS

This feature article proposes an instrument to interpret digital evidence through the employment of criminal profiling. As part of a study that emphasizes that human nature leads criminals to commit mistakes and leave cyber trails, this article focuses on the analysis of a computer criminal's modus operandi and signature aspects, suggesting to the reader that traditional investigative techniques can be translated to the digital investigation and effectively provide new ways to extract more from the digital evidence that we see every day.
by Lucas Donato

/ ENTRY

From shopping online to checking stock quotes in the comfort of our houses, technology is fully embedded in our lives. With this growing dependence, it is no surprise that we watch cyber crime rates rising in our society. Unfortunately, despite all the advances that technology offers to fight this phenomenon, the anonymity offered by computer networks (e.g., the Internet) still presents many obstacles. Obtaining an IP address or even a username is often useless when we face a public Internet cafe – without cameras or written records – or a workstation compromised by a backdoor or, still, the use of a pair of stolen credentials. Who is the criminal?

In this scenario it becomes essential to review our foundations and to revisit the literature and traditional methods of investigation, in order to allow us to extract more from digital evidence than a cold analysis of bits and bytes.

Crime has followed humanity since immemorial times [Innes]. Weapons, tools and techniques used to commit a crime evolve with time, so technology is just one more instrument in this process. Motivations, in turn, continue to be rooted in the human being. According to [Reik], the – imperfect – human being is confronted with interesting mental conflicts: to proclaim to the world that he was able to commit a crime or to protect himself from any punishment. This conflict, taking place in the deepest levels of our mind, manifests itself in the actions: the criminal will commit mistakes and leave traces. Always.

So, our first question is: is it possible to consider the aspects above in an attempt to get more from the interpretation of digital evidence? If our answer is "Yes, we should try", then a serious candidate that deserves our attention to support investigations is criminal profiling. In this article we will explain why. So, shall we try to apply what Agent Starling from Silence of the Lambs or Dr. Reid from the series Criminal Minds did to a computer crime scene?

/ A LITTLE BIT ABOUT CRIMINAL PROFILING
Being a scientific discipline that has been employed in traditional criminal investigation since the end of the XIX Century [Innes], criminal profiling consists of the identification and


examination of criminal evidence in order to elaborate a profile of the person (or persons) responsible for a crime [Turvey]. Features like personality traits, physical characteristics, habits and activities are included in this set of characteristics. The proposal of criminal profiling is straightforward: to support the investigation, allowing [Douglas02] the reduction of the pool of suspects, the correlation of the crime's apparent distinctions and the definition of a strategy for interviews. It is essential that we do not rely solely on criminal profiling in an investigation; it is designed to be a support activity. Also, please try to resist and don't point a finger into the middle of a crowd and say, "you're guilty!" It does not work that way.

According to [Blau], in a review of 193 cases where criminal profiling was applied as a support activity, investigators claimed that in 77% of the cases studied it had been of significant assistance to the investigation. It is very interesting to see if we could get the same results for Computer Criminal Profiling. In order to make the most of the advantages of criminal profiling, we will use the same approach used by most profilers: a hybrid one, consisting of a combination of the deductive line (strong emphasis on the collection and analysis of evidence and the construction of a unique profile for the given case) and the inductive line (strong emphasis on statistics derived from a database of known crimes, allowing the inference of personality traits of the criminal) [Turvey, Rogers01].

/ INITIATING THE PROCESS: TRANSLATING CONCEPTS TO THE COMPUTER HACKING SCENE...
Based on the standard approach, our process to use criminal profiling in digital investigations, and specifically in this article in computer hacking crimes, will start by proposing a translation of key questions regarding general aspects of a crime [Donato01, Rogers02]. These questions have been applied in traditional crime investigations for a long time. We will need to adjust them in order to help us at a digital crime scene.

WHAT? Like in a traditional crime investigation, it is reasonable that this is also the first question to be answered here. What happened? What type of attack was realized? What is the scope, depth and damage? Also, what did not happen? Eliminate false positives! They seem to be simple questions, but if you don't ask them at the beginning of the investigation and don't re-evaluate them during the investigation, you can develop an investigation following the wrong track.

WHEN? After identifying what happened, we ask: when did the events related to the attack take place? We need to see everything from the events that motivated the attack, passing through the phase of first contacts and footprinting, until the last actions. The intrusion is only one detail among many. Try to develop a complete timeline. Do not forget to learn the context to which the target belongs (e.g., a defaced website of a company that was going through a period of dismissals). Through searching for public information and interviewing key people related to the victim, you can obtain very valuable information. Technical analyses, in turn, can be concentrated on log entries, timestamps of files, and information stored in related systems (IDS, firewalls…). Care must be taken with regard to any time or time zone discrepancy among systems!

WHERE? We have more than one angle to analyze: the environment where the target was located and the environment from where the attack was launched. First angle: what is the physical location of the victim? What company does it belong to? What department? What is its logical location? Where was it located, inside an IP range? Second angle: was this attack launched from inside the corporate network or from an external environment (e.g., the Internet)? Was this system a specific target of the attack or was it just a victim of an attack that targeted an IP address range? These answers will influence the resolution of the motive.

HOW? To investigate the Modus Operandi of a criminal is one of the keys to elaborating his profile. According to the equation of [Douglas01], HOW + WHY = WHO. Therefore we will delve deeper into Modus Operandi in this article, since the technical analysis is strongly based on this point.

WHY? The other piece of the puzzle. Try to resist and don't go straight into analyzing log files. Just ask: why? Why did this happen? Is there a clear reason? Was the intention to harm someone? Was the intention to benefit anybody? Was this target offering something valuable to someone? If these questions are answered early, the investigation will evolve significantly.

TO WHOM? What system was attacked? If somebody were harmed, who would that person (or group of people) be? Did this attack target a person, a company or just the technology? Victimology needs to consider these different possibilities (person vs. machine) [Donato02]! Was this target a specific one or was it randomly chosen (e.g., a mass attack)?

WHO DID NOT? It's no different in the virtual world. Like a wife who messes up her house to simulate a robbery with death instead of a homicide, "staging" can be present in digital crime scenes too.

After understanding these key concepts, we can now go deeper into our analysis. As curious people, we can't wait to know how we can identify the main elements in a psychological analysis of a crime scene that could allow us to, effectively, build a profile and support our investigation. According to the extensive literature (e.g., Douglas), the answer is: in the analysis of the Modus Operandi and Signature of a criminal.



Table 1. Vulnerability identification features and what they can indicate

Feature: Port Range
• A scan launched against a full port range (0-65535) rather than against only a few ports can be an indicator that the attacker is more concerned with finding enough vulnerabilities than with being detected.
• The selection of very specific ports to scan can be an indicator that the attacker already knows the target or, at least, the technology used.

Feature: Time between probes
• Large time intervals between two probes, rather than a very aggressive scan, can be an indicator that the attacker is cautious and interested in not being detected.

Feature: Selection of Tests
• The selection of a few vulnerability tests (e.g., Nessus plug-ins) can be an indicator that:
  • the attacker is cautious and does not want to be detected;
  • the attacker previously discovered what ports are open on the target;
  • the attacker has previous knowledge about what services are running (open ports) on the target.
• On the other hand, a full selection of vulnerability tests is a significantly slower exercise. While the chances of detecting additional vulnerabilities are higher, the chances of being detected are higher too.

/ MODUS OPERANDI
Modus Operandi (M.O.), a Latin expression that means "method of operation", serves to guarantee the correct execution of all the activities needed to commit a crime and to permit the safe escape of the offender. It consists of several different actions, like the way that a criminal bypasses defences, penetrates a house, immobilizes his victim and kills them [Innes]. As a set of practical steps, M.O. is a method that is learned and evolves with time, being based on previous experiences.

We will see M.O. in a computer hacking crime scene in the way that an attacker chooses, recognizes and exploits his target (just to name a few steps – there are even more), beginning with the first steps of footprinting and ending in how he cleans his traces when leaving a system. To perform these actions, we know that he employs distinct tools and techniques. Fortunately, it is exactly from this kind of choice, and from how the tools are employed, that it will be possible to obtain some information about the offender.

To do that, we first need to organize all the actions that an offender can take in our case, as proposed below, as attack phases:

• The process to choose a target
• Target's public information gathering (footprinting)
• Target recognition and fingerprinting
• Vulnerability identification
• Vulnerability exploitation
• Privilege escalation
• Actions with the target
• Access maintenance
• Traces removal

Note that not all of these phases are mandatory. Some attackers go straight in and employ a mass router tool to try to compromise as many hosts as possible. Others, in turn, will dedicate effort and time to plan every step of their action, with a very specific objective, against a very specific victim.

Of course, we cannot detail all these phases in this short article. But to point out some advantages of this approach, we can discuss a very interesting phase, called here "Vulnerability Identification". In this context, unless the attacker is already aware of a specific and useful vulnerability on the target, in most cases the vulnerability identification phase will be the second step of an attack (after the choice of a target) or, in well-elaborated scenarios, it will be the phase following the fingerprinting/target recognition. Although this phase can employ tasks like service enumeration (port scanning) and fingerprinting,

After open ports are identified, the attacker will want to know what services are vulnerable. There are plenty of tools to do that (e.g., Nessus, Retina, N-Stalker, Acunetix). While doing the vulnerability scanning, these tools will leave traces as network/service requests (which can be observed through system logs, IDS, network traffic analysis…). Do you remember that identifying tools and techniques is essential to comprehend the M.O. of the offender? Great. So each tool has some features that can be distinctive, and those features can now be used to identify it, as in the enumeration below:

/ Case Study: A Web Defacement
A company had its main website defaced. An analysis of the content of the new web page revealed feelings of anger against the company owners. An initial investigation identified that the company was going through a period of dismissals and the message seemed to be related to this [increasing the chances that our offender was an employee, an ex-employee or somebody close to them]. A signature (nickname) was found at the end of the message [of the same type used in some underground circles]. The analysis of the exploit used, a local and outdated exploit [limited access to resources, or the attacker chose the easiest way to attack], showed that the attacker had enough knowledge of programming to modify the tool to allow it to work properly [technical knowledge in programming]. The command history (not deleted) [lack of caution and knowledge] showed a subject who was exploring directories as if it were his first time logged into the system [the attacker is likely new on that system or he was staging]. Some log entries were not erased [lack of caution, lowering the chances of staging] although a machine was used as a bridge [minimum of caution]. The first steps of the attack (e.g., port scanning) were identified and had been conducted three days before the attack [the attack was planned; the motivation had begun at least three days earlier than the attack], from the attacker's original workstation [lack of caution, again]. This machine had a single user account, shared among three users. One of these users fit the profile and a correct interrogation strategy led him to confess the crime.


• The set of directories and files searched on the target
• The user-agent (although this information can be altered)
• Strings sent to test input validation flaws
• The capacity to conduct parallel scans
• The capacity to test a specific vulnerability (e.g., only vulnerability scanner "ABC" is currently able to test CVE-2010-XXXX)
• The capacity to cause a DoS or code execution on the target
• Names of files created while testing permissions or upload functions on the target (e.g., "[Link]")
• The set of user accounts tested in password cracking (brute force or dictionary)

some behavioural aspects of signatures can be present in computer hacking crimes

After identifying what tools were used, we can go further. The choice of tools and the way they are used can tell us about the offender. According to [Parker], tools can be grouped following some metrics. One of them is availability. There are tools freely obtained through the Internet. Others, in turn, cost thousands of dollars and are available in a restricted manner. Finally, there are tools that are distributed only in closed circles. Ease of use can also be mentioned. While some tools are easy to use (e.g., point-and-click tools), others will demand a minimum of knowledge (e.g., in computer networks, databases, programming…). Identifying these prerequisites is useful to restrict the pool of suspects. Although we can see a script kiddie launching a mass router tool, we will rarely see him trying advanced manual SQL injections or cross-user defacements.

But besides these metrics, our analysis can focus on how the attacker employs a tool. For the vulnerability identification phase, Table 1 enumerates some interesting points.

While identifying different techniques and tools, it is fundamental to differentiate where an automated tool generated a trace and where it was generated by manual interaction. The example below shows excerpts of a log file where we can see both cases.

An automated inspection of a web server, using the Nikto Web Server Scanner:

[Link] - - [28/Jun/[Link] +0000] "HEAD / HTTP/1.1" 200 -
[Link] - - [28/Jun/[Link] +0000] "HEAD / HTTP/1.0" 200 -
[Link] - - [28/Jun/[Link] +0000] "GET / HTTP/1.0" 200 44
[Link] - - [28/Jun/[Link] +0000] "GET /[Link]/ HTTP/1.0" 404 206
[Link] - - [28/Jun/[Link] +0000] "GET /webcgi/ HTTP/1.0" 404 205
[Link] - - [28/Jun/[Link] +0000] "GET /cgi-914/ HTTP/1.0" 404 206
[Link] - - [28/Jun/[Link] +0000] "GET /cgi-915/ HTTP/1.0" 404 206
[Link] - - [28/Jun/[Link] +0000] "GET /bin/ HTTP/1.0" 404 202
[Link] - - [28/Jun/[Link] +0000] "GET /cgi/ HTTP/1.0" 404 202
[Link] - - [28/Jun/[Link] +0000] "GET /mpcgi/ HTTP/1.0" 404 204
[Link] - - [28/Jun/[Link] +0000] "GET /cgi-bin/ HTTP/1.0" 403 210
[Link] - - [28/Jun/[Link] +0000] "GET /ows-bin/ HTTP/1.0" 404 206
[Link] - - [28/Jun/[Link] +0000] "GET /cgi-sys/ HTTP/1.0" 404 206

A manual inspection of the same target:

[Link] - - [28/Jun/[Link] +0000] "GET /[Link] HTTP/1.1" 200 1994
[Link] - - [28/Jun/[Link] +0000] "GET /cgi-bin/ HTTP/1.1" 403 210
[Link] - - [28/Jun/[Link] +0000] "GET /bin/ HTTP/1.1" 404 202

Some features that can help us in this task are the interval between probes and the probes per se. Although useful, the difference between manual and automated interactions is still a challenge.
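The excerpts above and the "time between probes" row of Table 1 both come down to measurable traits of a request stream: how closely spaced the probes are, how many of them hit paths that do not exist, how many distinct paths are tried, and which HTTP version the client speaks. The following Python script, added here and not the article's own code, computes those traits per source address over a web server access log and turns them into a verdict. The log lines are constructed in the Apache/NCSA common log format using RFC 5737 documentation addresses, and the thresholds (a 2-second median gap, at least 5 requests, a 404 ratio of 0.5) are assumed values chosen for illustration, not published figures. It goes one step beyond the page's two excerpts by also recognising the slow, spaced-out probe that Table 1 associates with a cautious attacker, which a gap threshold alone would misread as manual browsing.

```python
"""Telling scanner bursts from manual browsing in a web server access log.
Added example for this article, not the author's code; log lines constructed,
thresholds assumed for illustration."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one fast scanner, one person browsing, one slow probe,
# plus a malformed line that the parser must skip rather than crash on.
SAMPLE_LOG = """\
192.0.2.77 - - [28/Jun/2010:20:11:02 +0000] "HEAD / HTTP/1.0" 200 -
192.0.2.77 - - [28/Jun/2010:20:11:02 +0000] "GET / HTTP/1.0" 200 44
192.0.2.77 - - [28/Jun/2010:20:11:03 +0000] "GET /cgi-bin/ HTTP/1.0" 403 210
192.0.2.77 - - [28/Jun/2010:20:11:03 +0000] "GET /webcgi/ HTTP/1.0" 404 205
192.0.2.77 - - [28/Jun/2010:20:11:03 +0000] "GET /cgi-914/ HTTP/1.0" 404 206
192.0.2.77 - - [28/Jun/2010:20:11:04 +0000] "GET /bin/ HTTP/1.0" 404 202
192.0.2.77 - - [28/Jun/2010:20:11:04 +0000] "GET /mpcgi/ HTTP/1.0" 404 204
192.0.2.77 - - [28/Jun/2010:20:11:05 +0000] "GET /ows-bin/ HTTP/1.0" 404 206
198.51.100.23 - - [28/Jun/2010:20:30:11 +0000] "GET /index.html HTTP/1.1" 200 1994
198.51.100.23 - - [28/Jun/2010:20:31:47 +0000] "GET /cgi-bin/ HTTP/1.1" 403 210
198.51.100.23 - - [28/Jun/2010:20:34:05 +0000] "GET /bin/ HTTP/1.1" 404 202
203.0.113.9 - - [28/Jun/2010:21:00:00 +0000] "GET /cgi/ HTTP/1.0" 404 202
203.0.113.9 - - [28/Jun/2010:21:10:00 +0000] "GET /cgi-sys/ HTTP/1.0" 404 206
203.0.113.9 - - [28/Jun/2010:21:20:00 +0000] "GET /webcgi/ HTTP/1.0" 404 205
203.0.113.9 - - [28/Jun/2010:21:30:00 +0000] "GET /cgi-bin/ HTTP/1.0" 403 210
203.0.113.9 - - [28/Jun/2010:21:40:00 +0000] "GET /mpcgi/ HTTP/1.0" 404 204
203.0.113.9 - - [28/Jun/2010:21:50:00 +0000] "GET /bin/ HTTP/1.0" 404 202
this line is deliberately malformed and must be skipped
"""

# Common log format: host ident authuser [date] "method path HTTP/ver" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) HTTP/(?P<ver>[\d.]+)" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Return a dict for a well-formed common-log line, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def profile_sources(log_text, burst_gap_s=2.0, min_requests=5, min_404_ratio=0.5):
    """Per source address: request count, median gap between probes, 404 ratio,
    distinct paths, share of HTTP/1.0 requests, and a verdict built from them."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    report = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        median_gap = sorted(gaps)[len(gaps) // 2] if gaps else None
        not_found = sum(r["status"] == 404 for r in recs) / len(recs)
        http10 = sum(r["ver"] == "1.0" for r in recs) / len(recs)
        # Many requests, mostly to paths that do not exist, is the probe pattern;
        # the gap between them then separates the noisy scan from the cautious one.
        probing = len(recs) >= min_requests and not_found >= min_404_ratio
        if not probing:
            verdict = "manual-like"
        elif median_gap <= burst_gap_s:
            verdict = "automated-burst"
        else:
            verdict = "slow-probe"  # same probe pattern, spaced out (Table 1: cautious)
        report[ip] = {
            "requests": len(recs),
            "median_gap_s": median_gap,
            "not_found_ratio": round(not_found, 3),
            "distinct_paths": len({r["path"] for r in recs}),
            "http10_ratio": round(http10, 3),
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for ip, metrics in profile_sources(SAMPLE_LOG).items():
        print(ip, metrics)
```

The metrics, not the verdict, are the evidence: the verdict only flags which sources deserve a closer look, and the article's own caveat stands, since a person working from a list of CGI directories, or a scanner configured with long delays, will blur the line. Keeping the raw numbers in the report lets the analyst weigh them against the rest of the timeline instead of trusting a label.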

/ SIGNATURES
After understanding the role played by M.O. in our analysis and what its limitations are, we need to address Signature aspects. A signature is a more individual manifestation of the criminal [Douglas02]. While the method to commit a crime is practical and evolves with time, a signature is a behaviour that seems to be consistent and is directed to satisfy a necessity that tends to be unique to the offender (e.g., a psychological need), being even unnoticed by him in some cases. Signatures are not necessary to commit a crime, in practical terms, but they tend to be very linked with what drives him [Reik]. An example is the way that a murderer mutilates his victim after death. The study of Signatures is essential when we are dealing with multiple victims (e.g., murder victims in a traditional crime; multiple websites in a mass defacement attack). It is clear that a mass defacement can occur – in technical terms – without the use of a signature (e.g., a nickname written on the page). As we understand that motivations in a computer hacking crime find their expression like in traditional crimes, it is



/ Manual or Automated?
As pointed out by [Casey], one of the challenges that the application of criminal profiling faces in a digital investigation is the level of automation offered by many attacking tools. Currently, almost all the steps of a computer intrusion can be automated: service enumeration, vulnerability exploitation, trace removal and so on. Because of that, the use of these automated tools allows different intruders to leave very similar traces on the compromised systems, making it difficult to establish profiles that could differentiate one computer criminal from another. To be clear, we can synthesize the doubts that we have about this issue in the following list:

• Was this attack based mainly on automated tasks performed by a tool (or tools) or was it based mainly on manual attack techniques?
• In which steps could a tool have automated tasks in this attack?
• In the case of automated attacks with similar traces, were they launched by a single person or by distinct people?

The more automated an attack is, the smaller the surface of manual actions will be. And it is on this surface that we can extract rich psychological evidence. For instance, analyses of system logs and command history can show manual actions conducted by a cyber criminal. And these actions can reveal features like:

Caution: The offender tries to keep traces to a minimum. He tries not to execute any process that would overload resources, generate noise or warn of his presence on the system. Also, he would try to spend the minimum time logged on the system.

leaves traces. Our challenge is to identify how these traces can be represented in the digital world, once a human being commits the computer hacking crime. This article proposes that Modus Operandi and Signature aspects are some of the richest sources of information to conduct a digital investigation supported by criminal profiling.

Although many of the translations presented in this article are hypotheses that are going through experiments intended to disprove them – as the scientific method rules – it seems reasonable to consider the application of criminal profiling, given the successful results presented in the resolution of traditional crimes.

Finally, there are a lot of challenges to be faced in this research: the automation of attacking tools, the possibility of staging… and so on. They are the objective of further work. /

References
Blau, T.H. Psychological Services for Law Enforcement. New York: John Wiley, 1994.
Casey, E. "Criminal Profiling, Computers, and the Internet." Journal of Behavioral Profiling, May 2000, Vol. 1, No. 2.
Donato, L. 'Uma Metodologia de Forense Computacional Apoiada por Profiling Psicológico', Undergraduate Thesis, Federal University of Pelotas, 2004.
Donato, L. 'An Introduction to How Criminal Profiling Could Be Used
Previous knowledge of that specific target: The attacker as a Support for Computer Hacking Investigations’, Journal of Digital
already had logged on that system before. The attacker knows
the directory structure and names of specific applications, Forensic Practice, 2:4, 183 — 195, 2008.
directories or files. Douglas, J.E., Ressler, R.K., Burgess, A.W., & Hartman, C.R. Criminal
Previous knowledge of that specific technology: The attacker profiling from crime scene analysis. Behavioral Sciences and the Law,
shows familiarity with system commands and common paths 4: 401-421, 1986.
of that kind of system or service.
The current challenge offered by this level of automation will Douglas, J., and Olshaker, M. MindHunter: Inside the FBI’s Elite Serial
require further works to be better distinguishable. Crime Unit. New York: Scribner, 1996.
Innes, B. Profile of a Criminal Mind: How Psychological Profiling
Helps Solve True Crimes. Pleasantville, NY: Reader’s Digest, 2003.
expected that some behavioural aspects of signatures can Parker, T., Devost, M.G., Sachs, M., Shaw, E., Stroz, E. Cyber
be present in computer hacking crimes. Here, we propose Adversary Characterization—Auditing the Hacker Mind. Rockland:
the following elements to be considered as some signatures Syngress Publishing, 2004.
aspects, as they seem to be not related with M.O and are not Reik, T. The Unknown Murderer. New York: Prentice-Hall, 1945.
necessary to commit the crime: Rogers, M. “The Role of Criminal Profiling in the Computer Forensics
Process.” Computers & Security 22, no. 4 (2003): 292–298.
• The usage of nicknames in defacements Rogers, M. “The Psychology of Computer Deviance: How It Can Assist
• Messages left to a sysadmin in Digital Evidence Analysis.” Disponível em [Link]
• Comments and syntax inside the programming code of a tool [Link]/assets/video/secsem/secsem_20061206.mp4
used in the attack (useful to help identify virus authors) Turvey, B. Criminal Profiling: An Introduction to Behavioral Evidence
• Unnecessary alterations of integrity in the victim (e.g., removal Analysis. 3rd ed. San Diego: Elsevier Science, 2008.
or alteration of arbitrary files in a compromised server)

While M.O. will be linked with the HOW in Douglas’ equation / Author Bio
[Douglas01], Signature – as it is more intimately related with Lucas Donato, BS in Computer Science,
the criminal – will be linked with the WHO. CISSP, is a Senior Information Security
Analyst and Project Leader of Sicredi,
one of the biggest Brazilian financial
/ CONCLUSIONS institutions. He has extensive experience
This article tried to address a possible gap in the current digital as senior consultant in risk analysis,
investigation, by offering a proposal to translate criminal vulnerability assessments, penetration
testing and digital investigations, participating in projects
profiling concepts to computer hacking investigations. in more than dozen different sectors, like Finance, Energy,
It seems to be clear that human nature plays a significant Government, Gas and Oil and others (including Fortune 500).
role in the execution of a crime, including how the criminal

67

DF5_63-67_Criminal [Link] 67 28/10/10 [Link]


Digital ForensicS / magazine

BACK ISSUES

Issue 1, November 2009
/ Anatomy of a Web Request
/ Data Erasure – Fact or Fiction?
/ Forensic Examination of a Computer System
/ Backup Tape Forensics is Here to Stay
/ Brief Introduction to Counter-Forensics
/ Expert Witness Reporting
/ Impact of Federal Rules
/ The Diary of a PDF Book
/ The Fourth Amendment

Issue 2, February 2010
/ Android Forensics
/ Counter-Forensic Techniques
/ Introduction to Forensics
/ Who Needs Cofee?
/ Forensics Modelling
/ Data Retention Act
/ Faraday Bag Test
/ Mobile Phone Practitioner
/ Data Integrity
/ Forensic Evidence Collection
/ Introduction to Steganography

Issue 3, May 2010
/ Interpreting Email Headers
/ Proactive Computer Forensics
/ The Facebook Murder
/ A Digital Forensics Lab by any other Name
/ Dissecting Malicious Malware
/ Modelling for Operational Forensics
/ It’s Not About Prevention
/ Time for Forensics

Issue 4, August 2010
/ Preservation of Evidence
/ You’ve Been Framed
/ Psychosocial Forensics
/ Digital Forensics in Law Enforcement
/ iPhone Forensics
/ Exclusive Interview

ORDER ONLINE
[Link]


/ FEATURE

OF SHEEP & HEAP

We are sheep to the heap. That’s right sheeple, we place much faith in the
operating system, and consequentially become mere sheep to the heap
by Matthew Davis
/ ADVANCED

In other words, the dynamic memory allocated during an
application’s runtime is, as is often the case, internally
maintained as a combination of the memory allocator used
(glibc’s malloc, jemalloc [4], etc.) and the operating system.
However, the developer is still responsible for managing the
chunk of memory returned from this OS+allocator combination.
Heap analysis comes as an aid to forensic binary analysis,
which can aid in the detection of heap attacks. Attacks such as
heap overflows or heap sprays provide a vector for exploiting an
application and compromising the system running the binary. The
aforementioned are not the purpose of this stroll down the good
‘ole lane of “dynamic” memory, but be for certain the good ‘ole
Wikipedia can provide a much cleaner explanation of heap
overflows and sprays than this s
heep can provide.
This article discusses a relatively simple way of analysing a
binary’s heap at runtime, without even having the source code
to that executable. Likewise, this executing binary can also
be inspected without having to manipulate the binary in any
specific way.

/ Mr. Heap I Presume? Or Shall I Call You Dr. Dynamic Memory?
During an application’s lifetime, it is often necessary for the
application to make a request to the operating system for
memory. The size of memory the application needs is not
always known when the application is being written, thus it is
not known at compile-time, rather it is only known at runtime.
This request for memory is dynamic, as its size might vary,
based on other factors that change during runtime, such
as user input. When the application needs such dynamic
memory, it makes a request to a memory allocator, such as
malloc(). Such an allocator manages the locations and sizes of
memory that are returned to the application. One of the goals
of such a memory allocator is to maintain adequate system
performance of the underlying operating system.
When the application makes a memory request of a certain
size, the returned region (chunk) of heap memory is to be at

least the size requested by the user/application. The allocator
takes note of the memory it is pimping out, and makes sure
not to divest that same chunk of memory to other pieces of
the application, unless that chunk has been previously freed
by the application. By managing the chunks of memory it
gives out, a memory allocator can reduce system memory
fragmentation and increase performance, as returning
memory segments closer together can reduce paging of the
operating system. Such paging can decrease the system
performance, since having the operating system reach out to
disk for a chunk of memory that is not available in RAM can
require many cycles of CPU time. It is much more efficient to
return memory that is close together and not necessarily out
on Planet Disk. So, with that said, it is useful for an efficient
memory allocator to manage the chunks it spits out to be
spatially close together, or even contiguous. And where does
Mr. Memory Allocator obtain the chunks of memory to manage
and spit out to the user application? He gets it from his John,
aka the operating system. A system call, such as ‘brk’ and
‘sbrk’ in the GNU/Linux world, can increase a process’ heap
size. Often, the headache of efficiently managing the heap
is left to the memory allocator, thus the application is only
responsible for what data it puts in that memory. Also, the
application is responsible for releasing the memory back to
the allocator when that memory chunk is no longer needed.
If the memory is improperly managed by the application,
such as not freeing the chunks when they are no longer
needed, memory leaks can arise, thus draining the system
of resources. To summarise, the allocator manages the giant
heap of memory that the operating system allows the process
to have, and the application uses the chunks from the region
that is distributed by the memory allocator. Thus, the allocator
and application are both “sheep” to the operating system.
More often, the application is sheep to the memory allocator
used. The size of the runtime executable grows based on the
heap. The heap is dynamic, meaning it grows in size based
on the memory that the application requests. By utilising
the brk() and sbrk() routines the binary’s runtime image can
increase (or decrease) in size to make room for more dynamic
memory that the application can use.

With that said, the user can write their own memory
allocator, and call ‘brk’ or ‘sbrk’ to talk with the operating
system, in an effort to modify the heap size and get values
from that region. However, it is probably easier and safer
to use a memory allocator that’s tried-and-true. Other
techniques, such as C++ and its ‘placement new’ syntax, can
be used to allocate memory from a certain portion of the heap
or stack. Placement new allows a memory area to be specified
when ‘new’ is called. The memory returned from that call is
returned from the application specified region. The following
example illustrates such a concept (remember to #include
<new> for this alternate ‘new’ syntax):

    char foo[757];
    Object *obj_pointer = new(foo) Object;

This example creates an Object instance using the memory
from the character array foo. Such functionality can be
desired if, for instance, the application needs memory placed
at a specific location, as is often the case in the embedded
computing world [1].

/ Turn Your Head and Cough
With a quick one-two of the allocation process mentioned,
let us suppose we want to analyse how an allocator is using
memory at runtime. Where are the chunks of memory coming
from, and are the returned addresses of those memory
chunks suggesting that the system is becoming fragmented?
Therefore, a quick trick to observe the heap and allow a user
to analyse it follows.
We can analyse the heap of a process in a GNU/Linux
based system, even though we might not have the source
code of the binary that is being executed. Further, we might
not want to manipulate the binary in any fashion, as that
might either bork the binary (screw it up), or it might hint
to someone who checksums/hashes all their binaries that
something has been changed. Alternatively, the analysis
of an unmodified application might be desired, thus the
following approach can be taken. Since one must run the
application to obtain the analysis from the method discussed
below, the application will then be running at the executing
user’s permission level. Therefore, this is not necessarily an
immediate security flaw.
To analyse runtime heap data of an application using a
malloc system call and a corresponding free call (signalling
to the memory allocator that the application has finished
using the previously malloc’d chunk of data) we instrument a
wrapper to malloc and free. This method will only work with
applications that use malloc and free, and not necessarily
a C++ application that uses the respective ‘new’ and
‘delete’ calls.
The wrapper approach can also be used to wrap the malloc
and free calls from other allocators aside from the one studied
here (glibc’s malloc, aka ptmalloc2). It is important to mention
that certain applications can use alternative allocators, such
as jemalloc, by including their respective libraries at link time,
and thus overriding the system’s default malloc. The result
is an ambiguous call to malloc and free in the source code
that can be swapped with whatever malloc implementation is
desired, given the calls have the same malloc/free prototype
and identical routine names. This is a good trick if one is
writing their own memory allocator and needs a way of testing
the allocator in a real-world application. The linking phase of
the application’s build process resolves which


malloc implementation to use. In our case, since we are just
wrapping whatever malloc/free the application is using, we
might be wrapping a glibc malloc, or possibly some other
implementation, such as jemalloc.

/ Jimmy Cap
To instrument such a malloc/free/calloc/realloc or some other
routine wrapper, the key is to match the routine name so that
the binary linker can match it to the function symbol. In our
case malloc and free can be written as:

    void *malloc(size_t size);
    void free(void *data);

For brevity, we will only look at malloc, which we can wrap and
then output useful information to aid our heap analysis goal:

    #define _GNU_SOURCE   /* must precede the includes so RTLD_NEXT is exposed */
    #include <stdio.h>
    #include <stdlib.h>
    #include <dlfcn.h>    /* dlsym() and RTLD_NEXT */

    void *malloc(size_t size)
    {
        void *data_chunk;
        void *(*real_malloc)(size_t);

        /* Call the next malloc implementation, presumably the one that
         * is to perform the real allocation work.
         */
        real_malloc = dlsym(RTLD_NEXT, "malloc");
        data_chunk = real_malloc(size);
        /* stderr is unbuffered, so this call does not allocate a stdio
         * buffer and re-enter the wrapper; %zu is the size_t format. */
        fprintf(stderr, "Allocated %zu bytes starting at address %p\n",
                size, data_chunk);
        return data_chunk;
    }

To obtain the true memory allocator that the application
is using, we must find it. The dynamic linker can be called
to search the binary’s symbol table to find the true memory
allocator, merely specified by just the routine name, in our
case “malloc.” The symbol should have a matching prototype
we plan to call: ‘void *real_malloc(size_t).’ The function pointer
we define, ‘real_malloc,’ points to what the dlsym call returns,
thanks to the effort of the linker. So, if we pass the returned
function pointer improper arguments, we get unspecified
behaviour, and that can create nasty situations, like the
application producing a segmentation fault. Also note that the
‘RTLD_NEXT’ argument in the wrapper is a GNU extension,
thus the dynamic linker should be GNU’s implementation.
It should be mentioned that not all languages expose
memory allocation; consider Haskell or Java, which
automatically handle memory allocation. In other words, the
programmer never has to make use of a “malloc” routine. The
application could also be written to never even utilise such
routines, possibly only using stack memory and avoiding
dynamic/heap memory altogether.
The example above should be compiled as a shared library
and linked with ‘-ldl’ to get the dlsym call. Likewise, the macro
‘_GNU_SOURCE’ should be defined and appear before the
necessary includes of “features.h” and “dlsym.h” in our
wrapper’s source. This macro allows the “dlsym.h” header to
provide the ‘RTLD_NEXT’ macro that we use in our wrapper.
Once compiled, the application that is to bend over for analysis
needs to have its malloc routine call our wrapper. In turn, our
malloc wrapper then calls the true malloc without getting into
an infinite loop. To have our malloc be called first we must tell
the GNU dynamic linker to use our implementation first, before
any other implementation. To accomplish this short-circuit
concept, we use the ‘LD_PRELOAD’ environment variable. This
variable should be set to point to the compiled wrapper. Note
that by setting the aforementioned variable in the shell, any
calls from that shell will try to wrap all mallocs in binaries
started from that environment, even if one were to perform an
‘ls’ call. As an alternative to setting ‘LD_PRELOAD’ in the shell,
we can load it just for the application, by specifying it right
before we execute the application:

    user@host> LD_PRELOAD=/path/to/[Link] ./analyse_me_binary

Now, there is nothing revolutionary about this wrapping
method, and it’s probably commonly used. I learned this trick
from a stackoverfl[Link] [2] post, and the code is similar, if
not nearly identical to the post there.
Also note that the GNU linker ‘ld’ has the ability to wrap
calls at link-time via the ‘--wrap’ argument [3]. With that said,
let us take our heap examination concepts a tad further.
Another possible application of this trick would be for
forensic data analysis. Consider that one might be interested
in how an application fills the requested memory chunks.
Heck, who wouldn’t want to know what the application is
stuffing into those regions? Commonly, the data will just be
data structures used internally by the program and contain
little information. However, certain programmers of malware
implement their own data structures. Thus, in theory,
this technique could be used to help identify writers of
software. Likewise, possibly the data being allocated might
be for a string, which might be used to store your mother’s
maiden name, or a password. The latter concept can simply
be accomplished by periodically inspecting the data in the
chunks of memory that the application requested. Since
our wrapper catches the allocation and size, we can keep
track of those chunks to see what the application tosses
in. While one might not know the format of the data, there


are other analysis techniques for determining such. The
field of forensic analysis is concerned with just such a
concept. Essentially, the feds, err whomever, try to determine
what the unknown data might be. Strings of text might
be easy to decipher, but there are other techniques that
such analysis can provide, which might aid in figuring out
what the unknown data really represents. Consider the
work of analysing binary data visually, which tries to make
sense of unknown information by visually representing the
“intercepted” data [7].

/ Glibc Malloc
The glibc 2.7 malloc implementation is that of efforts from
Doug Lea and Wolfram Gloger [5]. This brings us to the
interesting question: how does the memory allocator keep
track of the heap memory it distributes? In the ptmalloc2
case, when the application requests memory from malloc,
the malloc routine actually looks for blocks of data in its pool
or bins. As long as the memory it returns is of the requested
size, it does not necessarily matter how big of a chunk is
distributed. In essence, this distributing of fixed-sized chunks
aids in reducing memory fragmentation. By not merely
returning the requested size, but that of a predefined-size
chunk, system performance can be preserved if not increased.
Consider that it is probably easier to replace or locate free
chunks of fixed sizes via a nicely maintained heap rather than
one riddled by holes of non-deterministic sizes.
To aid this maintenance, the chunks returned by ptmalloc2
actually have an attached header and footer. The header
specifies the true size of the returned chunk, and not just
the user requested size. The header also uses the first seven
bits of the size field to encode flags which ptmalloc2 can use
internally for maintenance. The application never sees this
header, but if daring, one can try to obtain the data from it.
The memory chunk looks as follows:

    [header][user data][footer]

ptmalloc2 returns a pointer just after the header segment (at
the beginning of ‘user data’, where the application can start
putting data into). Therefore, if the application were to peek
back a few bytes the header information can be obtained:

    void *data = malloc(user_request_size);
    /* the size word sits immediately before the returned pointer;
     * cast to char * so the pointer arithmetic is in bytes */
    size_t true_size = *(size_t *)((char *)data - sizeof(size_t));

The “true” allocated size is encoded as a ‘size_t’ word and
located just before the returned data in “data.” Therefore, to
obtain the true size recognised by the allocator, we just need
to look at the data that is located one ‘size_t’ size before the
returned chunk, where the type ‘size_t’ is either 32 or 64 bits,
and architecture dependent.
Recall that ptmalloc2 actually uses the first three low-order
bits of that size for encoding maintenance hints or flags.
Therefore, we can infer that ptmalloc2 only manages chunks
of data larger than 2^3 or 8 bytes of data. Also note that if you
want your wrapper to spit out somewhat more accurate size
data, these three bits will need to be set to ‘0.’ As mentioned,
the preceding is for ptmalloc2 and is not the same for other
malloc implementations. Therefore, if you try the same trick on
another allocator unspecified behaviour might result.

/ ret
Wrapping can extend to other symbols, and not just that
of malloc or free. I hope this article has been somewhat
enlightening. Before I finish this up, one can learn more about
memory allocation via Jonathan Bartlett’s article over at IBM’s
Developer Works [6]. I do realise that many of the readers
understand dynamic memory, and it was not my intent to insult
any intelligence. I hope that the information provided here can
spawn off ideas to aid people in analysis and other actions.
While useful in analysis, the memory wrapper can also be used
as a man-in-the-middle for watching and manipulating data.
However, the data one might be manipulating is from a process
run at the executing user’s permission level. But who knows,
maybe we sheep can mangle things to aid our efforts, whatever
those efforts might be.
An implementation of this is available as Free and Open
Source Software at [Link]/wiki/Projects/libsheap /

REFERENCES
[1] Marshall Cline. “What is ‘placement new’ and why would I use it?” <[Link]
[2] Checkers. StackOverfl[Link] Answer Reply. <[Link]function-for-malloc-and-free-in-c>
[3] Linux ld Man Page. LD(1) GNU Development Tools. binutils-[Link].2. March 17, 2009.
[4] Jason Evans. jemalloc. <[Link]jemalloc/>
[5] Doug Lea and Wolfram Gloger. glibc 2.7 malloc implementation: ptmalloc2. <[Link]
[6] Jonathan Bartlett. “Inside Memory Management.” <[Link][Link]/developerworks/linux/library/l-memory/>
[7] Conti, Dean, Sinta, and Sangster. “Visual Reverse Engineering of Binary and Data Files.” <[Link]cfm?id=1431914>
[8] Linux Programmer’s Manual: sbrk() man page.

/ Author Bio
Matthew Davis is currently pursuing his Doctorate in Computer
Science after taking educational leave from his software
engineering employment in the ‘757 area’ of Hampton Roads,
Virginia, USA.
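Putting the wrapper, the LD_PRELOAD short-circuit and the header peek together, here is an added example (not the author's wrapper and not libsheap) of a complete preload library: it interposes malloc and free, caches the real implementations found via dlsym(RTLD_NEXT), guards against the re-entrancy that dlsym and stdio can cause, keeps a table of live chunks with their requested sizes, and reads the ptmalloc2 size word one size_t before each pointer with the three flag bits masked off. It assumes glibc's ptmalloc2 on x86-64 and a single-threaded target; the file name sheep_wrap.c, the sheep_ function names and the arena size are my own choices.

```c
/* Added example (not the author's wrapper or libsheap): an LD_PRELOAD
 * malloc/free wrapper that tracks live chunks and decodes the ptmalloc2
 * size header. Assumes glibc ptmalloc2 on x86-64, single-threaded target.
 *   gcc -shared -fPIC -o sheep_wrap.so sheep_wrap.c -ldl
 *   LD_PRELOAD=./sheep_wrap.so ./analyse_me_binary               */
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdio.h>
#include <unistd.h>

#ifndef RTLD_NEXT              /* glibc's value; <dlfcn.h> gives it under _GNU_SOURCE */
#define RTLD_NEXT ((void *)-1l)
#endif

typedef void *(*malloc_fn)(size_t);
typedef void (*free_fn)(void *);

static malloc_fn real_malloc;
static free_fn real_free;
static int resolving;          /* set while dlsym() runs: it may itself call malloc */

/* Bootstrap arena for allocations made while the real malloc is still being
 * resolved, so the wrapper never recurses into itself. Never handed back. */
static unsigned char boot_arena[4096] __attribute__((aligned(16)));
static size_t boot_used;

/* Live-chunk table: pointer plus the size the application asked for. */
#define MAX_LIVE 1024
static struct { void *ptr; size_t requested; } live[MAX_LIVE];
static size_t live_count;

static void sheep_log(const char *what, void *p, size_t n)
{
    char buf[96];  /* snprintf + write(2): no stdio buffer, so no hidden malloc */
    int len = snprintf(buf, sizeof buf, "[sheep] %s %zu bytes at %p\n", what, n, p);
    if (len > 0 && write(STDERR_FILENO, buf, (size_t)len) < 0)
        return;                /* logging failure is not worth aborting over */
}

static void resolve_real(void)
{
    if (real_malloc) return;
    resolving = 1;
    real_malloc = (malloc_fn)dlsym(RTLD_NEXT, "malloc");
    real_free = (free_fn)dlsym(RTLD_NEXT, "free");
    resolving = 0;
}

/* ptmalloc2 keeps the chunk size one size_t before the returned pointer; the
 * three low-order bits are flags (PREV_INUSE, IS_MMAPPED, NON_MAIN_ARENA). */
size_t sheep_chunk_size(void *p)
{
    return *(size_t *)((char *)p - sizeof(size_t)) & ~(size_t)7;
}

/* Size the application requested for a live chunk, or (size_t)-1 if unknown. */
size_t sheep_requested_size(void *p)
{
    for (size_t i = 0; i < live_count; i++)
        if (live[i].ptr == p)
            return live[i].requested;
    return (size_t)-1;
}

size_t sheep_live_count(void) { return live_count; }

void *malloc(size_t size)
{
    if (resolving) {           /* re-entered by dlsym(): serve from the arena */
        size_t rounded = (size + 15) & ~(size_t)15;
        if (boot_used + rounded > sizeof boot_arena) return NULL;
        void *p = boot_arena + boot_used;
        boot_used += rounded;
        return p;
    }
    resolve_real();
    void *p = real_malloc(size);
    if (p && live_count < MAX_LIVE) {
        live[live_count].ptr = p;
        live[live_count++].requested = size;
    }
    sheep_log("malloc", p, size);
    return p;
}

void free(void *p)
{
    unsigned char *c = p;
    if (!p || (c >= boot_arena && c < boot_arena + sizeof boot_arena))
        return;                /* NULL, or arena memory that is never returned */
    resolve_real();
    for (size_t i = 0; i < live_count; i++) {
        if (live[i].ptr == p) {
            sheep_log("free", p, live[i].requested);
            live[i] = live[--live_count];   /* unordered table: move last entry in */
            break;
        }
    }
    real_free(p);
}
```

Because every chunk the target allocates is logged with its requested size, and sheep_chunk_size gives the allocator's rounded size, the difference between the two shows how much slack ptmalloc2 added to each request.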



MD5 are recognised as one of the leading digital forensic
specialists delivering mobile phone and computer solutions to
Corporate, Legal and Law Enforcement/Government Agencies.
Working within a law enforcement security vetted building, our
highly skilled forensic investigators have over 50 years
collective experience.

mobile phone and computer forensic specialists

Mobile Phone Examinations
> Expert Service for all handset models.
> Competitive, fixed price service.
> Specialists in ‘Chip Removal Process.’
> Able to bypass iPhone passcode and Blackberry security codes.
> All examinations compliant with ACPO and RIPA guidelines.

Computer Forensics
> State of the art, fully equipped computer forensics lab in a security vetted building.
> Expert examination service to support backlogs and outsourcing requirements.
> Ex law enforcement investigators.
> Fully compliant with ACPO standards (presently working towards ISO 17025).
> Developers of unique forensic software including VFC and Forensic Analyser.

For more information call: 01924 220999
or e-mail: sales@[Link]
[Link] URS CERTIFICATE NO. 26889


/ FEATURE

HIDE AND SEEK


THE EFFECTIVENESS OF PUBLIC DOMAIN “ANTI-FORENSIC” TOOLS

Are public domain “anti-forensic” tools successful in their


attempts to manipulate data into unrecoverable states?
by Frazer Lewis

/ INTERMEDIATE

Recovering deleted data goes hand in hand with forensic
computing. It is difficult to imagine an investigative
scenario whereby the information recovered in deleted
data does not play a key role when drawing final conclusions.
Historically, anti-forensic or secure delete tools were
somewhat “underground” executables. These applications
were shared between the paranoid computer enthusiasts
or those who “had something to hide”. Today, there exists a
wide variety of secure delete tools that no longer carry such a
dubious stigma. How and why did such tools get so popular?
Only a few years ago the average user believed that
the process of securely deleting a file consisted of merely
“emptying the bin” – and why wouldn’t they? There was no
button for the user to get the file back. Many (if not still most)
people believe the same today, though a growing number
are becoming more aware that deleted files are not exactly
what they seem. Day-to-day computer operators are gradually
gaining more education as to the implications of “non-secure”
delete operations, though it is unlikely that this knowledge
has emerged via a direct public interest in forensics. User
awareness of secure deletion began not because people
were looking for a way to hide data from prying eyes; rather,
because people were looking for a way to recover the holiday
snaps they accidentally deleted, or the important email sent
from their boss. With this growing demand for data recovery,
applications began to emerge providing the functionality
which the mass market was looking for. Some companies were
quick to cash in on the success, though in today’s world the
average user has a wide choice of free offerings.
Due to experiences with other file system applications such
as disk continuity checkers or de-fragmentation programs,
many believed that an application advertising “deleted data
recovery” would prove to be a long and arduous process.
Individuals were no doubt surprised when, within a few
clicks of a pretty GUI, they had successfully recovered their
holiday snaps or important email from work. The uptake of
data recovery tools continued to spread.
On the flip side, a few clicks of a pretty GUI were worrying.
The comfort and security a user had once felt when “emptying
the bin” had gone. Paranoia spread in environments with
shared computers, particularly in the workplace. It is of
course unnerving when thinking about what a computer
reveals about a user – what has been searched for, websites
visited, personal email etc. In fact, through recovering deleted
documents one can not only deduce the actions taken during
a specified period of time, but often also accurately speculate
as to what a user was thinking. People began to long for
the security they once felt, thus application developers of
established recovery applications responded with secure
delete functionality. This functionality soon earned the right to
go mainstream in dedicated tools.
Free tools are everywhere, but do they really work? The
following popular free applications on both Windows and
Linux operating systems were tested for effectiveness against
standard forensic investigatory software and procedures:

Microsoft Windows 7 (NTFS):
Piriform Recuva [Link]
Eraser (Open Source) [Link]

Ubuntu Linux (EXT4):
Shred (Standard Unix Command)
SRM (Open Source) [Link]
Wipe (Open Source) [Link]

As the majority of readers will predominantly deal with
Microsoft platforms on a daily basis, we’ll begin with the tools
designed to run on the NTFS file system.
Piriform Recuva is a perfect example of a data recovery
tool which also provides a secure delete feature. The
application does not have the functionality to delete
existing files; rather, it gives the user the option to
“securely overwrite” previously deleted files it is able to
fully or partially recover – a useful tool for validating that
confidential deleted data is just that. See Figure 1.
Eraser is a far more streamlined affair regarding file deletion.
It goes beyond the delete functionality of Recuva, providing a
more thorough list of overwrite standards along with options to


potentially achieve “plausible deniability” (the results of which
are discussed later in the article). See Figures 2 and 3.
Both tools are easy enough for a computer novice to
operate and understand, but can such straightforward
applications really defeat forensic investigation? To find
out, an analysis was undertaken on two investigatory
platforms. The first platform utilised the commercial, costly,
widely used and well-supported forensic case management
software EnCase Forensic by Guidance Software ([Link]
[Link]). The second testing platform made
use of only free and open source code: TSK (The Sleuth Kit –
[Link]) forensic tool suite with Autopsy (a
web front end). Both platforms analysed identical DD images
(containing the artefacts from the executed tools) acquired
through a hardware write-blocker.
Initial analysis revealed that both Windows applications do
a great job at making data unrecoverable; however, there are
still clues for the forensic investigator.

Figure 1. Secure overwrite option in Recuva

Examine the following screen-shot taken from Autopsy.
Eraser and Recuva managed to successfully hide the original
data and original file names; however, only Eraser was able
to hide the original file size. [Note: EnCase reported similar
results]. See Figures 4 and 5.
The leaking of the exact size of a deleted document is
potentially critical information. In a case whereby an email
containing an attachment of “illegal content” had been
identified as originating from a particular public IP (after
examining data sourced from the email recipient’s machine), a
forensic investigator would first enumerate the IP in question.
Should the IP be, or have been, in use by a NAT device, the
investigator would look to identify the email or attachment
in the storage medium of the computers residing on the NAT
device’s internal LAN. Failing to discover the unmolested file,
an astute investigator would no doubt be drawn to any file
with the exact size of the illegal data, even if the content and
file name did not match. This information, combined with the
presence of a secure delete tool which would produce such
a result on a host drive, should of course not be considered
concrete evidence; nevertheless, many would deem such
discoveries to indicate reasonable and justified suspicion.

Figure 2. Settings page for Eraser. Note the 35-pass default setting

Perhaps expectedly, the tools completed their primary
goals successfully, resulting in the deleted data revealing no
information as to the original content (See Figure 6).
When thinking of the average computer user, nobody would
disagree with the assumption that Windows would be the
most likely operating system in use. Whilst the public image of
Linux maintains a connotation with computer enthusiasts or
even “geeks”, Ubuntu in recent years has obtained a massive
user-base due to its simplistic design, support community
and of course, the price tag (free!). The following screen-shot
details the results of secure delete operations on an EXT4
(Ubuntu + Fedora default) file system. See Figure 7.

Figure 3. Eraser Windows shell integration
All three tools, much in the same manner as the Windows
equivalents, produced patterns or random “garbage” when
the disk space once occupied was examined in Encase.
Both SRM and Wipe managed to remove indications as to
the original file size; however, the result of executing Wipe
revealed an interesting characteristic when analysed by
Autopsy and TSK. As can be seen in the image, it is possible
to link the detected file name “[Link]” with the random
file name “LTV.wOg6” when examining the last modified/
changed timestamps (shown in red boxes). In other words, an
investigator can enumerate the file names of even securely
deleted data. An interesting point to note is that Encase
Forensic failed to present the finding in Figure 8.
The most likely cause for the lack of deleted file detection
is Encase’s lack of support for EXT4. Does this mean a victory
for The Sleuth Kit? Not exactly, as Encase provides a far
superior means to view and export the unallocated disk,
whereas autopsy + TSK (also with no official support for EXT4)
has no such feature, and viewing unallocated disk space via
command line is simply not a time-productive task.
Figure 4. Recuva does not protect against revealing original file size
(shown in red box), Eraser delete reports size 0 (green box)

The previous screen-shots demonstrate how the built-in
Unix command Shred does not attempt to delete a file when
executed with no options (it only overwrites it, unless told
otherwise). When instructed to remove a file, Shred will
produce the result shown in Figure 9.
Here it can be noted that Shred overwrites a file 26 times
with different characters. Once the 26th pass has completed,
the file name is set to zeros, then truncated one character at
a time until named simply “0”. Whilst thorough in operation,
the behaviour exhibits a notable artefact when analysed post-
delete (See Figure 10).
The file names in the red box correspond to the renaming
and truncating Shred performed. The identical MAC times
in the blue box provide a further indication that the files
are indeed associated and have likely been subject to an
automated action. When encountering such results in forensic
investigations, consider a user’s potential use of the tool
Shred. [Note: without the -z option, shred will reveal the
original file size (as demonstrated in the green box)].
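The two artefacts described above, the original size a secure delete can leave behind and the renamed entries that share identical timestamps, can be checked automatically over file-system metadata rather than by eye. The following is an added example and not code from the article or from The Sleuth Kit; it assumes the body-file layout written by fls -m (MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime, deleted entries marked with a trailing “(deleted)”), and the sample lines are constructed rather than taken from the article’s images.

```python
"""Added example (not code from the article or The Sleuth Kit): flag secure-
delete artefacts in a TSK body file. Checks: (1) deleted entries whose size
equals a known target (Recuva, and shred without -z, leave the size behind);
(2) deleted names in one directory sharing identical modified/changed times,
including the shrinking all-zero names that shred -u leaves. Input is assumed
to be the `fls -m` body layout; the sample lines below are constructed."""
import re
from collections import defaultdict

FIELDS = ("md5", "name", "inode", "mode", "uid", "gid",
          "size", "atime", "mtime", "ctime", "crtime")
DELETED_TAG = " (deleted)"
ZERO_NAME = re.compile(r"^0+$")

# Constructed sample: a.db shredded with -u (no -z), notes.txt wiped to a random
# name, one live file, and an unrelated deleted file of the same size as a.db.
SAMPLE_BODY = """\
0|/home/user/docs/a.db (deleted)|1201|r/rrw-r--r--|1000|1000|20480|1288000100|1288000100|1288000100|1287990000
0|/home/user/docs/0000 (deleted)|1201|r/rrw-r--r--|1000|1000|20480|1288000100|1288000100|1288000100|1287990000
0|/home/user/docs/000 (deleted)|1201|r/rrw-r--r--|1000|1000|20480|1288000100|1288000100|1288000100|1287990000
0|/home/user/docs/00 (deleted)|1201|r/rrw-r--r--|1000|1000|20480|1288000100|1288000100|1288000100|1287990000
0|/home/user/docs/0 (deleted)|1201|r/rrw-r--r--|1000|1000|20480|1288000100|1288000100|1288000100|1287990000
0|/home/user/docs/notes.txt (deleted)|1310|r/rrw-r--r--|1000|1000|0|1288000500|1288000500|1288000500|1287995000
0|/home/user/docs/Qz.3kPa1 (deleted)|1310|r/rrw-r--r--|1000|1000|0|1288000500|1288000500|1288000500|1287995000
0|/home/user/docs/todo.txt|1400|r/rrw-r--r--|1000|1000|512|1288001000|1288001000|1288001000|1288001000
0|/home/user/music/track.mp3 (deleted)|1500|r/rrw-r--r--|1000|1000|20480|1288002000|1288002000|1288002000|1287980000
"""


def parse_body(text):
    """Parse body-file lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        for key in ("size", "mtime", "ctime"):
            rec[key] = int(rec[key])
        rec["deleted"] = rec["name"].endswith(DELETED_TAG)
        rec["path"] = rec["name"][:-len(DELETED_TAG)] if rec["deleted"] else rec["name"]
        rec["dir"], _, rec["base"] = rec["path"].rpartition("/")
        records.append(rec)
    return records


def size_matches(records, target_size):
    """Deleted entries whose recorded size equals a known file's exact size:
    content and name may be gone, but the size still points at candidates."""
    return sorted(r["path"] for r in records
                  if r["deleted"] and r["size"] == target_size)


def shred_run(names):
    """If names contain '0'*n, '0'*(n-1), ..., '0' (the renaming shred -u
    performs), return n, the length of the original file name; else 0."""
    lengths = {len(n) for n in names if ZERO_NAME.match(n)}
    if not lengths:
        return 0
    n = max(lengths)
    return n if lengths == set(range(1, n + 1)) else 0


def timestamp_clusters(records):
    """Group deleted entries by directory and identical m/c times; two or more
    names sharing them suggest one automated action renamed them."""
    groups = defaultdict(list)
    for r in records:
        if r["deleted"]:
            groups[(r["dir"], r["mtime"], r["ctime"])].append(r)
    clusters = []
    for (d, m, c), members in sorted(groups.items()):
        if len(members) < 2:
            continue
        names = [r["base"] for r in members]
        n = shred_run(names)  # 0 unless a shred -u renaming run is present
        clusters.append({
            "dir": d, "mtime": m, "ctime": c, "names": names, "shred_run": n,
            # in a shred cluster, a non-zero name of length n is the original
            "original_candidates": [x for x in names
                                    if not ZERO_NAME.match(x) and len(x) == n],
        })
    return clusters
```

Run over a real body file, a cluster with a non-zero shred_run names the original file (by length) and a cluster without one still gives the random-name-to-original pairing the Wipe screenshot shows.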
To summarise, these tools make it easy for a non-technical
individual to permanently delete data. Provided that care has
been taken to not leave trace of a particular file elsewhere
on disk, attempts to recover the original data will be largely
unsuccessful.

Figure 5. Original file properties before deletion by Recuva
One can see how an educated individual who wishes
to hide data has a great chance of doing so. Should the
forensic community focus on combating this issue? Perhaps
not, as these tools may become obsolete in as little as three
years’ time for consumer-grade personal computers. Why? –
Advancements in storage technology. Forensic investigation
has long relied on magnetic disks. Modern file systems such
as NTFS/EXT4 are optimised for this media. With the uptake
of solid-state drives, however, public domain tools look to
become redundant.

Figure 6. Data produced by Recuva as viewed by Encase in
free space browsing mode
Think what happens when a “permanent” delete command
is issued in Windows. That is, a delete, which does not simply
move the file in question to the recycle bin. As we all know,
this operation doesn’t really erase the file from the drive;
rather, it removes the pointer to the file from the MFT. The
file remains unmolested until the “free space” it occupies is
overwritten with other data. This is the basis for the purpose
and demand of the tools documented in this article.
Until recently, those who could afford solid-state drives
for their machine were deleting in the same manner as
those operating on a cheaper medium. A magnetic disk can
overwrite as fast as it can write – there is no performance
trade off. Unfortunately for early adopters, on an SSD, in order
to overwrite data, the blocks occupied by old deleted data
must first be freed before new file data can replace it. This
process carries with it an overhead and as such over time an
SSD can greatly lose performance as more and more of the
free space becomes filled with deleted files (and subsequently
each new write operation has a greater chance of overwriting
deleted data in free space). Manufacturers supplied tools
to reset drives to factory settings as a solution to improve
performance, though it is not hard to imagine most consumers
were reluctant to reinstall their operating systems and
applications every 6 months.

Figure 7. Results of all Linux tools run with no specified options

Figure 8. Encase failing to detect deleted file names
To combat the problem, the TRIM ATA command was born.
A TRIM message is sent to an SSD after a file residing on the
medium is deleted. Having received a TRIM command, the
SSD will “zero out” the blocks containing the just-deleted
file to prevent a build-up of deleted data in free space. This
process is transparent to the user, ticking away silently in the
background, eliminating (to a large extent) the performance
degradation after months of frequent use. In other words,
when a file is deleted, it really is! The operating system delete
is now equal to the current generation of secure delete tools.
Do not fall into the trap of thinking that you will not
encounter TRIM in your daily forensic investigations any time
soon. Not only is TRIM supported by Windows 7, it is enabled
by default for every supported drive. With SSDs becoming
ever cheaper, faster and larger, their popularity is rising
exponentially, especially in the ultra-portable/netbook sector:
one of the largest selling subdivisions of the PC consumer
market currently.
Perhaps there will develop a means to analyse an SSD
at a purely physical level. Even if an advanced technique is
discovered to be possible, universal analysis of SSDs would
likely remain unsolved. Whereas one magnetic disk varies
only slightly from another, there are a number of competing
technologies in SSD development resulting in drives with
different flash storage technologies (MLC, SLC), different
controller logic (SandForce, Indilinx Barefoot) and different
performance optimisations (garbage collection, TRIM).

Figure 9. Verbose output of Shred overwriting the content of [Link],
then overwriting and truncating the file name
In what state does this leave the forensic community in
now and the future? Investigators would all concur as to the
importance of viewing deleted data. Some professionals
believe that hardware manufacturers and software developers
should be developing a means to ensure that personal
computers maintain a more comprehensive set of “history
logs” out of the box – after all this evidence may be used in a
serious criminal trial. There is certainly an argument for such
endeavours, though it is difficult to concede to suggestions
that only add to the “big brother” status of much of the
“civilised” world.
If the outlook for the immediate future seems worrying,
perhaps looking a little further beyond will cheer up
investigators. The cloud is coming, offering seemingly
endless storage capacities for users. This storage will likely
be subject to routine back-up and duplication, making it hard
for individuals to remove every instance of a file. Forgetting
problems with jurisdiction and data protection, this growing
technology could just be the saviour of hidden data recovery.
In the current climate, forensic investigators face
many hurdles in retrieving deleted data. The climate is,
however, changing, and the forecast is cloudy. By adopting
and influencing this upcoming technology before mass
deployment, the forensic community may just prevent the
predicted storm. /

Figure 10. Data suggesting a “shred” operation was executed

/ Author Bio
Originally working as a consultant for a
company providing network solutions
for SMEs, Frazer established a home lab
to concentrate on his newfound interest
in Digital Forensics. Building on his
self-learning he attended De Montfort
University to study for a BSc in Computer
Forensics before securing a post as a
consultant and researcher with NGS Ltd.


/ BOOK REVIEWS

Digital Forensics For Network, Internet, and
Cloud Computing: A Forensic Evidence Guide
for Moving Targets and Data

Authors: Terrence V. Lillard,
Clint P. Garrison, Craig A. Schiller,
James Steele
Publisher: Syngress
Date of Publication: 2010
Price: £42.99 (UK), $69.95 (USA)
ISBN: 978-159749-537-0
Reviewer: John Hughes
Verdict:

Another book that has in its title a theme of virtualization or
cloud computing network forensics, and in my opinion it does
a reasonable job.
The book consists of 368 pages, divided into 6 parts
with a total of 13 chapters. Part 1 sets the scene. Part 2
then goes on to describe how to capture network traffic
and evidence. In particular it describes a number of the
key tools in networking analysis, including tcpdump,
wireshark, fiddler and Snort. Part 3 shows how to analyze
evidence with open source software. However, and quite
bizarrely, the first chapter in this section describes the TCP
protocol. Surely one should describe this before delving
into the intricacies of wireshark? Part 4 goes on to describe
a number of commercial network forensics applications,
namely NetWitness Investigator and SilentRunner. Part 4
provides guidance to the forensics investigator on how to make
a case. This includes incorporating network forensics into
incident response plans and admissibility requirements.
Part 6 finally concludes by looking at the future of network
forensics. Chapter 12 in this section is about the future of
cloud computing, a total of 20 pages. One has to ask oneself
whether having 20 pages on this subject deserves “Cloud
Computing” to be in the title!
So what of the shortfalls? Given that many of the network
attacks are web based I wished it would have provided an
overview of the HTTP protocol and the various techniques
in session management (e.g. cookies) and attacks against it
(e.g. XSS). It did quite a good job in providing an overview
of TCP/IP, but the book would have been so much better
if it included an overview of HTTP as well as some of the
web attacks one could encounter. The quality of the book
in places was not to the level I would have expected. There
were a number of screen shots that were unreadable.
In addition the book was very inconsistent in having a
reference section. A number of chapters had a very long
and complete reference section, but quite a few chapters
had no reference section at all, yet it was quite obvious
that they required a reference section. Poor screen shots
and lack of reference sections just seems to be laziness on
behalf of the publisher.
Because of the above problems with the book I only gave it
a score of 3. However it would not have taken much to give a
score of 4.
Despite having said all the above, for a digital forensics
investigator totally unfamiliar with virtualization technology,
it is a good introductory book into this world. It does contain
a balanced mix of describing the technologies, how to
investigate virtualized environments and then finally the
challenges (current and future). However for me I would have
appreciated more technical forensics information.

Virtualization and Forensics:
A Digital Forensic Investigator’s Guide to
Virtual Environments

Authors: Diane Barrett,
Greg Kipper
Publisher: Academic Press
Date of Publication: 2010
Price: £36.99 (UK),
$59.95 (USA)
ISBN: 978-1597495578
Reviewer: John Hughes
Verdict:

As an experienced user of a number of VMware virtualization
technologies, as well as working with the technologies for
several clients, I was really looking forward to receiving
a copy of this book to review. I have to say I was a touch
disappointed. Having read the excellent article “Ghost in the
Machine” in Issue 2 of this publication I was expecting more of
the same. This is not what this book contains.
The book is split into three parts, with only Part 2
being of real use to a digital forensics investigator. Part
1 contains four chapters. The first chapter describes the
main categories of virtualization, the other three chapters
then going on to describe in more detail server, desktop
and appliance virtualization. Part 1 does provide a good
summary of the technologies and products present in the
market place, but it’s certainly not complete. I found it
surprising that VMware’s Thinapp technology (an application
virtualization product) is not mentioned. Part 2 contains
three chapters. The first looks at how to investigate “dead”
virtual environments, with the second chapter looking at live
environments. The last chapter discusses how to find and
image virtual environments. As far as I am concerned this is
the meat of the book, yet it is only 70 pages long (the book
being a total of 254 pages). My disappointment in this book
is that I would have liked to see the details provided in the
“Ghost in the Machine” for a wider selection of virtualization
technologies. Part 3 concentrates on the challenges
presented by virtualization and what the future may hold,
especially given the apparent rise of Cloud Computing.
The first chapter in Part 3 also discusses the issues with
demonstrating a clear chain of custody of evidence in a
virtualized environment. I found this very useful.
Although the book disappointed me, I still think it will
be a valuable addition to a forensics investigator, not that
familiar with the mysterious world of networking. However I
would advise any person really wanting to get into this field
will also need a number of detailed books describing the
key open source tools in this area, namely wireshark, nmap
and Snort.

iPhone and iPad Apps for Absolute Beginners

Author: Dr Rory Lewis
Publisher: Apress
Date of Publication: 2009
Price: £19.99 (UK), $29.99 (USA)
ISBN: 978-1430227007
Reviewer: John Forrester
Verdict:

I realise this is a slight deviation from the usual Digital
Forensics Magazine book reviews, but this was my idea, I take
the rap and I am happy to, because this book promised to be
so much fun.
The basic premise of this book is that anyone who can type
and use a computer (well, a Mac anyway) should be able to
create stunning, well designed and conceived apps that could
even make a few $$$ on the side. The approach outlined is
certainly fun, if a little patronising at times, however, it’s well
written, unlike many technical books I have come across and
this is almost excusable, as Dr. Lewis is just trying to convey
what he probably does very well in the classroom in this
simple book format.
Apress is a publisher that doesn’t yet dabble much in
security or forensics publishing (except for the forthcoming
iOS 4 Forensics by Sean Morrissey, which promises to be
great), but for a technical book aimed at the consumer
market (which is a challenge in itself), it’s well worth a read.
One problem I found is that there are quite a few typos in it
and from Apress’s point of view that’s lazy. This seems to be
an increasingly troublesome trend in technical publishing,
especially where the problems are in the very code they are
trying to teach you. Typing in various modules of the code
presented in the book, resulted in compiler error message
after compiler error message that I simply could not fathom or
fix (not being a Mac developer at all). However, I now know the
difference between a .nib file and a plist, so that’s cool. Also,
the first time I compiled a project and ran it on the simulator
(no code behind it mind) it was fabulous to see my app fire up
on the iPhone. What fun!
What I liked most was Dr. Lewis’s approach to simply
getting on and building something, then finding out why it
worked later. All the frustration you get from other books
with the long slow build up is overcome and this is actually
very satisfying. All in all it’s a good book to get you started,
and if you can get over the typos and Google for the code
fixes, you’re going to do all right. It’s also modestly priced
compared to many other technical books, so that’s a bonus
too. So, my hope for making a quick buck on the back of the
current App Store madness seems dashed and I’ll have to
go back to the drawing board and actually try and learn to
program. Damn it!


CALLING ALL
RESEARCHERS &
PRACTITIONERS
If you are a practitioner or researcher working in the field of Digital Forensics
then we want to hear from you…

/ Academic
If you are a researcher, academic or student of digital
forensics, we would like to hear about your work. One of the
key aims of Digital Forensics Magazine is to bridge the gap
between the researcher and the practitioner. We provide a
platform where your research can reach the widest possible
audience, far greater than that of an academic journal. By
showcasing your work in Digital Forensics Magazine you will
be able to find like-minded parties who are interested in your
research, maybe for collaboration projects or indeed for a
route to market.

/ Practitioners
For those of you living and breathing in the professional
world of Digital Forensics we would love to hear from you.
It is a well-known fact that some of the best learning comes
from “on-the-job” experience and we want you to share that
experience with your peers. Whether it is a complete case
study of an investigation (obfuscated where required) or a tool
for extracting information from a website, you can guarantee
that your fellow practitioners will want to hear about it.
Providing these articles is a great way to let our community
know where further work is required, again fostering
collaboration between industry and academia.
We also want to let the wider community know what
problems practitioners are facing. You can do this by writing
to 360@[Link] (details on the website)
and we’ll do our best to get an ‘expert’ to get back to you.

/ Submissions
If you would like to submit an article to DFM you can do this
by sending an email to editorial@digitalforensicsmagazine.com
with your details and a 250-word abstract explaining
what the subject is and how you will cover it. You should also
include why you think it will make a good article, and what
target audience it addresses.


/ COLUMN

IRQ
In competence…

I’ve just returned from another “fitness for purpose” visit
to a police High-Tech Crime Unit. Invariably, these visits
are instigated by managers who want to know just how
much they’re going to have to do to meet the requirements
of ISO17025 and the regulator’s codes, aside from the usual
issues of good people doing good things without being able to
show that they are doing them consistently to a plan prepared
in advance (standard operating procedures are almost never
written down), the major stumbling block is around the
demonstration of “competence” of the people involved.
If one considers this issue for a little while, it becomes fairly
obvious that there are two elements required to demonstrate
competence – one is a definition of what someone should be
able to do, and the second is evidence that they can do it. If
the first is present, the second can be achieved by getting
the people to undertake training, education or testing that
allows them either to acquire, or simply to demonstrate that
they already have the necessary knowledge and skills for the
job they are going to undertake. However, who should be
responsible for defining the “what”?
In my career, I have been told (by a major tool vendor) that
I must do the manufacturer’s training course in order to be
considered an expert witness. Strangely, I have never been
asked to provide any certificates from any company by any
judge, barrister, solicitor or police officer with whom I have
worked. The problem with these manufacturer or tool-specific
courses is that they tend to concentrate on showing users how
to drive the tool, without worrying too much about developing
a deeper understanding of what the tool actually does.
Principles of operation are often sacrificed in favour of getting
fast results in a controlled environment and ensuring future
sales of tools & courses.
When I was designing and reviewing academic
programmes, the justification for content always required
some sort of justification – usually in the form of a
statement from one or more major employers that the
syllabus was appropriate for the sort of graduates who we
were going to employ. It would be disingenuous to suggest
that, since production of these statements depends on
personal contacts, it is possible to manipulate them a little
so that the course is the one the designer wants to run, not
necessarily the best possible choice for the student or
the employer.
Even if training or education courses are appropriate and
are of a good standard, knowledge in our field degrades at a
rate of approximately 20% per year. How then can we show
that someone who has been educated and trained to a good
level is still competent?
There really is only one answer – independent definitions
of competence, combined with independent accreditation
of courses, and properly planned and assessed Continuing
Professional Development.
Anything else is the hallmark of a well-meaning amateur.
Their results may be good and significant, but they always
face the challenge of proving their competence in the absence
of independent validated evidence.
Mind you, with a slew of organisations competing with
each other to offer the various parts of this system, we should
never forget Admiral Grace “COBOL” Hopper’s opinion that
“The wonderful thing about standards is that there are so
many to choose from”. /

Disclaimer: the fact that I’m involved in the CPD system of, and
writing some course accreditation standards for, the Forensic
Science Society has not influenced my view of which body
provides the “best” mechanisms at all.

/ Author Bio
Angus Marshall is an independent digital forensics practitioner,
author and researcher, currently working on the ‘fitness for purpose’
challenge. In a past life he was an academic course leader in Digital
Forensics & Forensic Computing and still retains strong links with
academia, professional bodies and regulators. He can be contacted
through his company, n-gate ltd. ([Link]

