Tuesday, May 20, 2008

What happened to FTK 2?

A selection of comments from a recent forum thread:

"The product is good, but wow is it unpolished and slower than...well it's slow."

"What I find frightening is that regardless of which system it's used on, the performance still sucks. I have a quad core w/ 8gb ram, striped raptors and oracle on a raid 5 and it doesn't make a difference."

"...the problems seen in the latest 2.0 release of the venerable AccessData Corp. product, Forensic Tool Kit (FTK 2.0), just seem deeper and wider than I've run into elsewhere..."

"I helped the dept decide to buy 10 licensed copies of FTK 2.0 about 3 months ago. To my regret, it has not turned out well for us so far."

"What really hurt me was the [lack of] ability to save all your case data to independent HDDs for better control and storage. There were also cases where the client wanted all the work to be done on site. They did not want their data leaving the premises. With FTK 2.0 that made it pretty much impossible."

Things don't get much better elsewhere:

"What little credibility Access Data had in the past, is now gone. At least under their old management, they could focus on doing one thing, right. Now, management is so distracted by trying to play the enterprise and eDiscovery market that they have forgotten their core competency. All we get now are empty promises, buggy code, horrible customer service and promises of vaporware. I just can't risk my own career credibility by continuing to invest in such a product. I am going to stick with Guidance, which is the gold standard in this space."

To be fair, it hasn't all been bad news:

"...it's not all grim for FTK fans. AccessData still has about the best Registry Viewer application on the market, and the FTK Imager is, hands down, the best acquisition application for an unbeatable price. The Password Recovery Toolkit is an able application, and AccessData's telephone product support is first rate." [Craig Ball]

and it should be noted that SC Magazine awarded FTK 2.0 a "Best Buy" rating.

Overall though, you'd be hard pressed, even after Access Data CEO Tim Leehealey's attempt to repair some of the damage here, to see this release as anything other than a disaster for FTK's reputation. That's sad news for Access Data, for us as practitioners - especially those who had such high hopes for this new product - and for anyone concerned about the lack of competition in this marketplace.

Monday, May 12, 2008

Matthew Shannon, F-Response - Interview questions please!

The release of F-Response has prompted considerable interest within the forensics community over the last few weeks, and with that in mind I'm delighted to introduce Matthew Shannon as an upcoming interviewee.

Matthew Shannon is a Principal at Agile Risk Management LLC as well as a Founder and the Chief Software Architect of F-Response, a vendor neutral solution to remote forensics and eDiscovery.

Matthew has nine years of professional experience in private industry, including KPMG LLP, ExxonMobil, and United Technologies. Matthew is also a well-received speaker and author. He has instructed the United States Secret Service on specific digital forensics techniques and was a well-received speaker at the DEFCON 11 annual Information Security conference in Las Vegas, Nevada. Additionally, Matthew has been published in the International Journal of Digital Evidence for his work on incorporating statistical inference into digital forensics investigations.

Matthew graduated cum laude from The University of Florida in Decision and Information Sciences (BSBA) in 1999. In addition, Matthew holds numerous professional information technology certifications, and is the developer of Nigilant32, Agile Risk Management's premier Windows first responder tool.

Please add your interview questions for Matthew to this forum post, thank you!

Tuesday, May 06, 2008

UK Criminal Justice Bill - Clause 62 (or is it 63, or 64?)

Although it hasn't yet caused much of a public stir, Clause 62 in the UK Criminal Justice Bill certainly hasn't gone unnoticed in the forensics community (judging by the number of news submissions received at Forensic Focus). There's also plenty of debate at various general IT sites such as The Register.

So, what is the clause? Well, the entire Criminal Justice and Immigration Bill is covered in some detail here but the relevant clause can be found here (and I apologise for the confusion over the numbering of the clause, I've seen it specified as variously 62, 63 and 64).

In a nutshell, the clause seeks to shift criminal responsibility from the producer (as specified in the existing Obscene Publications Act, although this will remain in force) to the person who possesses the image(s) in question.

The background to the Bill is a tragic one, involving the murder of Jane Longhurst five years ago at the hands of a man addicted to violent pornography. Liz Longhurst, Jane's mother, then began to campaign against such images and was supported by the Home Secretary at the time.

The proposed new laws are, however, controversial with campaigners fighting against their introduction primarily citing concerns over the (lack of) evidence linking pornography with violence, the vagueness of the offence and the risk that a large number of people will be criminalised unfairly.

Regardless of what we might think of the clause on a personal level, it's clear that its introduction will have consequences for some forensic examiners in the UK. Only time will tell what impact, if any, it has on violent sex crime.

Thursday, May 01, 2008

Interview with David Sullivan, Appointments-UK

Forensic Focus: Can you tell us something about your background? How did Appointments-UK come into being?

David Sullivan: I’ve enjoyed over twelve years in recruitment, starting out in the city [London] specialising in IT within Investment Banking.

The area that really interested me was Information Security, and after a successful period in this sector, I further refined my focus into computer forensics. Then, in 2003, I decided to take the plunge and set up Appointments-UK.

My reasons were simple and remain the underlying vision for my company today: when contacting a recruiter you want them to demonstrate good market knowledge and a genuine understanding of the companies, personalities, trends, conditions and pressures that impact your sector. At Appointments-UK all our people offer this.

It has been a tremendous challenge and I’m pleased that organic growth has enabled me to develop a team of specialist recruiters in related areas: however, my personal operational focus remains in the computer forensics/electronic discovery market.


Forensic Focus: You operate in a dynamic, changing market place; what are the main challenges you face and what are your strategies to tackle these?

David Sullivan: The single biggest challenge I face is identifying suitably talented and skilled candidates. Advertising on specialist sites such as Forensic Focus produces results, but the niche nature of this sector means using generalist job sites (Monster, Jobsite etc) offers limited success. Recommendation remains the cornerstone in identifying suitable talent; in fact, well over three-quarters of our placements are due to networking.

After five years in this sector I have a fantastic network of key people – many of whom I now know both socially as well as professionally – and this makes my job much simpler! I can rely on this group to keep me updated with what is really going on and who may be open to making a move.

Another challenge we face is managing expectations. There is much hype around computer forensics as a growth area suffering from a shortage of candidates. This often leads to unrealistic expectations – especially around salaries – which needs to be tackled.

This is particularly common with people moving to the Private Sector from Law Enforcement/Public Sector organisations. With earnings between £35 and 40k they often ‘need’ to realise a package of around £65k to compensate the loss of other benefits. In the majority of cases this is unlikely, and, in reality, when they first move the pay increase is likely to be minimal. However, based on performance the strong performers will soon see substantial increases in both salary and bonuses. As a benchmark, when somebody changes jobs it is very rare to see a basic salary increase by more than 20%.

We don’t make promises where we cannot deliver and I often tell prospective candidates that they are, in my opinion, unrealistic in their salary expectations. Although I don’t pretend to always get it right, more often than not we see these people again when, after searching the market, it is our honest and informed service that they really need – once more, back to the very essence of what we provide; an honest assessment of the opportunities available based on a real understanding of the market.


Forensic Focus: What do you think of the rising number of educational courses in computer forensics? Is there a genuine demand from employers for an increased number of students?

David Sullivan: I enjoy playing my part in raising awareness of the opportunities available by speaking annually at a number of Universities that run Computer Forensic courses. It is vital that we reach and develop relationships with tomorrow's talent today.

The standard of courses is certainly mixed but there are some outstanding, inspiring people running excellent courses and being incredibly innovative (particularly, in my experience, Vasilios Katos and Cheryl Hennell at Portsmouth University and Angus Marshall at Teesside University).

However, it remains clear that there will not be positions in Forensics for all the graduates, which is why it is so vital for them to be thinking seriously about their careers from Year One, and what they can do to give them an edge. I try to emphasise to the students that it is not necessarily the brightest who get the plum jobs, but those who prepare and position themselves correctly.

Graduate vacancies do exist and as a company we placed 14 computer forensic graduates in a variety of companies last year. It is also worth noting that salaries vary tremendously: in my experience in 2007 new graduate salaries varied from £16k - £34k, but in terms of long-term careers, I don’t think it is necessarily always correct to go for the highest salaried position as some of those organisations paying less offer outstanding training and exposure which can be very beneficial in the longer term.


Forensic Focus: How can people break into computer forensics and is it a ‘career’?

David Sullivan: Here on Forensic Focus lots of people who are currently working in IT related roles ask how to get into Computer Forensics and I get numerous calls asking the same question. I think it is a difficult area as it is not like becoming a Doctor where the career path is structured and you know what you need to do. My advice is usually that they need to personally contact every Computer Forensics Manager in the UK, be persistent, happen to be in the right place at the right time and get lucky. Oh yes, and be willing to take a pay cut.

Once you are in Computer Forensics there are some outstanding opportunities and if you are good, you can reach Senior Manager level very quickly. In my experience, the one thing that distinguishes those people who reach the very top is purely their ability to build relationships and develop new business. Technical expertise is important, but in the end, to reach the highest levels, it comes down to the ability to enable an organisation to sell the service.

However, I should add that I do appreciate that lots of outstanding Public Sector/Law Enforcement Computer Forensic Practitioners have no interest in following this path working for Private Sector organisations.


Forensic Focus: What changes have you seen in the computer forensics recruitment market over the past 5 years? What trends do you see in the future?

David Sullivan: Five years ago, nearly all recruitment was word of mouth between people working in the area and potential candidates I called had often never spoken to a recruiter before. Today, there are a number of specialist recruiters of varying quality operating in this market. There are some very good ones (such as Mark Woodward, who also advertises on this forum) but – and this is a general problem in recruitment - there are others who don’t provide such a high quality service, make false promises etc and this can make it harder for us to gain the trust of potential candidates.

As the sector continues to expand and mature, I think we will continue to see an increase in the more general positions being filled by advertising on specialist forums like Forensic Focus and Digital Detective. Companies will do much of this recruitment directly rather than via recruiters (the adverts on Forensic Focus show this happening).

However, for bulk recruiting, very specialist or senior roles, we will continue to see increased demand for pure headhunting and/or working exclusively with one Recruitment Company, which really has an understanding of the recruiting organisation. We have this relationship with some companies in the sector already and it is not surprising that we find the very best people for these organisations. As recruiters, if we can really get to know a company culture and work as a genuine Partner, it is so much easier to find the very best and most suitable people in the market, as opposed to currently on the market.

The only Public Sector/Law Enforcement organisation we currently recruit for in this area is the Metropolitan Police. I would anticipate that more Public Sector organisations will realise the cost-savings they can make by using external recruiters.


Forensic Focus: What do you do to relax when you're not working?

David Sullivan: I sail competitively, surf whenever I can and have developed a (healthy!) love of live poker.



--
David Sullivan specialises in Computer Forensics recruitment at Appointments-UK and can be contacted at David @ appointments-uk.co.uk or on 01787 461082