Friday, September 24, 2010

Programming for Digital Forensics

by Forensic Focus columnist, Chris Hargreaves

About the Author

Dr Chris Hargreaves is a lecturer at the Centre for Forensic Computing at Cranfield University in Shrivenham, UK.

This month I wanted to discuss programming, specifically whether learning a programming language is useful for a digital forensic practitioner. I have been unable to find any surveys or polls capturing the proportion of practitioners who can program, or what the language of choice is for those that do. However, anecdotally, my personal experience has left me surprised by the low proportion of practitioners who have programming experience. By ‘programming’ I am not suggesting that all practitioners should be re-implementing EnCase, FTK etc., but that, when appropriate, being able to write short, simple scripts could be useful in a digital forensics context.

One motivation for being able to write bespoke code for digital forensics is the ability to extract data from binary file formats. It is fairly uncontroversial to say that digital forensics is a fast-moving field. New versions of operating systems, new applications and new uses of existing applications emerge frequently, and this results in new digital objects that need to be understood. The digital forensics research community can identify relevant digital evidence using a variety of reverse engineering techniques. However, the output of this research may only be a schema describing the patterns in the raw data and the rules for how they should be interpreted. If no extraction tool was developed as part of the research, there are several options for making use of the findings: manually extract information using the published schema; wait for it to be implemented as a feature in a mainstream forensic package; or develop custom code that extracts information according to the identified data structures. Manual extraction does not scale well for large volumes of data, and waiting for implementation in a commercial package introduces uncertainty about when results could be available. Therefore, the ability to write simple, custom code means that data structures which would otherwise be ignored can be interpreted, and more digital evidence can be recovered...
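The "custom code that extracts information according to the identified data structures" option, as an added example that is not code from the column. The record format it parses is hypothetical, invented here only to show the technique of walking a byte buffer with Python's `struct` module according to a published schema: a magic value and record count, then records holding a Windows FILETIME, a 16-bit byte length and a UTF-16LE path. The parser refuses to read past the end of the data, which matters when the input is a carved or partially overwritten artefact.

```python
"""Extract records from a binary format by following a schema.

Added example, not code from the column. The record format below is
hypothetical, invented here only to show the technique: a header with a
magic value and a little-endian record count, followed by records that each
hold a Windows FILETIME, a 16-bit byte length and a UTF-16LE path string.
"""
import struct
from datetime import datetime, timedelta, timezone

MAGIC = b"RECS"                      # hypothetical file signature
HEADER = struct.Struct("<4sI")       # magic, record count
RECORD_HDR = struct.Struct("<QH")    # FILETIME, string byte length
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used to construct sample data."""
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000


def parse_records(buf):
    """Walk the buffer per the schema; refuse to read past its end."""
    magic, count = HEADER.unpack_from(buf, 0)
    if magic != MAGIC:
        raise ValueError("unexpected magic %r" % magic)
    offset = HEADER.size
    records = []
    for index in range(count):
        if offset + RECORD_HDR.size > len(buf):
            raise ValueError("record %d header runs past end of data" % index)
        ft, length = RECORD_HDR.unpack_from(buf, offset)
        offset += RECORD_HDR.size
        raw = buf[offset:offset + length]
        if len(raw) != length:
            raise ValueError("record %d string truncated" % index)
        offset += length
        records.append({
            "timestamp": filetime_to_datetime(ft),
            "path": raw.decode("utf-16-le"),
        })
    return records


def build_sample():
    """Constructed sample data matching the hypothetical schema."""
    entries = [
        (datetime(2010, 9, 24, 12, 0, 0, tzinfo=timezone.utc), r"C:\Users\alice\report.docx"),
        (datetime(2009, 1, 2, 3, 4, 5, tzinfo=timezone.utc), r"D:\backup\notes.txt"),
    ]
    body = b""
    for ts, path in entries:
        encoded = path.encode("utf-16-le")
        body += RECORD_HDR.pack(datetime_to_filetime(ts), len(encoded)) + encoded
    return HEADER.pack(MAGIC, len(entries)) + body


if __name__ == "__main__":
    for rec in parse_records(build_sample()):
        print(rec["timestamp"].isoformat(), rec["path"])
```

Once a real schema is known, only `HEADER`, `RECORD_HDR` and the field names change; the bounds checks and the FILETIME conversion carry over unchanged, and the same loop can be pointed at a carved buffer rather than a whole file.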


Thursday, September 23, 2010

Student work experience and placements - When is time money?

by Forensic Focus columnist, Sam Raincock

Sam Raincock is an IT and telecommunications expert witness specialising in the evaluation of digital evidence. She also provides training and IT security consultancy.

Throughout the world, there has been a recent surge in students studying computer forensics. Some courses encourage placement years or work experience to allow students to expand on their academic knowledge and obtain some practical experience.

Times haven’t changed. I remember as an undergraduate I was delighted to work in IT placements for an investment bank. However, as I look back now, what do internships/placements really provide the company employing you? Are the projects you work on as a student worth any money?

Now that I reflect on my own placements – what did they really get for their money? I believe the main gain was a 6 month interview process with no commitment to hire me at the end. That’s a good deal for a company looking for the very best candidates and with the cash flow to find them.

What did I get from them? Well I received a salary and at the time that’s what I mainly valued. However, now when I consider what I really obtained, I realise I actually gained something far more valuable and costly to them – I received the time of some of their most talented staff.

In the world of forensics, for students looking to gain work experience or placements it’s quite a grim situation with few places available and high competition. Unlike computing placements where a company may provide a student with a coding project or assign them to IT support, the forensic world is all about looking at case evidence, most of which involves legal or confidential matters. This may induce issues surrounding appropriate justification of the skillset and experience of the person conducting the work. In some situations, a firm may not be able to rationalise a student working on a case. Hence, a lot of forensic firms do not hire placement students...


Wednesday, September 22, 2010

What is "Information Security" anyway?

by Forensic Focus columnist, Simon Biles

About the Author

Simon Biles is a founder of Thinking Security Ltd., an Information Security and Risk Management consultancy firm based near Oxford in the UK.

So what is "Information Security" anyway? The traditional model that is taught to all InfoSec newbies is based around the “CIA Triad” – this isn’t some weird American-Chinese governmental underground society – rather it is the “holy trinity” of Confidentiality, Integrity and Availability that is used to define security. It’s been around for over 20 years and, dig as I might, I couldn’t find the original source (if anyone knows, please tell me!). It hasn’t stood unchallenged – more of that later – but it is certainly still in daily use, and if your InfoSec professional doesn’t know what it stands for, it’s time to get a new professional! In any case, it isn’t a bad place to start, so here are the component parts for you:

Confidentiality – this relates to the secrecy of the information in question. Confidentiality comes in many and varied shades – from things that you actively want everybody to know all the way through to the things that you want nobody to know. These levels of secrecy relate to the “protective marking” of documents in Government departments – we are all familiar with the concept of “Top Secret”; the full set is as follows: “NPM” (Not Protectively Marked, i.e. anyone can know), “Protect”, “Restricted”, “Confidential”, “Secret” and “Top Secret”. They are listed in a document called the Security Policy Framework (which is publicly available). Figuring out the required level of confidentiality for a given item of information is important – the higher the required confidentiality, the more expensive and difficult the process of securing it from others becomes – thus you only want to apply appropriate controls where necessary, rather than spending a fortune protecting something that is either of no consequence or that everyone already knows!

Integrity – this relates to the “quality” of the information. Is it the same as when it was entered? Has it been corrupted? Such a corruption could be accidental or deliberate, but the effect, in either case, is that the information can no longer be used, or trusted. It could be as simple as a wrong digit in a phone number, or as complex as accounting fraud, but both are compromises of integrity. Again, the effort made and cost expended in maintaining integrity should be proportional to the value and type of the information – a one-bit error in a JPEG library (which uses lossy compression anyway) may go completely unnoticed; a one-bit error in a bank account balance probably won’t...


Wednesday, September 08, 2010

Please support David Benford running for the Cystinosis Foundation

David Benford from Blackstage Forensics is raising money for the Cystinosis Foundation by running in the Amsterdam Mizuno half marathon on the 17th of October. David's daughter suffers from Cystinosis, a very rare and serious condition which is as yet incurable, and he is running to help fund research into improvements in medication and ultimately a cure.

Forensic Focus is supporting David and would like to encourage all our members to make a donation, no matter what size, via David's own page at David is currently 27% of the way towards his target and urgently needs your support in the final weeks before the race next month.

Please give what you can and, on behalf of David, many, many thanks in advance.

Friday, September 03, 2010

Metadata – 21st Century Document Authentication

by Eric Robi

Signatures, faxes and paper are so 20th century

While there is still a need for handwriting analysis experts, modern document authentication takes place primarily in the digital domain. Frequently a document such as a contract or letter of intent comes into question during litigation and we are asked to determine whether it is authentic or fraudulent.

One of the first things computer forensic experts check during a document evaluation is metadata. Files such as Microsoft Word documents can contain hidden information known as metadata. Metadata is “data about the data.” By analogy, if you were investigating a homicide in which a gun was used, the metadata would be everything about the gun, including fingerprints on the handle and trigger, the type of bullet fired, the time and date it was fired, and the number of times it was fired. The metadata embedded in a Microsoft Word document might reveal the creator name, company name, when the file was created, where the file was saved, total editing time and potentially much more. This list is not exhaustive; it merely offers a glimpse of what document metadata typically contains. Any of these elements can help show whether a document is authentic.

Unexpected Metadata Revelations

If someone is surreptitiously trying to backdate a contract created in Microsoft Word, one thing they might do is set the clock back and then save the document with an earlier date. A casual look at the computer might show Windows reporting that the document was created or modified on the earlier date. However, a deeper inspection of the document itself might reveal that the metadata embedded in the document is inconsistent with the Windows time/date stamps. For example, Windows might show a Last Modified Date of Jan. 23, 2005 while the metadata embedded in the document itself might show a much later date and even a different author.

The document metadata can also reveal the total document editing time. When a document is intentionally backdated by setting the clock back and then resaving the document, the total editing time indicated can be unrealistically high, sometimes showing that the document was edited for years. Since typical document editing time is measured in hours or days, when we see a document that has been edited for years we become understandably suspicious.
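The two checks described above (embedded dates and author disagreeing with the Windows timestamps, and an implausible total editing time), as an added example that is not code from the article. It builds a minimal, constructed .docx in memory (the zip-based container, whose document properties are plain XML; the article's 2010 examples would mostly have been binary .doc files, which need an OLE parser instead), reads the creator, last author, created/modified dates and `TotalTime` (editing time in minutes in the ECMA-376 extended properties part), and compares them with a filesystem modified time supplied by the caller. The 30-day plausibility threshold and the one-minute tolerance are assumptions, not figures from the article.

```python
"""Compare a Word document's embedded metadata with its filesystem timestamps.

Added example, not code from the article. A minimal .docx is constructed in
memory; only the two property parts (docProps/core.xml, docProps/app.xml)
are needed for these checks. Thresholds are assumptions.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
CORE_XML = (
    '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    "<dc:creator>{creator}</dc:creator><cp:lastModifiedBy>{editor}</cp:lastModifiedBy>"
    '<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
    '<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
    "</cp:coreProperties>"
)
APP_XML = '<Properties xmlns="{ep}"><TotalTime>{minutes}</TotalTime></Properties>'
UTC = timezone.utc


def w3cdtf(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_w3cdtf(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)


def build_docx(creator, editor, created, modified, minutes):
    """Constructed sample document containing just the property parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", CORE_XML.format(
            creator=creator, editor=editor,
            created=w3cdtf(created), modified=w3cdtf(modified), **NS))
        z.writestr("docProps/app.xml", APP_XML.format(minutes=minutes, **NS))
    return buf.getvalue()


def read_metadata(docx_bytes):
    """Pull the authentication-relevant fields out of the document's XML parts."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        app = ET.fromstring(z.read("docProps/app.xml"))
    return {
        "creator": core.findtext("dc:creator", namespaces=NS),
        "last_modified_by": core.findtext("cp:lastModifiedBy", namespaces=NS),
        "created": parse_w3cdtf(core.findtext("dcterms:created", namespaces=NS)),
        "modified": parse_w3cdtf(core.findtext("dcterms:modified", namespaces=NS)),
        "total_time_minutes": int(app.findtext("ep:TotalTime", default="0", namespaces=NS)),
    }


def check_consistency(meta, fs_modified, max_plausible_days=30):
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    if meta["modified"] > fs_modified + timedelta(minutes=1):
        findings.append("embedded modified date %s is later than filesystem modified date %s"
                        % (meta["modified"].isoformat(), fs_modified.isoformat()))
    if meta["created"] > meta["modified"]:
        findings.append("embedded created date is later than embedded modified date")
    days = meta["total_time_minutes"] / 1440
    if days > max_plausible_days:
        findings.append("TotalTime of %d minutes (about %.1f days) is implausibly high"
                        % (meta["total_time_minutes"], days))
    if meta["creator"] != meta["last_modified_by"]:
        findings.append("creator %r differs from last author %r"
                        % (meta["creator"], meta["last_modified_by"]))
    return findings


def backdated_sample():
    """Clock set back to 2005 for the final save: Windows says 2005, the XML says 2010."""
    doc = build_docx("A. Smith", "J. Doe", datetime(2005, 1, 23, 9, 0, tzinfo=UTC),
                     datetime(2010, 8, 15, 14, 30, tzinfo=UTC), 2_900_000)
    return check_consistency(read_metadata(doc), datetime(2005, 1, 23, 10, 0, tzinfo=UTC))


def ordinary_sample():
    """Edited over a few days; the filesystem and embedded values agree."""
    doc = build_docx("A. Smith", "A. Smith", datetime(2010, 8, 10, 9, 0, tzinfo=UTC),
                     datetime(2010, 8, 15, 14, 30, tzinfo=UTC), 180)
    return check_consistency(read_metadata(doc), datetime(2010, 8, 15, 14, 30, 40, tzinfo=UTC))


if __name__ == "__main__":
    for name, findings in (("backdated", backdated_sample()), ("ordinary", ordinary_sample())):
        print(name, findings or "no findings")
```

On a real examination the filesystem time would come from the image (for example the NTFS $STANDARD_INFORMATION and $FILE_NAME timestamps), and a finding is a reason to look further at internet history, e-mail and the other sources the article mentions, not a conclusion on its own.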

Metadata used in conjunction with other elements of computer forensics such as internet activity, examination of emails and Windows time/date stamps can be used to determine if a document is the real deal or a forgery.

Is The Document Worth The Paper It’s Printed On?

Recently we have looked at a number of agreements and letters of intent that were provided to us on paper. When the authenticity of such a document is questioned, the electronic version is somehow almost always difficult to obtain. However, in those cases where we are able to examine the electronic version of the document, a very different story often emerges, illuminated by the bright light of metadata.

Visit Eric's website at