Thursday, December 31, 2009

Adroit Photo Forensics review

A review of Adroit Photo Forensics is now online here with follow-up discussion available here. Many thanks to Austin Troxell for the review.

Thursday, December 10, 2009

Interview with Russell May, 4N6 Investigation

An interview with Russell May of 4N6 Investigation is now online. Russell is a well-known figure in the computer forensics world with a reputation for providing some of the best training courses available. Enjoy the interview!

Friday, December 04, 2009

Forensic Computing PhD, UK

There is a PhD position available at the Centre for Forensic Computing, Cranfield University, UK. The broad area for the research is the investigation of the digital evidence left on hard disks by users who have communicated via the Internet.

The start date is February 2010.

To apply please see:

Thursday, November 12, 2009

Academic institutions - updated

I've updated the first post of this thread with everything we have so far (in something like alphabetical order). Thanks again to everyone who's contributed and please continue sending in details of anywhere not already listed.



Wednesday, November 11, 2009

Computer Forensics in the Geek Press – A Taxonomy

"So COFEE has finally been leaked onto the Internet. It was inevitable and it’s a wonder that it wasn’t released sooner, but nevertheless it marks a sad day for the Law Enforcement computer forensics community...So why the long face, as the horse said to the Easter Island monolith? It’s the lolz. It’s all about the lolz, and a decrease thereof. Every so often COFEE is mentioned on a geek-news site like The Register or Slashdot, and whenever this happens, the comments come alive with a thousand angry, confused, wounded monkeys, all in an uproar about the existence of this pernicious tool..."

More (Happy as a Monkey)

Friday, November 06, 2009

Academic institutions - who are we missing?

Hi everyone,

As many of you know I've recently made a start on building the new education section at Forensic Focus (hopefully bringing it online later this month) with the aim of listing every computer forensics university and college course worldwide.

I'd like to ask for your help in making sure I don't miss out any relevant institutions. The following is a list of the places currently on my master list - if you know of any place not listed below (and I'm sure there are many of them) I'd be grateful if you could either post a reply to this thread or email me with the details on admin @ If you're able to provide a contact email address for a member of the teaching staff that would be great too (obviously if you yourself are a member of staff please don't hesitate to get in touch!)

OK, here's what I have so far:


University of Bedfordshire
Birmingham City University (contact person details required)
University of Bradford
Coventry University
Cranfield University
De Montfort University (contact person details required)
University of Derby
University of East London (contact person details required)
Edinburgh Napier University
University of Glamorgan
University of Greenwich (contact person details required)
University of Huddersfield
Kingston University (contact person details required)
University of Central Lancashire
Leeds Metropolitan University
Lincolns College London (contact person details required)
Liverpool John Moores University (contact person details required)
London Metropolitan University
Middlesex University
Northumbria University
The Open University
University of Portsmouth
Royal Holloway, University of London
Staffordshire University
University of Strathclyde
University of Sunderland
Teesside University (contact person details required)
University of the West of England
University of Westminster


University College Dublin
Dublin City University
Waterford Institute of Technology

US & Canada

Anne Arundel Community College
BCIT Centre for Forensics and Security Technology Studies
Bloomsburg University of Pennsylvania
Butler County Community College
California State University, Fullerton
Champlain College
DeVry University (contact person details required)
Edmonds Community College
University of Central Florida (contact person details required)
The George Washington University
Highline Community College (contact person details required)
Johns Hopkins University
John Jay College of Criminal Justice
Kaplan University - Hagerstown Campus (contact person details required)
Kennesaw State University
College of Lake County
Missouri Southern State University
Central Piedmont Community College
Pittsburgh Technical Institute
Purdue University Cyber Forensics Lab
University of Rhode Island (USA)
Rich Mountain Community College
Sam Houston State University
Stark State College of Technology
Stevenson University (contact person details required)
University of Texas at San Antonio
Tompkins Cortland Community College (contact person details required)
Walsh College
Washtenaw Community College (contact person details required)
Wilmington University (contact person details required)


University of Cape Town (UCT)
University of Madras
University of Milan
Asian School of Cyber Laws (contact person details required)

If you can help by adding to this list or providing contact details I'd be very grateful - many thanks in advance!

Kind regards,


Thursday, November 05, 2009

Academic contacts - can you help?

I'm in the middle of compiling the new education section for the site and am trying to contact as many academic institutions as possible. However, I'm having some difficulty contacting staff members at the following universities and colleges:


Birmingham City University
De Montfort University
University of Greenwich
University of East London
Leeds Metropolitan University
Lincolns College London
Royal Holloway, University of London
Kingston University
Liverpool John Moores University
Teesside University


Waterford Institute of Technology
Dublin City University


University of Central Florida
DeVry University
Highline Community College
Kaplan University - Hagerstown Campus
Stevenson University
Tompkins Cortland Community College
Walsh College
Washtenaw Community College
Wilmington University


University of Milan


University of Madras

If you have an email address for a member of the computer forensics teaching staff - preferably the course leader - at any of the above I'd be grateful if you could mail me with it (if you're comfortable doing so) or alternatively ask the staff member to contact me directly on admin @ if you think they might want their institution to appear in the new section (there's no fee for inclusion, I just want to make sure the details are accurate.)

Many thanks in advance!


Wednesday, October 14, 2009

Certifications are Evil

Thought-provoking post from John McCash over at Mark McKinnon's blog:

"Folks, this is an opinion piece, and it's going to be a controversial one. Some of you started composing a scathing rebuttal to it as soon as you read the title. Normally I restrict myself to what I hope are useful technical tidbits, but like most of you out there, I'm a forensic practitioner, and I have little patience for time sinks which provide no benefit (no I'm not including the training in that category, save your flames for the end). I've always begrudged the time commitment (over and above what's required to actually take the training and learn the included material) required to attain certifications, despite which I'm in possession of five, soon to be six, not counting my master's degree, so I like to think I speak from some degree of experience..."

Read more, and the ensuing discussion, here.

Tuesday, October 13, 2009

Shrinking the gap: carving NTFS-compressed files

A new paper from Joachim Metz of Hoffmann Investigations titled "Shrinking the gap: carving NTFS-compressed files" is now available here. Readers may be interested to note that carving NTFS-compressed data will also be part of the advanced carving topic of the Hoffmann Forensic Sessions in November.

My thanks to Joachim for another excellent paper!

Thursday, September 24, 2009

Interview with Jim Gordon, West Mercia Police

Forensic Focus: Jim, can you tell us something about your background?

Jim Gordon: I left school in Dundee, Scotland when I was 17 years old and joined the Royal Air Force Police. I served in the RAF Police for just over 15 years, the majority of which was spent in the Special Investigation Service. Like most service personnel I served all over the place including three years in Cyprus, also visiting Belize in Central America, the Falkland Islands and finishing off with three years at the Joint Headquarters at Rheindahlen near Monchengladbach in Germany.

On leaving the RAF I joined Merseyside Police where I served in Liverpool city centre. I ended up on a Pro Active vehicle crime unit. After three great years I transferred to West Mercia Police where I was initially stationed at Kidderminster to the South West of Birmingham.

West Mercia is the fourth largest geographic police area in England and Wales. It covers the Welsh border counties of Herefordshire, Worcestershire and Shropshire. While West Mercia is predominantly rural, it also contains some densely populated urban areas and many market towns. As you can imagine it was quite a culture shock compared to Liverpool City centre.

After a short period in uniform I spent a number of years on the Pro Active CID, mainly employed in drug investigations at a local level, before successfully applying to become a Detective in the Criminal Investigation Department. In 2001 I successfully applied to join the Hi Tech Crime Unit. As they say the rest is history.

Forensic Focus: Why did you decide to work in the field of computer crime investigation?

Jim Gordon: I was always interested in computers from my days of being the proud owner of a ZX Spectrum and later when I seriously upgraded to an Olivetti 486. Whilst in the CID at Kidderminster I successfully completed a project management course and later during 2000 had the opportunity of going on an attachment to help the Force introduce the National Intelligence Model. Whilst part of the project team I first came into contact with the Hi Tech Crime Unit that at that time consisted of one member of staff. During 2001 the Hi Tech Crime Unit expanded and I successfully applied for one of the roles within the unit. As you can see from my background I’ve always worked in an investigatory role which is something that I enjoy and so computer forensics allows me to continue this, learn new things everyday and support the investigation teams...


Wednesday, September 23, 2009

Forensic Focus Graduate Recruitment

I'm delighted to announce the introduction of the Forensic Focus Graduate Recruitment program. Headed by respected computer forensics recruitment specialist David Sullivan and supported by technical experts in the fields of both computer and mobile forensics, this program aims to match graduates with suitable employers throughout the US, Canada and the UK.

Further details can be found at Enquiries and resumes/CVs may be sent to

Helix 3 Enterprise review

A review of Helix 3 Enterprise written by Jonathan Krause of Forensic Control can be read here with discussion here.

"Helix 3 Enterprise (H3E) is e-fense’s flagship investigation suite pitched at a similar level as EnCase Enterprise or Access Data Enterprise. It’s aimed at organisations which need to be able to carry out incident response, forensics and e-discovery functions over networks. H3E facilitates centralised incident response, imaging of drives and volatile data and also enables scans and searches of a user’s internet history and documents on any computer which has had the H3E Agent pre-installed on it..."


Monday, August 24, 2009

Forensic PC anti-contamination procedures

For those who don't follow the forums, there's an interesting discussion ongoing here about hard disk sterilization (if, indeed, that's the term of choice). I'd like to encourage further comments and viewpoints on this topic so please don't hesitate to have your say!

Wednesday, August 19, 2009

Thursday, July 30, 2009

Interview with Sean McLinden, Outcome Technology Associates, Inc.

[Sean is a Forensic Focus forum regular and posts under the username "seanmcl"]

Forensic Focus: Sean, can you tell us something about your background?

Sean McLinden: My first exposure to computers was as an undergraduate when I saw an episode of the PBS series Nova about artificial intelligence (AI). Since I was headed to the University of Pittsburgh to begin a graduate study in Medicine I hooked up with the team of Jack D. Myers, MD, and Harry E. Pople, PhD., who were researching the development of programs which could mimic the actions of human diagnosticians. Their laboratory was kind of a skunkworks which not only explored artificial intelligence, but also computer networking, hardware design and operating systems. Everyone who worked there was expected to be well versed in computer design and applications and innovative and there were a lot of opportunities for creativity and independent action. That model became my model for building collaborative teams in which people are encouraged to think independently, question conventional wisdom and be self-motivating.

Following completion of medical training I was recruited to become the head of MIS for what would become a university affiliated teaching hospital. Whereas in the research lab, sharing was the norm, in a patient care setting, the security of the information is paramount. This experience also taught me how production IT operations work, including the human element, an understanding of which is critical to cost-effective enterprise forensics.

From there, I chaired a university graduate program in IT management and then directed a clinical outcomes research group before starting Outcome Technology Associates in 1998.

Forensic Focus: What type of work is Outcome Technology Associates, Inc. engaged in? What does your role as president involve?

Sean McLinden: Outcome Technology Associates began as an organization that developed software and refined practices for the health care industry. Specifically, we did data analysis for patient clinical trials and helped to design systems for the sharing of patient information via data networks. Because our work involved a high degree of confidentiality, we were retained by law firms which had the need not only for data capture and analysis, but also the ability to be discrete. At that time, computer forensics was unheard of and so, "experts" were drawn from the academic and business units where IT practices were the area of specialization.

Our first cases involved simple data recovery, preservation and analysis for use in civil and criminal legal proceedings. The paper record was still the standard for courtroom evidence and most computer forensics involved the detection of traces of the paper record on computers. In 1995, we were consulted by attorneys for the plaintiff on a very large case involving tens of thousands of electronic documents, including e-mail, which was thought to contain evidence of an intentional breach of contract by the defendant. The outcome of the case was a $30 million judgment in favor of our client, and that was the start of our full-time business.

Today we are involved in any and all types of civil and criminal investigations in which the preparation, storage or transmission of information in electronic format is involved. I can say, in all honesty, that each of our cases has had one or more features which is/are unique among all of our clients, so it would be hard to pin us down as specializing in one form of computer forensics...


Thursday, July 23, 2009

Write Blocker Review

by David Kovar of NetCerto, Inc.

Digital evidence needs to come from somewhere, right? It doesn’t appear, “forensically sound”, from out of the blue. And the phrase “forensically sound” is key – the evidence needs to be acquired in a manner that ensures that the process doesn’t modify the evidence in any manner. There are exceptions to this – cell phones and live acquisitions come to mind – but even then, the process should be minimally invasive.

The key to this acquisition process is the ubiquitous write blocker, probably the most important tool in any acquisition kit. A write blocker was my first forensics hardware purchase and I keep my collection of write blockers up to date religiously.

The differences between write blockers used to be fairly significant in terms of quality, speed, features, and price. In the last year or two the number of options has expanded somewhat, the major vendors all have similar features, and the prices have come down. The major difference appears to be in the layout, form factor, and physical design of the units...

Read more:

Monday, July 20, 2009

Loser wins major competition!

In a surprising turn of events late yesterday afternoon a rank outsider and frequent loser fought off the challenge of more mature competition to win a major international trophy.

But enough of the Open golf championship. In other news, the Forensic 4cast awards also contained a few surprises :-)

Joking aside, thanks to the guys over there for putting together this fun event. Thanks too for all who voted for a certain website owner (I didn't think the money would reach your accounts in time).

I hope Forensic Focus continues to be a useful resource and I'm looking forward to introducing some exciting new features later this year...stay tuned!

Thursday, July 16, 2009

Hard disk data storage

From the forums...

ForensicMania asks:
"Here is a quick question. I cloned hard disk using bit-by-bit copy and kept this hard disk without power in evidence store. I was wondering is there any limitation on data storage life-time on that hard disk if kept without providing power to it. e.g., will the data be there after five years?"

Logg replies: "You'll want to store your hard drives each in sealed, anti-static bags in a climate-controlled (arid) room. The baggies run under a dollar a piece at Fry's (or free if you keep them when you purchase hardware for yourself).

Power is your hard drive's enemy, so as long as you maintain low humidity, mild/moderate temperatures, and a generally dust-free environment, you'll be fine.

A flimsy cd that's damaged simply by prolonged exposure to sunlight can otherwise last to 100 years in storage (or so they say). An immobilized hard drive (and a backup drive if costs permit!) will last you the necessary 5 years ... with a few decades to spare..."


Monday, July 13, 2009

Top 100 Computer Forensics Twitterers to Follow

I'd like to put together a list of the "top 100" computer forensics tweeters out there - click here to add your suggestions!

Monday, July 06, 2009

Build Your Own Digital Evidence Collection Kit

by David Kovar, NetCerto, Inc.

Collecting evidence accurately is clearly a foundational element for any ediscovery or forensics analysis project. The equipment required is important, but so are the supporting items – office supplies, forms, and documentation tools. And if you cannot find the items, or get them to the destination, it doesn't matter how great your tools are.

This kit, and the thoughts and processes behind it, attempt to address concerns I've encountered while doing collections all over the world. That said, it isn't perfect, even for my own needs. Treat this as a framework for building your own kit and if you can improve on this, please let me know how so I can improve my own processes.

Bear in mind that, in addition to this kit, I carry a laptop backpack everywhere. The backpack has my primary laptop for note taking and Internet research with WiFi and a cellular modem, cell phone cables, spare USB thumb drives, food, reading materials, and other basic necessities of any computer forensics analyst...


This year's Digital Safety Conference

by Jan Collie

Cyberstalking is the new urban terror – the message rang home loud and clear at the Digital Safety Conference in London.

For although, in Cyberspace, no-one hears you scream, increasing numbers of people are getting off on imagining it.

The evils of instant communication – texting, live chat, social networking – were laid out in lurid detail before delegates meeting in a brick-lined space known as The Brewery, near the city’s Barbican.

Tales of horror: physical threats and psychological manipulation, poured out. The family pursued relentlessly via emails, bulletin board postings and websites dedicated to damaging their names for more than five years. The teenager who suffered Post Traumatic Stress Syndrome following a campaign of anonymous texts. The Information Age exposed in all its gory.

This, said former Scotland Yard detective, Hamish Brown, was the intimidation that kills lives, the silent terror that dogs every waking moment for harassed victims. Who stalks and why is the subject of ongoing research but the trend is that more men stalk women than the other way around. The style of mental torture is similar to that shown in cases of domestic violence, Brown asserted, and the perpetrator often has no previous convictions.

As the first police officer to charge an offender with Grievous Bodily Harm of the mind, Brown passionately believes that victims of cyber violence should be taken more seriously.

“It’s not right that you should have to be punched on the nose for something to happen,” he commented, and asked for a campaign to educate the public on the issue.

Two alarming presentations based on personal experience followed. Graham Brown-Martin described how he, his wife and small child ran from Jamaica to London after enduring a series of death threats and vicious slanders posted on the Internet. The virtual bullying followed them and has continued for five years. Despite continued threats, including an invitation to all-comers to murder the family published with a map of their whereabouts, the authorities have been unable to help. Differences in international law were quoted as the main difficulty.

More at

Tuesday, June 30, 2009

UK members - Can you HACK it?

Forensic Focus is pleased to support The National Society for the Prevention of Cruelty to Children (NSPCC), a charity which will be familiar to many UK members, especially those involved with child protection issues. The NSPCC's annual HACK (Hike Against Cruelty to Kids) is now in its fifth year and has so far raised over £250,000. After four successful years in the north this summer there are five 25 mile HACKS taking place in some of the most stunning locations across the UK: Yorkshire 5 September, Northern Ireland 5 September, Wales 12 September and Devon 27 September. And just in case you need any further motivation, there's a Forensic Focus T-Shirt for everyone who completes the hike - what more could you ask for?

More details here

Thursday, June 18, 2009

Message from Nick Furneaux

Thought it might be useful to reproduce Nick's recent welcome message in the new live/network forensics forum:

"Hi everyone and welcome to the new forum covering Live and Network forensics.

My name is Nick Furneaux from CSITech and if you don't know me or have never sat in a classroom with me, then hello! Jamie has kindly asked if I would assist in the moderation of this forum and I was delighted to accept. If you are truly bored you can waste 90 seconds of your life and find out more about me on my poorly used blog at

In the past 3 years or so the subject of so called live forensics has become an increasingly discussed topic and most investigators now believe that a live response to a running machine constitutes best evidence, often ahead of pulling the plug and continuing with a traditional disk image.

Whereas disk imaging has a certain accepted methodology and protocol associated with it, live response still has the feeling of the Wild West about it and as much work as possible needs to be done by the community to work towards a generally accepted method and process. Hopefully this forum, broken out from the melee of other topics will assist with that process.

This, of course, is not to ignore the vital area of network investigations that tends not to get such a 'following' in respect to forum postings, hopefully that will change.

We are fortunate to have some leading lights in these subjects contributing to Forensic Focus (you know who you are) and we welcome your continued positive contribution and input.

I look forward to reading your ideas, thoughts and comments.

Nick Furneaux"

The original message can be read here.

Wednesday, June 17, 2009

New forum (Live and Network Forensics) and new moderator

Hi everyone,

We now have a new forum dedicated to live and network forensics (e.g. memory analysis, running process enumeration, network traffic analysis etc.) If you want to discuss something related to volatile data collection before or without pulling the plug then this is the right place.

That's only half the good news. I'm also delighted to announce that Nick Furneaux has agreed to be the moderator of this new forum which is a huge coup for all Forensic Focus members (for a recent interview with Nick, click here.)

Nick joins Greg Smith (our mobile forensics forum moderator) as another highly regarded and influential name in the forensics world willing to share their knowledge and experience in these forums - my thanks to them both!


Monday, June 15, 2009

Interview with Graham Brown-Martin, Digital Safety Conference

An interview with Graham Brown-Martin, organiser of the upcoming Digital Safety Conference in London, is now online at

There's a link within the interview to a documentary about the event which inspired Graham to put this conference together, and while there's nothing "technical" in it I think it's worth viewing for the perspective it gives of someone who's been a victim of computer crime (surprisingly, perhaps, something we don't discuss very often at Forensic Focus).

Friday, June 12, 2009

Interview with Lee Whitfield, Forensic 4cast

An interview with Lee Whitfield of Forensic 4cast is now online at

It's always interesting to learn more about one of the voices behind a podcast and Lee doesn't disappoint!

Wednesday, June 10, 2009

Interview with Robert Botchek, President and Founder – Tableau, LLC

An interview with Robert Botchek, President and Founder of Tableau, LLC is now online at

This is a fairly lengthy interview and Robert goes into a lot of detail in his responses - I highly recommend taking the time to make your way through it, it's well worth it.

Huge thanks to Robert for taking the time to share his thoughts!

Thursday, June 04, 2009

Digital Safety Conference, 19th June 2009, London

The inaugural Digital Safety Conference brings together thought leaders, policy makers, legal professionals, law enforcement agencies, government representatives, educators, industry leaders and those committed to protecting civil liberties to consider the health, reputation and environment of the digital world.

Speakers include:

• Tom Watson MP
• Tanya Byron
• Anthony Lilley
• Dr Richard Clayton, Cambridge University
• Dr Tim Watson, De Montfort University
• Prof Mike Short, President, Mobile Data Association
• Hamish Brown, MBE (UK's leading expert on stalking)

Delegate places from £95 (students), education and charities £145 and FF members £170 if using the code dsg via online registration at:

A supporting television documentary concerning one of the organisers as a case study can be viewed here:

Two men guilty of student murders

So, after five weeks Sonnex and Farmer have been found guilty of the appalling murders of Gabriel Ferez and Laurent Bonomo. I was actually at the Old Bailey on the first day of the trial (in the public gallery) and had hoped to return at a later date to see if there was any mobile forensics expert witness testimony - as seemed likely given the use of mobile phones on the date in question - but unfortunately my plans changed and I didn't have the chance. If anyone knows what part this evidence played in the trial please feel free to email me.

Interview with Dr Chris Pamplin, Editor – UK Register of Expert Witnesses

An interview with Dr Chris Pamplin, Editor of the UK Register of Expert Witnesses is now online at

Friday, May 29, 2009

Hoffmann Advanced Forensic Sessions, November

Received a note from Robert-Jan Mora this morning that the second Advanced Forensic Sessions from Hoffmann BV in the Netherlands will be held 16th – 20th November 2009. The Sessions are limited to 25 participants but the previous edition was completely booked so early registration is recommended (click here for full details).

Robert-Jan and his colleague Joachim Metz, together with others at Hoffmann, are some of the best in the business and I wish them every success with these new sessions.

Thursday, May 07, 2009

Review - e-fense Live Response

Scot Wesner's review of e-fense Live Response can be read here with follow-up discussion here.

Interview with live forensics expert Nick Furneaux

An interview with live forensics expert Nick Furneaux (MD of CSITech & Director at Bright Forensics) is now online at

Thanks to Nick for his time!

Tuesday, May 05, 2009

Infosecurity Europe - Seminars

I managed to catch a few seminars during the first couple of days of Infosecurity Europe, of which I think the following were the most interesting:

Who Should Police The Global Internet - Who Is Ultimately Responsible?
Chair: Mr Philip Virgo, Secretary General, EURIM
Ms Charlie McMurdie, Detective Superintendent, Police Central e-Crime Unit, New Scotland Yard
RT Hon Alun Michael, MP

I'd been looking forward to hearing Charlie McMurdie speak in person for some time, having published snippets from a number of her talks over the past few years. Charlie gave a good overview of current strategy intended to meet the challenges of e-Crime in the UK (forces acting independently of each other, lack of frontline knowledge/training, etc.) and introduced the Police Central e-Crime Unit, together with a sneak peek at their website which is yet to go live. Of most interest was her call (which I understand has been made previously - thanks Si!) for more dialogue and sharing of resources between police and industry in the UK. I managed to grab a few seconds of her time at the end of the talk to pass on my business card and quickly suggest an interview for Forensic Focus - something I intend to follow up on shortly. There's a lot of interest amongst private sector practitioners (both at the company and individual level) in working with the police and I'd like to help Charlie get the word out there about the possibilities for greater interaction.

Security At The Crossroads: Where Are We Headed?
Dr Whitfield Diffie

I expect most people reading this will have heard Whit Diffie speak before but I hadn't and I was keen not to miss him (apologies to all those I pushed out of my way while running to the seminar room!) Whit gave a potted history of cryptography starting a few hundred years ago but unfortunately it wasn't quite potted enough - by the time we got to the present day he'd run out of time and didn't really have a chance to explore the security "crossroads" we're at today in any great detail. That was certainly a shame but he's such an entertaining speaker that nobody seemed to mind too much - at least not those lining up to have their photo taken with him afterwards :-)

The Rising Tide Of Surveillance
Mr Phil Zimmermann, Special Advisor & Consultant, PGP Corporation

Phil Zimmermann made the brave choice to come to the UK and tell the local audience that British society is sleepwalking into a kind of Orwellian police state, with surveillance increasing at an alarming rate. His suggestion was that the Brits need to wake up and mobilise against this insidious evil. By and large this message was met with some approval - I particularly liked the chap who was outraged that our conference badges were being scanned before every seminar - and he also talked about his Zfone project towards the end of the session. If anyone has the chance to hear Phil speak in future, I highly recommend it - he gave us a lot to think about.

Panel Discussion
Chair: Prof. Fred Piper
Panel members: Dr. Paul G Dorey, Mr. David Lacey, Mr. Phil Zimmermann, Mr. Whitfield Diffie, Mr. Dan Kaminsky

This was, without doubt, the most entertaining of the seminar sessions with the topic up for discussion being "What bit of computer security would you get rid of?" (or words to that effect). I really should have made some notes because I've forgotten most of the points raised - including some good one-liners from Whit - but what sticks in my mind most was Dan Kaminsky's thoughts on DNSSEC and its potential for securing our network infrastructure (unfortunately I didn't attend his earlier talk on just this topic but, just to clarify, he was arguing that DNSSEC has real potential, not arguing that we should get rid of it). One of the points he brought up was the failure of PKI as currently implemented to really gain any kind of foothold over the years and I wondered how different things might have been for forensic investigators if encryption - especially for email - had become the norm.

Wednesday, April 29, 2009

Infosecurity Europe

If you're the type of person who enjoys the company of middle-aged men in suits then Infosecurity Europe should probably be near the top of your list of conferences to attend. I last visited the show about 10 years ago when it was held in Olympia (Kensington, London) but it has since moved to a larger venue at Earls Court.

Infosecurity is very much the corporate face of the computer security industry and anyone who's visited or worked on one of the exhibitor stands will be familiar with the commercial heart of the event. There is more to it than just vendors, though, namely a series of free to attend talks, seminars and round-table discussions. Unless you're a large customer looking to develop pre-sales contacts or you're interested in learning more about a particular product I suspect the seminars are what you're going to get the most out of at Infosecurity.

So, what about forensics? Is there anything of interest to the forensic investigator as opposed to the computer security professional? Well, leaving aside the obvious benefits of learning more about a closely related discipline (cross-training for geeks, if you like) there are some highly relevant talks on the agenda:

"Who Should Police the Global Internet?"
"A Look at Global Encryption Deployment and Usage Trends"
"Anatomy of a Database Attack Through Forensics Analysis"
"The Dynamics of e-Crime"

Overall, though, Infosecurity does exactly what it says on the tin and caters first and foremost for corporate security professionals. I'll report back on some of the seminars I manage to see - right now I need to navigate my way to the other side of the hall avoiding as many sales pitches as possible (including those for the 10 minute massage!)

Monday, April 06, 2009

Interview with Professor Tony Sammes, Cranfield University

An interview with Tony Sammes, Emeritus Professor at Cranfield University and co-author of "Forensic Computing: A Practitioner's Guide", is now online at

Wednesday, April 01, 2009

Virtual detection becomes a reality

A breakthrough in computer forensics technology was announced today when investigators were told they would no longer be required to rely on text-based or simple point and click interfaces, but will instead be able to fully immerse themselves in a virtual investigative environment based around the exploits of fictional TV detectives.

A spokesperson for April Software Solutions (ASS), developers of the new forensic tool, said, "The heart and soul of this new system is the Forensic Object-Oriented Language (F.O.O.L.) which was developed right here in our Peckham laboratory. Instead of scripting in Perl or some other language, the F.O.O.L. system allows the investigator to parse the evidence image and create a fully immersive 3D environment where they play the role of a famous TV detective such as Sherlock Holmes or that bloke from Life on Mars. Items which require investigation - the Windows Registry or browser cache for example - are turned into virtual suspects who can be brought in for interrogation."

ASS says that an expansion pack based around the character of Jack Bauer from 24 will be available in the summer to deal with strong encryption.

Monday, March 16, 2009

Sunday, March 01, 2009

Forensic Focus survey results

676 people completed the recent Forensic Focus survey and of those a large number included comments and suggestions in addition to answering the 9 questions. The first thing I'd like to do is to thank all respondents for their time and I'd also like to assure everyone that each answer, comment or suggestion has been read carefully - in fact, they've been read a number of times over the past few weeks. In addition, I thought that readers might be interested in the results of the survey (in broad terms, together with my own thoughts) and what those results may mean for the future direction of the site. So without further ado, let's get started:

Q1. What were your main reasons for registering an account at Forensic Focus?

The most common answer was the forums, with the newsletter and downloads section in second place rated almost equally.

Q2. How important for your own needs are the following sections at Forensic Focus?

Unsurprisingly perhaps, given the previous answer, the forums were ranked as very important by most respondents. I was interested to see that papers and articles were the next highest priority. The newsletter and daily news (i.e. homepage news items and RSS feed) ranked just a little below this with training/education links next. Still important but a little less than I had expected were interviews and job vacancies. The remaining options (e.g. events calendar, email group, LinkedIn group and videos) were all rated as somewhat important.

Q3. What computer forensics qualifications or certifications do you hold or intend to pursue?

The results here suggest that a college or university degree at Bachelor's level is the most common qualification held (with an MSc also quite popular in terms of current uptake and future intentions). Interestingly, the CCE and GCFA qualifications were less well represented than I had expected in terms of those who currently hold these qualifications but this was somewhat balanced by the figures which suggest they're high on the to do list for a lot of people in the next 12 months. What about training from the big 3 forensic software vendors (Guidance Software, Access Data and X-Ways)? Taking Guidance and Access Data first, the overall figures for Guidance were somewhat higher but for each company about half those who responded had taken training already and about half intended to do so in the next 12 months. The total figures for X-Ways were lower, especially as far as those who had already undergone training were concerned, but there was a strong showing in people intending to take X-Ways training over the next 12 months - not as many as those planning to train with Guidance or Access Data but certainly enough to suggest that X-Ways training is attracting a lot of interest.

Q4. How would you rate your current level of knowledge/expertise in the following areas?

As might be expected, collection/imaging, analysis and presentation skills were rated highly. Standards and legislation knowledge was rated as good and forensic laboratory management expertise was rated somewhere between average and good. The only other option, mobile phone forensics knowledge (handset/SIM/cell site analysis) was rated as below average to poor.

Q5. How much would you like to improve your expertise in the following subject areas in the next 12 months?

I think that this question and the next are the most relevant as far as the future of Forensic Focus is concerned. So, what skills are people most interested in developing? The simple answer to that seems to be...all of them! Every option presented received overwhelming support. Now, in a sense, that's not too surprising given the way the question is phrased, it almost goes without saying that any skill is something which people would like to see improved upon. With that said, a detailed look at the figures does reveal some interesting information. Firstly, if I had to pick one answer where the responses were ever so slightly less enthusiastic than the others it would be forensic laboratory management, but keep in mind that the overall desire to improve in this area was still very high. I think most of us would understand and expect this to be the case, I don't think we're at the stage yet where managing a lab is the primary ambition for most people working in the field, the greatest motivation for most practitioners is still probably the investigative process itself rather than higher level management. What else do the figures reveal? There are three main things which stood out: 1) Even though confidence in existing skills is high (see Q4) there's no evidence of over-confidence. On the contrary, continual improvement seems to be the highest priority for nearly all who completed the survey. 2) Enthusiasm for expertise in the areas of standards and legislation is just as high as for more technical matters (imaging, analysis, etc.) I was a little surprised by this, perhaps unfairly I had expected there would be a difference. 3) The desire to improve knowledge of mobile phone forensics was very high, in fact it was second only to computer analysis by just a few percent. In light of the related result for mobile phone forensics in Q4 I think this suggests there's a perceived demand for this skillset. The results for Q8 in relation to mobile forensics seem to confirm this.

Q6. How much would you like to see the following suggestions implemented at Forensic Focus?

This was very revealing and provided the clearest insight yet into what members would like to see at Forensic Focus in 2009. The results basically break down into two categories, those things people very much want to see either added or more of and those which they're still in favour of but to a slightly lesser degree. In the first category (i.e. things people *really* want to see) were reviews, articles/papers, standards and online/distance learning. In the second category (i.e. still keen on but slightly less enthusiastically) were interviews, job vacancies/career guidance, research into psychological effects of computer forensics, conferences, competitions and a podcast.

Q7. Which option best describes your current employment situation?

No big surprises. Most respondents work in either law enforcement or as company employees, with consultants and students making up the bulk of the rest of the numbers.

Q8. How often do you examine the following evidence sources as part of your job?

This is another revealing section. PCs/workstations, laptops/notebooks and USB flash drives/thumb drives were clearly the devices which are most often the subject of examination. Servers were then next on the list. Those devices which were least often examined were network devices (e.g. routers, switches), tape drives, portable entertainment devices (e.g. MP3 players, iPods) and game consoles. So far so unsurprising. What did strike me as interesting though were two figures: 1) PDAs (e.g. Palms, Blackberrys) were rarely or never examined by a significant proportion of respondents (I had expected them to be examined quite often) and 2) Mobile phones were examined somewhere between "sometimes" and "very often" by 45.6% of respondents. This struck me as an unusual figure given the number of people who had previously rated their knowledge of mobile phone examination as very poor but it would explain the high figure of those looking to improve their skills in this area.

Q9. Overall, how satisfied are you with Forensic Focus as a computer forensics resource?

91% of respondents were positively satisfied with Forensic Focus (the largest proportion of responses gave the site a mark of 6 out of a possible 7). 8% were neutral.

Q10. Additional comments or suggestions

A large number of people who completed the survey chose to enter comments in this section. On a personal note, I have to say I was overwhelmed by the number of positive comments left here - thank you all for your kind words, they're greatly appreciated. I was as surprised as I was delighted to hear that many people use Forensic Focus as their main or only channel for staying up to date with computer forensics issues. On a practical note, there were many useful comments and suggestions about what people like (or don't like) about the site and what they'd like to see added or improved. It's difficult to summarize things succinctly, some people wanted to see more of one thing and less of another while others wanted to see the exact opposite, but one theme seemed to be repeated with more frequency than any other and that was a desire for training/educational material built specifically to address real world scenarios.

Summary (or, where do we go from here?)

The first thing which struck me as the results of the survey started to come in was that this really is something I should have done a long time ago, it's a great way of taking the pulse of the membership and responding to their needs. I'm definitely going to make it a yearly event so expect to receive an email from me in about 11 months from now for the next one!

What have I discovered? Firstly, there's a huge appetite for learning - an appetite which doesn't seem to be diminished by any form of complacency, no matter how experienced the individual happens to be. Although the forums are the most popular area of the site this wasn't because people wanted to socialise or network, it was because that's where a lot of questions were answered. Secondly, although the forums are useful there's a desire for more structured learning with many people suggesting that it should be delivered online (as opposed to in a classroom). I think the benefits of online course delivery are clear in many cases but I suspect that because Forensic Focus has a global membership there's a significant proportion of members for whom distance learning is the only real option. Next, reviews (of software, hardware and training), articles/papers and standards are far more important to members than I had previously appreciated. Finally, there's a genuine sense of community and goodwill amongst the membership in relation to the Forensic Focus site and while I'm proud to have been involved in getting us to where we are now I also recognise two very important things - firstly, sincere thanks are due to all members for making the site what it is today and secondly there's a huge responsibility involved in taking us forward, what people learn from Forensic Focus can and most likely will be applied in situations which have the most serious consequences for those involved.

My thanks once again for everyone's participation in the survey - 2009 should be an interesting year!

Kind regards,


Wednesday, February 18, 2009

Other computer forensics feeds

A suggestion which came up in one of the survey responses was to have a page which displays recent posts from other computer forensics RSS feeds. We now have such a page here:

It's fairly low-tech but does the job, I think. I'm happy to add/remove/move around feeds on this page if there's a sound case for doing so, the only two requirements which spring to mind immediately are that:

1. Feeds should be primarily focused on computer forensics (rather than security or forensics in general)

2. They should be updated frequently

I appreciate most people are probably using their own news readers to keep up to date with these feeds but I think (hope!) it's useful to have a page for browsing here too.

Monday, February 16, 2009

Forensic Focus survey now closed - thank you for your feedback!

The survey is now closed and I've been spending quite a bit of time over the past few days analyzing the results - results which make interesting reading to say the least!

I'll be giving my take on various issues in the newsletter at the end of the month but in the meantime I'd like to say a huge heartfelt thanks to the nearly 700 people who took the time to complete the survey - every box ticked or comment left will be studied to help make sure that Forensic Focus meets your needs in the future.

More at the end of the month!


Thursday, January 22, 2009

The future of Forensic Focus - have your say!

[The following is for non-members or members who have not received the email which went out earlier today]

Over the past six years the Forensic Focus website has grown steadily to meet visitors' needs but input from our membership has been fairly informal, with suggestions typically being posted to the forums or sent to me directly. Now that the site is well established, I'd like to take a more rigorous approach to finding out exactly what it is that everyone wants, what aspects of the site they find important, what areas they feel are less useful and what they would like to see added in the future.

With this in mind I have put together a very short survey (10 questions) in an attempt to "take the pulse" of those who use Forensic Focus. I'd also like to make this a regular occurrence, probably at the start of every new year so that I can plan for the coming twelve months and make sure that everyone's needs are met (as far as possible!)

I would be very grateful if you could take the time to complete the survey. There is no need to provide any personal or contact information and I will, of course, treat all information received in the strictest confidence.

The survey, which should take no more than 2 or 3 minutes to complete, can be found here.

Thank you very much in advance, your responses will have a direct influence on the future of Forensic Focus.

Kind regards,


Thursday, January 08, 2009

SIM PIN Challenge

As regular forum members may already be aware, Greg Smith has posted a SIM PIN Challenge in the new Mobile Forensics forum. Full details can be found here.

I think this is a great opportunity for anyone who wants to start learning more about the technical challenges of mobile phone forensics. It's also an opportunity to learn from a world-renowned expert in this field.

For those who are unfamiliar with this side of forensics work and don't know Greg, I hope to be able to interview him in the very near future and bring that to you. In the meantime, good luck with the challenge!

Friday, January 02, 2009

The year ahead

Happy New Year, everyone, I hope those hangovers are starting to wear off!

2008 was a good year for Forensic Focus with solid growth in visitor numbers and a significant increase in those registering new accounts (presumably to allow posting to the forums or subscription to the newsletter) towards the end of the year.

There won't be any resting on our laurels for 2009, though, and there are already one or two additions to the site in the pipeline (in fact, a few have been implemented already without much fanfare - more about those in a later post). In addition, I'd like to stress that Forensic Focus remains very much a community effort - if there's something you want to see, or something you're not happy with, by all means let me know. I can't promise to accommodate every request but I'll try my best!

To all our members and everyone else in the wider computer forensics world, all the very best for 2009!