Thursday, October 28, 2010

A big thank you from David Benford!

I am really pleased to say that I completed the Mizuno Amsterdam Half Marathon on Sunday 17th October 2010 in aid of the Cystinosis Foundation UK.

Please may I thank everyone on Forensic Focus that sponsored and supported me. My family and I are really touched by everyone's generosity and we are going to raise close to 3000 Pounds Sterling from the event. Every penny raised will go to researching improvements to drugs and ultimately a cure.

I am a trustee of the foundation and my 9 year old daughter has cystinosis, which is a chronic genetic metabolic disease. It is very rare with only around 2000 patients in the Western world. The race was particularly challenging for me as exactly 6 weeks prior to the race I competed in the Lichfield 10k event to warm up for the main run. It evolved that in the 10k run I managed to tear the meniscus in my left knee. This meant that I was unable to train or exercise further for the marathon and had to take a chance and just go for it on the day.

I flew to Amsterdam on the 16th and stayed near to the Olympic Stadium where the event was due to finish. On the day all went OK. Things were going well for me up until 15km, when my legs didn't want to work as this point was further than I had ever run before. I pushed on though and every step was very painful but I reached the stadium, where after half a lap I crossed the finishing line with massive relief and a sense of great achievement!

The Dutch crowds and bands along the route were an enormous help and very motivating. I finished in 2 hours and 31 minutes which I was quite happy with. The run has really helped raise awareness of cystinosis and people have been so generous.

For more information please go to or

Thank you all once again.

David Benford
Managing Director
Blackstage Forensics Limited
T: 01283 762559

Thursday, October 21, 2010

Digital Forensics and ‘self-tracking’

by Forensic Focus columnist, Dr Chris Hargreaves

Chris Hargreaves
About the Author

Dr Chris Hargreaves is a lecturer at the Centre for Forensic Computing at Cranfield University in Shrivenham, UK.

This month's article is based very loosely around a recent 5-minute talk from Gary Wolf (link here) which explores the concept of ‘self-tracking’ (the trend for people to record aspects of their life) and how this can now be performed to a much greater extent than was previously possible due to changes in technology. The talk discusses the monitoring of heart rates, sleep patterns, consumption of caffeine, food and alcohol etc. While many of these could be recorded simply with a pen and paper, the talk also introduces a variety of new digital devices that automate the collection, recording and in some cases transmission of this ‘self-tracking’ data. This article ponders the implications of such devices for digital forensics.

Several technologies are mentioned in the referenced TED talk, including general purpose technologies such as Twitter and iPhones that can be used for ‘self-tracking’ of diet or exercise, but it also discusses dedicated devices. This includes technologies such as such as Nike+ (tracking distances and times), Fitbit (for fitness and sleep monitoring), Polar WearLink+ (heart rate) and Zeo Sleep Tracker (sleep monitoring). Outside of those covered in the talk, additional technologies that are already commonly in use that record information about our lives include games consoles such as the Nintendo Wii (amount of time playing a particular game or using other features such as the web browser) and GPS devices (locations visited). There are also other upcoming technologies, for example those which capture and record the total electrical power consumption of your home.

It does not require too much imagination to foresee how data from such devices could be potentially useful (particularly as evidence related to alibis, for example). Really, any additional source of potential digital evidence should be welcomed, and this is particularly true for devices that are difficult to tamper with (there is not yet an evidence eliminator for electricity usage monitors as far as I am aware). There is also an additional benefit from using digital evidence in this way – rather than relying on digital evidence from a single PC or device, multiple, independent devices can be examined for evidence that supports (or refutes) the current working hypothesis of what events occurred. More data sources can only increase the accuracy of any inferences drawn from the evidence...


Wednesday, October 20, 2010

It’s not always what you find...

by Forensic Focus columnist, Sam Raincock

Sam Raincock from SRC is an IT and telecommunications expert witness specialising in the evaluation of digital evidence. She also provides training and IT security consultancy.
In digital forensics we are often asked to determine the presence of evidence. However, what happens when we do not find anything? How do we prove something wasn’t there?

Proving something is present is generally a trivial problem – you find it, it’s there. Of course the complex part is explaining how it came to reside on a digital device and the circumstances surrounding it….that’s what the field of digital forensics is all about. However, proving something isn’t there and/or was never there are also questions we are asked to comment on. Take the following for example:

· Examine this laptop and establish if it has accessed the website

· Examine this mobile telephone and determine if it sent a text message with the content “Forensic Focus”.

Let’s look at the first example. In the event there is “no evidence of access to found”, what remains is proving (or commenting on) a negative. However, just because you do not find any evidence of connections to the site, does this imply no connections ever occurred?

There are three main possibilities to consider. Firstly, the techniques used in your examination did not facilitate finding the evidence even though it is present. For example, if we simplistically relate this to an examination where only the live Internet history is examined initially, it is possible that a subsequent examination could determine some deleted Internet history and further evidence may be established.

Secondly, you did find the evidence but were unable to determine how to interpret it so you didn’t establish its meaning. For example, you found a partial registry file in deleted space but did not have the knowledge to interpret it and extract the evidence.

Thirdly, there is no evidence on the device of any connections occurring to So no connection ever occurred?

Even given the last situation, with a computer, often the absence of any evidence is not evidence that it was never present. This is due to the fact that on a computer, data can be deleted and overwritten. Hence, it is possible that an event occurred but evidence of it is no longer available...


Friday, October 15, 2010

How to seduce your (potential) computer forensics employer

by Forensic Focus columnist, David Sullivan

David Sullivan
About the Author

David Sullivan has over 15 years recruitment experience and has spent the last 6 years running his own computer forensics recruitment consultancy, Appointments-UK

We all over-complicate things and this is certainly true when seeking a new job. Essentially, to be successful at a Computer Forensics interview you just need to demonstrate two things:

1. You have the technical skills needed to perform to a high standard;

2. You are a likeable person. This is described in numerous ways such as interpersonal skills, company fit etc, etc, but when it comes down to it I would argue strongly that essentially it comes down to whether the interviewer likes you. This is especially important in CF where you are likely to be working long hours, maybe in a hostile environment and often in stressful situations where personality clashes can cause real problems.

In this article we are going to focus on the second point - making sure we are as likeable as possible as, after all, if two people have very similar technical skills guess who gets the job? Think about it like this - when you have contacted a company or a recruiter, or when you have sat in an interview, how much have you thought about helping the potential employer to actually like you?

Who is David Herron?

This whole process starts way before you get to the interview room which I will demonstrate with the example of a CV I received a couple of months ago with the following cover note:

‘I have just finish my degree in BSc (Hons) Forensic Computing with Third Class Honours awarded and I am seeking employment. I heard of your agency when one of your reps who I think was called David Herron or David Sullivan came into our university 2 years ago to give a talk on your agency.’

Who is David Herron?!! I thought he was a line-backer at Kansas – I am David Sullivan. Agency?! We aren’t an agency, we are a Professional Search firm! Although my initial reaction was to laugh out loud that somebody had taken so little care in their cover note my next thought was that I was not going to make any effort at all to help this person. Maybe I just have issues about needing to be loved due to being ignored by my parents when I was five, but I bet that you too can remember a time when you bristled due to somebody having made no effort to know anything about you before they made contact.

On the other hand I do occasionally (very occasionally I should add) receive an email from a prospective jobseeker saying how much they have enjoyed my articles. OK, so having read my articles we both know that is unlikely to be strictly true but it doesn’t really matter – straight away I am keen to help this person purely as they have made me feel good about myself. Even if I can’t help them I am happy to spare the time to talk about the market and help them improve their CV – it is just human nature...


Thursday, October 14, 2010

A cloud by any other name...

by Forensic Focus columnist, Simon Biles

Simon Biles
About the Author

Simon Biles is a founder of Thinking Security Ltd., an Information Security and Risk Management consultancy firm based near Oxford in the UK.

“You have to know the past to understand the present” – Dr. Carl Sagan

If you have been kind enough to read some of the other articles that I’ve written here on Forensic Focus, you may have noticed that I have a bit of a penchant for historical references ( and quotes, and clich├ęs, but for now – please focus on the references ! ) – something that some of my History teachers might be astonished by, given how long they spent trying to get me to learn who killed who in 1066, possibly nothing compared to the amazement from my English teachers that I’m writing anything at all - but we’ll move on from that swiftly – we are operating in a field that has only been around for, by all counts ( ok, let’s leave Babbage out of it ) not even a century, yet we seem to have run out of innovation. It’s a bit embarrassing actually – we cover it up nicely by making things a bit smaller, or a bit shinier – but really we’re all aware of the fact that, nice as these superficial improvements are – we’re no closer to innovation than a fresh coat of paint on a room is to a Van Gogh.

I’ve known this for a while – not that it stops me from wanting shiny things – but it really came to my attention with “cloud computing”. I don’t know how many of you are aware (or for that matter how many of you would care, really, when it comes down to it) but the British Government has, in its published ICT Strategy (PDF here) proposed the “g-cloud”. This was created by our previous, Labour, government and published January this year, but it doesn’t seem to have gone away under our current, ConDem (I _love_ that abbreviation), rule. I don’t know who’s to blame for the daft name, or for the fact that, whilst “g-cloud” is number 2 in the strategy “Information Security” is number 10 – but nonetheless we have it, and so, as a fully paid up consultant, I was trying to figure out what is required to jump on the bandwagon and charge good money to secure “clouds”.

Fortunately, what I discovered was that I’d already been securing “clouds” for the last 10 years, and, as I pointed out earlier – there is nothing new, just a nice new shiny name, and some (ranging in quality) pretty web interfaces. Now, as a bit of a UNIX head and command line aficionado, the latter is of no great interest to me, so I’m left with a new name …