Sam Raincock: Introducing the Field of Computer Forensics
Sunderland University recently hosted an event for the ‘British Chartered Institute for IT’ Newcastle upon Tyne branch with guest speaker Sam Raincock (from Sam Raincock Consultancy) introducing the topic of Computer Forensics.
Sam covered a variety of topics on the subject of computer forensics. Sam discussed how computer forensics is about how and why something happened, as opposed to just finding ‘data’, and about what the information the investigator has found actually means. For example, when a log file states that a certain event occurred, the investigator's job is to discover how, why and when it occurred, and by whom or what.
Sam also discussed how companies should implement policies and codes of practice for employees, especially with regards to intellectual property, in order to secure an organisation’s data and assets. It was clear from Sam’s talk that it is very often the case that companies ‘should’ implement intellectual property policies rather than actually ‘do’ implement them.
Sam then discussed the areas of law in which computer forensics can be used, explaining how this varies dramatically between criminal, civil, employment and family cases. As Sam quite rightly put it, ‘Where is computer forensics not used?’ The evidence can come from anything from a memory stick to a network server, as well as mobile phones and portable communication devices. Cases range from murder, and proving or disproving intent (for example, someone researching online methods for killing someone, or a colleague becoming too friendly and sending too many messages too often to another), to corporate fraud and computer misuse in the workplace.
Sam quoted Edmond Locard, believed to be the founder of forensics, who stated that ‘Every contact leaves a trace’ back in the early 1900s, a long time prior to digital evidence being created. Sam then went on to discuss how each computer or computer account is individual and bespoke to its user or users, with regards to usage patterns, websites visited, usage times and the tasks carried out on that computer, as well as the files and folders accessed, and how, when and why.
During Sam’s talk, Sam was very keen to get audience participation, which was received very well by the attendees. Sam was able to engage the audience in thinking about the key areas of a computer forensic investigation, such as:
What – What can be classed as evidence on a suspect medium? Simple: everything. Browsing history, emails, database files, documents, images; the list could be endless.
When – When did something occur? How can you determine that the date and time information is accurate, and how can this be verified? If the date and time of the computer system is deemed to be incorrect, what methods can be used to determine how inaccurate it is and to determine the true timeline of events?
Where – Where did something occur, and/or where did something ‘occur’ (originate) from? Sam also discussed geo-tagging technology and how many electronic devices today contain geo-tagging, such as digital cameras, GPS devices and mobile phones, in order to work with social networking sites such as Facebook and Twitter.
Who – Is this impossible to answer? Who was physically at the keyboard? Sam discussed how usage and behaviour patterns can be built up to determine the most likely user of a PC at a point in time, such as which websites were accessed, what types of websites they were, and how the usage differed between the different users, especially when those behaviour patterns are compared with information already known about a group or an individual, such as hobbies, interests and lifestyle choices.
It may also be that a suspect uses remote access tools to create an alibi for when they were ‘physically’ at their PC. The picture can be reinforced by determining what physical tasks were carried out at the PC itself, such as an optical drive being used and disc media being inserted, or USB storage devices being inserted into and removed from the physical computer.
How – How did something occur? How did files get from one place to another, such as from an employee’s workplace to their home laptop or PC, during an intellectual property breach investigation? What methods were used to transfer the data, and what can be done in the future, as a ‘lessons learnt’ exercise, for the organisation to prevent it re-occurring? Could things have been put in place prior to the breach, such as policies and technical restrictions, to prevent a ‘closing the door after the horse has bolted’ situation? Were files downloaded using file sharing or BitTorrent sites, and if so, are there any usernames, email addresses or unique identifiers associated with these sites?
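One concrete way to tackle the ‘When’ question above is to anchor the suspect machine’s clock against an event whose true time is known from an independent source, and then re-time every other record by that offset. The following is an added example, not code from the talk or from Sam Raincock Consultancy; the event list and reference times are constructed sample values, and it assumes the suspect clock was simply offset by a constant amount (no drift) and that all recorded timestamps are in the same local time.

```python
from datetime import datetime, timezone

# Constructed sample: timestamps as recorded by the suspect machine's own
# (suspect) clock, paired with a description of each event.
SAMPLE_EVENTS = [
    ("2011-03-14 09:12:05", "USB mass storage device attached"),
    ("2011-03-14 09:15:40", "file copied: projects.zip -> E:\\"),
    ("2011-03-14 09:16:02", "USB mass storage device removed"),
]

# Constructed reference pair: one event whose true time is known independently
# (e.g. the time an external mail server received a message) and what the
# suspect machine's clock recorded for that same event.
REFERENCE_RECORDED = "2011-03-14 09:00:00"   # suspect clock
REFERENCE_TRUE_UTC = "2011-03-14 10:47:30"   # independent source

FMT = "%Y-%m-%d %H:%M:%S"


def parse_ts(s):
    """Parse a 'YYYY-MM-DD HH:MM:SS' string into a naive datetime."""
    return datetime.strptime(s, FMT)


def clock_offset(recorded, true_utc):
    """Return (true time - recorded time): positive if the suspect clock
    was running slow, negative if it was running fast."""
    return parse_ts(true_utc) - parse_ts(recorded)


def corrected_timeline(events, offset):
    """Apply the clock offset to each recorded timestamp and return a list of
    (corrected_utc, recorded, description) sorted by corrected time."""
    out = []
    for recorded, desc in events:
        corrected = (parse_ts(recorded) + offset).replace(tzinfo=timezone.utc)
        out.append((corrected, recorded, desc))
    out.sort(key=lambda e: e[0])
    return out


if __name__ == "__main__":
    off = clock_offset(REFERENCE_RECORDED, REFERENCE_TRUE_UTC)
    print(f"suspect clock offset: {off} (true = recorded + offset)")
    for corrected, recorded, desc in corrected_timeline(SAMPLE_EVENTS, off):
        print(f"{corrected.isoformat()}  (recorded {recorded})  {desc}")
```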
Sam raised a quite obvious, yet not very often considered, point: just because an event log says event ‘X’ occurred, it doesn’t actually mean that the event recorded as having occurred did actually occur, or that it occurred in the order the event log says it did. At the end of the day, that software and code was programmed by a human, so just because a log states that x, y and z were deleted, is that really true? Sam explained how assurances can be sought through functionality testing of the software that produced the log, or, at the very least, how suspicions and concerns can be confirmed.
Another realistic question which was raised by Sam was about how reliable software can be which is used to carry out digital investigations. Sam asked the question of:
‘How many people would fly in the plane which they had programmed the software for?’ Not many!
Software does contain bugs and errors do occur; software can be, and is, affected by the ‘human factor’, as it is humans who program it. One option may be to verify results using another application, but just because two applications produce the same results, does that necessarily mean the original application was correct? It may, but it is also possible that both applications have the same bug, or different bugs which produce the same results or errors. Never assume anything; test thoroughly! We are all tempted by the free utilities out there.
Sam then offered a scenario for the audience to consider and discuss, asking how they would go about carrying out an investigation. During the scenario, Sam presented a demonstration of the very popular computer forensic acquisition suite EnCase and how it could be used to assist in an investigation; the example given was theft of intellectual property.
The talk also discussed the ‘weakest link’ approach with regards to interrogating things such as encrypted storage media: it may be possible to recover a password from a less secure encrypted medium, such as a Word 2000 file, and once obtained, see whether that password provides access to newer encrypted items, in the likelihood that the user has used the same password more than once and for a long duration. No matter how good the encryption may be, whether it is a Word 2000 file or a TrueCrypt 256-bit AES encrypted file container, if the password is the same for both, the human is the weakest link.
Sam also discussed the often controversial topic of ‘Incident Response’ and how the IT support team can make things a whole lot more complicated and expensive if they are not digital-forensics aware. Not only does the ‘trained’ forensic investigator need to investigate what originally happened, they now also need to investigate what the IT team did that may have affected the original incident. This would also need to be documented in the event that a case went to a court of law, as otherwise the evidence could become inadmissible.
Finally, Sam discussed ‘incident’ recording and how data loss/breach incidents should be recorded, ranging from a window in an office being left open overnight to a lost or stolen memory stick or laptop. Long term, it is more beneficial to plan for, acknowledge and understand what incidents occur, in order to learn from them and prevent them from occurring in the future as far as possible, and to have the policies in place to back the organisation up prior to an incident occurring. Data and information security is down to education.
Overall the talk from Sam Raincock was very informative, offering topics from both the textbook perspective as well as real-world ‘field’ experience which, I believe, is vital, having come from a primarily IT industry learning environment myself and having benefited greatly from it after having only recently entered the academic arena over the previous two years in order to begin studying my degree in Digital Forensics. I believe strongly that you cannot just source all of your knowledge and information from one source, such as just turning up to tutorials each week and expecting the words and the know-how to be fed to you; you have to find it yourself, from multiple sources, all with different experiences, opinions and backgrounds. The pre- and post-event refreshments were very impressive also!
I look forward to the next BCS event!!!
You can keep up to date with the BCS Newcastle branch and Sam Raincock via the links below –