<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Digital Forensics Magazine Blog</title>
	<atom:link href="http://digitalforensicsmagazine.com/blogs/?feed=rss2" rel="self" type="application/rss+xml" />
	<link>http://digitalforensicsmagazine.com/blogs</link>
	<description>DFM Blog, the authoritative blog on all matters concerning cyber security</description>
	<lastBuildDate>Wed, 20 Mar 2013 15:09:04 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>Freezing Android Phones Just Won&#8217;t Break The Ice With Forensic Investigators</title>
		<link>http://digitalforensicsmagazine.com/blogs/?p=409</link>
		<comments>http://digitalforensicsmagazine.com/blogs/?p=409#comments</comments>
		<pubDate>Wed, 20 Mar 2013 15:08:36 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
				<category><![CDATA[Forensics Tools]]></category>
		<category><![CDATA[General Technology]]></category>
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://digitalforensicsmagazine.com/blogs/?p=409</guid>
		<description><![CDATA[Leading and available mobile forensics tools already have similar capabilities, enabling law enforcement to effectively obtain admissible evidence from mobile devices. Mobile forensics has evolved at an exponential rate over the last decade or so. The rise of the smartphone&#8230;<p class="more-link-p"><a class="more-link" href="http://digitalforensicsmagazine.com/blogs/?p=409">Read more &#8594;</a></p>]]></description>
				<content:encoded><![CDATA[<p>Leading and available mobile forensics tools already have similar capabilities, enabling law enforcement to effectively obtain admissible evidence from mobile devices. Mobile forensics has evolved at an exponential rate over the last decade or so. The rise of the smartphone has meant it’s had to. Forensic investigations can rely on taking fingerprints or finding DNA samples on a car seat, as well as data from digital devices, such as mobile phones.</p>
<p>With the correct software, operated by a trained investigator, mobile data can be extracted and analysed very quickly. It’s vital that this process isn’t a lengthy one, as investigators can sometimes be operating in life or death situations. A single device that has both the capability to extract as well as analyse mobile data is far more efficient and accurate than freezing the phone first and then processing the data in a separate computer.</p>
<p>The data that’s stored on a user’s mobile phone, such as sent messages, browsed websites and recent calls, can help investigators build a fairly accurate picture of a case. Devices such as the UFED from Cellebrite can not only retrieve this data but can also salvage data that’s been deleted by the user.</p>
<p>This can be critical to an investigation. Criminals could be mistaken in thinking that by deleting sensitive data they are removing it from the reach of the investigator.</p>
<p>Although digital technology has made criminal coordination easier, it has also made criminals more vulnerable to being caught. Before the age of the mobile phone, criminals would communicate via a landline telephone and, before that, through a telegram or a written letter. These methods of communication could be easily erased to avoid discovery.</p>
<p>Research into data extraction and analysis methods for the latest technology is of vital importance to law enforcement agencies. But people should be aware of the technology that’s out there and at the disposal of investigators.</p>
<p>People should also be aware that due to the critical nature of digital forensics, taking a ‘DIY approach’ to data extraction is not the way forward. Investigators must use technology for accuracy’s sake, in addition to the fact that it saves a considerable amount of time.</p>
<p><a href="http://digitalforensicsmagazine.com/blogs/wp-content/uploads/2013/03/Yuval-Ben-Moshe.jpg"><img src="http://digitalforensicsmagazine.com/blogs/wp-content/uploads/2013/03/Yuval-Ben-Moshe-300x300.jpg" alt="Yuval Ben Moshe" width="300" height="300" class="alignleft size-medium wp-image-413" /></a> Yuval Ben-Moshe, senior forensics technical director at Cellebrite</p>
]]></content:encoded>
			<wfw:commentRss>http://digitalforensicsmagazine.com/blogs/?feed=rss2&#038;p=409</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Protect Your Business From State-Sponsored Attacks</title>
		<link>http://digitalforensicsmagazine.com/blogs/?p=393</link>
		<comments>http://digitalforensicsmagazine.com/blogs/?p=393#comments</comments>
		<pubDate>Thu, 28 Feb 2013 23:35:08 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
				<category><![CDATA[Digital Forensics Magazine]]></category>
		<category><![CDATA[General Technology]]></category>
		<category><![CDATA[In the News]]></category>
		<category><![CDATA[In-depth Articles]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://digitalforensicsmagazine.com/blogs/?p=393</guid>
		<description><![CDATA[It has taken some time but we finally have succumbed to the delights of a certain kitchen utensil. Years of resisting George, John, and the seductive talents of Penelope, had left me more determined than ever to resist at all&#8230;<p class="more-link-p"><a class="more-link" href="http://digitalforensicsmagazine.com/blogs/?p=393">Read more &#8594;</a></p>]]></description>
				<content:encoded><![CDATA[<p>It has taken some time but we finally have succumbed to the delights of a certain kitchen utensil. Years of resisting George, John, and the seductive talents of Penelope, had left me more determined than ever to resist at all costs. The result: a plethora of appliances – eight at last count – to produce the perfect cup of coffee at the right moment, cluttering kitchen surfaces and cupboards, and never quite getting it right. After all, each appliance needs and produces its own unique type of coffee. And it’s difficult, when you’re the only serious coffee drinker, to convince ‘management’ at home that such a thing as a CCM (Centralized Coffee Management) system is essential.</p>
<p>And the story is similar with encryption keys and certificates. Look around any mid to large size organisation and you will find SSL, SSH and Symmetric keys and digital certificates scattered around &#8211; and each type will also have several variants. Then there are all the different “utensils” which use the keys, from applications to a myriad of appliances, as well as a host of built-in ‘tools’ to manage each variety.  The result is more management systems than the average household’s coffee machines.</p>
<p>Today SSL and SSH keys and certificates are found littered across virtually all systems, applications and end-user computing devices. In most cases no one knows who caused the ever-proliferating and expanding landscape of encryption “litter,” and since these keys and certificates are used to protect critical systems and sensitive data, ineffective and siloed management means that organisations are increasingly susceptible to failed audits, security risks, unexpected systems outages, compromises to systems applications and most importantly, critical data. Of course, each of these comes with its own costly financial and reputational consequences.</p>
<p>The Dark Side</p>
<p>And just as I’m told that there’s a dark side to my caffeine addiction, there is a definite dark side to the unmanaged and unquantified encryption keys and certificates that we’ve become so dependent on—which now act as the infrastructure backbone of all online trust and security. Today as never before, everyone from governments to private individuals is under attack. The use of malware for criminal, ideological and political aims is growing at an alarming rate. Stuxnet opened Pandora’s Box when the use of valid, stolen SSL certificates as a means to authenticate the malware and allow it to remain hidden and undetected became common knowledge. Since then there has been an explosion of malware using digitally signed certificates.</p>
<p>Can we defend ourselves against state-sponsored attacks?</p>
<p>Today we are faced with cyber-attacks on a scale never imagined, and the question that has to be asked is whether or not there is anything we can do to protect our infrastructure, enterprises and ourselves.</p>
<p>But I believe the reality is that we are responsible in large part for the ease with which cyber-terrorists, regardless of their ideology or motivation, are attacking us. In effect, we are supplying the weapons that are being used against us. The collective failure of enterprises to protect keys and certificates is resulting in these very keys and certificates being used against us.</p>
<p>The Flame attack, for example, which masqueraded as a Windows update, was successful because of Microsoft’s continued use of MD5 algorithms, years after they themselves had identified that they were compromised. A surprisingly small amount of money needed to be spent to create a duplicate certificate. Shamoon, which attacked Aramco and RasGas, leveraged a certificate stolen from a company called Eldos, and issued by GlobalSign. The fact that it was issued by GlobalSign is not the problem; the problem is that the key and certificate were reportedly stolen from Eldos. And it goes on and on. Cyber-terrorists are literally helping themselves to keys and certificates from global business because they know that no one manages them. When organisations don’t ensure proper controls over trust, business stops. End of story.</p>
<p>So the first step in defending ourselves is to protect our key and certificate arsenal. Having effective management so that access to any key or certificate is controlled is a first step in ensuring that you don’t become the next unsuspecting collaborator. And that management has to be unbiased, universal and independent if it’s going to work—not caring who issues the encryption or in what departmental silos it resides (one cannot be both the issuer and manager of encryption simultaneously—too many inherent conflicts of interest). No one wants to have their name associated with a cyber-attack that at the very least results in significant financial loss for the victim, but even more seriously results in the loss of life.</p>
<p>Secondly, enterprises are not responding to the attacks. There is massive investment in perimeter security but when we are told repeatedly that the threat is as much from within as outside, we need to act.</p>
<p>Can we still protect critical infrastructure from attack in the digital age?</p>
<p>If malware is the Cyber-terrorist weapon of the 21<sup>st</sup> century, then organisations need to reduce the risk as much as possible. At last count there are in excess of 1500 Trusted Third Parties who issue certificates globally. Many of these are in every system in the infrastructure, and the result is that if a system trusts the issuer, it will by default trust the “messenger”, in this case malware.</p>
<p>So like your firewall in the 20th Century, which you used to reduce the access points through your perimeter, effective management of trusted issuers and instruments similarly reduces your risk of malware infection. If a system doesn’t know the issuer, it’s not going to trust the messenger. So although you can never completely remove the risk because you have to trust some people, you will significantly reduce the number of possible attacks. But this requires the determination of an organisation to take steps to protect itself. The management of trust stores in every system becomes an absolute necessity in the fight against cyber-terrorism, regardless of what group, enterprise, or nation state is behind it.</p>
<p>According to US Defence Secretary Leon Panetta, the Pentagon and American intelligence agencies are seeing an increase in cyber threats that could have devastating consequences if they aren’t stopped. “A cyber-attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11. Such a destructive cyber terrorist attack could paralyse the nation.”</p>
<p>The question is: when will we start to see individuals and organisations being held culpable for these attacks? In the cyber-terrorism war, it is a big business selling valid SSL certificates, whether stolen, lost or sold, to “terrorists” &#8211; and it is likely to play a significant part in a major incident, and ignorance will not be a defence!</p>
<p>So my advice is, as George Orwell wrote in “1984” -  “If you want to keep a secret, you must also hide it from yourself.”</p>
<p><a href="http://digitalforensicsmagazine.com/blogs/wp-content/uploads/2013/02/Calum-Macleod.jpg"><img class="alignleft  wp-image-394" alt="Calum Macleod" src="http://digitalforensicsmagazine.com/blogs/wp-content/uploads/2013/02/Calum-Macleod-225x300.jpg" width="95" height="126" /></a> Calum MacLeod has over 30 years of expertise in secure networking technologies, and is responsible for developing Venafi’s business across Europe as well as lecturing and writing on IT security.</p>
<p><a href="http://www.venafi.com">www.venafi.com</a></p>
]]></content:encoded>
			<wfw:commentRss>http://digitalforensicsmagazine.com/blogs/?feed=rss2&#038;p=393</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Digital Forensics Capability Analysis</title>
		<link>http://digitalforensicsmagazine.com/blogs/?p=381</link>
		<comments>http://digitalforensicsmagazine.com/blogs/?p=381#comments</comments>
		<pubDate>Tue, 26 Feb 2013 09:14:29 +0000</pubDate>
		<dc:creator>RoyIsbell</dc:creator>
				<category><![CDATA[Announcements]]></category>
		<category><![CDATA[Digital Forensics Magazine]]></category>
		<category><![CDATA[General Technology]]></category>
		<category><![CDATA[In the News]]></category>
		<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[Training and Certification]]></category>

		<guid isPermaLink="false">http://digitalforensicsmagazine.com/blogs/?p=381</guid>
		<description><![CDATA[The ICT KTN, on behalf of the Forensic Science Special Interest Group (FSSIG), is conducting a survey of the UK&#8217;s Digital Forensics Capability. This work is being managed by Angus Marshall, of n-gate ltd., to whom any initial queries should&#8230;<p class="more-link-p"><a class="more-link" href="http://digitalforensicsmagazine.com/blogs/?p=381">Read more &#8594;</a></p>]]></description>
				<content:encoded><![CDATA[<p>The ICT KTN, on behalf of the Forensic Science Special Interest Group (FSSIG), is conducting a survey of the UK&#8217;s Digital Forensics Capability. This work is being managed by Angus Marshall, of n-gate ltd., to whom any initial queries should be directed. The project team also includes the CyberSecurity Centre at De Montfort University.</p>
<p>To download this survey please visit the following links:</p>
<address><a href="http://www.digitalforensicsmagazine.com/emailCampaigns/DFCA_email_survey.doc">Word</a> format</address>
<address><a href="http://www.digitalforensicsmagazine.com/emailCampaigns/DFCA_email_survey.pdf">PDF</a> format</address>
<p><strong>Background</strong></p>
<p>Traditional Digital Forensics activities involve the recovery and investigation of material found in digital devices. Such data is at rest on static devices such as hard drives and in solid-state memory on camcorders, mobile phones, GPS navigation devices etc. The market for this activity was driven by Law Enforcement and other public sector organisations, hence it was necessary for all activities to be conducted in line with UK evidential criteria so that it was admissible in a court of law.</p>
<p>Our digital age has seen requirements evolve. With the ubiquitous use of email came a requirement for a new field of expertise – that known as “e-discovery”. E-discovery refers to discovery in civil litigation, which deals with the exchange of information in electronic format (electronically stored information or ESI). This data is subject to local rules and processes and is often reviewed for privilege and relevance before being turned over to opposing counsel, where the burden of proof rests on the balance of probability.</p>
<p>However, our digital evolution has not remained static. The growth of cyberspace, the trend towards mobile devices (BYOD) and cloud services has seen data take on a far more transitory nature, and the physical location of data at rest can be difficult if not impossible to determine. Data is versioned, distributed and stored across differing networks, devices, borders and boundaries.</p>
<p>The traditional digital forensics practice of imaging and extracting information from disparate physical devices no longer suffices for incident investigation in cyberspace. There is an increasing requirement from businesses in the private sector, and emerging capabilities are required to keep pace so that these requirements can be met.</p>
<p>The team will produce a report detailing the current stakeholders, existing capabilities and challenges. This will enable the identification of areas in which there are capability gaps. Attention will then be paid to how these gaps may be reduced and any specific challenges which will need to be overcome in order to do so. Further, a glossary of terms of key digital forensics concepts with simple definitions will be produced to assist with knowledge transfer both within and outside of the FoSci community.</p>
<p><strong>Your involvement</strong></p>
<p>You can assist with this first stage of the survey by completing the attached questionnaire and returning it to DFCA@n-gate.net no later than Monday, 4th March please. All responses will be treated in strictest confidence and your answers will be anonymised before they are included in the report(s).</p>
<h1>Digital Forensics Capability Analysis &#8211; Questionnaire</h1>
<p>If you are willing to assist with this phase of the project, please complete and return to <strong>DFCA@n-gate.net</strong> by Monday 4th March 2013</p>
<p>1) What do you understand by the term &#8220;Digital Forensics&#8221;? (one or two sentence answer)</p>
<p>2) In which context do you use digital forensics (e.g. law enforcement, civil law, criminal law, private sector, internal investigation, information security)</p>
<p>3) What types of technology do you deal with in the context of digital forensics ?</p>
<p>4a) What is the single greatest DF challenge you, personally,  face in your everyday activities ?</p>
<p>4b) How do you think this challenge could be addressed ?</p>
<p>4c) What is the single greatest DF challenge that your organisation faces in its everyday activities ?</p>
<p>4d) How do you think this challenge could be addressed ?</p>
<p>5a) What challenges do you think you will face in the near (1-2 years) and medium-term (2-5 years) future ?</p>
<p>5b) How do you think these challenges could be addressed ?</p>
<p>6) When you are looking for solutions to digital forensics problems, who do you turn to for</p>
<p>a) off-the-shelf solutions ?</p>
<p>b) bespoke solutions/product customisation ?</p>
<p>7) Who would you consider to be the key people or organisations relevant to your experience and usage of digital forensics ?</p>
<p>8) What other innovations, relating to technology, services or any other issues affecting digital forensics, do you think would be beneficial ?</p>
<p>9) May we contact you again for more information ?</p>
<p>(If &#8220;Yes&#8221;, please also provide your name and a contact phone number or email)</p>
<h2 style="text-align: left;"><a href="http://digitalforensicsmagazine.com/blogs/wp-content/uploads/2013/02/SIG-Forensic-Science.png"><img class="size-full wp-image-382 alignright" alt="SIG Forensic Science" src="http://digitalforensicsmagazine.com/blogs/wp-content/uploads/2013/02/SIG-Forensic-Science.png" width="89" height="88" /></a></h2>
<h2>Forensic Science Special Interest Group</h2>
<p>For more information about the FSSIG, and to get involved in the community, please see https://connect.innovateuk.org/web/forensics</p>
]]></content:encoded>
			<wfw:commentRss>http://digitalforensicsmagazine.com/blogs/?feed=rss2&#038;p=381</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cellebrite’s Panel of Leading Industry Experts Identify Mobile Forensics Trends for 2013</title>
		<link>http://digitalforensicsmagazine.com/blogs/?p=364</link>
		<comments>http://digitalforensicsmagazine.com/blogs/?p=364#comments</comments>
		<pubDate>Wed, 23 Jan 2013 12:13:53 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
				<category><![CDATA[Announcements]]></category>
		<category><![CDATA[Forensics Tools]]></category>
		<category><![CDATA[In the News]]></category>
		<category><![CDATA[Computer Forensics]]></category>
		<category><![CDATA[digital forensics]]></category>
		<category><![CDATA[forensics]]></category>
		<category><![CDATA[Mobile Device Forensics]]></category>

		<guid isPermaLink="false">http://digitalforensicsmagazine.com/blogs/?p=364</guid>
		<description><![CDATA[Petah Tikva, Israel, January 23, 2013 – As 2013 gets underway, Cellebrite, the leading provider of mobile forensic and mobile data transfer solutions, has announced a list of top trends in mobile forensics that will shape the year ahead. To&#8230;<p class="more-link-p"><a class="more-link" href="http://digitalforensicsmagazine.com/blogs/?p=364">Read more &#8594;</a></p>]]></description>
				<content:encoded><![CDATA[<p>Petah Tikva, Israel, January 23, 2013 – As 2013 gets underway, Cellebrite, the leading provider of mobile forensic and mobile data transfer solutions, has announced a list of top trends in mobile forensics that will shape the year ahead.</p>
<p>To gather this list, Cellebrite interviewed a number of prominent experts from law enforcement, corporations and universities, as well as industry analysts, familiar with mobile forensics, information security and e-discovery and the most advanced mobile forensic products available today. They highlighted the following nine trends as the most critical for investigative and legal professionals to prepare for the upcoming year:</p>
<p>1. BYOD impacts the forensics industry. While “Bring Your Own Device” (BYOD) seemed to infiltrate the enterprise in 2012, the mobile forensics industry will confront the impact of this growing trend in the year ahead. BYOD adoption across the enterprise means that forensics professionals will encounter a greater number of compromised phones. According to John Carney, Chief Technology Officer, Carney Forensics, “For e-discovery experts, BYOD will mean contending with more devices that contain both personal and corporate evidence as well as an increase in legal challenges related to device access and privacy during corporate investigations.”</p>
<p>2. Critical data: there’s an app for that. According to a 2012 Nielsen report, the average smartphone user has approximately 41 apps installed on a single device. “Whether it’s mobile messaging, personal navigation, social media or improving productivity – apps are going to dominate smartphones and tablets in 2013,” said Carney. “The ability to extract critical data stored in apps will become the new measuring stick by which investigators gauge the superiority of mobile forensics tools.”</p>
<p>3. Smarter phones mean tougher encryption. “Expect to see more encryption of data on smartphones to protect personal privacy and corporate data, which will make forensic examination more challenging,” said Eoghan Casey, founding partner at CASEITE. Password technology, too, has advanced; pattern-screen locks have hindered forensic data extraction efforts. In 2013, look for mobile forensics tools to continue to find ways to bypass a greater number of passwords and device locks, as well as address advanced encryption technology.</p>
<p>4. Investigators can’t put all their eggs into one mobile operating system. Though Android took 75 per cent of the market in Q3 of 2012, for mobile forensics professionals, market share isn’t everything. As Paul Henry, security and forensics analyst, vNet Security, noted, “While Android is the predominant operating system, the bulk of the bandwidth is still taking place on Apple devices, making them critical to many investigations.” In addition, despite BlackBerry’s decline in recent years, Carney said: “Their popularity for over a decade will make them an important legacy device pertinent to investigations for years to come.”</p>
<p>5. Windows 8 is the wildcard. Notwithstanding all the attention garnered by Android and Apple, the real wildcard for 2013 will be the rise of Microsoft in the mobile device market. While questions remain regarding how prevalent Microsoft devices will become, Cellebrite’s panel of experts predicts that the need for mobile forensic tools providing support for Windows 8 will increase in the New Year.</p>
<p>6. Mobile devices advance as witnesses. Look for mobile devices and the data they contain to take centre stage in both civil and criminal investigations in the year ahead. “Civil litigators are discovering that mobile device evidence is just as important as digital documents and email evidence,” said Carney. According to Heather Mahalik, mobile forensics technical lead at Basis Technology, “Now, more than ever before, e-discovery experts need comprehensive training in order to ensure the proper extraction of all relevant data from mobile devices.”</p>
<p>7. The regulatory and legislative landscape remains uncertain. “Lawmakers and judges are looking at cell phones much more critically than they did computers,” said Gary Kessler, associate professor, Embry-Riddle Aeronautical University and a member of the ICAC North Florida Task Force. “However, because few understand the nature of the technology, they are erring greatly on the side of caution. This speaks to the need for greater education regarding the scope and possibilities of mobile forensics and what it means for privacy and pre-trial discovery.”</p>
<p>8. Mobile malware’s incidence will rise. In 2013, look for malware on smartphone platforms and tablets to increase exponentially, particularly on Android devices. According to Cindy Murphy, detective, computer crimes/computer forensics, Madison Wisconsin Police Department, “The intended uses of mobile malware will be very similar to non-mobile malware – steal money, steal information and invade privacy. For law enforcement and forensics professionals, mobile malware means dealing with potentially compromised devices that may help perpetrators cover their tracks, making it increasingly difficult for investigators to meet the threshold of reasonable doubt.”</p>
<p>9. Data breaches via mobile will rise. “Mobile forensics vendors should resolve to provide stronger capabilities for enterprise wide smartphone investigations to support the investigation of data breaches targeting smartphones and the needs of e-discovery,” said Casey. Malware together with large-scale targeted intrusions into smartphones (targeting sensitive data) will raise enterprises’ risks for data destruction, denial of service, data theft and espionage.</p>
<p>“From the increasing use of mobile evidence to challenges stemming from the rise in tougher encryption methods, there are a number of areas that will demand the attention of mobile forensics professionals in the year ahead,” said Ron Serber, Cellebrite co-CEO. “As the industry continues to evolve, it will be critical for the law enforcement community, as well as the enterprise, to invest in proper training and ensure that their budgets allow them to meet the growing demand for comprehensive device analysis and data extraction.”</p>
<p>Cellebrite’s UFED provides cutting-edge solutions for physical, logical and file system extraction of data and passwords from thousands of legacy and feature phones, smartphones, portable GPS devices, and tablets with ground-breaking physical extraction capabilities for the world’s most popular platforms – BlackBerry®, iOS, Android, Nokia, Windows Mobile, Symbian, Palm and more. The extraction of vital evidentiary data includes call logs, phonebook, text messages (SMS), pictures, videos, audio files, ESN, IMEI, ICCID and IMSI information and more.</p>
<p>Cellebrite’s panel of experts included:<br />
·         Eoghan Casey, Founding Partner, CASEITE<br />
·         John Carney, Chief Technology Officer, Carney Forensics; Attorney at Law, Carney Law Office<br />
·         Paul Henry, Leading Security and Forensics Analyst, Principal at vNet Security; Vice President at Florida Association of Computer Crime Investigators; SANS Senior Instructor<br />
·         Gary Kessler, Associate Professor, Embry-Riddle Aeronautical University; ICAC Northern Florida Task Force<br />
·         Heather Mahalik, Mobile Forensics Technical Lead, Basis Technology; SANS Certified Instructor<br />
·         Cindy Murphy, Detective Computer Crimes/Computer Forensics, Madison Wisconsin Police Department<br />
·         Ron Serber, co-CEO, Cellebrite</p>
<p>http://www.cellebrite.com/collateral/WhitePaper_MF_2013_Trends.pdf</p>
<p><img src="http://digitalforensicsmagazine.com/blogs/wp-content/uploads/2013/01/cellebrite-logo.png" alt="cellebrite-logo" width="220" height="47" class="aligncenter size-full wp-image-370" /></p>
]]></content:encoded>
			<wfw:commentRss>http://digitalforensicsmagazine.com/blogs/?feed=rss2&#038;p=364</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Big Brother Forensics: Device Tracking Using Browser-Based Artifacts (Part 1)</title>
		<link>http://digitalforensicsmagazine.com/blogs/?p=343</link>
		<comments>http://digitalforensicsmagazine.com/blogs/?p=343#comments</comments>
		<pubDate>Mon, 09 Apr 2012 16:02:57 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
				<category><![CDATA[Digital Forensics Magazine]]></category>
		<category><![CDATA[In-depth Articles]]></category>
		<category><![CDATA[artifact analysis]]></category>
		<category><![CDATA[Browser Forensics]]></category>
		<category><![CDATA[Computer Forensics]]></category>
		<category><![CDATA[Mobile Device Forensics]]></category>

		<guid isPermaLink="false">http://digitalforensicsmagazine.com/blogs/?p=343</guid>
		<description><![CDATA[[Author's Note: Geo-location artifacts have been a frequent focus of my research, and I am amazed at how quickly they are permeating operating systems, applications and file formats. In the fall of 2011 I had the pleasure of writing an article&#8230;<p class="more-link-p"><a class="more-link" href="http://digitalforensicsmagazine.com/blogs/?p=343">Read more &#8594;</a></p>]]></description>
				<content:encoded><![CDATA[<p>[Author's Note: Geo-location artifacts have been a frequent focus of my research, and I am amazed at how quickly they are permeating operating systems, applications and file formats. In the fall of 2011 I had the pleasure of writing an article for Digital Forensics Magazine focused on browser-based geo artifacts, where much of this series was originally published.]</p>
<p>One of the more revolutionary forensic artifacts to emerge in recent years is geo-location data. Geo-location gives us an accurate means to identify the physical location of an item on Earth. It is now possible to determine where in the world a laptop or mobile phone has been, solely using host-based forensics. In a world of increasingly mobile devices, geo-artifacts can provide a crucial extra dimension to our investigations. With it, we now have the potential to answer who, what, when, why, and where.</p>
<p>The trend towards mobile computing is unmistakable, with laptop computers outselling desktops for several years. Forrester Research estimates tablets, netbooks, and laptops to be 73% of computer sales in 2011. While an increasing number of smartphones contain Global Positioning System (GPS) radios, the technology has been slower to be adapted to mobile computers. However, devices can be geo-located and store location artifacts even if they do not contain a GPS capability. In fact, in urban locales and particularly indoors, GPS can be highly unreliable. Technologies like WiFi network positioning and cell tower triangulation often augment or replace GPS. If a device is connected to the Internet and has access to GPS, a cellular modem, or a wireless network card, geo-location data in some form is likely already being generated and stored. This capability has sparked a creative gold rush, with an ever-increasing number of software applications racing to become &#8220;location aware&#8221;. At stake is a slice of the $billion mobile marketing industry. Envision walking by a restaurant and being alerted to a half price lunch special via your mobile device; or arriving at a conference and immediately pinpointing the bars and restaurants where your contacts are located. These applications exist and digital forensic examiners can use the data generated to pinpoint the location of a device at a specific time.</p>
<p><em>This is an update to an article previously published in Digital Forensics Magazine and is posted on and cross posted from the Author's blog by agreement. You can read the rest of the 1st installment <a href="http://computer-forensics.sans.org/blog/2012/04/09/big-brother-forensics-device-tracking-using-browser-based-artifacts-part-1" target="_blank">here</a>:</em></p>
<p>Ed</p>
]]></content:encoded>
			<wfw:commentRss>http://digitalforensicsmagazine.com/blogs/?feed=rss2&#038;p=343</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Book Review &#8211; XBOX 360 Forensics</title>
		<link>http://digitalforensicsmagazine.com/blogs/?p=334</link>
		<comments>http://digitalforensicsmagazine.com/blogs/?p=334#comments</comments>
		<pubDate>Sun, 08 Jan 2012 17:11:31 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://digitalforensicsmagazine.com/blogs/?p=334</guid>
		<description><![CDATA[Rating **** XBOX 360 Forensics offers a fairly in-depth introduction into the world of Games Console Forensics and the tools and techniques required to carry out investigations into Next-Generation Games Consoles. As popular gaming platforms become more and more sophisticated,&#8230;<p class="more-link-p"><a class="more-link" href="http://digitalforensicsmagazine.com/blogs/?p=334">Read more &#8594;</a></p>]]></description>
				<content:encoded><![CDATA[<p style="text-align: left;"><a href="http://digitalforensicsmagazine.com/blogs/wp-content/uploads/2012/01/XBOX360_Forensics.jpg"><img class="size-full wp-image-335" title="XBOX 360 Forensics" src="http://digitalforensicsmagazine.com/blogs/wp-content/uploads/2012/01/XBOX360_Forensics.jpg" alt="A Digital Forensic Guide to Examining Artifacts" width="195" height="240" /></a> Rating ****</p>
<p>XBOX 360 Forensics offers a fairly in-depth introduction into the world of Games Console Forensics and the tools and techniques required to carry out investigations into Next-Generation Games Consoles.</p>
<p>As popular gaming platforms become more and more sophisticated, using their own operating systems and accessing the Internet for various types of transactions, the potential for illegal and malicious activity is dramatically increasing.</p>
<p>Bolt starts the book with a detailed description of the XBOX 360 system, the setup process and how to sign up, and connect to, the social aspects of the XBOX 360 gaming experience: XBOX Live. It is this social outlet that is the main cause of concern for the population with news reports about paedophilia and child abuse stemming from meetings organised using the mail and chat functions inbuilt into the online portal.</p>
<p>Bolt does not provide much information on other crimes that can be committed using the console such as malicious activity as the result of installing a secondary operating system (for example, Linux), but the emphasis of the malicious potential is made quite clear and the need for a set method of investigating consoles is prominent.</p>
<p>With very little documentation on the investigation of consoles available to the investigator, Bolt has provided the perfect starter guide for forensic investigation all the way from acquisition through to analysis. Rather than just provide the tools and techniques, however, Bolt takes the reader along the journey of investigation and provides a very detailed walkthrough of the baseline contents of the XBOX 360 Hard Drive, explaining the various different file types (such as PIRS, LIVE and CON files) and sector locations of valuable information.</p>
<p>The guide describes the use of only a few tools but within this provides an in-depth and efficient investigation method to analyse the Hard Disk Drive. The tool that takes the spotlight in the investigation, Xplorer 360, is not strictly a Forensic tool but more of a console management tool used to connect the XBOX 360 to a Computer via the network and interact with it. It is interesting that this piece of software should provide a solution to the investigator to find artifacts previously unfound by the standard Forensic tools such as Guidance Software&#8217;s EnCase and AccessData&#8217;s Forensic Toolkit Imager. A criticism of the guide is that its main focus is on the Hard Disk Drive, which, while holding some of the user information and game saves, does not contain information of the operating system or memory stack. Bolt mentions that this information is held within specific hardware inside the console itself and it would seem prudent to provide methods to investigate these artifacts, especially when the need for Live Analysis is increasing.</p>
<p>Summary</p>
<p style="text-align: left;">The book does seem quite basic throughout, providing technical details that most investigators would probably be able to figure out for themselves; however, it is an easy read and one that would prove interesting to most who do not know much about the investigation of games consoles.</p>
<p>Willem Knot</p>
<p>Book Title:   XBOX 360 Forensics</p>
<p>Book Subtitle:   A Digital Forensic Guide to Examining Artifacts</p>
<p>Author(s):   Steven Bolt (Samuel Liles &#8211; Technical Editor)</p>
<p>Publisher:   Syngress/Elsevier</p>
<p>Date of Publishing:   7th February 2011</p>
<p>ISBN-13<strong>:</strong> 978-1597496230</p>
<p>Price:   £36.99 (UK), $59.95 (USA)</p>
]]></content:encoded>
			<wfw:commentRss>http://digitalforensicsmagazine.com/blogs/?feed=rss2&#038;p=334</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Book Review &#8211; Extrusion Detection</title>
		<link>http://digitalforensicsmagazine.com/blogs/?p=324</link>
		<comments>http://digitalforensicsmagazine.com/blogs/?p=324#comments</comments>
		<pubDate>Sun, 08 Jan 2012 15:28:59 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
				<category><![CDATA[Book Review]]></category>
		<category><![CDATA[Digital Forensics Magazine]]></category>

		<guid isPermaLink="false">http://digitalforensicsmagazine.com/blogs/?p=324</guid>
		<description><![CDATA[Rating ***** Despite being over six years old now, this book is certainly not outdated in the slightest. While most network security books and guides would focus on perimeter defence from outsider threats, Bejtlich&#8230;<p class="more-link-p"><a class="more-link" href="http://digitalforensicsmagazine.com/blogs/?p=324">Read more &#8594;</a></p>]]></description>
				<content:encoded><![CDATA[<p><a href="http://digitalforensicsmagazine.com/blogs/wp-content/uploads/2012/01/Extrusion_Detection.jpeg"><img class="size-full wp-image-328 alignleft" title="Extrusion Detection" src="http://digitalforensicsmagazine.com/blogs/wp-content/uploads/2012/01/Extrusion_Detection.jpeg" alt="Security Monitoring for Internal Intrusions" width="160" height="212" /></a></p>
<p>Rating *****</p>
<p>Despite being over six years old now, this book is certainly not outdated in the slightest. While most network security books and guides would focus on perimeter defence from outsider threats, Bejtlich concentrates on attacks launched within the organisation. At the time of publishing, this book was unique in its approach to defensive practices and is aimed to go hand in hand with Bejtlich&#8217;s &#8216;Tao of Network Security&#8217;, picking up where Tao left off and concentrating solely on defence, where Tao started from the point of view of the attacker.</p>
<p>The first thing to notice about this book is the foreword by Marcus Ranum, which, unusually for a book, consists of an interview with the author and highlights how different Extrusion Detection is from other Network Security Guides.</p>
<p>The book is aimed at all those who have an intermediate to advanced knowledge of network security and so should be used by those just starting out in the industry, especially as Bejtlich talks about tools and techniques that, at the time of writing, were not common practices amongst professionals. However, it holds great potential value as an addition to anyone’s security/information assurance library.</p>
<p>Traditionally, the main focus of network security has been about keeping the hackers and malicious users out. The book is split into three specific sections, Detecting and Controlling Intrusions, Network Security Operations and Internal Intrusions, taking the reader on a journey from the reasons to look for Extrusions through to the various types of Extrusion, such as Malicious IRC Bots. Bejtlich uses various technologies, such as Proxies and IDS/IPS, as demonstrations using commands that can easily be adapted into organizations’ own technologies.</p>
<p>For those specifically interested in Network Forensics, Bejtlich devotes an entire chapter to just this and discusses the links between the security practices discussed throughout the book and the forensics practices used within the chapter. Incident Response is also explained prior to Forensics. Bejtlich gives a detailed introduction to Network Forensics and describes it as being different from Digital Forensics in that it is focused on Packet Capture, using tools such as Wireshark/Ethereal. The emphasis here, however, is that Network Forensics is a valuable and crucial part of the defence of a network infrastructure from both internal and external threats.</p>
<p>Followers of Richard Bejtlich&#8217;s Tao security blog will instantly recognise his unique method of describing and demonstrating the various tools and techniques required to put Extrusion Detection into practice. Throughout the book there are valuable diagrams, screenshots and actual packet captures that help the reader to fully understand each point that is made, a feature that is often overlooked in many security guides.</p>
<p>Summary</p>
<p>This book is a valuable read for anyone interested, or working, in the security and forensics industry. Bejtlich provides a refreshing approach to defensive methods and illuminates the potential damage of insider threats. Highly recommended as a partner guide to &#8216;The Tao of Network Security&#8217;, which together provide an ultimate guide to Network Security.</p>
<p>Reviewer Name:   Willem Knot</p>
<p>Book Title:   Extrusion Detection</p>
<p>Book Subtitle:   Security Monitoring for Internal Intrusions</p>
<p>Author(s):   Richard Bejtlich (Foreword by Marcus Ranum)</p>
<p>Publisher:   Addison-Wesley</p>
<p>Date of Publishing:   8th November 2005</p>
<p>ISBN-13<strong>:</strong> 978-0321349965</p>
<p>Price: £39.99 (UK), $54.99 (USA)</p>
]]></content:encoded>
			<wfw:commentRss>http://digitalforensicsmagazine.com/blogs/?feed=rss2&#038;p=324</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Call for Forensic Practitioners to Beta Test new Tool</title>
		<link>http://digitalforensicsmagazine.com/blogs/?p=312</link>
		<comments>http://digitalforensicsmagazine.com/blogs/?p=312#comments</comments>
		<pubDate>Thu, 04 Aug 2011 05:45:21 +0000</pubDate>
		<dc:creator>RoyIsbell</dc:creator>
				<category><![CDATA[Announcements]]></category>
		<category><![CDATA[Forensics Tools]]></category>
		<category><![CDATA[General Technology]]></category>
		<category><![CDATA[In the News]]></category>

		<guid isPermaLink="false">http://digitalforensicsmagazine.com/blogs/?p=312</guid>
		<description><![CDATA[CCL-Forensics based in the UK are offering Digital Forensics Practitioners the opportunity to take part in the final beta test which is now underway, any interested practitioners wishing to be involved should register at www.ccl-forensics.com/pip. Researchers at CCL-Forensics have developed&#8230;<p class="more-link-p"><a class="more-link" href="http://digitalforensicsmagazine.com/blogs/?p=312">Read more &#8594;</a></p>]]></description>
				<content:encoded><![CDATA[<p><a href="http://digitalforensicsmagazine.com/blogs/wp-content/uploads/2011/08/CCL-Logo.png"><img class="alignleft size-full wp-image-313" title="CCL Logo" src="http://digitalforensicsmagazine.com/blogs/wp-content/uploads/2011/08/CCL-Logo.png" alt="" width="109" height="40" /></a>CCL-Forensics, based in the UK, are offering Digital Forensics Practitioners the opportunity to take part in the final beta test, which is now underway. Any interested practitioners wishing to be involved should register at www.ccl-forensics.com/pip.</p>
<p>Researchers at CCL-Forensics have developed an innovative application for presenting the data held in XML format – a common data storage format, found on a wide range of digital devices and platforms including PCs, phones and SatNavs. The development in complex data interpretation is set to significantly speed up digital forensic investigations by enhancing the presentation of evidence from a range of commonly used devices.</p>
<p>Although XML is a text-based format, it’s not user-friendly in its raw format, meaning digital investigators often have to manually manipulate large amounts of data to locate evidence relevant to their enquiry.  XML files can contain, for example, internet history, web searches, SatNav recent locations, social networking history – and more.</p>
<p>CCL-Forensics has developed “PIP” to eradicate this problem.  PIP is a software tool which parses data from XML files using the XPath query language and presents the investigator with results in a user-friendly, easy-to-interpret form.  This saves a considerable amount of time, and means costs to investigators are kept to a minimum.</p>
<p>In addition, PIP natively supports Apple™’s property list (“plist”) file format, in both its XML and binary forms.</p>
<div id="attachment_314" class="wp-caption aligncenter" style="width: 310px"><a href="http://digitalforensicsmagazine.com/blogs/wp-content/uploads/2011/08/PIP-with-and-without.jpg"><img class="size-medium wp-image-314" title="PIP with and without" src="http://digitalforensicsmagazine.com/blogs/wp-content/uploads/2011/08/PIP-with-and-without-300x212.jpg" alt="" width="300" height="212" /></a><p class="wp-caption-text">“An XML file shown both in its raw form and when presented using PIP”</p></div>
<p>A regularly updated library of XPath queries is included within PIP, and CCL-Forensics is constantly researching opportunities for new additions to the library. For the advanced practitioner, however, PIP allows bespoke queries to be written for new data types which may be uncovered during the course of an investigation.</p>
<p>The team behind PIP also recognised the need for investigators to process a number of similar files simultaneously, and therefore developed a batch processing capability.</p>
<p>PIP was created in response to demand from Law Enforcement Agencies to streamline the presentation from the increasingly complex range of digital devices – for little additional cost to the taxpayer.</p>
<p><strong>Alex Caithness, the developer of PIP</strong> says <em>“One of the biggest frustrations of any digital examiner is the fact that their tools extract data which they have to manually interpret to turn into a reportable format. PIP is designed to eradicate this problem for XML and plist files.<br />
</em></p>
<p><em>These files are used in many different devices and applications – the iPhone to name just one.  Investigators are seeing a great deal more of these devices, and without a tool like PIP, they may be spending time manually processing them.</em></p>
<p><em>This is doubly unfortunate, because they have already carried out the first step – by extracting the data.  They just now need to interpret it.  PIP does this effortlessly.”</em></p>
<p>PIP is a constantly evolving tool and the developers would welcome suggestions for future functionality.  For more information, please contact Marketing Manager Andy Holmes on +44 1789 2621200 or email aholmes@ccl-forensics.com.</p>
]]></content:encoded>
			<wfw:commentRss>http://digitalforensicsmagazine.com/blogs/?feed=rss2&#038;p=312</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>I&#8217;m about to enrol on a forensics degree at university, can you give me any hints/tips on how to be successful in forensic IT?</title>
		<link>http://digitalforensicsmagazine.com/blogs/?p=309</link>
		<comments>http://digitalforensicsmagazine.com/blogs/?p=309#comments</comments>
		<pubDate>Sat, 30 Jul 2011 13:53:37 +0000</pubDate>
		<dc:creator>RoyIsbell</dc:creator>
				<category><![CDATA[Digital Forensics Magazine]]></category>
		<category><![CDATA[Training and Certification]]></category>
		<category><![CDATA[certification]]></category>

		<guid isPermaLink="false">http://digitalforensicsmagazine.com/blogs/?p=309</guid>
		<description><![CDATA[The above question was sent to Digital Forensics Magazine and we thought it warranted a thoughtful answer so we asked Dr. Richard Howley who is the MSc Forensic Computing and MSc Computer Security Course Leader De Montfort University his views.&#8230;<p class="more-link-p"><a class="more-link" href="http://digitalforensicsmagazine.com/blogs/?p=309">Read more &#8594;</a></p>]]></description>
				<content:encoded><![CDATA[<p><em><strong>The above question was sent to Digital Forensics Magazine and we thought it warranted a thoughtful answer, so we asked Dr. Richard Howley, who is the MSc Forensic Computing and MSc Computer Security Course Leader at De Montfort University, for his views.</strong></em></p>
<p>The suggestions below focus on the early part of your career, i.e., your degree and entry into the profession. Others may contribute suggestions regarding being successful as you join the profession.</p>
<p>1.    Get your degree from an established, respected and well connected institution. Ask your university who they work with, what visiting lectures did they have last year, what national and international initiatives are they involved in? Research into who these people are, what their organisations do and what the initiatives are. Building up your knowledge of the UK and USA forensic IT landscape is important.</p>
<p>2.    Get qualified. The importance of training and qualifications in this business is well known and documented. Academic awards are highly prized as is evidenced by the popularity of MScs amongst members of the profession.</p>
<p>3.    Get connected. Register with as many forensic IT professional bodies, forums and blogs as you can manage and monitor their work.</p>
<p>4.    Ask your university to provide you with some suggested preparatory materials and/or activities. At De Montfort University we hope that you are already hungry for knowledge and motivated enough to seek it out; we expect you to be pushing us to provide you with work you can be doing before joining us. A list of technical skills that new entrants to our courses can develop prior to starting is provided at: http://www.cse.dmu.ac.uk/~rgh/MSc_FC_MSc_CS_FAQs.htm#q16</p>
<p>5.    If your university doesn’t provide pre-course guidance then consider the following:</p>
<ul>
<li>There are many very good text books on this subject and many come with an extensive set of investigative exercises. They take you through the process of ‘static’ PC based forensics very well. All the software, cases and evidence files you need are usually included on a DVD – a great resource. For recommendations email me.</li>
<li>Seek to understand ‘live’ forensics including malware analysis, reversing, live network forensics, memory forensics and virtualisation. Many good online and text based resources exist to support your study of these topics.</li>
<li>Other emerging concerns that you should seek information about include small scale mobile devices, e-discovery and massive data sets, the ‘cloud’, etc.</li>
<li>Mobile phone forensics is very popular and worth looking into – partly because some of the major software companies provide free trial versions of their software with online tutorials.</li>
</ul>
<p>6.    Linking academic and professional practice includes issues such as continued professional development, research design and implementation and report writing.</p>
<ul>
<li>Your degree is the first step in a process of life-long learning; forensic IT never stands still and as such the learning you undertake prior to starting and during your degree will provide you with independent study skills that will serve you well throughout your entire career.</li>
<li>Whilst your course and profession may appear predominantly technical never underestimate the importance of the social, ethical and legal context of your work. You will cover this at university and your knowledge and consideration of it should be updated and applied throughout your career.</li>
<li>When you start work in the field you will quickly discover that the text books don’t have all the answers. You will need to identify and research new solutions to novel situations. This will involve designing experiments and implementing them to explore and inform your evidential hypothesis – this classic academic/research process has huge relevance to your later professional practice, so don’t underestimate it and take every opportunity to practise and develop these skills whilst at university and after.</li>
<li>Writing essays or reports and giving presentations at university are not just academic exercises. It is direct training in skills that the forensic IT professional needs. You must be able to write concisely, persuasively, accurately, with precision and in an evidence-based manner. The same is true of public speaking and presentation, i.e., giving evidence. The more frightening you find the prospect of public speaking &#8211; the more you must do it! Start in a gentle way; asking questions in class or contributing to discussions is a first step in public speaking, so do try and take part. Take every opportunity to develop and practise these skills – we can all improve no matter how experienced we are.</li>
</ul>
<p>7.    Finally, in the profession you will be expected to know multiple operating systems (Windows and Linux extensively), file systems, hardware, connection protocols, cables, devices, etc. So get an old machine or two, a screwdriver, a bunch of operating systems and play (carefully!) – and learn!</p>
<p>It’s a great profession – good luck on your degree course and in the profession that follows.</p>
<p>Dr. Richard Howley<br />
MSc Forensic Computing and MSc Computer Security Course Leader<br />
De Montfort University</p>
]]></content:encoded>
			<wfw:commentRss>http://digitalforensicsmagazine.com/blogs/?feed=rss2&#038;p=309</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The first annual (ISC)² Security Congress</title>
		<link>http://digitalforensicsmagazine.com/blogs/?p=305</link>
		<comments>http://digitalforensicsmagazine.com/blogs/?p=305#comments</comments>
		<pubDate>Wed, 22 Jun 2011 17:37:33 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
				<category><![CDATA[Announcements]]></category>
		<category><![CDATA[In the News]]></category>
		<category><![CDATA[Training and Certification]]></category>

		<guid isPermaLink="false">http://digitalforensicsmagazine.com/blogs/?p=305</guid>
		<description><![CDATA[(ISC)² Security Congress &#8211; Collocated with the ASIS International 57th Annual Seminar and Exhibits – September 19th – 22nd, Orlando, Florida The first annual (ISC)² Security Congress offers invaluable education to all levels of information security professionals, not just (ISC)²&#8230;<p class="more-link-p"><a class="more-link" href="http://digitalforensicsmagazine.com/blogs/?p=305">Read more &#8594;</a></p>]]></description>
				<content:encoded><![CDATA[<p>(ISC)² Security Congress &#8211; Collocated with the ASIS International 57th Annual Seminar and Exhibits – September 19th – 22nd, Orlando, Florida</p>
<p>The first annual (ISC)² Security Congress offers invaluable education to all levels of information security professionals, not just (ISC)² members. This event will provide information security professionals with the tools to strengthen their security without restricting their business. (ISC)² and ASIS International have teamed up to bring you the largest security conference in the world, with five days of education and networking opportunities. Don’t miss out. Register today! To make your selection from over 200 conference sessions, free education and special pricing on official CISSP and CSSLP Intensive education. For more information, please visit:<br />
<a href="http://www.isc2.org/congress2011">www.isc2.org/congress2011</a></p>
]]></content:encoded>
			<wfw:commentRss>http://digitalforensicsmagazine.com/blogs/?feed=rss2&#038;p=305</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
