This is a short blog to summarise my visit to the 7th Annual Teaching Computer Forensics Workshop that I attended on 10 November. The event was held at the University of Sunderland, a university that I have never visited before. In fact, my first real visit to the Tyne and Wear area was only earlier this year, and was also one that was very brief, so I was travelling in unfamiliar territory.
If someone were to tell me that I would be taking two trips to 'the north' this year, I wouldn't have believed them. During this most recent trip not only was I able to learn more about the domain of computer forensics, but I was also able to experience my first journey on the Tyne and Wear metro: this was a fun experience for someone based in London who is overly familiar with the rigours of the tube.
All delegates were welcomed to the forensics workshop by David Blackwell, Assistant Dean for student experience. David's welcome gave way to an introduction by Alistair Irons who outlined the objectives for the day. Alistair played the key role of chair and master of ceremonies throughout the whole of the workshop.
Rather than to summarise everything in sequence, what I'm going to do in this blog is to connect the different talks by themes (and hope it makes sense!) I call for the organisers' forgiveness in taking this liberty. This said, I'm going to break this plan the moment I've introduced it by starting with the first presentation, which was all about geo-positional forensics.
The first presentation of the day was by Harjinder Lallie from the University of Warwick. Harjinder introduced geo-positional forensics, the subject of a book that Harjinder has been invited to edit. The subject is an interesting one. Given the title, I originally imagined smart phones which contained GPS devices which were used to collect data, but like so many things, there is so much more lurking under the surface.
Geo-location data can be extracted from satellite navigation systems, for instance. Location information might also be obtained from mobile telephone networks by identifying which base stations a mobile phone used to connect to a network. Another route to location might be to make use of techniques to identify the location of devices that are physically connected to the internet, such as routers. The more you begin to think about this subject, the more you begin to uncover. There are, of course, important legal issues that relate to the gathering of location evidence (legal issues being one of the themes that are exposed later on during the day).
If you're interested, or would like to find out more about Harjinder's book, there is a web page which you might find of interest.
The second presentation of the day, and the first of a bunch of presentations that relate to the teaching of computing forensics, was by Michelle Govan, Glasgow Caledonian University. Michelle's presentation had the title 'Developing active learning in digital forensics'. I liked Michelle's presentation since it referenced both a learning strategy and a method that is important to digital forensics at the same time: the making of notes. Notes, it is argued, can be used as a reflective tool that can help to facilitate learning and improve comprehension and understanding. When it comes to digital forensics, notes are an essential tool to help record how, for example, how evidence was secured (the use of contemporaneous notes, as it is known, features quite extensively within the Open University M889 module). Michelle also referenced something called Pendley's lego exercise which I had never heard of before. This led to a discussion about the extent to which notes, within a real forensic environment, are used.
Another interesting aspect of Michelle's presentation was that she covered a significant number of different pedagogic approaches in what was a very short time: experiential, reflective, inquiry based, problem based, critical exploration, constructivist, action, and so on... I also was introduced to a new term: 'nintendo forensics'. Whilst the forensic analysis of gaming consoles is likely to be a subject in its own right, the term refers to tools where buttons are pressed and results are gained with relative ease.
Xiaohua Feng, from Bedfordshire University gave a talk entitled 'Incident response teaching strategy'. She presented what is known as the DRRP security model. DRRP is an abbreviation for Detect, Respond, Report and Prevent. Frameworks and models have, of course, the ability to represent the essence of useful ideas which might be able to either affect practice or develop further understandings. We were also introduced to something called the BERR 2008 report. Aspects of Xiaohua's presentation reminded me of some of the themes from a postgraduate information security management module, M886, which covers an international standard that offers structured guidance about how to protect information systems. Security and forensics, I sense, are very easily spoken in the same breath.
Craig Thurlby and Caroline Langensiepen from Nottingham Trent University presented a very compelling way to teach one of the most fundamental aspects of computing forensics, which is, how to effectively seize digital evidence. The essence of their presentation lies in its title: 'use of a crime scene house to enhance learning'. Nottingham Trent University own a former student house which has been kitted out with a set of hidden video cameras. These cameras record how students gather evidence from a 'crime scene'. We were treated to a small number of clips where students were shown to be rummaging through arm chairs (on multiple occasions) looking for mobile devices and puzzling over whether a couple of laptops were turned on. I can clearly see how the use of video material can be used to facilitate reflection and learning: one's own mistakes can be laid bare for all to see!
The discussions that followed were really interesting. I never knew, for example, that some universities have their own mock law courts (but on further reflection, perhaps I ought to be surprised if they didn't!) This exposed some of the difficulties that many subjects face, namely, the issue of interdisciplinary and how to get different people from different subjects working together, such as Computing and Law, for instance, to share resources.
What makes a computer forensics project? This was the question that Diane Gan and David Chadwick from the University of Greenwich asked. Diana and David described a number of postgrad projects. These included a flash memory tool to extract data from volatile memory (a utility that was written in Perl), a prototype for investigating GPS devices (which nicely links back to Harjinder 's earlier presentation on geo-positional forensics), a system that helps students to understand the ACPO guidelines (Wikipedia), and an analysis of attacks on a honeypot. Regarding the honeypot project, my understanding is that honeypots are computers that can be used to uncover the ways in which hackers may attack systems. Forensic methods are necessary to determine what has been done to them and potentially uncover how attacks may have been perpetrated.
It was interesting to see that some of these project required students to write software as opposed to just performing an analysis of digital media, such as hard disk drives. This connected to the broader debate of whether or not forensic analysts need to be able to write software, and the extent to which the understanding of software development might help investigators in their roles.
After Diana and David's presentation, a discussion emerged that centred on the question of 'what makes a good project?' and whether different institutions might be able to share project ideas. This reminded me of a debate in an earlier HEA workshop where participants were discussing the possibility of sharing forensic images (which can be quite time consuming to create).
Keeping on the theme of projects, Maurice Calvert from Leeds Metropolitan University gave a presentation entitled 'Final year projects for computer forensics students'. Maurice outlined four different types of products: the forensic analysis of storage media, examination of media to determine what artefacts different types of software leave behind (which is an important skill to understand how things work), investigate security issues and considering incident response plans, and finally, design some kind of system that is relevant to computer forensics (which might mean implementing a system of some kind).
Maurice highlighted a number of different issues that (broadly) relate to the teaching of digital forensics. These were (according to my notes): is the traditional computing project suitable (for forensics students), and to what extent might we need different project guidelines? Also, should digital forensics be separate from computing (or computer science)? The issue of employability was also raised (but more of this later).
The law is one of those subjects that is fundamentally important to digital forensics. It is so important that some of the necessary nitty gritty technical issues are almost secondary. There are two points that were clearly underlined from this workshop. Firstly, if you don't capture evidence in a way that is appropriate and in line with good practice, your evidence may be inadmissible in court. Secondly, digital investigators need to be aware of legal issues since the actions that they take during an investigation may potentially open themselves up to prosecution.
Rita Esen, from the University of Northumbria, gave a very clear presentation about the importance of different types of legislation. Rita outlined the different laws that that digital investigators need to be aware of, such as the fraud act, data protection act, computer misuse act, sexual offenses act, police and justice act, human rights act and the regulation of investigatory powers act (I'm sure there were others too!) Rita also told us about a very new development, which was the UK government's ratification of the cybercrime convention (wikipedia).
Richard Overill, from King's College London introduced us to a term known as the CSI effect (wikipedia), which is about how high profile TV shows influence broader public perception of forensic science. In his presentation, which is entitled, 'the inverse CSI effect in digital forensics' Richard considers whether 'the effect' might change the behaviour of cyber criminals. Richard's talk reminds me of the term 'anti-forensics' that I discovered whilst studying M889.
One of the last presentations of the day was by Ali Al-Sherbaz from Northampton University. Ali directed us to an interesting web page which is entitled, The Evolution of Privacy on Facebook which has a really nice graphic. (Digital privacy is one of those issues that is addressed on an Open University module called TU100, My Digital Life). Ali also introduced us to a pedagogic tool called Dale's cone of experience.
Forensics and Employability
Alistair Irons gave the final presentation of the day on the topic of forensics and employability. Employability was one of those workshop themes that featured almost continuously throughout the day; it is something that is certainly on everyone's minds. One thing was clearly apparent: digital forensics is a very popular subject amongst students, but there are not enough vacancies in the industry for the number of graduates that the university sector is providing.
There was, therefore, a really important question that was asked, which was: do digital (or computer) forensics students end up in a position where they can do other jobs? There seems to be a consensus that this certainly seems to be the case.
I remember having a chat with a psychology lecturer a number of years ago. He was ruminating on a very similar question, i.e. how many of his students ended up being employed as professional psychologists. There is a difference between doing something as a career, and choosing a subject which gives you general skills that can be used in other areas. Psychology, it was argued is a fabulous subject since it enables students to gain a firm understanding of scientific method, learn how to think critically about evidence, gain skills dealing with statistics and enables students to hone their writing skills.
Similar things can be said about digital forensics: it enables students to gain a detailed technical understanding of computing devices, allows students to begin to grapple (and understand) the intricacies of legal frameworks, appreciate how to solve problems and assess (digital) evidence, and learn how to communicate their findings in a clear and effective way.
All these important benefits of a forensics education relate to a very important issue: the difference between education and training, and the extent to which a university level education should equip students with the precise needs of industry. This issue is particularly important since the needs of the digital forensics industry are continually evolving due to the relentless march of technology. Industry requires well trained people who can do particular jobs, whereas universities provide fundamentals that enable learners to become quickly and effectively trained in particular roles. Education can facilitate training, but there is, of course, frequent cross over between one and the other, and debates about what universities should be doing and what industry expects will run and run.
Connections with other workshops
Throughout the day I could see clear connections to a number of other HEA workshops. One of the most obvious one was with the recent BotShop that was held in Derby. There was a connection in the sense that some robotic systems are embedded systems. Devices such as smart phones and Satellite Navigation Systems are embedded devices. You need similar skills and tools to both extract data from (and to debug) embedded systems.
Another connection that I could make (apart from the recent distance education workshop that was held within the OU), was to the e-learning workshop that was held in the University of Greenwich. During the Greenwich workshop, there was also a reference to the use of peer assessment . Technology can has the potential to enable learners to comment (and learn from) the work of others.
One of the most interesting comment from the day was along the lines of, 'seeing that video of the crime scene house has got me thinking about what I might be able to do it my own class... obviously I don't have a house, but perhaps I might be able to do something similar in the rooms that I could use'. This comment clearly shows the benefits of getting people together to share ideas and practice experience.
Rita's presentation, to me, emphasised the fact that digital forensics is very much an interdisciplinary subject. Not only is law is fundamentally important, but so are domains such as software development and embedded systems. When it comes to social networking systems, social science disciplines have the potential to play a role too.
One of the biggest themes of the day was, of course, employability. Although I am very much an outsider to the world of digital forensics (although I do remain a curious computer scientist), I certainly have the sense that it's a subject that equips students with a broad range of skills. Debates about the extent to which software development should feature are likely to continue, along with the extent to which university level modules should explicitly support the needs of industry (particularly when it comes to commercial tools such as EnCase, FTK and mobile phone tools).
All in all, an expertly organised, fun and interesting event that had a real buzz about it. It was great to recognise a number of familiar faces and also to bump into my former Open University forensics tutor. My interest in digital forensics remains as strong as ever.