A small group of us went all the way to Somerset to attend the Computer Forensics event that was being hosted by the Institution of Engineering and Technology. Sam Raincock, who has been involved in over 200 cases and is probably THE expert on cell phone tracking, was presenting it. IET definitely chose a good subject area and the right speaker for it.
Far from being the conference of professionals we’d expected, it was an overview of how forensics can be applied to business security, and best practices for the business people who made up most of the audience. As for the forensic investigations themselves, it covered only a fraction of what’s involved.
There was a patchy introduction to how EnCase could be used, which I reckon should really have been a start-to-finish demo of a device being imaged, hashed and analysed in various ways with the software, plus a quick talk on incident response to help clear up the difference of opinion over whether to perform a live analysis at a crime scene, or to follow the ACPO guidelines and pull the plug on a running system. It’s a very tricky question I’m not qualified to answer yet, given the huge implications, which I’ll outline in a future post.
But I think that’s down to the fact that Raincock is coming from a slightly different background, where the evidence has already been acquired and provided by corporate clients, who sometimes have a good idea of what to look for.
Raincock has the rare talent of knowing which files to look at first and being able to pick out specific information while scanning through the raw output window in EnCase. From this we picked up a couple of extra tricks, such as how the passwords for some online accounts and Microsoft document encryption can be obtained, which is definitely useful considering how many people re-use passwords.
An example was given of a murder case she managed to solve after looking through the computer. At first it threw up something really strange: two very different patterns of activity on the same user account, and two keyloggers installed at different points. Many investigators would have had difficulties here, but she managed to determine what had happened. Two people were spying on each other, which led one to murder the other.
But would Timeline help build a better reconstruction of the events leading up to the murder? How did she know other methods weren’t being used to hide information? Does she use other tools to confirm her findings and ensure nothing’s being overlooked?
Raincock makes good use of the 6Qs (a few people have noticed this), which are always a good starting point for any research or investigation. What happened? Who was involved? Where were they? How was something done? When was it done? Why did something happen? A good report addresses and answers those six questions.
Unfortunately Raincock didn’t go into more detail for those of us already familiar with EnCase, such as EnScripts (she’s also a programmer) and its many lesser-known features. This was understandable, given the audience she was presenting to. But I guess this event showed that the field of digital forensics can’t really be condensed into a two-hour presentation.