Saturday, October 23, 2010

Interview with Dr. Gary Kessler

Future of Digital Forensic Tools Follow Up

Thanks for all of the comments both in public and private relative to my last post about the future of digital forensic tools. In a nutshell, we’re going to be approaching the point where digital forensic leaders like myself are going to have to make hard choices about where we spend our limited resources.  If I have five head count available to me, do I really want to devote the equivalent of one FTE to the care and feeding of increasingly sophisticated and complex enterprise sized digital forensic tools? That is going to cost me twenty percent of my analytical productivity.  Outsourcing the administration of my enterprise level tools through a Software-as-a-Service (SaaS) model in a cost effective manner will be a compelling option and I think it’s one that will be coming relatively soon.

CEIC 2011

‘Tis the season to start thinking about 2011 digital forensics training conferences and Guidance Software has worked very hard to make CEIC a very compelling choice.  I attended my first CEIC last year and enjoyed it immensely. The CFP period is open with a November 15th deadline.   I will be putting into present on a couple of different topics.  Hopefully, one will get accepted and I’ll see you there in Orlando.

SANS Forensics and Incident Response Summit 2011

Rob Lee has done an absolutely fantastic job turning this event into an amazing offering.  Because he is so well known in the community and has so many relationships with the A list digital forensics and incident response people, he has the ability to put together the best lineup of presenters that you’ll find at any digital forensics conference.  I’m hoping that I’ll be able to attend this event which will be held in Austin, Texas.

Dr. Gary Kessler Interview

I decided one of the best ways to follow up the “Take Vienna” blog post was to interview someone who has a background as both an academic and a practitioner in the field. I’m a big Gary Kessler fan and since he is both a skilled academic and sharp digital forensics examiner he was the clear choice.  It’s hard not to like him and he’s done a considerable amount of work over the years advancing the cause of digital forensics as a science, including being heavily involved with the creation of the digital forensic program at Champlain.   While Gary is no longer with Champlain, he continues to contribute to the digital forensics community through through a variety of ways which you can read about at his website.  Gary is a very active in several efforts to organize and professionalize the practice of digital forensics.

AFoD: What attracted you to the field of digital forensics?

GK: I have been involved with information security, in general, since the late-1970s. Computer forensics, as a form of infosec incident response, seemed to come into vogue in the late-1990s.

Meanwhile, the Internet Crimes Against Children (ICAC) Task Force was being formed in VT and the leadership all knew me and thought that having a computer techie (my M.S. is in Computer Science) helping out might be useful. So, in 1999 or so, I was asked to join the VT ICAC as a pro bono consultant.

As I got more involved with the DF community -- in 2002, it was mostly law enforcement -- I found myself meeting some of the finest folks I have ever worked with professionally. And I like investigative work, problem solving, working puzzles, and helping others understand what the computer has to tell you...

AFoD: What lead to you to getting involved in digital forensics in the academic world?

GK: I joined the faculty at Champlain College as an adjunct in early 2000 and full-time in the summer of 2000. I was already involved with the ICAC and participated in training activities.

In late 2001, the Task Force commander and I thought that it would be interesting to teach a course at the college in CF. The course was offered in the fall 2002 semester and filled during preregistration. During that semester, we became aware of a variety of NIJ studies that, among other things, suggested a gap between what LEOs actually knew about CF and what
they needed to know. At the same time, we were getting questions about our CF "program" -- yet we only had one course!

That lead to the development of an undergraduate CF program that started in 2003 and the online undergrad program in 2004. CC started a graduate program in CF management in 2009.

This all said, there is work afoot to come up with curriculum guidelines for DF. The project started about five years ago, sponsored by NIJ. For some reason, the output from that group never got published. After the AAFS adopted DF as a forensic science, the work started again and should be adopted/published, I would guess, within the next six months.

AFoD: What was your role at Champlain college and what makes that program unique from other digital forensics programs?

GK: I was the program director of the undergrad CF programs at their inception. Eventually, the online division took over the online CF program (in about 2007) and then I moved into managing the graduate program (2009). I was the
program director of the M.S. in Digital Investigation Management when I left the college in the summer of 2010.

I think the thing that made our undergrad program unique in 2003 was a) I don't know of another undergrad program that existed at the time and b) it combined computer courses, criminal justice courses, and CF courses.

AFoD: What makes up an ideal digital forensics academic program?

GK: This is hard to answer because it depends so much on the goals of the program. At the undergraduate level, I think that academia needs to prepare students for life-long learning. The undergrad of today might well have three or more *careers* -- not merely *jobs* -- in their lifetime so higher ed.'s first responsibility, IMO, has to be to make sure that students know how to learn.

Second, the curriculum should prepare the student both to enter the workplace or graduate school. So this is a bit long but I think that a CF/DF program needs to teach some general education to round out a student, and a broad spectrum of computer science (including fundamentals of operating systems), law, networking, and, of course, CF (processes, file systems, mobile devices, cyberlaw, cybercrime, e-discovery, testimony, etc.).

Graduate programs are a bit harder to nail down. At the graduate level, a technical program, IMO, is advanced, specialized computer science. This is a program for individuals who will be next generation tool creators, process
developers, tool testers, etc., etc. A management program, such as the one at CC, is designed for those aspiring to manage CF labs and people, and understand the business aspects of such activities.

In either case, DF students need to know how to write well, speak well, and *read*!

AFoD: What should the end goals be for an academic digital forensics program?

GK: Pretty much as stated above. Produce generalist learners, specialists in DF as a multidisciplinary science, and prepared for life, the universe, and everything!

Since I got this far, *I* have never taken the posture that CF graduates could be able to immediately walk into a CF shop and be able to work on exams unsupervised. I have always felt that the programs should concentrate on the process and introduce a plethora of tools rather than produce a student who is expert in one tool. The latter is the purpose of training. I observe that students getting a CJ degree still go to a police academy and
then get additional on-the-job training prior to pushing a cruiser on their own. A CF graduate should be able to quickly get up to speed but will still need some training.

AFoD: Other than teaching, what role should academic digital forensics program play in advancing digital forensics?

GK: I think that academicians can play a critical role in advancing the science. They should also be practitioners so that they are aware of the real problems faced by people in the field. They can then be in a good position to help work with the practitioner community to advance standards, tools, research, legislation, local training efforts, and more.

AFoD: Is digital forensics a science? Is it an art? Both?

GK: DF had better be a science now that the AAFS has adopted Multimedia and Digital Forensics as a new branch! :-) Sure, there is some art to the practice but we *MUST* define and adopt processes for DF that are, in fact, based upon science. For this, it's worth reading Fred Cohen's books and learning about information physics!

AFoD: You mentioned the American Academy of Forensic Science (AAFS) has added a Digital and Multimedia Sciences section.  Why is that significant for the digital forensics community?

GK: If the DF community wants to be taken seriously as a forensic science, then this nod from the AAFS is incredibly important. DF is the only forensic science that has been largely driven by the practitioner community rather than the computer science community. But the examination of computers is,
fundamentally, computer science.

That is *not* to say that one needs to be a formally trained computer scientist in order to practice computer forensics. Not only do I not believe that but it would fly in the face of the reality of the profession today. But DF needs to become more of a science and less of an art!

AF0D: What digital forensic programs other than Champlain could you recommend to students who are interested in studying digital forensics?

GK: There are now a bunch of program depending upon where you want to study and what approach you'd like to take to your studies. Certainly the undergrad programs at Daytona State, Defiance College, Bloomsburg University, University of Rhode Island, Utica College, Univ. of Alabama Birmingham, Univ. of Mississippi, Johns Hopkins, Fountainhead College of Technology, and Univ. of Advancing Technology are well-known and worth
investigating. There are others, too: see
http://www.e-evidence.info/education.html

There are also grad program worth looking into... programs at
Daytona/UCF, Purdue, John Jay, Univ, of Maryland University College, and California Sciences Institute leap immediately to mind.

And these are just the programs in the U.S.!

AFoD: Is there a career path for people interested in digital forensics,  but who want to practice it as a full time academic discipline?

GK: Yes, I believe so... but accreditation requirements of colleges and universities will demand that anyone with a full-time job in academia hold at least a masters degree and, preferably, a doctorate.

AFoD: What should be the role of the scientific method in digital forensics?

GK: Well, that couples with the question above. The Daubert and Kumho Tire rulings guide the introduction of scientific and technical evidence in federal courts and about half of the state courts. We need to have a science that answers the tests. One Daubert requirement is that the procedures have a known, or knowable, error rate. It is unclear that we even know how to
calculate the error rates in DF practices.

Again, I am *not* saying that DF work is sloppy or error-prone or anything like that. I am suggesting that we know that we're not seeing 100% of everything and we have no way to prove that what we're misisng doesn't change the bottom line.

We need more science and more research.

AFoD: What is your view on the role of digital forensics certifications?

GK: I think that certifications are ONE part of professional credentialing but, in the end, speak to one's training. I also think that academic credentialing is important, as well. Unfortunately, an academic degree may not demonstrate one's practical knowledge/skills and certifications don't demonstrate a person's fundamental and theoretical knowledge -- things that
I believe are essential for life-long learning and professionalism.

GK: I think that professionals need to demonstrate a combination of appropriate training and education. Certification is a part of that.

AFoD: Should the digital forensic community standardize on just one digital forensics certification or continue to have multiple
certifications from different organizations?

GK: Even if I felt that one standardized certificate was the right thing to do, I don't see how we could choose which one, given that the barn door is already open! (If I can mix the metaphors.)

I would like to see some standardization is what the generic industry certs actually show. In response to the NAS report from 2009 about forensics, I think it imperative that any DF certification include a practical portion. I think that being able to communicate one's findings in a report need to be a part of the certification. I think that for our own credibility, the certs that are respected demonstrate experience and practical competence and NOT be ones that you could read a book for and pass. Vendor neutrality, IMO, is key as well as being available industry-wide.

I also see different levels of cert coming. A general DF cert is
great. I see specialty certs also coming, such as mobile forensics and e-discovery.

AFoD: What advice would you give to those who want to break into the digital forensics field?

GK: Well, it would depend up the age of the person and the area where they live. DF is no easier a profession to break into than information security; you can't just get some training, hang up a shingle, and start working. If I were 40 years younger, I would say go to school. If making a career change, I would survey the local practitioner landscape and try to find a mentor. So many people say, "I want to learn CF and volunteer with local police and
catch child perpetrators." Well, that may be noble but it is very hard to find in practice! It's easier to find a private firm. Look for local DF organizations, such as a local HTCIA chapter; it's a great way to learn and to network. In some cases, it means thinking about moving; there are a lot of CF jobs but they are not equally distributed geographically.

3 comments:

  1. GK mention's 'Fred Cohen's book'. Which book is that?

    ReplyDelete
  2. I had the opportunity to take a short class Dr. Cohen presented at the 1999 HTCIA convention. I find keeping up with him impossible; he will challenge every last brain cell you have and I think my brain actually hurt by the time he was finished. What he has to say is well worth reading.

    Start with http://all.net and follow the "Digital Forensics and Electronic Discovery" link to get a feel for the prolific documentation he presents for free. You can also check out the link below for an interesting paper which you can also find on all.net by following the "info-physics" linke on the left column after following the first link above, then click on the "peer review requested" link.

    F. Cohen, "Digital Forensic Evidence Examination", ASP Press, 2009,
    ISBN#1-878109-44-8

    Jake

    ReplyDelete
  3. Per Gary, these are the recommended Fred Cohen books:

    Cohen, F. (2008). Challenges to digital forensics evidence. Livermore, CA:
    ASP Press.

    Cohen, F. (2010). Digital forensic evidence examination (2nd ed.).
    Livermore, CA: ASP Press.

    ReplyDelete