This article is a recap of some of the main highlights from TDFCon held at Teesside University, Middlesbrough (UK) on the 15th of May 2015.
TDFCon presents an opportunity for students from Teesside University and elsewhere to come together and discuss their research with industry professionals, law enforcement representatives and fellow students.
The theme for this year’s programme was ‘The Future of Digital Forensics’, and the topics discussed certainly fulfilled the brief, looking at how current trends in computer crime are informing digital forensics and vice versa, as well as how digital forensics education is changing and shaping the development of future forensic examiners.
The day began with a discussion of SCADA security in the UK and whether it is sufficient to protect against network security breaches. Jack McIntyre spoke about how SCADA is unprotected at the device level, and uses web applications which are often vulnerable to attacks such as authentication bypass or SQL injection. One of the main challenges is that SCADA was not originally designed to be secure; instead, the design was based around connectivity and reliability. Neither of these is bad in itself, McIntyre elaborated, but new standards, such as encryption and the removal of plain-text passwords, are needed. With the UK sharing one power connection and two gas connections with no backup, the impact of a breach on national infrastructure could be catastrophic.
The following discussion by Rowan Knight centred around cyber warfare and the changes likely to be seen in this area in the future. Highlighting the importance of collaboration between law enforcement, academia and industry, Knight cited recent research into current trends in warfare both online and offline, and recommended that forensic examiners remain alert to the various ways in which an increasingly connected world boosts the potential for crime on an international level.
Some of the subjects Knight called attention to included how the internet can be used as a recruitment tool for extremist groups and how robots and drones, which are currently being developed for use in human battles, could be susceptible to cyber attacks. Other areas of concern included food processing, chemical plants and national infrastructure, taking up the theme of the prior SCADA discussion in the light of potential cyber war.
Do UK law enforcement have sufficient training to engage with cyber warfare threats? This was one of the main questions posed by Knight’s presentation, and it was suggested that particularly in the area of digital forensics, where trends change so quickly from day to day, law enforcement do not often have the time or the budget to sufficiently defend against the threat of cyber warfare.
The conference then broke out into workshops, with attendees splitting up into smaller groups to discuss different aspects of digital forensics in the future.
The first of these was run by Arron Martin Zeus-Brown, who provided a glimpse into the current state of digital forensics education on the whole, then introduced a participatory discussion in which attendees could put forward their suggestions for elements to be included in future courses at Teesside specifically.
One of the main areas of interest was the mismatch between the perceptions students have regarding what potential employers are looking for, and those employers’ actual requirements for graduate job entrants. Due to the ever-changing nature of the tools and methods employed in digital forensics as a discipline, employers often prize a reliable, conscientious personality profile over experience with a specific forensic tool.
Degree classification varies greatly between subjects, and digital forensics is no exception to this rule, Zeus-Brown added. This led to a discussion regarding whether degree classifications ought to be changed, updated or even replaced by qualifications that could break the subject down into more specific modules.
Jordan Madden then led a workshop on Tor malware, including case studies of OnionDuke network attacks, CryptoWall ransomware and Tor-based point-of-sale malware Chewbacca. This was followed by a presentation from Timmi Lee Strand Jaeger, a Norwegian researcher who gave an overview of the Whonix operating system and the forensic challenges it brings. The session covered best practices for users of the Tor network and how these are often ignored even by those who purport to require anonymity, and Jaeger concluded with a discussion of how forensic examiners can make use of Whonix’s Debian base to conduct investigations.
The following session was presented by Jessica Eastell and Peter Lowery, providing an insight into the effect of fictional media on cybercrime, both in terms of criminals’ ambitions and the expectations of a court jury. Case studies were taken from popular television series and video games, with Eastell and Lowery discussing which of the scenarios given in these media were potentially possible or likely to occur, and how investigation of such crimes would differ from the way it is presented in fiction.
The session provoked a significant level of discussion from the audience, which also turned to how the media in general report on cybercrimes and digital investigations. It was widely agreed that public education in the area was needed, particularly for members of the jury in cybercrime cases.
Big data was the next topic of the day, with Tom Robinson looking into the ethical and security concerns of companies using big data solutions, and of investigations that require big data triage. The presentation covered the more philosophical areas of the subject as well as the usual practical points of discussion; Robinson raised the questions of how much data individuals are willing to share and who is responsible for its safekeeping.
Janice Rafraf continued the afternoon sessions with an exploration of cloud environments and how digital forensic analysts can come up against new legal challenges when investigating them. Jurisdictional issues were of particular interest, with cloud hosting often not being tied to one specific legal territory. Lack of system activity logs and storage elasticity can also bring challenges: whilst it may be difficult even in the case of analysing a home computer to verify whether a particular individual was using a device at any given time, the problem is amplified in cloud environments, and this challenge will only grow larger as more and more people move their data onto the cloud.
The next TDFCon will be held in Middlesbrough on the 13th of May 2016. Anyone interested in attending should consult the official website for details.