/v3-uk/news/1986673/vnunetcom-analysis-ou-tackles-forensics
01 May 2008, Robert Blincoe, V3
Fears of corporate espionage, malicious staff and disputed trade deals have led to the Open University's first course on computer forensics being heavily oversubscribed.
The post-graduate Computer Forensics and Investigations course starts today, and prospective students have been bumped to the November 2008 course since March.
Concerns over untrained IT staff destroying important evidence have fuelled interest in the course, which is intended to provide an introduction to digital evidence collection, forensic computing and IT incident management.
The course is described as enabling people to know what to do as the 'first responder' in the initial stages of an investigation. The view is that these cases may form the basis of criminal or civil actions.
Specially commissioned material has been written by Professor Peter Sommer, a legal and technical expert in the field, who has acted as an expert witness in cases ranging from terrorism and fraud, child abuse and hacking to corporate espionage, defamation and murder.
"One of the problems I and others have noticed, particularly within organisations, is that evidence that might have existed in computers gets wrecked the first hour or so after something has been discovered," said Professor Sommer.
"People just do not know what they are doing. They are floundering and destroying evidence."
OU students have already received a sealed replica of a police evidence bag as part of their course material. They can open it only when they have learned the skills to handle the evidence correctly.
Blaine Price, an OU lecturer and course chairman, said: "We will spend the first three weeks drumming in what it means to be forensically sound.
"A first responder is like a first-aider: you need someone who knows not to move the patient. That is the level of this course."
As well as using computer forensic tools during investigations of specially prepared scenarios, and reviewing landmark digital crime cases, students will be taught that understanding legislation is an important component.
Students need to get to grips with the Computer Misuse Act and the Regulation of Investigatory Powers Act, among others.
One of the cases students will look at is the 2005 conviction of computer consultant and penetration tester Daniel Cuthbert.
Cuthbert had gained unauthorised access to the Disasters Emergency Committee's Tsunami fundraising website, but claimed that he was checking to see whether the site was legitimate and sufficiently secure to hold his financial details.
The course has obviously tapped into a demand, but having an internal 'first responder' is not necessarily the best way to go, according to Tony Dearsley, computer forensics manager at corporate investigation group Kroll Ontrack.
"If you only have one of these [cases] every six months you are not going to have the continual hands-on experience," he said.
"It can be very difficult and stressful for people to remember everything they were taught months ago and put it into practice.
"There is a lot of peer and management pressure and it takes them away from their normal job. Most people are wearing two or three hats in an IT department, so it is a job best left to the professionals."
Dearsley sees 10 enquiries a month on cases of intellectual property theft where, for example, the sales database has "just gone out the door" through a want of proper procedures or security.
He suggests that companies should tighten up their employee exit policies to address such situations.
"One of the things we recommend is that, as soon as somebody leaves the company, you should secure a forensic image of their computer," said Dearsley.
"You do not have to do anything with it, but if something turns up later you can revert to it. It is like an insurance policy."
The OU course runs over six months and costs £945. The course is mainly conducted online and students have to complete three tutor-marked assignments plus an end-of-course assessment.
Students will use Helix forensic software. The industry standard is EnCase, which is prohibitively expensive to use on the course.
Students are expected to be able to reboot a computer from a CD, which may require changing a Bios setting, and to install and de-install hard disks. Understanding of internet protocols is considered useful.
Professor Sommer was an expert witness in the Rome Labs/Datastream Cowboy hack in which two UK schoolboys penetrated USAF and Nasa systems.
He was also involved in NCS Operation Cathedral, which cracked the UK's first major internet paedophile ring, and Godfrey v Demon, an important defamation case which helped define the extent of the 'innocent dissemination' defence available to ISPs.