Wednesday, 1 June 2011

Interview with Angus Marshall

In this blog I am delighted to publish an interview with Angus Marshall.  

I first met Angus a number of years ago when he was inspiring large numbers of students through running the digital forensics course at Teesside University.  Nowadays, although still involved in academia, Angus is active in a wide range of work within the digital evidence/forensic computing sector including representing the Forensic Science Society on the Forensic Science Regulator's digital evidence advisory group.

This broad mix of experience gives Angus a unique perspective as you can see from his answers below:

1, How did you become involved in the digital forensics sector?

Almost by accident. About 10 years ago I was a lecturer at the Centre for Internet Computing in Scarborough and also managed the network for staff machines & our labs. One day someone spotted that all the campus bandwidth was being used by one of our Linux servers. I spent some time analysing that and my then girlfriend (now wife) suggested that I should write it up for the Forensic Science Society. After I presented the paper, on some theories about malware & incident analysis, Pat Wiltshire (forensic palynologist) suggested I should contact the old National Crime Faculty to become an expert on their register. A couple of months after that process was complete, I found myself working on a missing person case that soon turned out to be a murder.

I'd had an interest in forensic computing for a while before that happened, but it was always difficult to convince my employers to let me run a course. Fortunately, the success with the casework at Scarborough allowed me to at least put some forensic content into a final year module on the Internet Computing degree. It wasn't perfect, but it gave some insights into how to handle evidence.

2, Do you think students looking to move into this area are better taking a broader IT degree or a more specialised forensics course?

That's a very difficult one to answer. My own first degree was in Computer Studies & Microsystems and I still find myself falling back on principles that I learnt in the 80s. Of course, it's not enough to be just technically competent - you need to know something about applicable law, general forensic & crime scene science and a lot about how to write clearly & concisely.

There's a lot to be said for having a good general computing BSc followed by one of the specialist MSc courses, but there are some very good BSc programmes out there too. I think the key is to find one which combines the technical with the investigative & legal aspects properly - has them running as themes through the whole programme, rather than a course where the "forensic" element is almost bolted on as an afterthought through one or two modules added for marketability.

3, Course accreditation vs competence.  Your  thoughts?

Ouch! Well - since I've just finished a project with the Forensic Science Society to create their component standards (working with practitioners and academics) for accreditation of academic courses, I have to say that course accreditation is a good thing. I think it gives employers and students an assurance that an independent assessment has been made of the content, and that means that good students should be competent when they graduate. The scheme has been running for a few years now in the "conventional" forensic sciences and I know that employers particularly find it useful.

The problem is, of course, that not everyone in the industry will go through an accredited course and that skills in our area change rapidly - we're up against the ingenuity of other human beings after all. So I see an independent certification of competence as an important element too. This is something that the work on regulation & standards is turning into a requirement.

I think we need an independent body which can periodically test practitioners and give a certification of competence in particular skills which are relevant to them and the enquiries they deal with. That would also allow for new skills to be developed and shown to be fit for purpose. Quite how we achieve that, I'm not sure - but I have some ideas and am working with some partners to put together a project which should go a long way towards providing such an independent certification.

4, Why did you leave the world of academia ?

That's a complicated one to answer. Part of it came from increasing frustration caused by constant pressure on the HE sector to do more and more with less and less. It was becoming impossible for me to continue to carry out research and casework alongside managing some very successful courses. It wasn't a decision taken lightly - it took over 12 months before I finally made the leap and I still miss the contact with students and colleagues. Fortunately, I'm not completely out of academia yet. I still deliver a distance-learning module for Ulster, am a visiting lecturer at De Montfort (where some very exciting things are happening) and external examiner for the OU as well.

5, As a recruiter, I talk to a lot of people in the sector who are experiencing very difficult times.  What is your view on the current state of digital forensics?

Times are hard. The austerity measures put in place to deal with deficits has meant that a lot of casework is no longer being outsourced. I think that only the best and the highly specialised are likely to survive.

Having said that, we're seeing some interesting developments outside the law-enforcement sector, not least with the launch of new insurance products designed to cover businesses in the event that they need a digital investigation of some sort. To me, that suggests that digital forensics is coming of age and being recognised as an essential part of business incident response planning.

6, I know you recently attended the ISO/IEC SC27 meeting in Singapore.  What is your involvement with this?

Well, as some people know, I'm the Forensic Science Society's representative on the Forensic Science Regulator's digital evidence advisory group. As part of activity there, the regulator has an interest in some projects that the ISO Information Security Committee (SC27) is working on which related to digital evidence. Since I have some time to spare, I agreed to represent the UK at the meetings where this work is progress. In October I was in Berlin for my first meeting and then Singapore in April for the second. The main project to date is ISO/IEC 27037,not published yet, which will be a standard for handling of digital evidence from first response through to acquisition & preservation prior to analysis. It aligns quite well with the existing ISO17025 which has been adopted by forensic science laboratories, but clarifies some points and is more applicable to all types of digital evidence, particularly in the context of incident response.

I'm also leading the UK proposals to add 3 new standards to complement 27037. We think we need to complete the set with something on investigative models & processes, analysis of digital evidence and validation of digital evidence methods & tools. The validation problem is a big one and one that some parts of the industry seem to be trying to hide from.

None of this is paid work, by the way, I'm lucky if my expenses are covered - and it's definitely not a holiday - we spend a week sitting in committee rooms from 8-5 every day.

7, Tell me about the other work you are doing now?

I can't tell you about all of it - that's the nature of what we do! For me, though, apart from the casework, the most exciting area is around the three pillars of quality within the standards - proficiency, competence and validation. I've been fortunate enough to be commissioned to visit a few labs. and produce reports on their state with regard to applying for ISO accreditation. Most are very good at what they do, but not so good at keeping evidence of how they achieve their hight quality. It's not much fun being the bearer of bad news, but it's something which we all need to bear in mind as compliance is expected by 2014.

I have a lot of ideas about how we can help the industry solve some of the biggest problems and generally demonstrate their quality to a level which should satisfy even the strictest judge. The end result of that will be a much smoother passage through the post-investigtion phase (court, tribunal, disciplinary hearings etc.).

8, What does the future hold for you?

I thought you had the crystal ball ;) I've given some hints in my answers already, I think maybe I should let the readers see if they can work it out for themselves. I can guarantee, though, that the world will run out of pies before I run out fingers to stick into them.

Whatever it is, it had better be challenging, I hate not having a problem to work on - which probably explains why drive an old Lotus as my everyday car.

n-gate ltd. is going to seize every opportunity that comes our way, and try to make a few for ourselves too. We're always open to new ideas and difficult problems in particular. I think my ideal is for us to become known as "the experts' experts".

Angus Marshall can be contacted in the following ways:

Twitter: @marshalla99

No comments:

Post a Comment