Forensic Course Development Yin Pan Bill Stackpole
Agenda • Forensic course development • Definitions • Procedures used for content selection & development • Outcomes and feedback from students • Improvements • Our implementations • Your suggestions
Definitions • “Forensics” & “Computer Forensics” • What’s involved in an investigation? • What information is available? • How to get to it? • Toolkits / techniques • Legal and privacy issues
Disclaimer • Many thorny legal and privacy issues • Consult legal counsel as necessary BEFORE using tools / techniques • We are NOT lawyers (Nor do we play them on television)
What is Forensics? Definition (Dictionary.com): • The art or study of formal debate; argumentation. • The use of science and technology to investigate and establish facts in criminal or civil courts of law.
What is Forensics? • “Crime scene” à la Quincy • CSI / Cold Case • Sherlock Holmes • Nancy Drew / Hardy Boys
What is Forensics? • Investigation of past activities to help reconstruct a version of what happened or may have happened.
What is Computer Forensics? • Investigation of computer / digital device to find evidence of activity • Crimes both digital & non-digital • Corroborating evidence • Data recovery
What is Computer Forensics • “Gathering and analyzing data in a manner as free from distortion or bias as possible to reconstruct data or what has happened in the past on a system” Farmer and Venema, 1999.
Why computer forensics courses are needed (CNN) • "Cyber-crime is obviously something that is a national priority," said Steve Bunnell, chief of the criminal division at the U.S. attorney's office in Washington, D.C. • There is obviously a bottleneck of highly trained personnel to comb through evidence • Part of the biggest obstacles we've had to overcome is having to get savvy lawyers and judges to understand what we do • Police officials say that the U.S. war on terrorism may create a shortage of digital analysts at the local law enforcement level
From CNN • In the wired world, almost every crime intersects with the digital realm at one time or another.
Facts as we see them… • Few individuals (currently) have the skills and knowledge necessary to conduct a forensic investigation • Goal: train individuals specializing in digital forensics. • Need an answer to what should be taught to achieve this goal.
Goals of the Forensic Investigator • Confirm or dispel an incident • Determine extent of damage • Answer: Who, What, When, Where, How and Why • Gather data in a forensically sound manner • Handle, analyze and secure evidence • Generate appropriate records & reports • Present admissible evidence in court
What Belongs in a Forensic Course? • Procedures • Basic technical knowledge • Techniques • Ethics and legal issues
Wide range to consider • Hardware • Software • Networks • Systems
Wide range to consider • Many different elements • Processor/Hardware (x86, Sun, Mac, etc) • OS (Win/Unices/Mac/others) • Application (task-specific, general) • Filesystem (NTFS/UFS/ext/hpfs) • Storage (local, networked, NAS, SAN, raid) • Other (PDA / cellphones / cameras / memory sticks & cards / MP3 players / other / PLUS ubiquitous computing)
What Belongs in a Forensics course? So much to do – so little time We decided that “Our cup runneth over.” We needed help!
The questions • How can we learn enough about the topic? • So much material • How can we be sure we know the answers to the “standard” questions? (or “How can we minimize getting egg on our face?”) • Feedback usually too late - from students after we’ve given them a bad presentation.
Our potential solutions • Share the load of development • Preview/review of materials
Solutions explained (2) • Overlap • there will be some – more of “skills reinforcement” • The development • Multiple instructors • Each party takes part of the development load • Each brings a different expertise to the table • Co-teach the course first time • Preview the materials before presentation • Present to peers BEFORE presenting to students
What does it cost? • Standard costs: • Time and Effort – about the same as any other course development endeavor • Extra costs: • Difficulty scheduling free time on 3 calendars • Preparation and presentation of material multiple times
What’s the payoff? • Real, immediate feedback on: • Content • Presentation style • In-class exercises • Ideas from more experienced faculty • Camaraderie • Better materials, more self-confidence, and better presentations • And a feeling that you really are prepared for that new class
Undergraduate course goal • Identify and employ tools • Track intruders • Preserve and analyze evidence • Emphasize • fundamental techniques • hands-on experience • Ensure admissibility in court. • Chain of custody etc.
Undergrad Outcomes • Describe basic incident response procedure • Identify and utilize appropriate forensic and IDS tools • Multi-platform • Multi-device • Address social, legal and ethical issues
Graduate course goal • Effectively use and develop NEW tools • Not just “how to use it” but “how does it WORK (under the hood)”
Grad Outcomes • Identify and analyze tools used in computer forensics • Ensure admissibility of evidence & understand proper investigative procedures • Explain system basics, such as system startup/restart/shutdown procedures, processes, file systems, system log files • Write or modify programs for forensics investigation
The content of undergraduate course • Incident Response • Forensic Essentials • Unix Forensics • Windows Forensics • Network Forensics • Legal issues
Labs for undergraduates • Reinforcement of lecture material • Allow students to explore and discover • Lab materials follow the outline of the lecture • Introduce tools and techniques specific to certain operating systems • Can provide examples of lab exercises
Grad course content • Organized into four lecture parts plus student research • Techniques and procedures • The system in-depth • hardware devices and storage media, file systems, processes and threads, and the boot procedure • Programming refresher • Modify existing or develop new tool
Student research • Search for and learn about existing forensic tools (no overlap) • Evaluate and rank them based on • Open / closed source • Language in which they are written • “Improvability” • Other student-defined factors • Generate document describing findings • Share with peers
Techniques and Procedures • What are the existing tools for • Different file systems (FAT, NTFS, UNIX) • Different devices such as cameras, phones, PDAs, memory sticks/cards • Machines that are running as well as those that have been shut down.
Techniques and Procedures (cont.) • Chain of custody • Collecting and preserving data in a forensically sound manner • Recovering deleted and hidden files • Analyzing data • MAC time • Log files • History files • Registry • Email • Reporting
The system in-depth • Computer devices • File systems • Input/output • Memory Management • Boot Procedures • Processes
Programming basics in Computer Forensics • System Calls • Standard Library • Data Access and Physical Analysis • File Access and String Search • Deleted files and directories • Enscript • Dissection of existing tools
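The two slides above list the building blocks a graduate student combines when writing a forensic tool: hashing acquired data for the chain of custody, reading MAC times through the stat() system call, sorting them into a timeline, and searching a raw byte image for strings. The following is an added example written for this page, not code from the course or its authors; the evidence files, timestamps and image fragment are all constructed here so it runs offline, and the function names are this example's own.

```python
"""Added example (not from the slides): hashing for chain of custody,
MAC-time collection via stat(), a sorted timeline, and a string search
over a raw byte image. All sample data below is constructed."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample "evidence" files: name -> (content, mtime epoch, atime epoch).
SAMPLE_FILES = {
    "notes.txt": (b"meeting at 10, bring the drive\n", 1_100_000_000, 1_100_000_500),
    "photo.jpg": (b"\xff\xd8\xff\xe0" + b"\x00" * 32, 1_099_000_000, 1_101_000_000),
}

# Constructed raw image fragment for the string search.
SAMPLE_IMAGE = b"\x00" * 16 + b"forensics" + b"\x00" * 8 + b"EVIDENCE" + b"\xff" * 4


def hash_bytes(data):
    """SHA-256 of an in-memory buffer (used to cross-check acquire_hash)."""
    return hashlib.sha256(data).hexdigest()


def acquire_hash(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large image need not fit in memory.
    Recording this value at acquisition and again before analysis is how
    one demonstrates the evidence was not altered (chain of custody)."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def mac_times(path):
    """Return the M, A and C times reported by stat() as aware UTC datetimes.
    Caveat: on Unix st_ctime is the inode-change time, not creation time,
    and os.utime cannot set it; on Windows it is the creation time."""
    st = os.stat(path)

    def to_dt(ts):
        return datetime.fromtimestamp(ts, tz=timezone.utc)

    return {"M": to_dt(st.st_mtime), "A": to_dt(st.st_atime), "C": to_dt(st.st_ctime)}


def build_timeline(paths):
    """Flatten the MAC times of several files into one list of
    (datetime, kind, path) tuples sorted oldest-first."""
    events = []
    for p in paths:
        for kind, ts in mac_times(p).items():
            events.append((ts, kind, p))
    events.sort()
    return events


def search_strings(image, needles):
    """Return (offset, needle) pairs for every occurrence of each needle in a
    raw byte image, sorted by offset; overlapping hits are kept."""
    hits = []
    for needle in needles:
        idx = image.find(needle)
        while idx != -1:
            hits.append((idx, needle))
            idx = image.find(needle, idx + 1)
    return sorted(hits)


def make_sample_evidence():
    """Write SAMPLE_FILES into a temp directory with the constructed M/A
    times applied; return the list of file paths in SAMPLE_FILES order."""
    d = tempfile.mkdtemp(prefix="evidence_")
    paths = []
    for name, (content, mtime, atime) in SAMPLE_FILES.items():
        p = os.path.join(d, name)
        with open(p, "wb") as fh:
            fh.write(content)
        os.utime(p, (atime, mtime))  # os.utime takes (atime, mtime)
        paths.append(p)
    return paths


if __name__ == "__main__":
    paths = make_sample_evidence()
    # Collect metadata BEFORE reading content: reading a file can update its atime.
    for ts, kind, p in build_timeline(paths):
        print(ts.isoformat(), kind, os.path.basename(p))
    for p in paths:
        print(os.path.basename(p), acquire_hash(p))
    print(search_strings(SAMPLE_IMAGE, [b"forensics", b"EVIDENCE"]))
```

The order of operations in the main block is the lesson a lab would drive home: reading a file to hash it can itself change the access time, so metadata is captured first, and on a real case one works from a verified image rather than the original medium.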
EnScript in EnCase Environment • Filter • EnScript
Tool development • Based on prior research exercise • Design and implementation • Modify existing tools or build new • Test! • Demonstration and presentation
How did it work (lecture)? • Lecture format was effective • Measure? • Very positive student feedback • High level of student participation • Format was “Traditional lecture PLUS” • Lawyer • Investigator • Recorded video • Student discussions
How did it work (labs)? • Undergrad lab assignments were too large • Too much material to complete in a reasonable time • We were overly ambitious! • Students gave us some good ideas to change lab assignments • Grad projects just right • Not too big, not too small • Learned lesson from undergrad course
LIKES: (quotes) • - The labs. Hands on learning was enjoyable and educational. I only wish there was more time. • - The professors. Each professor brought a unique "spin" to the class. • - The class itself. Learning the process and tools involved in a computer forensics investigation was fun and cool. • - I liked that it was Team taught, I feel I can draw much more from 3 teachers as opposed to one. Although this is not a realistic way to teach the class, it did allow me to draw on many years of skill. • - I liked the fact that it was split into Linux/Windows content in different weeks.... It’s much easier to focus on one OS as opposed to contrasting them and getting confused about the semantics. • - Although for much of the semester we had problems, I absolutely liked that we had dedicated forensics machines and I commend you and the lab staff for pushing for them. Hot swappable drives make all the difference in this kind of work as me and Mitch found out the hard way. • - The lectures weren't boring! Let me re-emphasize this point THE LECTURES WEREN'T BORING! And this is the key to most of RIT student’s education.
DISlikes: (quotes) • - The classroom. Having computers at every desk is a bit distracting and blocked my view of things. Unless there is a need to have computers in the lecture classroom, I would try to choose a room without PCs. • - The labs. I understand this was the first time this class was taught so take this with a grain of salt. The labs weren't written as well as they could have been and more time could have been spent "testing" the labs before making them "live". • - the lack of time. I know this is difficult to fix. The class moved so quickly and there is so much material to cover that we had to gloss over many things. I don't know if it would make more sense to break the class up into two classes. • “ … really liked the network forensics but … felt it was a little forced; It would be much more well suited for Data Net …” (its own class)
Positives / Negatives (group teaching format) • Positives: • Lots of ideas and feedback • Flexibility • Leverage knowledge base • >1 resource during lecture • Students LOVED it! • Negatives: • Time issues • Partial load • Redundant lectures • We were lucky – had cooperative faculty! (Imagine if you were in a group that DIDN’T get along…)
Some Modifications made… • Network portion moved to its own course • Lab contents split • Added new labs based on grad students’ research • Existing lecture materials expanded to improve coverage
Future direction • Macintosh investigation • Tools for PDA/cell/others • Have multiple courses collaborate to provide students with more lifelike experiences • Teamwork, honeypot images, grad/ugrad cooperation
What did we miss? • Suggestions? • Questions? Thank You!!!