160 likes | 285 Views
Problem Solving in Computer Forensics. Dr John Haggerty Distributed Multimedia and Security Group, Liverpool John Moores University J.Haggerty@livjm.ac.uk http://www.cms.livjm.ac.uk/cmpjhagg/index.htm. Outline of talk. Introduction to Liverpool JMU Module background My philosophy
E N D
Problem Solving in Computer Forensics Dr John Haggerty Distributed Multimedia and Security Group, Liverpool John Moores University J.Haggerty@livjm.ac.uk http://www.cms.livjm.ac.uk/cmpjhagg/index.htm
Outline of talk • Introduction to Liverpool JMU • Module background • My philosophy • Problems I have encountered • My teaching approach • Some examples • Findings and conclusion
Background to JMU • Lecturer in Computer Security and Forensic Computing • Computer security background • Academic research • Practical experience • Liverpool JMU reputation in computer security research (Distributed Multimedia and Security Group) • Requirement for wider knowledge of security and forensic issues
Module background • Run first time 2004/2005 • Initial expectation to complement mainstream Forensics programme at JMU • Different levels of expectation and ability • Forensic Computing • BSc (level 3) • Approx. 50 students (up from approx. 40 2004/2005) • IS, MMS, CS and SE options (2005/2006 extended to MMS)
Module aims and objectives • Forensic Computing • Aims • To develop an understandingof the theory and practice of computer forensics. • Objectives • Understand the fundamental technical concepts, implementation, and restrictions of computer forensics in the organisation. • Analyse and evaluate physical and data evidence in computer forensics. • Develop practical skills in computer forensics.
My Forensic Computing philosophy • Relationship between computer security and computer forensics – related but distinct • Same tools but different outcomes • Computer forensics beyond the legal arena • Application of tools and techniques within other areas • e.g. businesses, public sector organisations, national security, etc.
Problems I have found • Computer forensics as “art” not science • Trying to teach analysis • Students from across the computing spectrum • University policies and no dedicated lab space • No control over machines within university • Not able to put own software on machines • Not able to use computer forensics programs • Creativity required to adhere to restrictions whilst at the same time providing practical learning experience for students • Countering student “fantasies” • Forensic Computing – “its just like CSI”
Three strands of teaching • Three strands of teaching used on the course • Principles of forensic computing • Focus on academic issues • Traditional lecture format (summative) • Guest lectures • Marry what students have learnt with practitioner experience • Practical applications of forensic computing • Marrying academic issues to practical issues (formative) • Tutorial-based format using PBL • Coursework providing practical experience through PBL
Teaching practical applications • A challenging problem as university network administrators are “nervous” about teaching forensics applications • Security incidents • More interesting for the lecturer! • Practical teaching required • As laid out in proforma set by PPA • To reinforce theoretical learning • Approached in two ways • Tutorial-based PBL • Coursework PBL
Tutorial-based PBL – example 1 • “What would you take” tutorial – computer forensics in law enforcement • At the “light” end of PBL • Present students with a real-world problem based on the subject matter discussed during the lecture
Tutorial-based PBL – example 2 • “Network diagrams” tutorial – computer forensics beyond law enforcement • Used by organisations, national security, etc. • Technique used in network security to track network connections and hosts • Useful as analytical exercise
Teaching practical forensics • Students not allowed to forensically analyse university computers • Encourage use of forensic Knoppix distros on home machines • Partnership with Guidance Software and their EnCase suite • Limited version disk used to allow students to gain hands on experience with industrial standard software • Runs from CD only • Tutorial cases • Additional relevant white papers
PBL-based Coursework • Combine theoretical/practical student experience • Build on practical labs • Use of tools for file analysis • Understanding of wider tools • Restricted use/built (Knoppix) distros • Gives students opportunity to write own job description for forensic computing within an organisation • (Hopefully) brings course together!
Findings and recommendations • Student comments having undertaken the forensic computing module have provided extremely positive responses • Felt they have learned a real skill (PBL) • The level of engagement in lectures was high • Deeper level of understanding – analytical toolkit • Invest the time in exploring tools that can be used • Guest lectures enhance learning experience • Bridge gap between academic subject and its practical application • Use techniques that demonstrate the idea or concept
Summary • Computer forensics is increasingly used beyond the legal arena • A number of problems have been encountered which have affected my approach • A mix of practical and theoretical learning via problem setting does work • The practical does not necessarily require ‘unpleasant’/ ‘unwanted’ access • For me, it has been a positive experience!