Forensic Lab Development
Published in: Technology, Education
  • Great. The explanation is so clear.
    Roy Jan
  • Hey there, could you please mail this across to me? It will really assist me in my function. Thank you very much.
  • Transcript

    • 1. Forensic Lab Development. Rochester Institute of Technology. Yin Pan, Bill Stackpole
    • 2. Agenda
      • The challenges of cyber forensics investigation
      • Goals of the lab component
      • Procedures used to develop basic forensics labs
      • Strategies for creating new lab content through multiple courses collaboration
      • Outcomes and feedback from students
    • 3. What is Forensics?
      • Investigation of past activities to help reconstruct a version of what happened or may have happened
    • 4. What is Computer Forensics?
      • Investigation of computer / digital device to find evidence of activity
        • Crimes both digital & non-digital
        • Corroborating evidence
        • Data recovery
    • 5. What is computer forensics?
      • Computer forensic science is the science of acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer media.
        • As a forensic discipline, nothing since DNA technology has had such a large potential effect on specific types of investigations and prosecutions as computer forensic science.
    • 6.
      • “ The nature of digital forensic investigation is changing.”
        • Communications of the ACM – Feb 2006
    • 7. Goals of the Forensic Investigator
      • Confirm or dispel the compromise
      • Determine the extent of damage
      • Answer: who, what, when, where, how and why
      • Gather data in a forensically sound manner
      • Handle and analyze evidence
      • Present admissible evidence in court
    • 8. Practice makes perfect
      • Must become skilled in the use of computer forensic tools and techniques
      • Practice lets students obtain the necessary skills and knowledge
      • Must be familiar enough to address testing of tools
      • Our goal is to train the individuals specializing in digital forensics for government, private and public sectors.
    • 9. Challenges
      • How to choose the appropriate tools and techniques
        • Retaining the admissible information stored in computers and other devices
        • Minimizing the risk of losing important information or destroying data.
      • How to effectively keep our lab materials current with newly exposed threats and technologies
    • 10. The goal of the lab component
      • Produce technical professionals capable of performing forensics investigations using appropriate tools and procedures.
        • Identify and employ tools used for tracking, gathering, preserving and analyzing evidence.
        • Emphasis on applying classroom knowledge to real world applications through hands-on exercises in a controlled environment.
        • Learn the procedures used to gather and preserve this evidence to ensure admissibility in court.
    • 11. What is important?
      • Process of investigation
      • Techniques and tools
      • Ethics, privacy, and legal issues
    • 12. Specific Content
      • Incident Response (CSIRT responsibilities)
      • Data Collection and preservation
      • Analyzing data
        • Timeline analysis
        • OS-specific
        • Data recovery
        • String search
      • Reporting
    • 13. Many different elements
      • Processor/Hardware (x86, Sun, Mac, etc)
      • OS (Win/Unices/Mac/others)
      • Application (task-specific, general)
      • Filesystem (NTFS/UFS/ext/hpfs)
      • Storage (local, networked, NAS, SAN, raid)
      • Other (PDA / cellphones / cameras / memory sticks & cards / MP3 players / etc)
    • 14. Lab Exercise Design
      • Closely tracks lecture content
        • Incident Response / procedure
        • OS-specific forensics techniques
          • Bit-by-bit imaging of a drive and preserving the integrity of the image
          • Recovering, categorizing and analyzing data
          • Reporting
      • Select appropriate tools
        • Linux – Autopsy, Sleuthkit, TCT
          • Well tested and accepted in the legal community
        • Windows – EnCase and forensic acquisition tools
          • Widely used in the legal, law enforcement and governmental arenas
    • 15. Lab topics
      • Lab 1: Incident response lab - collect and record data/information/physical evidence in a forensically sound manner
      • Lab 2: Capture drive - dd/md5/mount/tct
      • Lab 3: Autopsy/sleuthkit/foremost/netcat
      • Lab 4: Linux framebuffer image capture and analysis
      • Lab 5: EnCase and open source tools: dd/netcat/acquisition
      • Lab 6: Analyze an image using EnCase or Linux tools
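The "capture drive" step of Lab 2 (dd/md5) and the integrity preservation called out under OS-specific techniques on slide 14, as an added example that is not part of the original slides: a bit-by-bit copy, hashes of source and image, a written acquisition record, and a later re-verification. It assumes a Linux/POSIX shell with dd, md5sum, grep, sed and date; the function names and the log format are this example's own.

```shell
#!/bin/sh
# Added example (not from the slides): the Lab 2 "capture drive" step,
# dd + md5 with a written record, so integrity of the image can be checked later.
# Assumes a Linux/POSIX shell with dd, md5sum, cut, grep, sed and date.

# acquire_image SRC IMG LOG
# Bit-by-bit copy of SRC to IMG, hash both, append the result to LOG.
# Returns 0 only if the image hash matches the source hash.
acquire_image() {
    src=$1; img=$2; log=$3
    # Baseline hash of the source before anything is copied.
    src_md5=$(md5sum "$src" | cut -d' ' -f1)
    # noerror keeps going past unreadable blocks; sync pads them with zeros.
    # Caveat: sync also pads the final partial block, so bs must divide the
    # source size (512 is safe for whole disks) or the hashes will not match.
    # dd's own record counts go into the log as part of the acquisition record.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log"
    img_md5=$(md5sum "$img" | cut -d' ' -f1)
    {
        echo "date=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source=$src md5=$src_md5"
        echo "image=$img md5=$img_md5"
    } >>"$log"
    [ "$src_md5" = "$img_md5" ]
}

# verify_image IMG LOG
# Re-hash IMG and compare with the md5 recorded in LOG; fails if the image
# was altered after acquisition or was never recorded.
verify_image() {
    img=$1; log=$2
    recorded=$(grep "^image=$img " "$log" | tail -n 1 | sed 's/.*md5=//')
    current=$(md5sum "$img" | cut -d' ' -f1)
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}

# Analysis is done on the image, never on the original; mount it read-only, e.g.
#   mount -o ro,loop,noexec evidence.dd /mnt/evidence
# (needs root, so it is not wrapped in a function here).
```

In a real acquisition the log is kept off the evidence medium and hashed or signed itself, since the record is only as trustworthy as its storage.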
    • 16. Physical Lab Design
      • Dedicated machines
        • Lots of I/O, removable drives, etc.
        • EnCase Forensic Edition v5
        • Open source products (TCT / sleuthkit / autopsy / etc)
        • VMware
        • Helix / BackTrack / etc
      • Imaging system
      • Air-gap capability
    • 17. How did labs work?
      • Labs are effective at conveying and applying concepts discussed and discovered in lecture.
      • General Student Feedback
        • Enjoyed hands-on learning
        • Thought it was fun and cool.
        • Liked that content was split into Linux/Windows in different weeks – found it easier to focus on one OS at a time
        • Appreciated the dedicated forensics machines
        • Framebuffer lab made them think “outside the box” (alternatives to 'traditional' investigation techniques)
    • 18. Things can be improved
      • More real case studies
      • Lack of time was an issue (insufficient time for great depth of study.)
      • Other non-Linux forensics exercises (BSD/Solaris/?)
      • Labs need further tweaking
    • 19. Create self-evolving labs through multi-course collaboration
      • Why?
        • To meet the challenges described earlier, as well as students’ needs
      • Is this feasible?
        • We believe so!
        • Courses involved:
          • System Security
          • Network Security and Network Forensics
          • Advanced Computer System Forensics (Graduate)
          • Computer System Forensics
          • Viruses and Malicious Software
          • Wired and Wireless Security
          • Auditing???
    • 20. A potential model
      • System security students build secure systems
      • Malware students might build tools to attack the secure systems
      • Forensics students work with Network and System security students to handle the incident
      • Advanced Forensic students develop tools to address unmet needs raised by forensics students
    • 21. Our strategy to create new lab materials
      • Collect images of different operating systems with different levels of patches
      • Collect appropriate Honeynet projects
      • Collect students’ work
        • from involved courses
        • By hosting a sanctioned event such as the InfoSec Talent Search (ISTS) or a "weekend hackfest" in a relatively controlled environment
      • Try the “student-generated images” outlined yesterday by Anna Carlin from CalPoly?
    • 22. Foreseeable Benefits
      • Allow students from multiple courses to interact and share content and experience.
      • Allow the labs to be self-evolving and require minimal faculty maintenance to remain current.
      • Help students gain exposure to the newest real world threats and practice finding or developing suitable tools and conducting investigations with appropriate procedures.
      • Keep students at the forefront of the technology and help prepare them to meet challenges in the computer security field.
    • 23. Future direction
      • Remote lab systems
      • Collaboration with local LEA
      • Training of other faculty
    • 24. What did we miss?
      • Suggestions?
      • Questions?