Forensic Lab Development Rochester Institute of Technology Yin Pan Bill Stackpole

Agenda The challenges of cyber forensics investigation Goals of the lab component Procedures used to develop basic forensics labs Strategies for creating new lab content through multiple courses collaboration Outcomes and feedback from students

The challenges of cyber forensics investigation

Goals of the lab component

Procedures used to develop basic forensics labs

Strategies for creating new lab content through multiple courses collaboration

Outcomes and feedback from students

What is Forensics? Investigation of a past activities to help reconstruct a version of what happened may have happened

Investigation of a past activities to help reconstruct a version of what happened may have happened

What is Computer Forensics? Investigation of computer / digital device to find evidence of activity Crimes both digital & non-digital Corroborating evidence Data recovery

Investigation of computer / digital device to find evidence of activity

Crimes both digital & non-digital

Corroborating evidence

Data recovery

What is computer forensics? Computer forensic science is the science of acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer media. As a forensic discipline, nothing since DNA technology has had such a large potential effect on specific types of investigations and prosecutions as computer forensic science. (www.fbi.gov)

Computer forensic science is the science of acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer media.

As a forensic discipline, nothing since DNA technology has had such a large potential effect on specific types of investigations and prosecutions as computer forensic science.

(www.fbi.gov)

“ The nature of digital forensic investigation is changing.” Communications of the ACM – Feb 2006

“ The nature of digital forensic investigation is changing.”

Communications of the ACM – Feb 2006

Goals of the forensic Investigator Confirms or dispels the compromise Determine extent of damage Answer: Who, What, when, where, how and why Gathering data in a forensically sound manner Handle and analyze evidence Present admissible evidence in court

Confirms or dispels the compromise

Determine extent of damage

Answer: Who, What, when, where, how and why

Gathering data in a forensically sound manner

Handle and analyze evidence

Present admissible evidence in court

Practice makes perfect Must become skilled in the use of computer forensic tools and techniques Practice allows them to obtain the skills and knowledge necessary Must be familiar enough to address testing of tools Our goal is to train the individuals specializing in digital forensics for government, private and public sectors.

Must become skilled in the use of computer forensic tools and techniques

Practice allows them to obtain the skills and knowledge necessary

Must be familiar enough to address testing of tools

Our goal is to train the individuals specializing in digital forensics for government, private and public sectors.

Challenges How to choose the appropriate tools and techniques Retaining the admissible information stored in computers and other devices Minimizing the risk of losing important information or destroying data. How to effectively enhance our lab materials with new exposures of threats and technologies as well.

How to choose the appropriate tools and techniques

Retaining the admissible information stored in computers and other devices

Minimizing the risk of losing important information or destroying data.

How to effectively enhance our lab materials with new exposures of threats and technologies as well.

The goal of the lab component Produce technical professionals capable of performing forensics investigations using appropriate tools and procedures. Identify and employ tools used for tracking, gathering, preserving and analyzing evidence. Emphasis on applying classroom knowledge to real world applications through hands-on exercises in a controlled environment. Learn the procedures used to gather and preserve this evidence to ensure admissibility in court.

Produce technical professionals capable of performing forensics investigations using appropriate tools and procedures.

Identify and employ tools used for tracking, gathering, preserving and analyzing evidence.

Emphasis on applying classroom knowledge to real world applications through hands-on exercises in a controlled environment.

Learn the procedures used to gather and preserve this evidence to ensure admissibility in court.

What is important? Process of investigation Techniques and tools Ethics, privacy, and legal issues

Process of investigation

Techniques and tools

Ethics, privacy, and legal issues

Specific Content Incident Response (CSIRT responsibilities) Data Collection and preservation Analyzing data Timeline analysis OS-specific Data recovery String search Reporting

Incident Response (CSIRT responsibilities)

Data Collection and preservation

Analyzing data

Timeline analysis

OS-specific

Data recovery

String search

Reporting

Many different elements Processor/Hardware (x86, Sun, Mac, etc) OS (Win/Unices/Mac/others) Application (task-specific, general) Filesystem (NTFS/UFS/ext/hpfs) Storage (local, networked, NAS, SAN, raid) Other (PDA / cellphones / cameras / memory sticks & cards / MP3 players / etc)

Processor/Hardware (x86, Sun, Mac, etc)

OS (Win/Unices/Mac/others)

Application (task-specific, general)

Filesystem (NTFS/UFS/ext/hpfs)

Storage (local, networked, NAS, SAN, raid)

Other (PDA / cellphones / cameras / memory sticks & cards / MP3 players / etc)

Lab Exercise Design Closely tracks lecture content Incident Response / procedure OS-specific forensics techniques Bit-by-bit imaging a drive and persevering the integrity of the image Recovering, categorizing and analyzing data Reporting Select appropriate tools Linux – Autopsy, Sleuthkit, TCT Well tested and are accepted in the legal community as well Windows – EnCase and Forensics Acquisition tools Wide use in the legal, law enforcement and governmental arenas.

Closely tracks lecture content

Incident Response / procedure

OS-specific forensics techniques

Bit-by-bit imaging a drive and persevering the integrity of the image

Recovering, categorizing and analyzing data

Reporting

Select appropriate tools

Linux – Autopsy, Sleuthkit, TCT

Well tested and are accepted in the legal community as well

Windows – EnCase and Forensics Acquisition tools

Wide use in the legal, law enforcement and governmental arenas.

Lab topics Lab 1: Incident response lab - collect and record data/information/physical evidence in forensically sound manner Lab 2: Capture drive - dd/md5/mount/tct Lab 3: Autopsy/sleuthkit/foremost/netcat Lab 4: Linux frame buffer image capture and analyze Lab 5: Encase and open sources tools /dd/netcat/acquisition Lab 6: Analyze an image using Encase or Linux tools

Lab 1: Incident response lab - collect and record data/information/physical evidence in forensically sound manner

Lab 2: Capture drive - dd/md5/mount/tct

Lab 3: Autopsy/sleuthkit/foremost/netcat

Lab 4: Linux frame buffer image capture and analyze

Lab 5: Encase and open sources tools /dd/netcat/acquisition

Lab 6: Analyze an image using Encase or Linux tools

Physical Lab Design Dedicated machines Lots of I/O, removable drives, etc. Encase Forensic Edition v5 Open source products (TCT / sleuthkit / autopsy / etc) VMWare Helix / BackTrack / etc Imaging system Air-gap capability

Dedicated machines

Lots of I/O, removable drives, etc.

Encase Forensic Edition v5

Open source products (TCT / sleuthkit / autopsy / etc)

VMWare

Helix / BackTrack / etc

Imaging system

Air-gap capability

How did labs work? Labs are effective at conveying and applying concepts discussed and discovered in lecture. General Student Feedback Enjoyed hands-on learning Thought it was fun and cool. Liked that content was split into Linux/Windows in different weeks – found it easier to focus on one OS @ a time Appreciated the dedicated forensics machines Framebuffer lab made them think “outside the box” (alternatives to 'traditional' investigation techniques)

Labs are effective at conveying and applying concepts discussed and discovered in lecture.

General Student Feedback

Enjoyed hands-on learning

Thought it was fun and cool.

Liked that content was split into Linux/Windows in different weeks – found it easier to focus on one OS @ a time

Appreciated the dedicated forensics machines

Framebuffer lab made them think “outside the box” (alternatives to 'traditional' investigation techniques)

Things can be improved More real case studies Lack of time was an issue (insufficient time for great depth of study.) Other non-linux forensics exercises (BSD/Solaris/?) Labs need further tweaking

More real case studies

Lack of time was an issue (insufficient time for great depth of study.)

Other non-linux forensics exercises (BSD/Solaris/?)

Labs need further tweaking

Create self-evolving labs through multiple courses collaborations Why? To meet the challenges described before and students’ needs as well Is this feasible? We believe so! Courses involved: System Security Network Security and Network Forensics Advanced Computer System Forensics (Graduate) Computer System Forensics Viruses and Malicious Software Wired and Wireless Security Auditing???

Why?

To meet the challenges described before and students’ needs as well

Is this feasible?

We believe so!

Courses involved:

System Security

Network Security and Network Forensics

Advanced Computer System Forensics (Graduate)

Computer System Forensics

Viruses and Malicious Software

Wired and Wireless Security

Auditing???

A potential model System security students build secure systems Malware students might build tools to attack the secure systems Forensics students work with Network and System security students to handle the incident Advanced Forensic students develop tools to address unmet needs raised by forensics students

System security students build secure systems

Malware students might build tools to attack the secure systems

Forensics students work with Network and System security students to handle the incident

Advanced Forensic students develop tools to address unmet needs raised by forensics students

Our strategy to create new lab materials Collect images of different operating systems with different levels of patches Collect appropriate Honeynet projects Collect students’ work from involved courses By hosting a legal event of the InfoSec Talent Search (ISTS) or "weekend hackfest" in a relatively controlled environment. Try the “student-generated images” outlined yesterday by Anna Carlin from CalPoly?

Collect images of different operating systems with different levels of patches

Collect appropriate Honeynet projects

Collect students’ work

from involved courses

By hosting a legal event of the InfoSec Talent Search (ISTS) or "weekend hackfest" in a relatively controlled environment.

Try the “student-generated images” outlined yesterday by Anna Carlin from CalPoly?

Foreseeable Benefits Allow students from multiple courses to interact and share content and experience. Allow the labs to be self-evolving and require minimal faculty maintenance to remain current. Help students gain exposure to newest real world threats and get practice on finding or developing suitable tools and conducting investigation with appropriate procedures. Keep students up front in the technology and help prepare them to meet challenges in the computer security field.

Allow students from multiple courses to interact and share content and experience.

Allow the labs to be self-evolving and require minimal faculty maintenance to remain current.

Help students gain exposure to newest real world threats and get practice on finding or developing suitable tools and conducting investigation with appropriate procedures.

Keep students up front in the technology and help prepare them to meet challenges in the computer security field.

Future direction Remote lab systems Collaboration with local LEA Training of other faculty

Remote lab systems

Collaboration with local LEA

Training of other faculty

What did we miss? Suggestions? Questions?

Suggestions?

Questions?