Forensic Lab Development

From amiable_indian, 1 year ago



Slideshow transcript

Slide 1: Forensic Lab Development
Yin Pan, Bill Stackpole
Rochester Institute of Technology
Secure IT 2006

Slide 2: Agenda
• The challenges of cyber forensics investigation
• Goals of the lab component
• Procedures used to develop basic forensics labs
• Strategies for creating new lab content through multiple courses collaboration
• Outcomes and feedback from students

Slide 3: What is Forensics?
• Investigation of past activities to help reconstruct a version of what happened, or may have happened

Slide 4: What is Computer Forensics?
• Investigation of a computer / digital device to find evidence of activity
• Crimes both digital and non-digital
• Corroborating evidence
• Data recovery

Slide 5: What is computer forensics?
• Computer forensic science is the science of acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer media.
• As a forensic discipline, nothing since DNA technology has had such a large potential effect on specific types of investigations and prosecutions as computer forensic science. (www.fbi.gov)

Slide 6: “The nature of digital forensic investigation is changing.” Communications of the ACM – Feb 2006

Slide 7: Goals of the forensic Investigator
• Confirm or dispel the compromise
• Determine the extent of damage
• Answer: who, what, when, where, how and why
• Gather data in a forensically sound manner
• Handle and analyze evidence
• Present admissible evidence in court

Slide 8: Practice makes perfect
• Must become skilled in the use of computer forensic tools and techniques
• Practice allows them to obtain the skills and knowledge necessary
• Must be familiar enough to address testing of tools
• Our goal is to train individuals specializing in digital forensics for government, private and public sectors.

Slide 9: Challenges
• How to choose the appropriate tools and techniques
• Retaining the admissible information stored in computers and other devices
• Minimizing the risk of losing important information or destroying data
• How to effectively enhance our lab materials with new exposures of threats and technologies as well

Slide 10: The goal of the lab component
• Produce technical professionals capable of performing forensics investigations using appropriate tools and procedures.
• Identify and employ tools used for tracking, gathering, preserving and analyzing evidence.
• Emphasis on applying classroom knowledge to real world applications through hands-on exercises in a controlled environment.
• Learn the procedures used to gather and preserve this evidence to ensure admissibility in court.

Slide 11: What is important?
• Process of investigation
• Techniques and tools
• Ethics, privacy, and legal issues

Slide 12: Specific Content
• Incident Response (CSIRT responsibilities)
• Data collection and preservation
• Analyzing data
• Timeline analysis
• OS-specific
• Data recovery
• String search
• Reporting

Slide 13: Many different elements
• Processor/Hardware (x86, Sun, Mac, etc.)
• OS (Win/Unices/Mac/others)
• Application (task-specific, general)
• Filesystem (NTFS/UFS/ext/hpfs)
• Storage (local, networked, NAS, SAN, RAID)
• Other (PDA / cellphones / cameras / memory sticks & cards / MP3 players / etc.)

Slide 14: Lab Exercise Design
• Closely tracks lecture content
  • Incident response / procedure
  • OS-specific forensics techniques
  • Bit-by-bit imaging of a drive and preserving the integrity of the image
  • Recovering, categorizing and analyzing data
  • Reporting
• Select appropriate tools
  • Linux – Autopsy, Sleuthkit, TCT: well tested and accepted in the legal community as well
  • Windows – EnCase and forensic acquisition tools: wide use in the legal, law enforcement and governmental arenas

Slide 15: Lab topics
• Lab 1: Incident response lab: collect and record data/information/physical evidence in a forensically sound manner
• Lab 2: Capture drive: dd/md5/mount/tct
• Lab 3: Autopsy/sleuthkit/foremost/netcat
• Lab 4: Linux frame buffer image capture and analysis
• Lab 5: EnCase and open source tools: dd/netcat/acquisition
• Lab 6: Analyze an image using EnCase or Linux tools
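The dd/md5 steps of Lab 2 and the image-integrity point of the lab design, as an added example that is not taken from the RIT slides: a POSIX shell capture that images a source bit-for-bit, records the hash at acquisition time, and re-verifies the image before analysis. The source and image paths are assumptions; for a dry run the source can be an ordinary file whose size is a multiple of 512 bytes.

```shell
#!/bin/sh
# Added example (not from the RIT slides): forensically sound drive capture
# with dd, hash recorded at acquisition, hash re-checked before analysis.
# Paths are assumptions; SOURCE is normally a block device such as /dev/sdb.

# hash_of FILE: print only the MD5 of FILE (md5sum prints "hash  name").
hash_of() {
    md5sum "$1" | cut -d' ' -f1
}

# image_drive SOURCE IMAGE: bit-for-bit copy of SOURCE into IMAGE, then
# hash both sides and record the image hash in IMAGE.md5.
# Returns 0 only when the source and image hashes agree, 2 if dd failed.
image_drive() {
    src="$1"; img="$2"
    # noerror,sync: keep reading past bad sectors but pad them with zeros,
    # so every byte of the image sits at the same offset as on the drive.
    # (A source that is not a multiple of 512 bytes gets padded too, which
    # is why a dry-run file should be block-aligned.)
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 2
    src_hash=$(hash_of "$src")
    img_hash=$(hash_of "$img")
    printf '%s  %s\n' "$img_hash" "$img" > "$img.md5"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE: recompute the hash and compare it with IMAGE.md5.
# Returns 0 if the image is unchanged since acquisition, 1 if it differs.
verify_image() {
    img="$1"
    recorded=$(cut -d' ' -f1 "$img.md5")
    [ "$(hash_of "$img")" = "$recorded" ]
}

# Analysis then mounts the verified image read-only (needs root; Linux
# loop device) so the evidence itself is never written to:
#   mount -o ro,loop,noexec /path/to/drive.img /mnt/evidence
```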

Slide 16: Physical Lab Design
• Dedicated machines
• Lots of I/O, removable drives, etc.
• EnCase Forensic Edition v5
• Open source products (TCT / sleuthkit / autopsy / etc.)
• VMware
• Helix / BackTrack / etc.
• Imaging system
• Air-gap capability

Slide 17: How did labs work?
• Labs are effective at conveying and applying concepts discussed and discovered in lecture.
• General student feedback
  • Enjoyed hands-on learning
  • Thought it was fun and cool
  • Liked that content was split into Linux/Windows in different weeks; found it easier to focus on one OS at a time
  • Appreciated the dedicated forensics machines
  • Framebuffer lab made them think “outside the box” (alternatives to 'traditional' investigation techniques)

Slide 18: Things can be improved
• More real case studies
• Lack of time was an issue (insufficient time for great depth of study)
• Other non-Linux forensics exercises (BSD/Solaris/?)
• Labs need further tweaking

Slide 19: Create self-evolving labs through multiple courses collaborations
• Why? To meet the challenges described before and students’ needs as well
• Is this feasible? We believe so!
• Courses involved:
  • System Security
  • Network Security and Network Forensics
  • Advanced Computer System Forensics (Graduate)
  • Computer System Forensics
  • Viruses and Malicious Software
  • Wired and Wireless Security
  • Auditing???

Slide 20: A potential model
• System security students build secure systems
• Malware students might build tools to attack the secure systems
• Forensics students work with Network and System security students to handle the incident
• Advanced Forensic students develop tools to address unmet needs raised by forensics students

Slide 21: Our strategy to create new lab materials
• Collect images of different operating systems with different levels of patches
• Collect appropriate Honeynet projects
• Collect students’ work from involved courses by hosting a legal event of the InfoSec Talent Search (ISTS) or "weekend hackfest" in a relatively controlled environment
• Try the “student-generated images” outlined yesterday by Anna Carlin from CalPoly?

Slide 22: Foreseeable Benefits
• Allow students from multiple courses to interact and share content and experience.
• Allow the labs to be self-evolving and require minimal faculty maintenance to remain current.
• Help students gain exposure to the newest real world threats and get practice on finding or developing suitable tools and conducting investigations with appropriate procedures.
• Keep students up front in the technology and help prepare them to meet challenges in the computer security field.

Slide 23: Future direction
• Remote lab systems
• Collaboration with local LEA
• Training of other faculty

Slide 24: What did we miss?
• Suggestions?
• Questions?