Teaching Computer Forensics Using Student Developed Evidence Files Anna Carlin Cal Poly Pomona

Agenda What is Computer Forensics Trends in Computer Forensics Structure of a Computer Forensics Course Investigative Mindset Criminal Mindset Legal Aspects of Computer Forensics Ethics Highlights Questions & Answers

What is Computer Forensics

Trends in Computer Forensics

Structure of a Computer Forensics Course

Investigative Mindset

Criminal Mindset

Legal Aspects of Computer Forensics

Ethics

Highlights

Questions & Answers

What is Computer Forensics? Application of computer investigation and analysis in the interests of determining potential legal evidence Involves the identification, preservation, extraction, documentation, and interpretation of this digital evidence

Application of computer investigation and analysis in the interests of determining potential legal evidence

Involves the identification, preservation, extraction, documentation, and interpretation of this digital evidence

Trends in Computer Forensics Computer Information System/Information Technology 95% or world’s information is being generated and stored in a digital form Only about one-third of documentary evidence is printed out

Computer Information System/Information Technology

95% or world’s information is being generated and stored in a digital form

Only about one-third of documentary evidence is printed out

Structure Of Course Prerequisites Textbooks Used Group and Individual Projects Lab Environment/Facility

Prerequisites

Textbooks Used

Group and Individual Projects

Lab Environment/Facility

Quarter System Class Prerequisites Cal Poly – Junior/Senior level in a career track Textbooks Guide to Computer Forensics from Course Technology Recommended: Hacking Exposed: Computer Forensics Secrets and Solutions

Prerequisites

Cal Poly – Junior/Senior level in a career track

Textbooks

Guide to Computer Forensics

from Course Technology

Recommended: Hacking Exposed: Computer Forensics Secrets and Solutions

Topics Covered Applicable Laws Processing Crime and Incident Scenes Collecting Evidence Recovering Evidence Computer Forensic Tools Documenting the Investigation Communicating the Results

Applicable Laws

Processing Crime and Incident Scenes

Collecting Evidence

Recovering Evidence

Computer Forensic Tools

Documenting the Investigation

Communicating the Results

Cal Poly’s Computer Forensics Lab Allows hands-on experience Evidence lockers 3 separate hard drives Software available: EnCase Enterprise version 5 FTK Open source products Virtual PC

Allows hands-on experience

Evidence lockers

3 separate hard drives

Software available:

EnCase Enterprise version 5

FTK

Open source products

Virtual PC

Additional Software HexWorkshop Irfanview Paraben PC-Encrypt WinHex BitPim Stegdetect

HexWorkshop

Irfanview

Paraben

PC-Encrypt

WinHex

BitPim

Stegdetect

Group Project The goals are to: Follow a documented forensics investigation process Identify relevant electronic evidence associated with various violations of specific laws Identify probable cause to obtain a search warrant Recognize the limits of search warrants Locate and recover relevant electronic evidence Maintain a chain of custody

The goals are to:

Follow a documented forensics investigation process

Identify relevant electronic evidence associated with various violations of specific laws

Identify probable cause to obtain a search warrant

Recognize the limits of search warrants

Locate and recover relevant electronic evidence

Maintain a chain of custody

Group Project Parts Create the evidence Pick a crime and identify the elements Generate evidence to support that crime Write and execute a search warrant Analyzing the evidence seized Maintain chain of custody Analyze the digital medium for evidence Document the process and findings Presentation of findings

Create the evidence

Pick a crime and identify the elements

Generate evidence to support that crime

Write and execute a search warrant

Analyzing the evidence seized

Maintain chain of custody

Analyze the digital medium for evidence

Document the process and findings

Presentation of findings

Group Projects Created Bioterrorism of 80% of the world’s coconut supply on a fictitious island A Da Vinci Code takeoff where the curator interrupts the robbery of the Mona Lisa and is killed in the process Murder of a faculty member and where they are buried Counterfeit Anaheim Angel playoff tickets

Bioterrorism of 80% of the world’s coconut supply on a fictitious island

A Da Vinci Code takeoff where the curator interrupts the robbery of the Mona Lisa and is killed in the process

Murder of a faculty member and where they are buried

Counterfeit Anaheim Angel playoff tickets

Individual Projects (Labs) Acquiring an image for analysis Recovering deleted data Password and encryption methods Images and steganography Tracing emails Email analysis Cell phones PDA

Acquiring an image for analysis

Recovering deleted data

Password and encryption methods

Images and steganography

Tracing emails

Email analysis

Cell phones

PDA

Investigative Mindset Handling the Crime Scene Ears, Eyes, Hands Computer Evidence Digital Evidence Crime Scene investigation and boundaries Searching and Collecting evidence Do’s and Don’ts

Handling the Crime Scene

Ears, Eyes, Hands

Computer Evidence

Digital Evidence

Crime Scene investigation and boundaries

Searching and Collecting evidence

Do’s and Don’ts

Criminal Mindset Identify Theft Pornography Sexual Harassment Embezzlement Mail - Hate - Gambling across States - Drug Trafficking - Images Understanding anti-forensic techniques to hide evidence

Identify Theft

Pornography

Sexual Harassment

Embezzlement

Mail - Hate - Gambling across States - Drug Trafficking - Images

Understanding anti-forensic techniques to hide evidence

Legal Aspects of Computer Forensics Don’t commit a crime when manufacturing evidence Verify the tools Document everything

Don’t commit a crime when manufacturing evidence

Verify the tools

Document everything

Ethics Do your job Remove any personal agendas you may have about the case/investigation Knowing it and proving it are 2 different things State the facts as you see them It is not your job to be Judge and/or Jury Ethical Hacking

Do your job

Remove any personal agendas you may have about the case/investigation

Knowing it and proving it are 2 different things

State the facts as you see them

It is not your job to be Judge and/or Jury

Ethical Hacking

Highlights Professor in class challenges: Time available after class for lab work Student Technical Experience is varied Evidence created could be hit or miss Student creativity Training/Certifications Computer Usage Policy White Hacker Policy

Professor in class challenges:

Time available after class for lab work

Student Technical Experience is varied

Evidence created could be hit or miss

Student creativity

Training/Certifications

Computer Usage Policy

White Hacker Policy

Questions and Answer