20120911 delija kukina - education of digital forensics experts
1. sigurnost
integrirana
Digital Forensics Education
Damir Delija,
Irena Kukina
Bratislava , 23.9.2012. god.
2. Content 2
Digital forensics education and training
Relevant IT related knowledge and skills
Sources of knowledge and skills for digital
forensics
3. Why education for digital
forensic ? 3
Without training and education there is no
effective use of digital forensics tools and
methodology of digital forensics
The ability to use different tools does not mean
the ability to work reliably, especially from
legal point of view
With HW and SW training there is a need for
additional education and continuous
improvements and keeping up
4. Who needs digital forensics (1) 4
Police, prosecution, judiciary ...
People there have to understand digital forensics
Digital Forensics Education
5. Who needs digital forensic (2) 5
IT business is
looking for all
kind of digital
forensics
knowledge and
practice
6. Who needs digital forensics (3) 6
Academy needs people who can teach existing digital
forensics and who can develop and evaluate new digital
forensics techniques
7. Who needs digital forensics (4) 7
Policy-makers and
decision-makers in all
involved organizations
need to understand
meaning and
importance of digital
forensics and related
strategic issues like
permanent training
and education
8. Digital forensics path 8
Basic educaion and training
• Professionall, technical, legal
Keeping updated
• Keeping up tehnology
• Deeper specialisation
• Keeping up with global trends
• Permannet roles, role rotations and duty rotations
• Career path as part of skills improvement
Profesionall and technical certifications
• Proof of ability and qualifications
Continuous education and knowledge transfer
Part of the job basics and ethics
9. Knowledge Sources 9
Academy – long term things
• educational programs based on the recognized forensic curriculums
• seminars, technology, research, think-thank
• long-term projects and research that can not be carried out elsewhere
Vendors – targeted training / professional training
• HW / SW vendors with product trainings
• Education for certain forensic and other products, skills
• General training and education based on certified training material
10. Knowledge Sources 10
Internal, the "knowledge" of the organization -
continuous internal education
• Analytics, information about events as sources
• flow of information and use the information as a knowledge
Internet
• Digital forensic online resources
Other
• Conferences, trends local and global
11. Education and news 11
Digital Forensics follows the development of computer
technology and science, also it follows the evolution of
computer crime
New things are coming ....
Problem – how to keep up
Solution – continuous education, but how do it ?
Who is trainer and who is trainee, how training is done ?
Who is initiating a training / education ?
Where are knowledge sources ?
How long it will to fulfill training, how to measure success
• Who train trainers,
• Who evaluate results (and on which basis),
• who evaluate achieved knowledge
How expensive is new knowledge and how
expensive it to be “in dark”
12. IT areas of expertise 12
Operating systems
• windows, linux, mac, unix,
Hardware
• intel, mobile devices, sparc, powerpc, scada,
embedded systems
Applications
• sw which users use, even without their knowledge
• in broadest sense, even malware
Networking, network services and
infrastructure
• tcp/ip v4, v6 ...
• industrial networking protocols
13. Operating systems - desktops 13
Windows ~ 75%
Linux ~ 3%
Mac ~ 12%
Windows XP (35.21%)
Windows 7 (31.21%)
Windows Vista (11.27%)
Mac OS X (7.31%)
iOS (3.38%)
Android Linux (1.30%)
GNU/Linux (1.11%)
15. MS Windows 15
• win 3.11
• win nt, win 95, win 98,
• win2000
• win XP, win 2003
• vista
• win 7, windows 2008
• win 8
• windows mobile, windows ce
Each windows version something new, different
and undocumented, a bit of nightmare
• directory structure
• where are OS files, registry, configuration files
• HW platforms change (intel, alpha, powerpc, arm)
• File systems (FATxx, NFTS, exFAT)
• and all other artifacts recycle bin, print spooler, backup, index, mail,
vss, browser ...
•
17. Linux – UNIX derivate 17
Linux distributions – incredible number of
versions, sometimes important differences
OS with various applications
Can be for
• Servers
• Users (desktops etc)
Can be used on
• Mobile devices
• All HW platforms supported
• Embedded devices
• Robots
• And surely I’ve forget something
18. Apple Mac 18
Evolution like windows
• os 1 .... os 10.x
Different HW
• personal machines, servers
• mobile devices –today mostly
OS versions
• FS system differences
• OS differences path from mac to unix ..
• how data is stored in SQL and PLists
19. Mobile devices 19
It’s almost self-contained devices
Basically today - smartphones
• apple ios,
• android,
• windows
and GPS, tablets, old mobiles and many
other things
Various vendors (wars)
Various OS (private and open source)
Various FS, encryption, etc
More exception than rules
Forensic tools not too compatible ... (wars)
21. Mobile devices - Android OS 21
Android biggest one on the market
Version are different, artifacts and tools too
Android versions
Android versions - 2011
22. Network and net services 22
It is a special part of digital forensics –
network forensics
TCP/IP v4, v6
Legacy networking protocols (IBM SNA)
Wireless forensics
Broadband 3G / 4G
Malware analyses
23. Applications and programs 23
Email clients (outlook, webmail)
Email servers (exchange)
Chat, messengers, voip (skype)
web browsers
• Internet Explorer
• Mozilla
• Opera
• Chrome
Forensic artifacts depends on OS, version, configuration
Which tools can access this artifacts in forensically
sound way
24. What is our mission 24
Continuous digital forensics training to meet
our customer needs
Education is customer oriented, based on
tools and tasks
At user premises, in our training center or any
appropriate location
Consulting in various issues related to digital
forensics
25. What is important 25
Continious learning in
• Tools developement
• Evolution of computer related crime
• IT evolution
Feedback from real world what is missing and
what needs improvements
Keep up with tehnology
Keep up with digital forensics methodology
Keep up with legal issues
Certifications
26. Conclusion 26
Knowledge is expensive, but ignorance is even
more expensive (trivia, but true)
There must be system of continuous training
• internal resources are often overlooked and left to
fade away
Digital forensics is more important
• It is part of critical infrastructure defense
Because of limited resources
• Cooperation (very, very hard to achieve)
• As simple as possible internal organization
• Career path benefits
