The document discusses how social media and social software can enhance digitally-mediated adult education. It notes that social software allows for cooperative and collaborative learning across distances by supporting interactive methods and multimedia. Social software empowers designers to better accommodate adult learning principles like self-directed learning, collaboration, and problem-based learning. Features of social media like social networking sites provide tools that can facilitate rich interaction, collaboration, and multiple learning opportunities among online students. When incorporated effectively into instructional design, social software aligns well with principles of adult education by supporting learner autonomy, relationships, informal/lifelong learning, and experience-based learning.
By Marvin LeNoue, Tom Hall, Myron A. Eighmy
Marvin LeNoue is an ABD doctoral candidate in Occupational and Adult Education at North Dakota State University, Fargo, ND. He is currently serving as an instructor at the University of Oregon American English Institute, Eugene, OR. His research interests include technology-enhanced education delivery and the use of educational social software. (Email: [email protected])
Tom Hall has an Ed. D. in Adult and Higher Education from the University of South Dakota. He is currently serving as an Assistant Professor in the Educational Leadership Program at North Dakota State University, Fargo, ND. His research interests include adult education in the 21st Century, the impact of different generational cohorts in today's workplace, and community education in rural America. (Email: thomas.e. [email protected] edu)
Myron A. Eighmy is a professor and program coordinator for the Education Doctoral Program at North Dakota State University. Research interests include alternative delivery modes, learning communities, and graduate student self-efficacy. (Email: [email protected])
Adult Education and the Social Media Revolution
The advent of Web 2.0 and the spread of social software tools have created new and exciting opportunities for designers of digitally-mediated education programs for adults. Whether working in fully online, blended, or face-to-face learning contexts, instructors may now access technologies that allow students and faculty to engage in cooperative and collaborative learning despite being separated in space and time. By supporting the use of interactive methods and multi-media materials, social software offers educators more ways to engage learners than any preceding educational technology. Social software also empowers curriculum designers to more effectively accommodate many of the core principles of adult learning than was possible with earlier e-learning technologies. This article offers a basic introduction to some new possibilities in the design and delivery of digitally-mediated education, and an overview of the compatibility between the capabilities of social software and the principles of adult education.
Digitally Mediated Learning
Self-directed learning is largely unconstrained in terms of time and location and has traditionally been a primary affordance of distance education (Holmberg, 1995). From its inception, distance education has been marketed as a solution for adults whose occupational, social, and/or family commitments limit their ability to pursue educational goals (Holmberg). In the decades since the 1970s, demand for distance programs has increased as the globalization of national economies creates a competitive atmosphere that drives people to become life-long learners in order to be successful in the workplace (Merriam, Caffarella, & Baumgartner, 2007).
For many people, the term distance education now conjures up images of computers, the Internet, and online learning. In fact, with advances in mobile technology, the delineation between computers and various other electronic devices (e.g. mobile phones, music players, personal digital assistants, digital tablets) is blurring, and what was once termed e-learning or computer-mediated learning has become more commonly referred to as digitally mediated learning (DML). This term implies that a medium for learning is provided by digital technology of some sort, and that interaction between participants and between participants and learning materials is not direct but rather carried out through the technology (Grudin, 2000). The use of networked devices, local networks, and the Internet is a key facet of DML, and online networked technologies are the delivery systems of choice for distance education offerings (Allen & Seaman, 2006).
The accessibility and convenience of online DML is positioning the online environment as the primary context for adult/post-secondary education and training in general (Allen & Seaman, 2007; Kim & Bonk, 2006; McLoughlin & Lee, 2007). A Sloan Foundation study of more than 2,500 colleges and universities found online enrollments growing substantially faster than overall higher education enrollment, and the 17% growth rate in online enrollments far exceeds the 1.2% growth rate in the overall higher education population (Allen & Seaman, 2010). Allen and Seaman classified an online course as one in which more than 80% of content is delivered online and reported that over 4.6 million students were taking such courses during the fall 2008 term.
There has also been a trend toward the use of blended learning or approaches that combine online and face-to-face delivery modes. As part of efforts to enrich students' learning experience, maximize efficiencies in time and facilities use, and enhance program marketability, many institutions are increasing their offerings of blended courses (Mossavar-Rahmani & Larson-Daugherty, 2007). This method is becoming increasingly common in K-12, higher education, corporate, healthcare, and governmental training settings (Allen, Seaman, & Garrett, 2007; Bonk, Kim, & Zeng, 2005; Watson, 2008). The overall result is a blurring of the boundaries between traditional classifications of instructional approaches. Palloff and Pratt (2007) comment on the changes that digitally-mediated delivery has wrought on our definition of distance learning:
Today we know that distance learning takes several forms, including fully online courses, hybrid or blended courses that contain some face-to-face contact time in combination with online delivery, and technology-enhanced courses, which meet predominantly face-to-face but incorporate elements of technology into the course. (p. 3)
A future is visible in which schooling is dominated by delivery models that feature multiple instructional modes fluidly combined within the affordances of technology-enhanced delivery and interaction (Bonk, 2009; Kim & Bonk, 2006). The scalability of these delivery models allows for the design of courses that can accommodate larger numbers of participants than has ever been possible in the past (Siemens & Downes, 2008). As experience with the operation of mega-universities demonstrates, these models combine human, technological, and organizational aspects in a powerful way (Daniel, 2003). Technology-enhanced delivery revolutionizes education by offering greatly expanded access to quality educational resources delivered at a much lower per-student cost (Daniel, 2003; Jung, 2005).
The Social Media Revolution
Designers of online education have tended toward an emphasis on constructivist models of education, with a focus on skills considered to be essential in a knowledge-based economy, including knowledge construction, problem-solving, collaborative learning, critical thinking, and autonomous learning (Bates, 2008; Sanchez, 2003). There is a need for delivery systems that can maximize learner independence and freedom by supporting open-enrollment and self-paced learning while providing the capabilities for communication and collaboration demanded by constructivist pedagogies (Anderson, 2005).
Learning management systems (LMS) that integrate geographically dispersed learners in asynchronous educational interactions have been widely available for several years. However, they tend to be institution- and content-centric, lacking in support for the affordances that lead to the establishment of flattened communication networks and collaborative information flows (Dalsgaard, 2006; Siemens, 2004). An LMS is well suited for managing student enrollment, exams, assignments, course descriptions, lesson plans, messages, syllabi, and basic course materials. However, these systems are developed for the management and delivery of learning, not for supporting the self-governed and problem-based activities of students. Therefore, an LMS does not easily support a social constructivist approach to digitally-mediated learning. It is necessary to move beyond learning management systems to engage students in active use of the web itself as a resource in self-governed, problem-based and collaborative activities (Dalsgaard, 2006).
Web 2.0 technology can facilitate this move. This technology consists of Internet applications (small software tools that can deliver active and interactive content to a browser window) that support interaction between mobile devices and the Internet, and allow interactivity between the user, the web, and the tool itself (O'Reilly, 2005). These applications have provided Internet users with the ability to easily create, contribute, communicate, and collaborate in the online environment without need for specialized programming knowledge. Applications of this type have become known as social media or social software. Comprised of a suite of tools that can support learner choice and self-direction (McLoughlin & Lee, 2007), social software can be used to create open-ended learning environments that provide multiple possibilities for activities, and surround the student with different tools and resources which support the problem-solving process (Dalsgaard, 2006; Land & Hannafin, 1996).
Anderson (2008) referred to social software technology as a new genre of distance education software emerging from the intersection between earlier technologies that generally support delivery and engagement with content, and new interactive technologies that support multimodal digitally-mediated human communication. Social software can "create opportunities for radically new conceptions of independence and collaboration in distance education" (Anderson, 2008, p. 169).
Social software takes many forms, encompassing but not limited to (a) groupware, (b) internet forums, (c) online communities, (d) RSS feeds, (e) wikis, (f) tag-based folksonomies, (g) podcasts, (h) e-mail, (i) weblogs, (j) virtual worlds, (k) social network sites, (l) instant messaging, texting, and microblogging; (m) peer-to-peer media-sharing technologies, and (n) networked gaming (boyd, 2008; Greenhow, Robelia, & Hughes, 2009; McLoughlin & Lee, 2007). Well-known applications include Google Groups, Wikipedia, MySpace, Facebook, YouTube, Second Life, Flickr, and Twitter. The use of social software centers on contacts between people (Shirky, 2003). Social software supports fluid interaction among people, and between people and data, that may lead to the creation of user-generated online content (boyd, 2007).
Among social media, social network sites (SNS) are particularly useful in digitally-mediated education delivery. SNS are defined by boyd & Ellison (2007) as web-based services that allow individuals to (a) construct a public or semi-public profile within a bounded system, (b) articulate a list (network) of other users with whom they share a connection, and (c) view and traverse their list of connections and those made by others within the system. Although SNS users may be able to meet strangers online and make connections that would not have been made otherwise, this networking function is not the primary feature of these sites. The unique aspect of an SNS is that it allows users to articulate and make visible their social networks (boyd & Ellison, 2007). In educational contexts, articulation and visibility may recede in importance, giving way to other common SNS features including (a) a suite of associated social media tools that support interaction, communication, and collaboration, (b) provisions for the storage and display of audio and video media, and (c) hosting for customizable personal profile pages that support the establishment and maintenance of individual presence in the online learning environment. A well-designed SNS offers course participants multi-modal and multi-media communication and content delivery capabilities that facilitate and stimulate broad and dense interaction patterns, collaborative information discovery and processing, and multiple-style learning opportunities.
Andragogy and the Internet Age
An array of technological media can be an ideal educational tool when correctly deployed within effective instructional designs. However, instructors working in technology-enhanced learning environments must understand that it does not replace good teaching (Stammen & Schmidt, 2001). To maximize learning, instructors must be able to accommodate the needs of a student population that is becoming more and more diverse due to factors including increased access to learning, lifelong learning pursuits, recertification needs, immigration, longer life spans, and better course marketing (Bonk, 2009). Instructors also need to be equipped to meet the demands of teaching in an age when "the Internet is, inexorably, becoming the dominant infrastructure for knowledge - both as a container and as a global platform for knowledge exchange between people" (Tapscott & Williams, 2010, para. 6).
Trainers and educators today will encounter cohorts of learners who have come of age in the presence of the Internet. They make up what Tapscott (1999) termed as the net generation, and are "forcing a change in the model of pedagogy, from a teacher-focused approach based on instruction to a student-focused model based on collaboration" (Tapscott, 2009, p. 11). Students today want to participate in the learning process; they look for greater autonomy, connectivity and socio-experiential learning, have a need to control their environments, and are used to instant connectivity and easy access to the staggering amount of content and knowledge available at their fingertips (Johnson, Levine, & Smith, 2009; McLoughlin & Lee, 2007; Oblinger, 2008; Tapscott, 2009).
A world increasingly characterized by high digital connectivity and a need for life-long, demand-driven learning calls for the development of andragogies (Knowles, 1980) specialized to DML environments. In a context of limitless access to information, instructors must take on the role of guides, context providers, and quality controllers while simultaneously helping students make their own contributions to content and evaluations of the learning experience (Prensky, 2009). Palloff and Pratt (2007) note that "In effective online learning, the instructor acts as a facilitator, encouraging students to take charge of their own learning process" (p. 125). Quality online instruction will include learners as active participants or co-producers rather than passive consumers of instructional content, and frame learning as a participatory, social process intended to support personal life goals and needs (McLoughlin & Lee, 2007; Tapscott & Williams, 2010).
Social Software and Adult Education
The ideals of quality online education as noted above can be seen to mesh well with the basic principles of effective adult education. Drawing on the work of Knowles (1980), Knowles, Holton, and Swanson (2005), Tough (1979), Mezirow (1991), and MacKeracher (2004), some of the primary principles of adult education can be summarized:
• Adults develop readiness to learn as they experience needs and interests within their life situations.
• Adult learners in general are autonomous individuals capable of identifying their personal learning needs and planning, carrying out, and assessing learning activities.
• Adults have a need to be self-directing in their learning processes.
• In adult education, the teacher should be positioned as a facilitator engaged in a process of mutual inquiry rather than as a transmitter of knowledge.
• Relationships and collaborations with others make important contributions to the adult learning process.
• Adults learn throughout their lifetime and engage in many informal learning projects outside of educational institutions and programs.
• Individual differences among people increase with age; therefore, adult education must make optimal provision for differences in style, time, and pace of learning.
• Adults bring life experience and prior learning to bear on current learning projects.
"As individuals mature, their need and capacity to be self-directing, to use their experience in learning, to identify their own readiness to learn, and to organize their learning around life problems increases steadily" (Knowles et al., 2005, p. 62). Adults learn most effectively when new knowledge, understandings, skills, values, and attitudes are presented in the context of application to real-life situations (Knowles et al.). Thus, the problem-based, constructivist, collaborative approaches to learning that have become prevalent in online education delivery are suitable to adult learning styles (Knowles et al.; Merriam et al., 2007; Palloff & Pratt, 2003; Tate, 2004). Adults generally adapt well to active roles as co-creators of the instructional process; they learn best when they (a) have a role in selecting content and developing the learning experience, and (b) are able to build immediate relevance between learning activities and the necessities of their daily lives (Knowles, 1980; Tate, 2004).
Open-ended learning environments built on the affordances of the Web itself allow for self-direction and individualized adaptation/creation of content and instruction, while social software use is often centered on collaboration. For example, social bookmarking and tagging tools like Delicious allow learners to develop and share personalized resource sets, while tools such as Google Docs, Wikispaces, and VoiceThread are expressly designed to support collaborative work by allowing multiple users to work together either synchronously or asynchronously in the creation of text documents, slideshows, spreadsheets, and audio/video productions.
For adults, learning is an interactive phenomenon, not an isolated internal process (Jarvis, 2006). Adult learners generally value learning as a way to meet a need for associations and friendships. They need regular feedback from peers and instructors, and readily involve others in their learning projects (Billington, 1996; Lieb, 1991; Merriam et al., 2007; Zemke & Zemke, 1984). Connection, interaction, and dialogue can be considered crucial elements of the adult learning context. These are also primary aspects of community membership, implying that adult learners are predisposed to favor work and study as members of a community. It is now clear that learners build and maintain communities of learning in online environments by engaging in many of the processes and behaviors associated with offline communities (Haythornthwaite, Kazmer, Robins, & Shoemaker, 2004; Kazmer, 2000). These processes and behaviors include (a) sharing common meeting places and histories (e.g. course discussion boards or chat rooms), (b) supporting common goals and commitment to the purposes of the community, (c) establishing identity and membership markers and rituals, (d) taking positions in hierarchies of expertise, and (e) socially constructing rules and behaviors (Haythornthwaite et al., 2004).
Ongoing interaction is the foundational theme underlying all of these community-building behaviors. The media chosen by instructors as the main means of contact for the class will play the dominant role in establishing and shaping the interactions among all class members (Haythornthwaite & Bregman, 2004). Successful course designs for adult online learning will deploy tools and activities that facilitate and encourage interaction (Billington, 1996; Hill, 2001). To this end, a class social network site built on a platform such as Ning, ELGG, or Social Media Classroom, can provide a virtual community space where participants can meet and take part in various formal and informal interactions centered on shared learning objectives. This type of social space can be a positive component of an online course (Palloff & Pratt, 2003), and can encourage the development of the object-centered social structures (Engstrom, 2005) that arise naturally around the content, activities, and learning objectives that constitute the commonalities shared by course participants. Along with providing personal profile pages that afford the establishment of emotional and cognitive presence in the online environment (Dalsgaard, 2008; Garrison & Anderson, 2003; Rovai, Ponton, & Baker, 2008), an SNS will commonly include useful communication tools such as chat rooms, discussion boards, support for blogging, and private messaging capabilities, all of which empower extensive interaction.
A varied set of presentation tools can support dense interaction, and allow participants to establish what Haythornthwaite and Bregman (2004) referred to as visibility in the online learning environment. From the available means of communication, participants must choose the mediums through which they will present themselves to others in the community. More options mean more opportunities for all participants. According to Haythornthwaite & Bregman (2004), it is "important when supporting collaborative activity to provide multiple means of communication so that individuals and subgroups within the full set of participants can use means that suit their needs and preferences" (p. 137). Adult learners have fully-developed personas, and are facile and diverse in their use of self-expression to negotiate social interactions (Knowles, 1980; Merriam et al., 2007). They will readily make use of alternative modes of individual expression including choice in the design of personal pages or spaces, the ability to produce and display digital photographs and art forms, the capability to play and share music, and so forth. Instructors must also go beyond text to make use of all available tools and delivery modalities as appropriate to content and context. Meeting the requirement for providing a diverse set of tools for expression, communication, and content delivery will help ensure a successful experience for adult online learners.
Informal learning happens naturally in numerous and varied places in the lives of adults as they engage in a wide variety of activities to satisfy needs or provide solutions in everyday life (Merriam et al., 2007). Adults are capable of independently choosing and constructing their own learning experiences in whole or part, and often prefer to do so (Knowles et al., 2005; Zemke & Zemke, 1984). They are self-motivated to engage in the learning process to the extent that the learning will help them perform tasks or deal with problems that they confront in their life situations (Knowles et al., 2005). Therefore, instructional designs for digitally-mediated learning should exploit the adult propensity for self-directed informal learning. This can be accomplished by offering dynamic learning environments where students may go beyond content presented by the instructor to explore, interact with, comment on, modify, and apply the set content and additional content they discover or create through the learning process (Reynard, 2007).
Dynamic learning environments can be constructed from suites of social software tools by instructors working within the Personal Learning Environment (PLE) paradigm. In general, PLEs are digitally-mediated front-ends, or what may be thought of as dashboards or homepages, that serve as organizers and access points through which students interact with an online information cloud that offers nearly infinite resources for knowledge-building and training of all sorts. Workable PLEs can be built upon individual participant profile pages on a class social network site, or around blogs/web pages such as those offered by WordPress or Blogger. Another possibility is the use of the online portfolio concept, as with Digication, online educational software that combines elements of e-Portfolios and learning networks.
An important characteristic of mature learners is the wealth of life experience that they bring to the learning process (Knowles, 1980; Knowles et al., 2005; Merriam et al., 2007). While this experience is the richest resource for their learning, it is also a source of mental habits, biases, and presuppositions that tend to make it difficult for adults to open up to new ideas, fresh perceptions, and alternative ways of thinking (Knowles et al.). Mature learners may be resistant to the use of new technologies. They may also simply lack experience, skill, or access. Even younger students, those generalized as the net generation, should not be presumed to be fluent in the tools and techniques needed to take advantage of social software-powered online learning (Vaidhyanathan, 2008). Although many desirable social software tools are very easy to learn and use, instructors must be ready with systems of support and plans for scaffolding that will help all course participants get the maximum benefit from the learning opportunities being presented. While this may initially seem to be a substantial downside to deploying these new online tools, any negative effect is easily outweighed by the secondary learning represented by gaining proficiency in the use of the technology tools that are becoming prominent and permanent fixtures in modern life.
As an indication of their accessibility, consider the fact that social software tools have literally swept over the online world, in the span of a few short years coming into worldwide use by hundreds of millions of people of all ages. This is a phenomenon of deep import for the way people live, learn, and work. The power of social software is concisely reflected in boyd's (2008) comment that it has "affected how people interact with one another and, thus, it has the potential to alter how society is organized" (p. 93). In net-infused societies, new communities are being created that are native to the new social software technologies. Accessing these new communities requires a new form of online education in which educators are challenged to create and sustain learning opportunities that leverage the learning affordances specific to the technologies upon which these communities are built (Anderson, 2008).
Conclusion
Technology now offers the potential for customization of the learning process to the needs of each student (Reynard, 2007) and for accommodation of any adult learning style. The course interface in an internet-based class is a portal to a literally infinite expanse of material and opportunities, and a correctly designed course will leverage this fact by including a variety of elements that mix formal, informal, and information-based models of learning (Palloff & Pratt, 2007; Russell, 1999). Social software tools empower students and instructors to interact with, and within, the online environment, and efficiently use and benefit from the wealth of resources available in that environment. The flexibility and adaptability of social software applications are driving new paradigms in digitally mediated education delivery and have the potential to support organized approaches to life-long learning.
Teaching in a digital world calls for expansion of the vision of andragogy. In this new vision, learners actively create their own learning process rather than passively consume content, and realize learning as a participatory, life-long social process embarked upon in support of individual goals and needs (McLoughlin & Lee, 2007). The use of social software applications in digitally-mediated education delivery encourages collaboration, while supporting self-direction and individuation. In contrast to standard content management systems that are teacher/institution centric and emphasize content handling and two-way communication (Siemens, 2004), social software offers increased opportunities for interactivity and a distributed web of communication paths. In this way, social software fosters interaction, a sense of community, and group motivation. Connection and dialogue are supported, offering the potential for transformation and lifelong competence development (Marenzi, Demidova, Nejdl, Olmedilla, & Zerr, 2008). Transformation and lifelong learning are core ideals of the practice of adult education. Proper use of Web 2.0 technologies and social media can contribute to the achievement of these ideals in the design and delivery of digitally-mediated adult learning.
References
Allen, I. E., & Seaman, J. (2006, November). Making the grade: Online education in the United States, 2006. Needham, MA: Sloan-C. Retrieved December 9, 2010, from http://sloanconsortium.org/publications/survey/index.asp
Allen, I. E., & Seaman, J. (2007, October). Online nation: Five years of growth in online learning. Retrieved December 9, 2010, from http://sloanconsortium.org/publications/survey/index.asp
Allen, I. E., & Seaman, J. (2010, January). Learning on demand: Online education in the United States, 2009. Retrieved December 9, 2010, from http://sloanconsortium.org/publications/survey/index.asp
Allen, I. E., Seaman, J., & Garrett, R. (2007, March). Blending in: The extent and promise of blended education in the United States. Retrieved December 9, 2010, from http://sloanconsortium.org/publications/survey/index.asp
Anderson, T. (2005). Distance learning - social software's killer ap? Retrieved December 9, 2010, from http://auspace.athabascau.ca:8080/dspace/handle/2149/2328
Anderson, T. (2008). Social software technologies in distance education: Maximizing learning freedoms. In T. Evans, M. Haughey, & D. Murphy (Eds.), International handbook of distance education (pp. 167-184). West Anglia, UK: Emerald Group Publishing.
Bates, T. (2008). Transforming distance education through new technologies. In T. Evans, M. Haughey, & D. Murphy (Eds.), International handbook of distance education (pp. 217-235). West Anglia, UK: Emerald Group Publishing Limited.
Billington, D. D. (1996). Seven characteristics of highly effective adult learning programs. Retrieved December 9, 2010, from www.uwex.edu/erc//Word/SevenCharacteristics.doc
Bonk, C. J. (2009). The world is open: How technology is revolutionizing education. San Francisco, CA: Jossey-Bass.
Bonk, C., Kim, K., & Zeng, T. (2005). Future directions of blended learning in higher education and workplace learning settings. In P. Kommers & G. Richards (Eds.), Proceedings of World Conference on Educational Multimedia, Hypermedia and Telecommunications 2005 (pp. 3644-3649). Chesapeake, VA: AACE. Retrieved December 9, 2010, from http://www.editlib.org/p/20646
boyd, d. (2007). The significance of social software. Retrieved December 9, 2010, from http://www.danah.org/papers/
boyd, d. (2008). Taken out of context: American teen sociality in networked publics. Unpublished doctoral dissertation. University of California-Berkeley, School of Information. Retrieved December 9, 2010, from http://www.danah.org/papers/
boyd, d. m., & Ellison, N. B. (2007). Social network sites: Definition, history, and scholarship. Journal of Computer-Mediated Communication, 13(1). Retrieved December 9, 2010, from http://jcmc.indiana.edu/vol13/issue1/boyd.ellison.html
Dalsgaard, C. (2006, December 7). Social software: E-learning beyond learning management systems. European Journal of Open, Distance and E-Learning. Retrieved December 9, 2010, from http://www.eurodl.org
Dalsgaard, C. (2008, June). Social networking sites: Transparency in online education. EUNIS 2008 Proceedings, Arhus, Denmark, June 24-27, 2008. Retrieved December 9, 2010, from http://eunis.dk/papers/p41.pdf
Daniel, J. S. (2003, November). Mega-universities = Mega-impact on access, cost and quality. Keynote address presented at the First Summit of Mega-universities, Shanghai, PRC. Retrieved December 9, 2010, from http://portal.unesco.org
Engstrom, J. (2005, April 13). Why some social network services work and others don't - Or: the case for object-centered sociality [blog post]. Retrieved June 30, 2010, from http://www.zengestrom.com/blog/2005/04/why_some_social.html
Garrison, D. R., & Anderson, T. (2003). E-learning in the 21st century [Questia Media online version]. Retrieved December 9, 2010, from http://www.questia.com/Index.jsp
Greenhow, C., Robelia, B., & Hughes, J. E. (2009). Learning, teaching, and scholarship in a digital age: Web 2.0 and classroom research: What path should we take now? Educational Researcher, 38(4), 246-259. doi: 10.3102/0013189X09336671
Grudin, J. (2000). Digitally mediated interaction: Technology and the urge system. In G. Hatano, N. Okada & H. Tanabe (Eds.), Affective minds: The 13th Toyota Conference (pp. 159-167). Amsterdam, The Netherlands: Elsevier Science B. V.
Haythornthwaite, C., & Bregman, A. (2004). Affordances of persistent conversation: Promoting communities that work. In C. Haythornthwaite & M.
M. Kazmer (Eds.), Learning, culture, and commu-
nity in online education: Research and practice (pp.
129-143). New York, NY: Peter Lang Publishing.
Haythornthwaite, C , Kazmer, M. M., Robins, J., &
Shoemaker, S. (2004). Community development
among distance learners: Temporal and technologi-
cal dimensions. In C. Haythornthwaite & M. M.
Kazmer (Eds.), Learning, culture, and community in
online education: Research and practice (pp. 35-57).
New York, NY: Peter Lang Publishing.
23. Hill, J. R. (2001). Building community in web-based
learning environments: Strategies and techniques.
Retrieved December 9, 2010, from http://ausweb.
scu.edu.au/awOl/papers/refereed/hill/paper.html
Holmberg, B. (1995). Theory and practice of distance
education. New York, NY: Routledge.
Jarvis, P. (2006). Towards a comprehensive theory of
human learning. New York, NY: Routledge/Falmer
Près.
Johnson, L., Levine, A., & Smith, R. (2009). The 2009
Horizon Report. Retrieved December 9, 2010, from
http://www.nmc.org/publications/2009-horizon-
report Perspectives on distance education: Lifelong
learning and distance higher education (pp. 79-95).
Retrieved December 9, 2010, from http://unesdoc.
unesco.org/images/0014/001412/141218e.pdf
Kazmer, M. M. (2000). Coping in a distance environ-
ment: Sitcoms, chocolate cake, and dinner with a
friend. First Monday, 5(9). Retrieved December 9,
2010, from http://firstmonday.org/
Kim, K. J., & Bonk, C. J. (2006). The future of online
teaching and learning in higher education: The
survey says... EDUCAUSEQuarterly, 29(4).
Retrieved December 9, 2010, from http://www.
educause.edu
Knowles, M. S. (1980). The modern practice of adult
education: From pedagogy to andragogy (2nd ed.).
New York, NY: Cambridge Books.
Knowles, M. S., Holton, E. F., & Swanson, R. A. (2005).
24. The adult learner: The definitive classic in adult
education and human resource development. San
Diego, CA: Elsevier Inc.
A 1 0 Adult Learning
Land, S. M., & Hannafin, M. J. (1996). A conceptual
framework for the development of theories-in-action
with open-ended learning environments. Educational
Technology Research and Development, 44(3),
37-53. Retrieved December 9, 2010, from http://
www.aect.org/Intranet/Publications/index.asp
Lieb, S. (1991, Fall). Principles of adult learning. Vision.
Retrieved December 9, 2010, from http://honolulu.
hawaii.edu/intranet/committees/FacDevCom/
gu idebk/teachtip/adu 1 ts-2. htm
MacKeracher, D. (2004). Making sense of adult learning
(2nd ed.). Toronto, Canada: University of Toronto
Press.
Marenzi, I., Demidova, E., Nejdl, W., Olmedilla, D., &
Zerr, S. (2008). Social software for lifelong compe-
tence development: Challenges and infrastructure.
Internationaljournal of Emerging Technologies in
Learning, 3, 18-23. Retrieved December 9, 2010,
from http://www.online-journals.org/i-jet
McLoughlin, C , & Lee, M. J. W. (2007). Social software
and participatory learning: Pedagogical choices
with technology affordances in the Web 2.0 era. In
R. J. Atkinson, C. McBeath, S. K. A. Soong, & C.
Cheers (Eds.), ICT: Providing choices for learners
25. and learning. Proceedings of ASCILITE, Singapore
2007. Retrieved December 9, 2010, from http://
www.ascilite.org.au/conferences/singapore07/procs/
mcloughlin.pdf
Merriam, S. B., Caffarella, R. S., & Baumgartner, L. M.
(2007). Learning in adulthood. San Francisco, CA:
Jossey-Bass.
Mezirow, J. (1991). Transformative dimensions of adult
learning. San Francisco, CA: Jossey-Bass.
Mossavar-Rahmani, F., & Larson-Daugherty, C. (2007).
Supporting the hybrid learning model: A new
proposition. MERLOT Journal of Online Learning
and Teaching, i ( l ), 67-78. Retrieved December 9,
2010, from http://jolt.merlot.org/
Oblinger, D. G. (2008, March). Growing up with
Google: What it means to education. In Emerging
technologies for learning. 3, pp. 11-29. Retrieved
December 9, 2010, from http://www.becta.org.uk/
O'Reilly, T (2005, September). What is web 2.0: Design
patterns and business models for the next generation
of software [Weblog post]. Retrieved July 8, 2009,
from http://oreilly.com/pub/a/web2/archive/what-is-
web-20.html?page=l
Palloff, R. M., & Pratt, K. (2003). The virtual student:
A profile and guide to working with online learners.
San Francisco, CA: Jossey-Bass.
Pallof, R. M., & Pratt, K. (2007). Building online learn-
ing communities: Effective strategies for the virtual
26. classroom. San Francisco, CA: Jossey-Bass.
Prensky, M. (2009). H. Sapiens digital: From digital
immigrants and digital natives to digital wisdom.
Innovate Journal of Online Education, 5(3).
Retrieved December 9, 2010, from http://innovateo-
nline.info/
Reynard, R. (2007, May). Hybrid learning: Challenges
for teachers. THE Journal. Retrieved December 9,
2010, from http://thejournal.com
Rovai, A. P , Ponton, M. K., & Baker, J. D. (2008).
Distance learning in higher education: A program-
matic approach to planning, design, instruction,
evaluation, and accreditation. New York, NY:
Teachers College Press.
Russell, M. (1999). Online learning communities:
Implications for adult learning. Adult Learning, 10,
28.
Sanchez, F. (2003). Skills for a knowledge-based econ-
omy. Leadership, 33(2), 30-33. Retrieved December
9, 2010, from http://www.bnet.com/
Shirky, C. (2003, March). Social software and the
politics of groups [Weblog post]. Retrieved July
25, 2008, from http://www.shirky.com/writings/
group_politics.html
Siemens, G. (2004, November 22). Learning
Management Systems: The wrong place to start
learning. Elearnspace. Retrieved December 9, 2010,
from http://www.eleamspace.org/Articles/index.htm
27. Siemens, G., & Downes, S. (2008). Connectivism and
connective knowledge: A rather large open online
course... Retrieved December 9, 2010, from http://
ltc.umanitoba.ca/connectivism/
Stammen, R. M., & Schmidt, M. A., (2001, November).
Basic understanding for developing distance educa-
tion for online instruction. NASSP Bulletin, 55(628),
47-50.
Tapscott, D. (1999). Growing up digital. New York, NY:
McGraw-Hill.
Tapscott, D. (2009). Grown up digital. New York, NY:
McGraw-Hill.
Tapscott, D., & Williams, A. D. (2010). Innovating the
21st-century university: It's time! EDUCAUSE
Review, 45(1), 16-29. Retrieved December 9, 2010,
from http://www.educause.edu/er
Täte, M. L. (2004). Sit and get won't grow dendrites:
20 professional learning strategies that engage the
adult brain. Thousand Oaks, CA: Corwin Press.
11 A
Tough, A. (1979). The adult's learning projects: Afresh
approach to theory and practice in adult learning
(2nd ed.). Toronto, Canada: Ontario Institute for
Studies in Education.
Vaidhyanathan, S. (2008, September 19). Generational
myth. The Chronicle of Higher Education. Retrieved
28. December 9, 2010, from http://chronicle.com/free/
v55/i04/04b00701.htm
Watson, J. (2008). Blended learning: The convergence
of online and face-to-face education. Retrieved
December 9, 2010, from http://www.inacol.org/
Zemke, R., & Zemke, S. (1984, March). 30
things we know for sure about adult learning.
Innovation Abstracts, 6(8).
A 1 2 Adult Learning
Copyright of Adult Learning is the property of American
Association for Adult & Continuing Education and its
content may not be copied or emailed to multiple sites or posted
to a listserv without the copyright holder's
express written permission. However, users may print,
download, or email articles for individual use.
EVIDENCE / PROPERTY CUSTODY DOCUMENT
The proponent agency for this document is OHMR-PM

CONTROL NUMBER:
REPORT CROSS-REFERENCE NUMBER:
RECEIVING AGENCY: Makestuff IT Security
LOCATION: Makestuff Remote Office #4
NAME, GRADE AND TITLE OF PERSON FROM WHOM RECEIVED (OWNER / OTHER): Former work area of Mr. YOURPROP
ADDRESS (Includes ZIP Code): Bldg# 47, Martin Blvd, Faketown, NJ 12345
LOCATION FROM WHERE OBTAINED: Desk near west wall of office
REASON OBTAINED: Evaluation as evidence
TIME / DATE OBTAINED: 1430, 04/01/2014

DESCRIPTION OF ARTICLES (Include model, serial number, conditions, and any unusual marks or scratches)
ITEM NO. 1, QUANTITY 1: Voice recorder, small, silver, Olympus.
ITEM NO. 2, QUANTITY 1: Western Digital, 1TB, silver and black with a green label, roughly rectangular, affixed with a torn sticker on the front.
ITEM NO. 3, QUANTITY 1: Thumb drive, USB, PNY-brand, 64GB in size, unknown serial number, grey and black in color, approximately 1” x 2.5” x 0.5”, metal and plastic-type construction, printed with “PNY…64GB”, with small hole on the side (which appears to be for a lanyard.
///LAST ITEM///

CHAIN OF CUSTODY
ITEM NO.: 1-3
DATE: 04/01/2014
RELEASED BY: SIGNATURE: CRIME SCENE; NAME, GRADE, TITLE: N/A
RECEIVED BY: SIGNATURE: ///original signed///; NAME, GRADE, TITLE: I.M. Helpful, Security Specialist
PURPOSE OF CHANGE OF CUSTODY: Evaluation as evidence

OHMR FORM 4137 front (Jul 91)
Please answer them thoroughly, making sure your answers are
in-depth and related to the questions. Each question must be
answered in a well-detailed format. Also, the APA must be
formatted perfectly. If possible, more than a paragraph of
explanation should be given for each question. I have also
provided the Project 1 paper as an attachment so that you
understand how you are going to approach this Project 2. I have
also provided each chapter’s textbook text from chapter 1 for
the purpose of answering this Project 2, all of which will help
to answer the Project 2 questions. SO MAKE
SURE YOU READ THIS STATEMENT CLEARLY AND USE
THE TEXTBOOK TEXT I HAVE PROVIDED TO ANSWER
THE QUESTIONS. ALSO, YOU CAN INCLUDE
ADDITIONAL OUTSIDE SOURCES. All citations must be
formatted perfectly. Thank you.
Project 2
For the purpose of this Project, you are still the InfoSec
Specialist for the Makestuff Company. Consider this project a
continuation of the work you performed in Project 1.
With the scenario in mind, thoroughly answer the following
questions (in paragraph format, properly citing outside research,
where appropriate):
1. What permissions/authorities should you have before you
search Mr. Yourprop’s former Company work area, and how
would you document that authority? Thoroughly explain,
discuss and support your answer.
2. (Looking at the photo of Mr. Yourprop’s work area,
provided for Project 2 in the Course Content area) Identify three
(3) potential items of digital evidence you see in the photo. For
EACH item of digital evidence you identified, explain what
potential use that item would be to your investigation (e.g.,
what type of data that item might hold) AND how you would
collect that item as evidence (with emphasis on your care and
handling of that item consistent with digital forensic best
practices described in your textbook).
3. (Looking at the photo of Mr. Yourprop’s work area,
provided for Project 2 in the Course Content area) Identify three
(3) potential items of non-digital evidence you see in the photo.
For EACH item of non-digital evidence you identified, explain
what potential use that item would be to your investigation
AND how you would collect that item as evidence.
4. (Looking at the Evidence Custody Document and item
photographs, provided for Project 2 in the Course Content area)
- Read the Evidence Custody Document prepared by one of your
co-workers, in which he is attempting to seize the three items
pictured in the accompanying photos. Did your co-worker
adequately describe each item? What could you add to the
descriptions, and for which items (based on what you see in the
photos), to make them more complete and serve as an example
to your co-worker of what they SHOULD look like? Thoroughly
explain, discuss and support your answer.
5. How should the items you collected as evidence be stored
in your evidence room? Describe any environmental conditions
or concerns for your evidence room (digital evidence can
require some unique considerations!), as well as any security
procedures that should be in place. Thoroughly explain, discuss
and support your answer.
Project Requirements:
· Each question should be answered with a minimum of 1-2
paragraphs, so do your research, be specific, be detailed, and
demonstrate your knowledge;
· Answers to the above questions should be submitted in a
single document (.DOC/.DOCX, .RTF, or .PDF), with answers
separated and numbered so as to make it clear which question is
being answered;
· The submission should have a cover page, including course
number, course title, title of paper, student’s name, date of
submission;
· Format: 12-point font, SINGLE-space, one-inch margins;
It is mandatory that you do some research, and utilize outside
resources! References page: APA citation style (see
https://owl.english.purdue.edu/owl/resource/560/01/ for help).
Instructions
Project 1
For the purposes of this project, imagine you are an Information
Security (InfoSec) Specialist, an employee of the Makestuff
Company, assigned to the company’s Incident Response Team.
In this case, you have been notified by Mr. Hirum Andfirum,
Human Resources Director for the Makestuff Company, that the
company has just terminated Mr. Got Yourprop, a former
engineer in the company’s New Products Division, for cause.
Mr. Andfirum tells you that at Mr. Yourprop’s exit
interview earlier that day, the terminated employee made several
statements to the effect of “it is okay because I have a new job
already and they were VERY happy to have me come from
Makestuff, with ALL I have to offer.” Mr. Yourprop’s
statements made Mr. Andfirum fear he might be taking
Makestuff’s intellectual property with him to his new employer
(undoubtedly a Makestuff competitor). In particular, Mr.
Andfirum is worried about the loss of the source code for
“Product X,” which the company is counting on to earn millions
in revenue over the next three years. Mr. Andfirum provides
you a copy of the source code to use in your investigation.
Lastly, Mr. Andfirum tells you to remember that the Company
wants to retain the option to refer the investigation to law
enforcement in the future, so anything you do should be with
thought about later potential admissibility in court.
The Fourth Amendment to the U.S. Constitution reads, “The
right of the people to be secure in their persons, houses, papers,
and effects, against unreasonable searches and seizures, shall
not be violated, and no warrants shall issue, but upon probable
cause, supported by oath or affirmation, and particularly
describing the place to be searched, and the persons or things to
be seized.” The Fourth Amendment is most commonly
interpreted to only affect/restrict governmental power (e.g., law
enforcement). In fact, in Burdeau v McDowell, 256 U.S. 465
(1921), the U.S. Supreme Court reviewed the use of
documentary evidence (in a potential criminal case) stolen from
McDowell’s office. The Supreme Court held that the Fourth
Amendment’s protection against unreasonable searches and
seizures related only to governmental intrusion. When evidence
is gained by the police or the government in ways that are
considered illegal and unreasonable and violate the Fourth
Amendment, that evidence may be inadmissible in court. That
sanction, known as the “exclusionary rule” was developed by
the courts to punish the police when they flagrantly violate the
Fourth Amendment and other constitutional rights.
Here is another wrinkle in this area of the law: IF the police
request a private individual to do something on their behalf that
the police do NOT have a constitutional right to do, that private
person becomes an agent of the police and anything gained as a
result of such action may risk the sanction of having the
evidence inadmissible in court.
But courts, including the Burdeau Court, will also consider
other actions, or rights of redress, against private individuals
who illegally seize another’s private property (i.e. civil suit or
criminal charges if taking amounted to a theft). Privacy rights
are considered by the courts based on constitutional language
found in several amendments including the due process clause
of the Fourteenth Amendment. Note also that individual states
often have their own privacy laws.
Now, with all of this in mind, based on the above scenario, the
fact that a formal criminal investigation is a possibility and that
your Company has no desire to be named in a civil lawsuit,
answer the following questions in paragraph format properly.
Remember to properly cite outside research where appropriate.
There is NO need to research areas of Fourth Amendment search
and seizure law that affect the police (government) only, such
as exigent circumstances, the plain view doctrine, car searches,
search incident to arrest, etc. Please thoroughly discuss the
answer ONLY from your role given in the scenario. I am
looking for you to take a position in your response to the
questions and defend it based on course material, outside
research and common sense. These types of issues, as well as
search and seizure law in general, are litigated every day in
courts around the country and often have no clear-cut answers.
1. There is a page in the Company’s “Employee Handbook”
that states that anything brought onto the Company’s property,
including the employees themselves, is subject to random search
for items belonging to the Company. There is a space for the
employee to acknowledge receipt of this notice. Mr. Yourprop
has a copy of the handbook but never signed the page. Does that
matter? Explain.
2. Can you (or Mr. Yourprop’s supervisor) search
Yourprop’s assigned locker in the Company’s on-site gym for
digital evidence? Support your answer.
3. Can you (or Mr. Yourprop’s supervisor) use a master key
to search Yourprop’s locked desk after he has left the premises
for digital evidence? Support your answer.
4. Makestuff Company uses a security checkpoint at the
entrance to the building. A sign adjacent to the checkpoint
states that the purpose of the checkpoint is for security staff to
check for weapons or other materials that may be detrimental to
the working environment or employee safety. Screening is
casual and usually consists of verification of an employee’s
Company ID card. Can security staff at this checkpoint be
directed to open Mr. Yourprop’s briefcase and seize any
potential digital evidence? Support your answer.
5. Can you (or Mr. Yourprop’s supervisor) search
Yourprop’s personal vehicle currently parked in the Company
parking lot for digital evidence? Support your answer.
6. If evidence of the theft of intellectual property is found,
Makestuff Company may seek to pursue criminal prosecution.
Can Mr. Yourprop’s supervisor require local police
investigators to search his personal vehicle which is parked on
the Company parking lot? Support your answer.
Project Requirements:
· Each question should be answered with a minimum of 1-2
paragraphs, so do your research, be specific, be detailed, and
demonstrate your knowledge;
· Answers to the above questions should be submitted in a
single document (.DOC/.DOCX, .RTF, or .PDF), with answers
separated so as to make it clear which question is being
answered;
· The submission should have a cover page, including course
number, course title, title of paper, student’s name, date of
submission;
· Format: 12-point font, double-space, one-inch margins;
· It is mandatory that you do some research, and utilize outside
resources! References page: APA citation style
(see https://owl.english.purdue.edu/owl/resource/560/01/ for
help).
Rubric Name: 25 Points A-F Grading Rubric for Participation
Criteria
Equivalent to an A
Equivalent to a B
Equivalent to a C
Equivalent to a D - F
Overall quality of the response(s) Value: 5 points
5 points
The primary responses and follow-up comments are very
perceptive, demonstrating full understanding of the topic and
related concepts
Points available: 4.5 - 5.0
4 points
The primary response is quite insightful, considering issues and
elements beyond the fundamental question.
Points available: 4.0 - 4.49
3.99 points
The primary response is responsive to the question and provides
a logical, thoughtful answer.
Points available: 3.5- 3.99
2 points
The student failed to answer this question.
The primary response is not responsive to the question and/or
the response does not provide a logical, thoughtful answer
Points available:
D = 3.0 - 3.49
F= 0 - 2.99
Overall evidence of critical thinking Value: 5 points
5 points
The student clearly demonstrates superior critical thinking using
analysis, assessment, application, etc. The student respectfully
challenges the responses/opinions of others and/or defends the
positions taken by other students
Points available: 4.5 - 5.0
4 points
Some effort on the part of the student to analyze/assess the
question is obvious. Alternatives are presented as well as the
underlying rationale for the response.
Points available: 4.0 - 4.49
3.99 points
The response indicates that the student understood the question
and provided a sensible and related response
Points available: 3.5 - 3.99
2 points
The student failed to answer this question.
The response indicates that the student did not understand the
question and/or the student did not provide a sensible response
related to the question
Points available:
D = 3.0 - 3.49
F= 0 - 2.99
Quantity of responses and comments Value: 5 points
5 points
The student submits responses to all of the questions presented
by the instructor and contributes significantly (beyond mere
affirmation) with multiple comments in each Discussion
Points available: 4.5 - 5.0
4 points
The student submits more than the minimum required number of
responses and comments
Points available: 4.0 - 4.49
3.99 points
The student provided a primary response to each question and
the required number of comments on the responses/comments
submitted by fellow students.
Points available: 3.5 - 3.99
2 points
The student did not provide a primary response to each
question; or the student failed to submit the required number of
comments on the responses/comments submitted by fellow
students.
Points available:
D = 3.0 - 3.49
F= 0 - 2.99
Timeliness of responses Value: 3 points
3 points
The student is present in the Discussions soon after the question
is available.
The student adds meaningful (not mere affirmations)
responses/comments throughout the Discussion period and does
not limit their input to the very end.
Points available: 2.7 - 3.00
2.69 points
The student submits their responses and comments early in the
Participation period, thus enabling fellow students the
opportunity to read and react to the information provided.
Points available: 2.40 - 2.69
2.39 points
The student's responses/comments were posted within the time
frame set by the instructor
Points available: 2.10 - 2.39
1.79 points
The student's responses/comments were not posted within the
time frame set by the instructor. As a result the student allowed
little opportunity for fellow-students to read, learn from and
comment on their work.
Points available:
D = 1.8 - 2.09
F= 0 - 1.79
Evidence of research Value: 5 points
5 points
The student's response and comments are supported by relevant
outside resources when it is not required, or beyond the
requirement set by the instructor.
Supportive resources are appropriately cited using APA format
standards
Points available: 4.5 - 5.0
4 points
Research is obvious in the response.
Any requirement for outside supportive resources is surpassed
with appropriate materials.
Points available: 4.0 - 4.49
3.99 points
The student met the research requirement (outside supportive
sources) set by the instructor.
Points available: 3.5 - 3.99
2 points
The student did not meet the research requirement (outside
supportive sources) set by the instructor.
NOTE: If no supportive resources were required, these points
should be added to the Overall Quality category above.
Points available:
D = 3.0 - 3.49
F= 0 - 2.99
Grammar/Mechanics Value: 2 points
2 points
No or minor English and grammar usage errors.
Points available 1.8-2.0
1.79 points
Only a few minor/inconsequential mistakes in English and
grammar.
Points available 1.60-1.79
1.59 points
A few minor/ inconsequential mistakes in English and grammar.
Errors do not interfere with understanding the student's
response or comments
Points available: 1.40 -1.59
1.39 points
Many mistakes evident in English/grammar usage, indicating a
lack of proofreading or comprehension.
It is unclear if the student understands the issue because of the
English/grammar errors.
Points available for D: 1.20 - 1.39
Points available for F: 0 - 1.19
Overall Score
Equivalent to an A
16.1 or more
Equivalent to a B
14.1 or more
Equivalent to a C
12.1 or more
Equivalent to a D or F
0 or more
DIGITAL FORENSIC 25
In this chapter, you'll learn more about:
· Encryption basics
· Common encryption practices
· Weaknesses of encryption
· What to do when you find encrypted data
Computer forensics is all about perspective and process. A
forensic investigator's main perspective must be as a neutral
party in all activities. Approach each investigation the same
way, ensuring that it is repeatable and sound. After evidence is
identified and preserved, analyze it to determine its impact on
your case. In many situations, forensic investigators don't have
the authority to disclose any evidence except to authorized
individuals. It all depends on who owns the computer and who
is paying for the investigation. As a forensic investigator, you
need to know how to exercise your authority and access
protected data properly. The two most common controls that
protect data from disclosure are access controls and data
encryption. This chapter covers the most common type of access
control—the password—and the general topic of encryption.
You will learn basic techniques to obtain passwords to gain
access to evidence. You will learn about basic encryption
methods and how to recover encrypted evidence.
Passwords
Computer users must commonly provide a user ID to log on to,
or otherwise access, a system. User IDs identify a specific user
and tell the security subsystem what permissions to grant to that
user. Unfortunately, some computer users attempt to
impersonate other users by fraudulently providing another
person's user ID. By doing so, the impersonator can perform
actions that will point back to the stolen user ID owner's
account when audited. As a forensic investigator, you'll need to
determine the difference between actions taken using a valid
user ID and actions conducted by an impersonator using a stolen
or otherwise compromised user ID.
user ID
A string of characters that identifies a user in a computing
environment.
Real World Scenario
Who Are You, Really?
Fred is an enterprising university student who enjoys testing the
limits of his school's computer use policy. The policy clearly
states that users may only use their own user IDs to access the
computer system. If Fred wants to create some mischief on the
university's computer system, he could ignore the policy and
use Mary's user ID to access the system. In effect, he could
pretend to be Mary. With no controls in place to stop him, Fred
could cause many problems and to the untrained eye, it would
appear that Mary was the guilty party. A control is anything that
stands between Fred and his unauthorized actions. In this case,
there actually is at least one control to deter him—the
university's computer use and access policy. The university's
computer use policy is an administrative control. While
administrative controls dictate proper behavior and the penalty
of noncompliance, they don't stop unauthorized actions by those
who are determined to ignore such policies (as in Fred's case).
There is a simple solution. User IDs provide identification for
users. Another piece of information that only the real user
should know provides authentication that the user is who he or
she claims to be. The most common method of authentication is
a password. To authenticate using a password, users provide not
only a user ID, but the proper password as well during login.
The security system then validates that the password provided
matches by comparing it to the stored value for that user ID. If
the two match, the security system authenticates and trusts the
user and allows access to the computer system.
password
A string of characters that security systems use to authenticate,
or verify, a user's identity. Security systems compare passwords
a user provides during login to stored values for the user
account. If the value provided (password) matches the stored
value, the security subsystem authenticates the user. Most
operating systems store passwords when users create login
accounts.
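The identification and authentication steps described above, as an added Python example that is not part of the textbook text. It shows that an audit record carries only the user ID, so a session opened with Mary's password by someone else is logged as Mary. The salted PBKDF2 stored value, the account passwords and the host names are assumptions constructed for the illustration; the text only says the supplied password is compared with a stored value.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000  # constructed value for the example


def derive_key(password: str, salt: bytes) -> bytes:
    """Turn a password into the value that is actually stored and compared."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass(frozen=True)
class AuditEvent:
    user_id: str      # identification: who the session claims to be
    source_host: str  # context recorded alongside the claim (assumed field)
    outcome: str      # "success" or "failure"


class LoginService:
    def __init__(self) -> None:
        self._accounts = {}   # user_id -> (salt, stored derived key)
        self.audit_log = []   # list of AuditEvent, in order of occurrence

    def create_account(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[user_id] = (salt, derive_key(password, salt))

    def login(self, user_id: str, password: str, source_host: str) -> bool:
        known = user_id in self._accounts
        # Unknown IDs are checked against a dummy record so both paths do the same work.
        salt, stored = self._accounts.get(user_id, (b"\x00" * 16, b"\x00" * 32))
        # Authentication: constant-time comparison with the stored value.
        match = hmac.compare_digest(derive_key(password, salt), stored)
        ok = known and match
        self.audit_log.append(
            AuditEvent(user_id, source_host, "success" if ok else "failure"))
        return ok


def hosts_by_user(audit_log):
    """Group successful logins: user ID -> sorted list of source hosts."""
    hosts = defaultdict(set)
    for event in audit_log:
        if event.outcome == "success":
            hosts[event.user_id].add(event.source_host)
    return {uid: sorted(seen) for uid, seen in hosts.items()}


def ids_seen_on_multiple_hosts(audit_log):
    """User IDs whose successful logins came from more than one host."""
    return {uid: seen for uid, seen in hosts_by_user(audit_log).items()
            if len(seen) > 1}


def run_scenario():
    """Constructed sample data: Mary's ID is used from two different hosts."""
    svc = LoginService()
    svc.create_account("mary", "constructed-Passw0rd-mary")
    svc.create_account("fred", "constructed-Passw0rd-fred")
    results = [
        svc.login("mary", "constructed-Passw0rd-mary", "lab-pc-07"),   # Mary herself
        svc.login("mary", "guess123", "dorm-pc-19"),                   # wrong password
        svc.login("mary", "constructed-Passw0rd-mary", "dorm-pc-19"),  # someone holding Mary's password
        svc.login("fred", "constructed-Passw0rd-fred", "dorm-pc-19"),
        svc.login("nobody", "x", "lab-pc-07"),                         # unknown user ID
    ]
    return svc, results


if __name__ == "__main__":
    service, outcomes = run_scenario()
    print("login results:", outcomes)
    for entry in service.audit_log:
        print(entry)
    print("IDs to review:", ids_seen_on_multiple_hosts(service.audit_log))
```

A user ID that appears from several hosts is a lead for the investigator to examine, not proof of impersonation.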
There are two main reasons for investigators to crack
passwords. First, you may need a password to log in to a
computer or access a resource. Second, you may need a
password or key to access encrypted data that may be vital to
the success of the investigation.
During an investigation, forensic investigators commonly need
access to one or more computer accounts. When a suspect or
other knowledgeable user cooperates with an investigation,
obtaining a user ID and password can be as easy as asking for
it. Never forget to try the simple approach: When users
cooperate, it can save valuable time. Always ask for any needed
user IDs and passwords. When passwords aren't readily
available, here are three alternative methods to acquire them:
· Find passwords
· Deduce passwords
· Crack passwords
Forensic investigators not only understand what each of these
three techniques is, but know when and how to use each one as
well.
Although passwords are the most common user authentication
technique, they aren't always secure. In the next sections, we'll
examine each password recovery technique and show you how
quickly and easily some passwords can become available.
Finding Passwords
By far, the easiest way to obtain a password is simply to ask
someone who knows the password to provide it to you. If asking
nicely doesn't work, try social engineering. Build trust with a
person who knows information you need to further the
investigation. This person could be anyone who knows the
password. The password or other information sought could be as
simple as a phone call away.
For example, you could call and pretend to be a member of the
network administrator team. A simple statement like, "Hi, this
is Tom from network support. Your computer looks like it is
sending out a virus to other computers. I need to log on to stop
it. What is the user ID and password you used to log on this
morning?" Fortunately for the forensic investigator, far too
many people are only too willing (and in fact, often eager) to
help and quickly provide the requested information. Mission
accomplished! When using social engineering techniques to
gather information, experienced forensic investigators will
ensure they have permission to conduct these types of activities
before proceeding. As long as you abide by any applicable
security policies, encouraging a suspect to give you the
information you need is perfectly fine. Law enforcement
officials are good at doing this. Ask them for help, especially if
this is a criminal investigation.
If social engineering isn't an option, or the person who knows
the password won't cooperate, then there are other simple
approaches you can try. There are two basic types of passwords:
those that are easy to remember and those that are hard to
remember. With more people becoming aware of security issues,
passwords now tend to be more secure than in the past. Most
people equate password complexity with security. That is, long,
hard-to-remember passwords appear to be more secure than
simple ones.
Tip
Longer passwords can be less secure than shorter ones.
Passwords that expire frequently can be less secure as well. The
reason is that when a user must use a password that is too hard
to remember, he will often write it down. The hassle of
retrieving a lost password often encourages users to keep sticky
notes with passwords written on them. When encouraging the
use of strong passwords, allow users to create ones they can
remember.
Because a password is a string of characters that authenticates a
user's identity, it is important that the user always have access
to the password. The more complex a password is, the more
likely it is that the user has it written down or otherwise
recorded somewhere. Look around the computer for written
notes. It's not uncommon for forensic investigators to find
sticky notes with passwords written on them in plain sight, or in
some cases, even taped to the computer system itself. You'll
find that this phenomenon occurs in a surprisingly large
percentage of the sites you investigate. As a forensic
investigator, you'll become an expert at recognizing common
"hiding places" for password notes, such as:
· On the monitor (front, sides, top, etc.)
· Under the keyboard
· In drawers (look under pencil holders and organizers)
· Attached to the underside of drawers
· Anywhere that is easily accessible from the seat in front of the
computer but not readily visible
· Personal digital assistants (PDAs) and smartphones
· Obvious files on the hard disk (such as passwords.txt)
While this approach may seem too simple and obvious, never
dismiss this important method for finding passwords. Few
people trust their memories for important passwords. There is a
good chance some users you'll be investigating wrote down their
passwords and put them somewhere handy.
Deducing Passwords
So, you've looked all around the physical hardware and desk but
you still can't find the password you are looking for. What next?
Don't worry—there are still other options available to obtain
passwords. In spite of all the common rules for creating
"strong" passwords, many users routinely break the rules. If you
are trying to guess a password, try the obvious ones. The more
the forensic investigator knows about the user, the better the
chances of guessing the password. Try some of these ideas:
· User ID
· Birth date
· Social security number
· Home address
· Telephone number
· Spouse/children/friend name
· Pet name
· Favorite team name or mascot
· Common word or name from a hobby
Note
Use this section as a lesson for creating your own passwords.
Because so many people ignore password best practices, take it
upon yourself to be unique. Take the time to create strong
passwords and keep them secure. Passwords can also easily be
secured through the use of password vault programs such as
RoboForm Pro (www.roboform.com).
Although guessing a password is possible, it isn't very
productive in most cases. Don't spend a lot of time trying to
guess a password. This method is most effective if you have a
strong hunch that you will be successful. It may be possible for
forensic investigators to solve password puzzles by piecing
several pieces of information together. People often hide the
real password but leave clues that can help you to guess the
password contents. For example, during an investigation, a note
was found that read "me 4 her -7." After trying several
combinations, we hit on a password that consisted of the
subject's initials, "ajd," and his wife's initials, "rgd." The
password was "ajd4rgd7." (Just in case you're wondering, this
wasn't the actual password—the initials were changed to protect
the innocent!)
Even though you might get lucky occasionally, really
"guessing" a password isn't very common. It looks good in the
movies, but it doesn't happen that often in the real world.
Deduced passwords normally come from piecing several pieces
of information together. For instance, when analyzing a
subject's activity, keep track of visited Web sites and locally
protected applications. Cookies for recently visited Web sites
may be left behind that store an unprotected password. People
are creatures of habit and many tend to use the same passwords
repeatedly, so if you find an unprotected password for one
resource, try it in other areas.
As much as it violates good security practices and common
sense, the same password is often used to protect both secured
servers and to subscribe to a Web site's news services. If you
find a password, see if the user also uses it elsewhere.
Note
When poking around and guessing passwords, forensic
investigators might end up locking the resource they are
attempting to access owing to excessive failed logon attempts.
Always make sure you have at least two copies of media. If one
copy is corrupted, you can always make a new working copy
from your second image. You never want to explain to the judge
that you had to check out the original media from the evidence
locker twice because you messed up the first copy.
Up to now, our password discussion has focused on nonspecific
strategies. Finding, guessing, or deducing a password is more of
an art than a science. It involves knowing your subject and
knowing how people think. It might take a lot of homework, but
it is fun and can yield that gold nugget that opens up the
evidence you need.
Cracking Passwords
The last method of obtaining a password is the most technical
and complete. When a password can't be obtained by any other
means, forensic investigators try a process known as password
cracking. Cracking a password involves trying every possible
combination, or every combination in a defined subset, until the
right one is found.
password cracking
Attempting to discover a password by trying multiple options
and continuing until you find a successful match.
Different utilities allow forensic investigators to crack
passwords online or offline. These utilities employ several
different methods. Because older UNIX systems stored encoded
passwords in a single file, the /etc/passwd file, several utilities
emerged that tried different combinations of password strings
until they found a match for each line in the file. All forensic
investigators had to do was copy the /etc/passwd file to their
own computer, launch the password cracker, and let it run.
This approach became so popular and dangerous that newer
flavors of UNIX, and now Linux, go to great lengths to hide
encoded passwords in another file. Most UNIX and Linux
systems store passwords in the /etc/shadow file. This file has
highly restricted access permissions and requires super user
permission to access. If you are investigating a computer system
running UNIX or Linux, look at the /etc/passwd file. An x
character between two colons indicates that the actual password
is stored in the shadow file. For example, here is what a line
from the /etc/passwd file looks like if password shadowing is in
use (notice the "x" after the user name, msolomon):
msolomon:x:517:644::/home/msolomon:/bin/bash
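The check described above can be run across a whole acquired /etc/passwd file. The following is an added example, not code from the book: it parses the seven colon-separated fields and groups accounts by what the password field holds. Apart from the msolomon line, the sample accounts are constructed, and the treatment of `*` and `!` as locked accounts follows common UNIX convention.

```python
from dataclasses import dataclass

# Constructed sample in /etc/passwd format. Only the msolomon line comes from
# the text above; the other accounts and the hash placeholder are invented.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
msolomon:x:517:644::/home/msolomon:/bin/bash
legacy:PLACEHOLDERHASH:601:601:Old account:/home/legacy:/bin/sh
guest::602:602::/home/guest:/bin/sh
svc:*:603:603::/var/empty:/usr/sbin/nologin
broken:line
"""


@dataclass
class PasswdEntry:
    user: str
    pw_field: str
    uid: int
    gid: int
    home: str
    shell: str

    @property
    def status(self) -> str:
        """Classify the second field, which is where the password used to live."""
        if self.pw_field == "x":
            return "shadowed"          # real hash is in /etc/shadow
        if self.pw_field == "":
            return "empty"             # no password set at all
        if self.pw_field[0] in "*!":
            return "locked"            # password login disabled
        return "hash-in-passwd"        # encoded password readable by every user


def parse_passwd(text):
    """Return (entries, rejected) where rejected holds (line_number, raw_line)."""
    entries, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        parts = raw.split(":")
        # A valid line has exactly seven colon-separated fields with numeric IDs.
        if len(parts) != 7 or not (parts[2].isdigit() and parts[3].isdigit()):
            rejected.append((lineno, raw))
            continue
        user, pw, uid, gid, _gecos, home, shell = parts
        entries.append(PasswdEntry(user, pw, int(uid), int(gid), home, shell))
    return entries, rejected


def triage(text):
    """Group account names by password-field status for the examiner's notes."""
    entries, rejected = parse_passwd(text)
    report = {"shadowed": [], "empty": [], "locked": [], "hash-in-passwd": []}
    for entry in entries:
        report[entry.status].append(entry.user)
    report["uid0"] = [e.user for e in entries if e.uid == 0]
    report["rejected_lines"] = [lineno for lineno, _ in rejected]
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PASSWD).items():
        print(f"{key:15} {value}")
```

Run it against a working copy of the file, never the original evidence; malformed lines are reported by line number rather than silently dropped.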
Real World Scenario
Tales from the Trenches: The Contract Ends Now!
Several contractors were working at a manufacturing plant in
southern California. These contractors filled various functions,
including project management and application development. The
project goal was to modify a manufacturing software package to
meet the client's specific needs. One morning, the company's
system administrator noticed that his assigned IP address was in
use when he booted his computer. After a couple comments
under his breath, he rebooted again and found that the IP
address was available. He took note of the people who were in
the office that morning and started doing a little investigative
work on his own to find out if anyone was using his IP address.
He found that a particular contractor had installed a common
password cracker in his home directory. A further look at the
contractor's history file showed that he had been engaging in
attempts to crack the system's password file.
The system administrator immediately removed the contractor's
access and had him terminated. The company's policy regarding
appropriate use of computing systems forbade any use of
password-cracking software and provided grounds for
immediate termination.
There are many password-cracking utilities available to forensic
investigators. Some common ones include:
· Cain and Abel (http://www.oxid.it/cain.html)
· Cain and Abel is a free (donation requested) password
recovery utility for Microsoft Windows operating systems that
uses several techniques to find passwords.
· John the Ripper (http://www.openwall.com/john/)
· John the Ripper is an open source password cracker that
reveals weak passwords in most operating systems.
· Hydra (http://freeworld.thc.org/thc-hydra/)
· Hydra is a free, fast network authentication cracker. Hydra can
attack the most common network protocols.
· ElcomSoft (http://www.elcomsoft.com/)
· ElcomSoft produces a variety of commercial software that
recovers passwords from operating systems and application
software.
· LastBit (http://lastbit.com/)
· LastBit produces a variety of commercial software that
recovers passwords from operating systems and application
software.
· L0phtCrack (http://www.l0phtcrack.com/)
· L0phtCrack is a commercial tool that recovers passwords and
more from computers running multiple operating systems.
· RainbowCrack (http://project-rainbowcrack.com/)
· RainbowCrack is a free tool for cracking Linux and Windows
passwords using precomputed hash tables, called rainbow
tables.
Anytime passwords are found stored in a file or database,
forensic investigators can use offline password-cracking
techniques. Online password cracking methods are used if the
password repository can't be found or you don't have access to
it (it might reside on another system). Online password cracking
is much slower and may fail more frequently (and for more
reasons) than offline cracking. Online password-cracking
utilities attempt to pass logon credentials to target systems until
they find a successful user ID/password pair. The number of
attempts that are necessary to find a password is the same as an
offline cracking utility, but the act of passing the logon
credentials to another process requires substantially more time.
If the target computer is remote to the client password-cracking
utility, network propagation further slows the process and adds
to the possibility of failure.
Unauthorized Password Cracking is Illegal
Never attempt to crack passwords unless you have specific, and
written, authority to do so. The person or organization who
owns the computer system can provide the necessary
permission. Without written permission, you may be at risk of
substantial civil and criminal penalties. Ensure that the
permission you receive comes from someone with the authority
to give it to you, is in writing, and is specific about what you
can (and can't) do.
The main reason to crack a password is to obtain password-
protected evidence. Permission to crack a password is obtained
from the computer owner or a court. In cases where the
computer's owner is unwilling to provide permission to crack a
password, a court order will suffice.
Regardless of the type of utility used, there are three basic
approaches, or "attack types," that password-cracking utilities
commonly employ.
Dictionary Attack
A dictionary attack is the simplest and fastest attack. The
cracking utility uses potential passwords from a predefined list
of commonly used passwords. The password dictionary stores
the list of passwords. The larger the dictionary, the higher the
probability the utility will succeed (but the longer it will take to
attempt the entire dictionary file). A little research on the
Internet will yield several dictionaries of common passwords.
dictionary attack
An attack that tries different passwords defined in a list, or
database, of password candidates.
An offline dictionary attack calculates hashed values of
passwords from a password dictionary. The utility compares the
hashed value with stored passwords to find a match. Since the
cracking utility spends most of its time calculating hash values,
there is an opportunity to speed up the process. If you plan to
use a password dictionary for several attempts at password
cracking, you can precompute the password hashes from the
password dictionary. These precalculated password hashes, or
rainbow tables, make offline dictionary attack processes much
faster. As a forensic investigator you'll find that passwords are
statistically located halfway through any given process. For
example, if given the choice to choose a password between 1
and 100, 50 percent of people will choose a password below the
number 50 while the other half will choose a password above
50.
The reason this type of attack works so well lies in human
nature. People tend to use common, easy-to-remember
passwords. Most would be surprised to find their favorite
password in a password dictionary. Any passwords found in a
password dictionary are too weak and should be changed.
AccessData's Password Recovery Toolkit offers a great benefit
when used with their FTK software. The investigator exports a
"dictionary" file from FTK and then uses it as the dictionary file
to crack encrypted files found on the suspect hard drives. The
dictionary file is made up of every word found on the suspect
hard drive. This enables you to crack a password by using a list
of every word on the suspect computer, potentially including
when the user entered the password (as is the case with a
password that was cached from memory).
Brute Force Attack
On the other end of the spectrum is the brute force attack. A
brute force attack simply attempts every possible password
combination until it finds a match. If the utility attempts to use
every possible combination, it will eventually succeed.
However, the amount of time required depends on the
complexity of the password. The longer the password, the more
time it will take to crack.
Brute force attacks should never be your primary method for
cracking passwords for two reasons. First, brute force attacks
are slow. They can take a substantial amount of investigative
time. Also, the length of the password may not be known. In
this case, the utility will have to try many, many combinations
that won't succeed before finding the right one.
Second, the client, resource server, or authentication credentials
(passwords) may be located on different computers. If so, the
brute force attack will generate a huge volume of network
traffic. Excessive network traffic and multiple failed logon
attempts may make a tangible impact on the network. Unless
you can set up a copy of the suspect network in your lab, you
may not be able to secure permission to launch a brute force
attack.
Hybrid Attack
The final type of attack, the hybrid attack, combines the
dictionary and brute force attack methods. In a hybrid attack,
the utility starts with a dictionary entry and tries various
alternative combinations. For example, if the dictionary entry
were "lord," the hybrid attack utility would look for these
possible alternatives:
· Lord
· l0rd
· 1ord
· 10rd
hybrid attack
A modification of the dictionary attack that tries different
permutations of each dictionary entry.
And many, many others. As you can see from this list, it is
common to obscure passwords derived from dictionary words by
replacing the letter "l" with the digit "1," or replacing the letter
"o" with the digit "0." Don't do this with your own passwords.
Even simple cracking utilities know this trick.
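The same observation can be turned into a password-policy check. The following is an added example, not code from the book: it undoes the "1" for "l" and "0" for "o" substitutions named above and rejects any password that reduces to a dictionary word. The extra substitutions, the stripping of trailing digits and punctuation, and the tiny word list are assumptions that go beyond the text.

```python
import itertools
import string

# Digit/symbol -> letters it commonly stands for. "1" -> "l" and "0" -> "o"
# are the substitutions named in the text; the rest are assumed additions.
SUBSTITUTIONS = {
    "0": "o", "1": "li", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "i",
}
MAX_VARIANTS = 256  # cap on ambiguous expansions ("1" may mean "l" or "i")

# Constructed stand-in for a real dictionary of common passwords.
COMMON_WORDS = {"lord", "password", "dragon", "monkey", "letmein"}


def deleet_variants(text):
    """Yield every reading of `text` with substitutions undone, up to the cap."""
    options = [SUBSTITUTIONS.get(ch, ch) for ch in text]
    for combo in itertools.islice(itertools.product(*options), MAX_VARIANTS):
        yield "".join(combo)


def find_base_word(password, dictionary=COMMON_WORDS):
    """Return the dictionary word a password is derived from, or None."""
    lowered = password.lower()
    # Check the whole string first, then the string without a numeric or
    # punctuation tail such as "2024!".
    stems = [lowered, lowered.rstrip(string.digits + string.punctuation)]
    for stem in stems:
        for variant in deleet_variants(stem):
            if variant in dictionary:
                return variant
    return None


def audit(passwords, dictionary=COMMON_WORDS):
    """Map each candidate password to the base word that makes it weak."""
    return {pw: find_base_word(pw, dictionary) for pw in passwords}


if __name__ == "__main__":
    candidates = ["Lord", "l0rd", "1ord", "10rd", "P@55w0rd", "lord2024!", "vQ7#pX2m!kD"]
    for pw, base in audit(candidates).items():
        verdict = f"reject (variant of '{base}')" if base else "no dictionary match"
        print(f"{pw:14} {verdict}")
```

A password that passes this check is not thereby strong; the check only removes the candidates a hybrid attack would find first.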
Regardless of the type of utility used, there are tools that can
help you get the passwords you need to access evidence.
The next section addresses one of the methods of protecting
data from disclosure—encryption.
Encryption Basics
After they gain access to the file that contains needed evidence,
forensic investigators may well find that the file itself is
unreadable. As computer investigators begin to use more
sophisticated tools, both regular and malicious users are taking
more sophisticated steps to hide information. One method used
to hide information is to modify a message or file in such a way
that only the intended recipient can reconstruct the original.
Note
This chapter does not cover the mathematics behind encryption
in any detail (such a discussion is beyond the scope of this
book).
Cryptography scrambles the contents of a file or message and
makes it unreadable to all but its intended recipient. In the
context of a computer investigation, a forensic investigator is an
unintended recipient. The word cryptography comes from the Greek
words krypto, which means "hidden," and graphein, which
means "to write."
cryptography
The science of hiding the true contents of a message from
unintended recipients.
Although cryptography's importance has become more widely
acknowledged in recent years, its roots are traced back 5,000
years to ancient Egypt. The Egyptians used hieroglyphics to
document many rituals and procedures. Only specially trained
agents could interpret these early hieroglyphics.
Around 400 B.C., the Spartans used an innovative method to
encrypt, or hide, the meaning of military communication from
unauthorized eyes. They would wrap a strip of parchment
around a stick in a spiral, similar to a barber's pole. The scribe
would write the message on the parchment and then unwind it
from the stick. With the parchment stretched out, the message
was unintelligible. In fact, the only way to read the message, or
decrypt it, was to wrap the parchment around another stick of
the same diameter and equal, or greater, length. The "secrets" to
reading the message were the dimensions of the stick and the
knowledge of how to wrap the parchment. Anyone who
possessed these two components could read the secret message.
encrypt
To obscure the meaning of a message to make it unreadable.
decrypt
To translate an encrypted message back into the original
unencrypted message.
Roman Emperor Julius Caesar was the first to use a
cryptography method, or cipher, similar to the decoder rings
popular as children's trinkets. He used a method called a
substitution cipher to send secret messages to his military
leaders. This cipher encrypts a message by substituting each
letter of the original message with another letter. A substitution
table provides the static mapping for each letter. For example,
here is a simple Caesar cipher mapping table:
Original:
ABCDEFGHIJKLMNOPQRSTUVWXYZ
Mapped:
DEFGHIJKLMNOPQRSTUVWXYZABC
cipher
An algorithm for encrypting and decrypting.
substitution cipher
A cipher that substitutes each character in the original message
with an alternate character to create the encrypted message.
For each character in the original message, read the character
directly below it in the mapped character string. The string
"HELLO" would become "KHOOR."
The recipient decrypts the message by reversing the process.
The recipient translates each letter from the encrypted message
to the original letter by reading the mapping table backward.
The resulting message is identical to the original. One must
possess the translation table to encrypt and decrypt messages
using a simple substitution cipher. The main weakness of the
cipher is the table itself. Anyone who discovers or acquires the
translation table can decrypt messages.
Although the algorithms used in current encryption
implementations are far more complex than the Caesar cipher,
the basic approach and goals are the same. Next, we'll examine
some common encryption practices.
Common Encryption Practices
In general, encryption provides:
· Confidentiality Assurance that only authorized users can view
messages
· Integrity Assurance that only authorized users can change
messages
· Authentication Assurance that users are who they claim to be
· Nonrepudiation Assurance that a message originated from the
stated source
To a forensic investigator, the most common exposure to
encryption occurs when confronted with encrypted files.
Encryption is becoming more common for hiding file contents.
Though there are other valuable uses for cryptography, such as
securing communication transmissions and authenticating the
originator of a message, they are beyond the scope of this
discussion.
As a forensic investigator, you must understand cryptography
basics and how you should react when you encounter encrypted
files.
Usually you'll recognize encrypted files when an attempt to
open a file with a known extension fails. For example, you
might attempt to open an encrypted Microsoft Word document
in Microsoft Word, but you receive an error message instead.
The text of the error message tells you that you need a converter
to read the file. In other words, Microsoft Word doesn't
recognize the contents of the encrypted file.
Another sign of encrypted files is a collection of meaningless
filenames. Many encryption utilities change filenames to hide
the meaning and type of the file.
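Both signs can be checked programmatically during triage. The following is an added example, not code from the book: it compares a file's leading bytes with the signature expected for its extension and measures byte entropy, since encrypted content looks statistically random. The 7.5 bits-per-byte threshold is an assumed heuristic, and the sample buffers are constructed.

```python
import hashlib
import math
import os.path
from collections import Counter

# Leading bytes ("magic numbers") of a few common formats, keyed by extension.
SIGNATURES = {
    ".pdf": [b"%PDF-"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".zip": [b"PK\x03\x04"],
    ".docx": [b"PK\x03\x04"],                       # Office Open XML is a ZIP container
    ".doc": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],  # legacy OLE2 compound file
}

ENTROPY_THRESHOLD = 7.5  # bits per byte; an assumed cut-off, tune on known samples

# Constructed samples: repetitive text, and pseudo-random bytes standing in for
# ciphertext (SHA-256 of a counter, so the example is deterministic).
TEXT_SAMPLE = b"Quarterly report draft, not for distribution. " * 90
RANDOM_SAMPLE = b"".join(
    hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128)
)


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant data, at most 8.0."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(
        (count / total) * math.log2(count / total)
        for count in Counter(data).values()
    )


def classify(name: str, data: bytes, threshold: float = ENTROPY_THRESHOLD) -> str:
    """Label a file by whether its content is consistent with its extension."""
    ext = os.path.splitext(name)[1].lower()
    expected = SIGNATURES.get(ext)
    header_ok = None if expected is None else any(data.startswith(s) for s in expected)
    high_entropy = shannon_entropy(data) >= threshold

    if header_ok is False and high_entropy:
        return "likely-encrypted"           # known extension, wrong header, random body
    if header_ok is False:
        return "header-mismatch"            # renamed or damaged, but not random-looking
    if header_ok is None and high_entropy:
        return "high-entropy-unknown-type"  # e.g. a meaningless filename
    # A correct header with high entropy is normal for compressed formats.
    return "consistent"


if __name__ == "__main__":
    samples = {
        "report.docx": RANDOM_SAMPLE,
        "notes.pdf": b"%PDF-1.4\n" + TEXT_SAMPLE,
        "a8f3k2.bin": RANDOM_SAMPLE,
        "letter.doc": TEXT_SAMPLE,
    }
    for name, data in samples.items():
        print(f"{name:12} {shannon_entropy(data):5.2f} bits/byte  {classify(name, data)}")
```

Compressed archives, images and video are also high-entropy, which is why the header check comes first and entropy alone never proves encryption.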
There are two main types of encryption algorithms. (An
algorithm is the detailed sequence of steps necessary to
accomplish a task.) Each type has strengths and weaknesses, but
they both serve the same function.
· Private key algorithms use the same value to encrypt and
decrypt the original text. Private key algorithms are sometimes
referred to as symmetric key algorithms because the same key is
used to encrypt and decrypt files.
· Public key algorithms (also known as asymmetric key
algorithms) use one value to encrypt the text and another value
to decrypt it. One implementation is to use public and private
key pairs.
Encryption algorithms transform an original message, called
plaintext, into an encrypted message, called ciphertext. The
algorithm also generally provides a method for reversing the
process by translating the ciphertext back into the original
plaintext message. We looked at the Caesar cipher, which is a
substitution cipher, in the previous "Encryption Basics" section.
Another type of cipher is a transposition cipher. For example,
suppose you want to send a message to a particular recipient
that no one else can read. You choose a block transposition
cipher to change the order of the letters in the original message.
First, write the original message in a block with a specific
number of columns. Next, you create the ciphertext by reading
down each column.
transposition cipher
An encryption method in which the positions of plaintext
characters are shifted by a defined number of places to produce
ciphertext. Ciphertext created with a transposition cipher is a
permutation of the plaintext.
Our plaintext message is:
I would like to meet with you in private at pier 42 tonight at
midnight.
Using a block width of 10, you rewrite the message:
iwouldlike
tomeetwith
youinpriva
teatpier42
tonightatm
idnightxxx
You can add specific characters to make the message fill up the
last row.
Next, construct the ciphertext by reading down the columns.
Our encrypted message is:
ityttiwooeodomuannueitiilenpggdtpihhlwrettiiiraxktv4txeha2mx
All you have to do to decrypt the message is to rewrite it in a
block and read the message across the rows. The key to the
process is knowing that the original block used 10 columns.
Once you know the number of columns in the original block,
simply divide the length of the ciphertext, 60, by the number of
columns, 10. This tells you there are six rows in the original
plaintext block. Write the ciphertext in columns using six rows
and you can read the original message.
All algorithms use some type of value to translate the plaintext
to ciphertext. Each algorithm performs steps using the supplied
value to encrypt the data. The special value that the algorithm
uses is the encryption key. Some encryption algorithms use a
single key, while others use more than one. The Caesar cipher
uses a single key value. The key value tells how many positions
to add to the plaintext character to encrypt and the number to
subtract from the ciphertext character to decrypt. As long as the
sender and receiver both use the same algorithm and key, the
process works.
encryption key
A code that enables the user to encrypt or decrypt information
when combined with a cipher or algorithm.
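The two classical ciphers above, with their keys made explicit, as an added example that is not code from the book: the Caesar key is the shift (3 in the mapping table shown earlier) and the transposition key is the block width (10). It goes slightly beyond the text by listing every possible key, which shows how small both key spaces are; the function names are this example's own.

```python
import string

UPPER = string.ascii_uppercase

# Plaintext and ciphertext exactly as given in the text above.
PAGE_MESSAGE = "I would like to meet with you in private at pier 42 tonight at midnight."
PAGE_CIPHERTEXT = "ityttiwooeodomuannueitiilenpggdtpihhlwrettiiiraxktv4txeha2mx"


def caesar(text, key):
    """Shift letters by `key` positions; a negative key decrypts."""
    k = key % 26
    shifted = UPPER[k:] + UPPER[:k]
    table = str.maketrans(UPPER + UPPER.lower(), shifted + shifted.lower())
    return text.translate(table)


def caesar_all_shifts(ciphertext):
    """Every possible decryption: the key space is only 25 non-trivial shifts."""
    return {k: caesar(ciphertext, -k) for k in range(1, 26)}


def normalise(message):
    """Keep letters and digits only, lower-cased, as in the worked block."""
    return "".join(ch.lower() for ch in message if ch.isalnum())


def transpose_encrypt(message, width, pad="x"):
    """Write the message in rows of `width`, pad the last row, read down columns."""
    text = normalise(message)
    text += pad * (-len(text) % width)
    rows = [text[i:i + width] for i in range(0, len(text), width)]
    return "".join(row[col] for col in range(width) for row in rows)


def transpose_decrypt(ciphertext, width):
    """Rebuild the columns (each `height` long) and read across the rows."""
    if width < 1 or len(ciphertext) % width:
        raise ValueError("ciphertext length must be a multiple of the block width")
    height = len(ciphertext) // width
    cols = [ciphertext[i:i + height] for i in range(0, len(ciphertext), height)]
    return "".join(col[r] for r in range(height) for col in cols)


def candidate_widths(ciphertext):
    """Block widths that divide the ciphertext length: the entire key space."""
    n = len(ciphertext)
    return [w for w in range(1, n + 1) if n % w == 0]


if __name__ == "__main__":
    print(caesar("HELLO", 3))                        # substitution with key 3
    print(transpose_encrypt(PAGE_MESSAGE, 10))       # transposition with key 10
    print(transpose_decrypt(PAGE_CIPHERTEXT, 10))    # padding "xxx" remains at the end
    print(candidate_widths(PAGE_CIPHERTEXT))         # only a dozen keys to try
```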
Private, or Symmetric, Key Algorithms
The easiest type of encryption to understand and use is the
private key algorithm, also referred to as a symmetric key
algorithm. It is symmetric because the decrypt function is a
simple reversal of the encrypt function. In other words, it looks
the same on both sides. (See Figure 7.1.)
Figure 7.1: Symmetric key algorithm
private key algorithm
An encryption algorithm that uses the same key to encrypt and
decrypt. Also known as symmetric key algorithm.
This type of algorithm is simple, fast, and a frequent choice for
encrypting data. The key and the algorithm are all that is
required to decrypt the file. (Sounds simple, doesn't it? And it is,
if you have the key and algorithm.) Although this type of
algorithm is common for encrypting files, it can be more
difficult to use for message encryption. The problem is
managing the encryption key. The key is required to decrypt a
file or message. Plus, you have to find a way to get the key to
the recipient in a secure manner.
If someone is eavesdropping on all communication between you
and your intended recipient, then he or she will likely intercept
the encryption key as well as any encrypted data. With the key,
they will be able to decrypt files at will. For the purposes of
computer forensics, you will more likely find symmetric
algorithm-encrypted files on media. The simple reason for this
is that symmetric algorithms are fast and easy to use. Because
you have only a single key, you don't need to specifically
generate keys and then keep up with multiple values. That
means you need the single key.
Note
Don't assume that computer investigators only deal with file
encryption using symmetric keys. You will encounter various
types of encryption and algorithms. Encryption is a discipline in
itself. This section just highlights those issues you are most
likely to encounter.
Key discovery is similar to password discovery. Forensic
investigators need to find, deduce, or crack the encryption to
get to the key. The biggest difference between cracking
passwords and cracking encryption keys is that cracking
encryption keys is usually much harder and takes far longer.
The simple explanation is that the plaintext for a password is
generally limited to a couple dozen characters. The plaintext for
a file could be gigabytes. Cracking the encryption key takes
substantially longer than cracking a password.
Many well-known symmetric encryption algorithms exist. Here
are a few of the more common ones forensic investigators are
likely to encounter:
· Data Encryption Standard (DES)
First published in 1977
Adopted as the U.S. government standard for all data
communications
Uses 56-bit key (plus eight parity bits)
Old and weak by today's standards
· Triple DES (3DES)
More secure than DES
Uses three separate DES encryption cycles
· Blowfish
Stronger alternative to DES
Key size can vary from 32 bits to 448 bits
· Advanced Encryption Standard (AES)
The latest, strongest standard adopted by the U.S. government
after an exhaustive competition among algorithm designs
developed by leading world experts in cryptography
Based on the Rijndael cipher
Key sizes are 128, 192, or 256 bits
· Serpent
Came in second place in the AES competition
Similar block sizes and key sizes to AES
· Twofish
Related to the Blowfish algorithm
One of the five finalists in the AES competition
Advanced Encryption Standard (AES) competition
Sponsored by the National Institute for Standards and
Technology (NIST), the AES competition was for an encryption
standard to replace DES. The competition began in 1997 and
culminated with the announcement in 2000 that the winner of
the Advanced Encryption Standard was the Rijndael cipher.
Each algorithm in the previous list can effectively encrypt files.
For more security, use a newer algorithm and a secure key.
Research some of the common encrypt/decrypt utilities and
compare the algorithms they support.
Public, or Asymmetric, Key Algorithms
The other type of encryption algorithm is the public key
algorithm. This type of algorithm is also called asymmetric
because the decrypt process differs from the encrypt process.
An asymmetric encryption algorithm addresses the issue of key
distribution by requiring two keys to complete the encrypt-
decrypt process.
public key algorithm
An encryption algorithm that uses one key to encrypt plaintext
and another key to decrypt ciphertext. Also called asymmetric
algorithm.
The process starts with key generation. The software that
encrypts plaintext will also have a utility to generate keys.
When asked, the user supplies a passcode and the utility uses
the passcode to generate a private key and a public key. This is
called a key pair. Private keys are meant to be secret and should
not be disclosed to anyone. On the other hand, public keys can
be distributed to anyone. The encryption algorithm uses the
private key to encrypt plaintext and the public key to decrypt
resulting ciphertext. (See Figure 7.2.)
Figure 7.2: Asymmetric algorithm
passcode
A character string used to authenticate a user ID to perform
some function, such as encryption key management.
The resulting process allows you to encrypt data with your
private key. Anyone who has the public key can decrypt the file
or message. This process lets anyone verify that a file or
message originated from a specific person. If you can decrypt a
file with Fred's public key, Fred had to encrypt it with his
private key. Although this is great for sending messages and
verifying the sender's identity, it doesn't add much value if all
you want to do is encrypt some files.
The most common type of encryption you will run into during
evidence analysis is file encryption. For that reason, we focus
on symmetric key algorithms.
Steganography
Both symmetric and asymmetric encryption algorithms share
one common trait: Encrypted files can be recognized by
examining their contents. The fact that a file has encrypted
content draws attention to its value. A forensic investigator may
want to decrypt a file just because it contains encrypted content
and, therefore, probably contains some data of value or other
evidence.
Encrypt It All!
If you are going to use encryption, then it's generally a good
practice to encrypt everything to avoid drawing attention to
particular encrypted files. As an analogy, if every letter mailed
was written on a postcard, and you suddenly found a postcard
placed inside of an envelope, you'd want to know why. Placing
the postcard in an envelope would draw attention to the fact
that something might be hidden in that message. The same is
true for encrypting files. If forensic investigators find encrypted
files when all other files are unencrypted, they'll want to know
what the user is hiding in the encrypted file.
There is another approach. Steganography is the practice of
hiding one message in another, larger message. The original
message, or file, becomes the carrier and the hidden message is
the payload. Large pictures and sound files make good carriers
because the payload can be inserted without changing the
original file in an obvious way. Steganographic utilities insert
payload bytes into the carrier by slightly changing bytes in the
carrier file. If the original data in the carrier separates the
changed bytes by a wide enough margin, changes are
unnoticeable. If you change every 100th pixel in a picture by a
single shade of color, the resulting picture appears almost
identical to the original.
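The following added example (not from the original text) shows what that change looks like to an examiner who holds the original carrier: every altered byte differs by exactly one shade, yet the file hash no longer matches. The carrier bytes, the payload, and the function names are constructed for illustration, and the stride of 100 follows the "every 100th pixel" figure above.

```python
import hashlib

STRIDE = 100  # touch at most every 100th carrier byte, as in the text

def embed(carrier: bytes, payload: bytes, stride: int = STRIDE) -> bytes:
    """Write each payload bit into the low bit of every stride-th carrier byte."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) * stride > len(carrier):
        raise ValueError("carrier too small for payload at this stride")
    out = bytearray(carrier)
    for n, bit in enumerate(bits):
        pos = n * stride
        out[pos] = (out[pos] & 0xFE) | bit  # only the lowest bit can change
    return bytes(out)

def extract(stego: bytes, length: int, stride: int = STRIDE) -> bytes:
    """Read back `length` payload bytes from the low bits at each stride offset."""
    bits = [stego[n * stride] & 1 for n in range(length * 8)]
    return bytes(
        sum(bit << (7 - i) for i, bit in enumerate(bits[k:k + 8]))
        for k in range(0, len(bits), 8)
    )

def compare(original: bytes, suspect: bytes) -> dict:
    """Examiner's view: hash mismatch plus the location and size of each change."""
    diffs = [(i, abs(a - b)) for i, (a, b) in enumerate(zip(original, suspect)) if a != b]
    return {
        "hash_match": hashlib.sha256(original).digest() == hashlib.sha256(suspect).digest(),
        "changed": len(diffs),
        "max_delta": max((d for _, d in diffs), default=0),
        "offsets": [i for i, _ in diffs],
    }

# Constructed sample data: 8,000 grayscale pixel bytes and a 6-byte payload.
CARRIER = bytes((i // 40 + (i * 7) % 5) % 256 for i in range(8000))
PAYLOAD = b"meet@9"
STEGO = embed(CARRIER, PAYLOAD)
REPORT = compare(CARRIER, STEGO)

if __name__ == "__main__":
    print(extract(STEGO, len(PAYLOAD)))
    print({k: v for k, v in REPORT.items() if k != "offsets"})
```

Without the original carrier the byte-level comparison is not available, which is why a known-good copy or a hash set of known files matters when a carrier is suspected.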
Steganography allows users to embed desired data into
seemingly innocent files and messages. A secret message
embedded in a picture file can be sent via e-mail as an
attachment and raise no suspicion. Or better yet, the user can
simply post the picture on a Web site and there won't be a direct
connection between the user and the person they are
communicating with. The ease with which anyone can obtain
steganographic utilities makes covert data communication and
storage easy.
Real World Scenario
Keeping Secrets
Intelligence experts suspect that the terrorists who planned and
carried out the attacks on New York and Washington, D.C. on
September 11, 2001, may have used steganography to
communicate with one another. Investigators suspected the
terrorists of embedding messages in digital pictures and then
e-mailing the pictures (and embedded messages) as attachments to
normal e-mail messages. The messages looked like common
e-mails with attached pictures. The pictures could have been