Forensic Lab Development
Rochester Institute of Technology
Yin Pan, Bill Stackpole

Agenda
  The challenges of cyber forensics investigation
  Goals of the lab component
  Procedures used to develop basic forensics labs
  Strategies for creating new lab content through multi-course collaboration
  Outcomes and feedback from students

What is Forensics?
  Investigation of past activities to help reconstruct a version of what happened, or may have happened

What is Computer Forensics?
  Investigation of a computer or digital device to find evidence of activity
  Crimes, both digital and non-digital
  Corroborating evidence
  Data recovery

What is computer forensics?
  "Computer forensic science is the science of acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer media. As a forensic discipline, nothing since DNA technology has had such a large potential effect on specific types of investigations and prosecutions as computer forensic science." (www.fbi.gov)

"The nature of digital forensic investigation is changing." – Communications of the ACM, Feb 2006

Goals of the Forensic Investigator
  Confirm or dispel the compromise
  Determine the extent of damage
  Answer: who, what, when, where, how and why
  Gather data in a forensically sound manner
  Handle and analyze evidence
  Present admissible evidence in court

Practice makes perfect
  Students must become skilled in the use of computer forensic tools and techniques
  Practice allows them to obtain the necessary skills and knowledge
  They must be familiar enough with the tools to address testing of those tools
  Our goal is to train individuals specializing in digital forensics for the government, private and public sectors.

Challenges
  How to choose the appropriate tools and techniques
  Retaining the admissible information stored in computers and other devices
  Minimizing the risk of losing important information or destroying data
  How to effectively keep our lab materials current with newly exposed threats and technologies

The goal of the lab component
  Produce technical professionals capable of performing forensics investigations using appropriate tools and procedures.
  Identify and employ tools used for tracking, gathering, preserving and analyzing evidence.
  Emphasize applying classroom knowledge to real-world applications through hands-on exercises in a controlled environment.
  Learn the procedures used to gather and preserve evidence to ensure its admissibility in court.

What is important?
  Process of investigation
  Techniques and tools
  Ethics, privacy, and legal issues

Specific Content
  Incident Response (CSIRT responsibilities)
  Data collection and preservation
  Analyzing data
    Timeline analysis
    OS-specific
    Data recovery
    String search
  Reporting

Many different elements
  Processor/hardware (x86, Sun, Mac, etc.)
  OS (Windows / Unices / Mac / others)
  Application (task-specific, general)
  Filesystem (NTFS / UFS / ext / HPFS)
  Storage (local, networked, NAS, SAN, RAID)
  Other (PDAs / cellphones / cameras / memory sticks and cards / MP3 players / etc.)

Lab Exercise Design
  Closely tracks lecture content
    Incident response / procedure
    OS-specific forensics techniques
    Bit-by-bit imaging of a drive and preserving the integrity of the image
    Recovering, categorizing and analyzing data
    Reporting
  Select appropriate tools
    Linux – Autopsy, Sleuth Kit, TCT: well tested and accepted in the legal community
    Windows – EnCase and forensic acquisition tools: widely used in the legal, law enforcement and governmental arenas

Lab topics
  Lab 1: Incident response lab – collect and record data, information and physical evidence in a forensically sound manner
  Lab 2: Capture drive – dd / md5 / mount / TCT
  Lab 3: Autopsy / Sleuth Kit / foremost / netcat
  Lab 4: Linux frame buffer image capture and analysis
  Lab 5: EnCase and open source tools – dd / netcat / acquisition
  Lab 6: Analyze an image using EnCase or Linux tools
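The Lab 2 capture step (dd, then md5 to preserve the image's integrity) as an added POSIX shell example that is not part of the original slides: a constructed regular file stands in for the source drive, dd copies it bit-for-bit, and the source and image digests are recorded and compared before any analysis; the file names and the 64 KiB size are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): the Lab 2 "capture drive" steps with dd
# and md5. A regular file stands in for the source drive; names are assumptions.
set -eu

# acquire_image SRC IMG LOG
# Bit-for-bit copy of SRC into IMG. conv=noerror,sync keeps reading past bad
# sectors and pads them with zeros so later offsets still line up. dd's own
# summary goes to LOG so the acquisition record stays with the image.
acquire_image() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>"$3"
}

# hash_of FILE: print only the MD5 digest, without the filename.
hash_of() {
    md5sum "$1" | cut -d' ' -f1
}

# verify_image SRC IMG
# Records both digests next to the image (IMG.md5) and succeeds only when they
# match; a mismatch means IMG is not a faithful copy and must not be analyzed.
verify_image() {
    src_hash=$(hash_of "$1")
    img_hash=$(hash_of "$2")
    printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash" > "$2.md5"
    [ "$src_hash" = "$img_hash" ]
}

# make_source_drive FILE: constructed 64 KiB of random bytes as a stand-in drive.
make_source_drive() {
    dd if=/dev/urandom of="$1" bs=1024 count=64 2>/dev/null
}

# Demo run: acquire, verify, and stop if the image does not match the source.
make_source_drive evidence.src
acquire_image evidence.src evidence.dd evidence.dd.log
if verify_image evidence.src evidence.dd; then
    echo "image verified, md5 $(hash_of evidence.dd)"
else
    echo "hash mismatch: do not analyze evidence.dd" >&2
    exit 1
fi
```

In the real lab the source is a block device (e.g. a removable drive behind a write blocker) rather than a file, and the image is then mounted read-only for analysis with TCT or Autopsy.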
Physical Lab Design
  Dedicated machines
  Lots of I/O, removable drives, etc.
  EnCase Forensic Edition v5
  Open source products (TCT / Sleuth Kit / Autopsy / etc.)
  VMware
  Helix / BackTrack / etc.
  Imaging system
  Air-gap capability

How did the labs work?
  Labs are effective at conveying and applying concepts discussed and discovered in lecture.
  General student feedback:
    Enjoyed hands-on learning
    Thought it was fun and cool
    Liked that content was split into Linux and Windows in different weeks – found it easier to focus on one OS at a time
    Appreciated the dedicated forensics machines
    The framebuffer lab made them think "outside the box" (alternatives to 'traditional' investigation techniques)

Things that can be improved
  More real case studies
  Lack of time was an issue (insufficient time for great depth of study)
  Other non-Linux forensics exercises (BSD / Solaris / ?)
  Labs need further tweaking

Create self-evolving labs through multi-course collaboration
  Why? To meet the challenges described before, and students' needs as well
  Is this feasible? We believe so!
  Courses involved:
    System Security
    Network Security and Network Forensics
    Advanced Computer System Forensics (graduate)
    Computer System Forensics
    Viruses and Malicious Software
    Wired and Wireless Security
    Auditing???

A potential model
  System security students build secure systems
  Malware students might build tools to attack the secure systems
  Forensics students work with network and system security students to handle the incident
  Advanced forensics students develop tools to address unmet needs raised by forensics students

Our strategy to create new lab materials
  Collect images of different operating systems with different levels of patches
  Collect appropriate Honeynet projects
  Collect students' work from the involved courses, by hosting a legal event such as the InfoSec Talent Search (ISTS) or a "weekend hackfest" in a relatively controlled environment
  Try the "student-generated images" outlined yesterday by Anna Carlin from CalPoly?

Foreseeable Benefits
  Allow students from multiple courses to interact and share content and experience.
  Allow the labs to be self-evolving and require minimal faculty maintenance to remain current.
  Help students gain exposure to the newest real-world threats and practice finding or developing suitable tools and conducting investigations with appropriate procedures.
  Keep students at the forefront of the technology and help prepare them to meet challenges in the computer security field.

Future direction
  Remote lab systems
  Collaboration with local LEA
  Training of other faculty

What did we miss? Suggestions? Questions?