Forensic Lab Development - PowerPoint PPT Presentation

About This Presentation
Title: Forensic Lab Development
Slides: 25
Provided by: pansta

Transcript and Presenter's Notes

Title: Forensic Lab Development


1
Forensic Lab Development
  • Rochester Institute of Technology
  • Yin Pan
  • Bill Stackpole

2
Agenda
  • The challenges of cyber forensics investigation
  • Goals of the lab component
  • Procedures used to develop basic forensics labs
  • Strategies for creating new lab content through
    multi-course collaboration
  • Outcomes and feedback from students

3
What is Forensics?
  • Investigation of past activities to help
    reconstruct a version of what happened or may
    have happened

4
What is Computer Forensics?
  • Investigation of computer / digital device to
    find evidence of activity
  • Crimes, both digital and non-digital
  • Corroborating evidence
  • Data recovery

5
What is computer forensics?
  • Computer forensic science is the science of
    acquiring, preserving, retrieving, and presenting
    data that has been processed electronically and
    stored on computer media.
  • As a forensic discipline, nothing since DNA
    technology has had such a large potential effect
    on specific types of investigations and
    prosecutions as computer forensic science.
  • (www.fbi.gov)

6
  • The nature of digital forensic investigation is
    changing.
  • Communications of the ACM Feb 2006

7
Goals of the Forensic Investigator
  • Confirm or dispel the compromise
  • Determine the extent of damage
  • Answer who, what, when, where, how and why
  • Gather data in a forensically sound manner
  • Handle and analyze evidence
  • Present admissible evidence in court

8
Practice makes perfect
  • Must become skilled in the use of computer
    forensic tools and techniques
  • Practice allows them to obtain the skills and
    knowledge necessary
  • Must be familiar enough to address testing of
    tools
  • Our goal is to train the individuals specializing
    in digital forensics for government, private and
    public sectors.

9
Challenges
  • How to choose the appropriate tools and
    techniques
  • Retaining the admissible information stored in
    computers and other devices
  • Minimizing the risk of losing important
    information or destroying data.
  • How to effectively enhance our lab materials with
    exposure to new threats and technologies as
    well.

10
The goal of the lab component
  • Produce technical professionals capable of
    performing forensics investigations using
    appropriate tools and procedures.
  • Identify and employ tools used for tracking,
    gathering, preserving and analyzing evidence.
  • Emphasis on applying classroom knowledge to real
    world applications through hands-on exercises in
    a controlled environment.
  • Learn the procedures used to gather and preserve
    this evidence to ensure admissibility in court.

11
What is important?
  • Process of investigation
  • Techniques and tools
  • Ethics, privacy, and legal issues

12
Specific Content
  • Incident Response (CSIRT responsibilities)
  • Data Collection and preservation
  • Analyzing data
  • Timeline analysis
  • OS-specific
  • Data recovery
  • String search
  • Reporting

13
Many different elements
  • Processor/Hardware (x86, Sun, Mac, etc)
  • OS (Win/Unices/Mac/others)
  • Application (task-specific, general)
  • Filesystem (NTFS/UFS/ext/hpfs)
  • Storage (local, networked, NAS, SAN, raid)
  • Other (PDA / cellphones / cameras / memory sticks /
    cards / MP3 players / etc)

14
Lab Exercise Design
  • Closely tracks lecture content
  • Incident Response / procedure
  • OS-specific forensics techniques
  • Bit-by-bit imaging of a drive and preserving the
    integrity of the image
  • Recovering, categorizing and analyzing data
  • Reporting
  • Select appropriate tools
  • Linux: Autopsy, Sleuthkit, TCT
  • Well tested and accepted in the legal community
  • Windows: EnCase and forensic acquisition tools
  • Wide use in the legal, law enforcement and
    governmental arenas.

15
Lab topics
  • Lab 1 Incident response lab - collect and record
    data/information/physical evidence in
    forensically sound manner
  • Lab 2 Capture drive - dd/md5/mount/tct
  • Lab 3 Autopsy/sleuthkit/foremost/netcat
  • Lab 4 Linux frame buffer image capture and
    analysis
  • Lab 5 EnCase and open source tools
    (dd/netcat/acquisition)
  • Lab 6 Analyze an image using EnCase or Linux
    tools

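The dd/md5 acquisition step of Lab 2 (and the imaging bullet of the previous slide) worked through as an added shell example, not part of the slides: image a device bit-for-bit, hash source and image, log both, and re-verify before analysis. It assumes a POSIX sh with coreutils dd and md5sum; the evidence "device" in demo_run is a constructed 4 KiB file, so nothing real is touched.

```shell
#!/bin/sh
# Added example (not from the slides): Lab 2's dd/md5 step.
# Assumes POSIX sh with coreutils dd and md5sum. In the lab the source
# would be the evidence device; demo_run uses a constructed file instead.

# md5_of FILE: print only the hex digest
md5_of() {
    md5sum "$1" | cut -d' ' -f1
}

# image_and_verify SRC IMG LOG: sector-by-sector copy of SRC to IMG, record
# both hashes in LOG, return 0 only if they match.
image_and_verify() {
    src="$1"; img="$2"; log="$3"
    # noerror: keep going past unreadable sectors; sync: zero-pad them so
    # every byte of the image keeps the offset it had on the original.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(md5_of "$src")
    img_hash=$(md5_of "$img")
    printf '%s  source  %s\n%s  image   %s\n' \
        "$src_hash" "$src" "$img_hash" "$img" >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMG EXPECTED: re-hash the image (e.g. before analysis) and
# fail if it no longer matches the digest recorded at acquisition.
verify_image() {
    [ "$(md5_of "$1")" = "$2" ]
}

# demo_run DIR: constructed 4 KiB "device", image it, verify, then show that
# a one-byte change to the image is caught. Returns 0 if all behaves as expected.
demo_run() {
    dir="$1"
    dd if=/dev/zero of="$dir/evidence.raw" bs=512 count=8 2>/dev/null
    image_and_verify "$dir/evidence.raw" "$dir/evidence.img" "$dir/hashes.log" || return 1
    expected=$(md5_of "$dir/evidence.raw")
    verify_image "$dir/evidence.img" "$expected" || return 1
    # tamper with the copy: one byte at offset 100 (source is all zeros)
    printf 'X' | dd of="$dir/evidence.img" bs=1 seek=100 conv=notrunc 2>/dev/null
    verify_image "$dir/evidence.img" "$expected" && return 1
    return 0
}
```

Run `demo_run "$(mktemp -d)"` to exercise it; the hashes.log it writes is the kind of acquisition record the lab asks students to keep.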
16
Physical Lab Design
  • Dedicated machines
  • Lots of I/O, removable drives, etc.
  • Encase Forensic Edition v5
  • Open source products (TCT / sleuthkit / autopsy /
    etc)
  • VMWare
  • Helix / BackTrack / etc
  • Imaging system
  • Air-gap capability

17
How did labs work?
  • Labs are effective at conveying and applying
    concepts discussed and discovered in lecture.
  • General Student Feedback
  • Enjoyed hands-on learning
  • Thought it was fun and cool.
  • Liked that content was split into Linux/Windows
    in different weeks; found it easier to focus on
    one OS at a time
  • Appreciated the dedicated forensics machines
  • Framebuffer lab made them think outside the box
    (alternatives to 'traditional' investigation
    techniques)

18
Things can be improved
  • More real case studies
  • Lack of time was an issue (insufficient time for
    great depth of study.)
  • Other non-Linux forensics exercises
    (BSD/Solaris/?)
  • Labs need further tweaking

19
Create self-evolving labs through multi-course
collaboration
  • Why?
  • To meet the challenges described before and
    students' needs as well
  • Is this feasible?
  • We believe so!
  • Courses involved
  • System Security
  • Network Security and Network Forensics
  • Advanced Computer System Forensics (Graduate)
  • Computer System Forensics
  • Viruses and Malicious Software
  • Wired and Wireless Security
  • Auditing???

20
A potential model
  • System security students build secure systems
  • Malware students might build tools to attack the
    secure systems
  • Forensics students work with Network and System
    security students to handle the incident
  • Advanced Forensic students develop tools to
    address unmet needs raised by forensics students

21
Our strategy to create new lab materials
  • Collect images of different operating systems
    with different levels of patches
  • Collect appropriate Honeynet projects
  • Collect students' work
  • from involved courses
  • By hosting a legal event of the InfoSec Talent
    Search (ISTS) or "weekend hackfest" in a
    relatively controlled environment.
  • Try the student-generated images outlined
    yesterday by Anna Carlin from CalPoly?

22
Foreseeable Benefits
  • Allow students from multiple courses to interact
    and share content and experience.
  • Allow the labs to be self-evolving and require
    minimal faculty maintenance to remain current.
  • Help students gain exposure to newest real world
    threats and get practice on finding or developing
    suitable tools and conducting investigation with
    appropriate procedures.
  • Keep students at the forefront of technology and
    help prepare them to meet challenges in the
    computer security field.

23
Future direction
  • Remote lab systems
  • Collaboration with local LEA
  • Training of other faculty

24
What did we miss?
  • Suggestions?
  • Questions?