Computer Forensics in the Classroom - PowerPoint PPT Presentation

Transcript and Presenter's Notes


1
Computer Forensics in the Classroom
  • Chris Eagle
  • Naval Postgraduate School
  • cseagle_at_nps.edu

2
The Challenge
  • A one quarter course in computer forensics
  • Appropriate number of hours
  • Meaningful labs
  • More than just a survey of current state of
    forensics field

3
Background
  • The forensics process
  • Pre-incident planning
  • Incident recognition and response
  • Evidence collection
  • Evidence analysis
  • Reporting of findings

4
Recognizing Overlap
  • Much of forensics overlaps with other areas
  • Introductory computer security
  • Viruses, worms, steganography, cryptographic
    hashing, etc.
  • Networking and network defense
  • Secure management of systems
  • Recognize and reinforce, but don't repeat

5
Technical vs. Non-technical
  • What are the goals for your course?
  • High level SANS style overview?
  • Low level technically oriented?
  • How much time to dedicate to non-technical
    material
  • Legal issues
  • Handling and presentation of evidence
  • Could each be entire courses

6
Laboratory Setup
  • Many considerations
  • Shared lab?
  • Windows vs. *nix
  • Open source vs. proprietary
  • Expense
  • VMware and its limitations
  • VMware Player
  • Use of hostile tools and/or content
  • Unhappy system administrators

7
Lab Exercises
  • O/S Familiarity
  • Tool familiarization
  • Evidence collection
  • How do you plant evidence
  • Evidence analysis
  • Final project?
  • Report style
  • Case analysis
  • Consider case development

8
Emphasizing Computer Science
  • Education vs. training
  • How does it all tie in to their studies
  • What are the challenges in forensics?
  • Binary analysis
  • RAM and virtual memory analysis
  • Steganalysis
  • Others

9
Resources
  • Honeynet Project
  • Challenges and whitepapers
  • http://www.honeynet.org
  • SANS
  • Courses, newsletters
  • http://www.sans.org
  • Sleuth Kit
  • Collection and analysis tools and newsletter
  • http://www.sleuthkit.org

10
Conclusion
  • Questions
  • Contact info
  • Chris Eagle
  • cseagle_at_nps.edu
  • 831-656-2378