
Forensic Lab Development





  1. Forensic Lab Development • Rochester Institute of Technology • Yin Pan, Bill Stackpole • Secure IT 2006

  2. Agenda • The challenges we are facing in cyber forensics investigation • The goal of our lab component • Procedures used in developing basic forensics labs • The strategies for creating new lab content through multiple-course collaboration • Outcomes and feedback from students

  3. What is Forensics? • Investigation of past activities to help reconstruct a version of what happened, or may have happened

  4. What is Computer Forensics? • Investigation of a computer or digital device to find evidence of activity • Crimes both digital and non-digital • Corroborating evidence • Data recovery

  5. What is computer forensics? • "Gathering and analyzing data in a manner as free from distortion or bias as possible to reconstruct data or what has happened in the past on a system" (Farmer and Venema, 1999)

  6. "In the wired world, almost every crime intersects with the digital realm at one time or another." (CNN)

  7. Targeted learners • FACT: Few individuals have the skills and knowledge necessary to conduct a forensic investigation • Our goal is to train individuals to specialize in digital forensics for the government, private and public sectors

  8. Goals of the forensic investigator • Confirm or dispel the compromise • Determine the extent of the damage • Answer: who, what, when, where, how and why • Gather data in a forensically sound manner • Handle and analyze evidence • Present admissible evidence in court

  9. Challenges • How to choose the appropriate tools and techniques • Retaining the admissible information stored in computers and other devices • Not running the risk of losing important information or destroying data • How to effectively keep our lab materials current with newly exposed threats and technologies

  10. The goal of the lab component • Produce technical professionals who are capable of performing forensic investigations with appropriate tools and procedures • Identify and employ tools used for tracking intruders and for gathering, preserving and analyzing evidence of their activities • Emphasize applying classroom knowledge to real-world applications through hands-on exercises in a controlled environment • Learn the procedures used to gather and preserve this evidence to ensure admissibility in court

  11. What to focus on? • Procedures • Basic knowledge • Techniques • Ethics and legal issues

  12. Procedures • Incident response process • Chain of custody • Collecting data in a forensically sound manner • Recovering deleted and hidden files • Analyzing data (MAC times, OS-specific analyses, data recovery, string search, e-mail) • Reporting

  13. Wide range to consider • Many different elements • Processor/hardware (x86, Sun, Mac, etc.) • OS (Windows/Unices/Mac/others) • Application (task-specific, general) • Filesystem (NTFS/UFS/ext/HPFS) • Storage (local, networked, NAS, SAN, RAID) • Other (PDAs, cellphones, cameras, memory sticks and cards, MP3 players, etc.)

  14. Lab Design • Closely tied to lecture content • Incident response / procedure • OS-specific forensic techniques • Bit-by-bit imaging of a drive and preserving the integrity of the image • Recovering, categorizing and analyzing data • Reporting • Select appropriate tools • Windows: EnCase and forensic acquisition tools, widely used in the legal, law enforcement and governmental arenas • Linux: Autopsy, The Sleuth Kit, TCT (The Coroner's Toolkit), well tested and accepted in the legal community as well

  15. Lab topics • Lab 1: Incident response lab: collect and record data, information and physical evidence in a forensically sound manner • Lab 2: Capture a drive: dd/md5/mount/TCT • Lab 3: Autopsy/Sleuth Kit/foremost/netcat • Lab 4: Linux frame buffer image capture and analysis • Lab 5: EnCase and open-source tools: dd/netcat/acquisition • Lab 6: Analyze an image using EnCase or Linux tools
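The procedure behind slides 12, 14 and Lab 2 above (hash the source, image it bit-for-bit with dd, hash the image, record both, then search the image rather than the original) as an added shell example. This is not code from the RIT labs or the slides: the "drive" is a constructed 64 KiB file with two strings planted at known offsets, the hashes are SHA-256 rather than the MD5 the lab names, and the tools assumed are GNU coreutils (dd, sha256sum, stat, touch -d) and GNU grep, so it runs offline without root, a block device or a mount.

```shell
#!/bin/sh
# Added example for the forensics labs above; not from the slides.
# Walks through acquisition with hash verification, a string search on the
# image, and a MAC-time first pass, using a constructed "drive" file in
# place of a real block device. Assumes GNU coreutils and GNU grep.
LC_ALL=C; export LC_ALL
set -u

WORK="${WORK:-$(mktemp -d)}"
EVIDENCE="$WORK/evidence.bin"   # stands in for /dev/sdb behind a write-blocker
IMAGE="$WORK/evidence.dd"       # the bit-for-bit working copy
LOG="$WORK/chain_of_custody.log"

# Constructed suspect drive: zeros with two artefacts planted at known offsets.
build_evidence() {
    dd if=/dev/zero of="$EVIDENCE" bs=1024 count=64 2>/dev/null
    printf 'From: suspect@example.invalid\nSubject: plans\n' \
        | dd of="$EVIDENCE" bs=1 seek=4096 conv=notrunc 2>/dev/null
    printf 'SECRET-PROJECT-NOTES' \
        | dd of="$EVIDENCE" bs=1 seek=30000 conv=notrunc 2>/dev/null
}

# Hash the source before touching it, image it, hash the image, log both.
# conv=noerror,sync keeps dd going past unreadable sectors and zero-fills
# them so offsets in the image still line up with the source drive.
acquire() {
    src_hash=$(sha256sum "$EVIDENCE" | cut -d' ' -f1)
    dd if="$EVIDENCE" of="$IMAGE" bs=512 conv=noerror,sync 2>/dev/null
    img_hash=$(sha256sum "$IMAGE" | cut -d' ' -f1)
    {
        echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) acquired $EVIDENCE -> $IMAGE"
        echo "source sha256: $src_hash"
        echo "image  sha256: $img_hash"
    } >>"$LOG"
    [ "$src_hash" = "$img_hash" ]   # 0 only if the copy is bit-for-bit exact
}

# Before any analysis session, prove the image still matches the logged hash.
verify_image() {
    logged=$(grep 'image  sha256:' "$LOG" | tail -n 1 | awk '{print $3}')
    now=$(sha256sum "$IMAGE" | cut -d' ' -f1)
    [ "$logged" = "$now" ]
}

# String search runs against the image, never the original. grep -a treats
# the binary as text; -o -b prints each hit with its byte offset, which is
# what you carry into Autopsy/Sleuth Kit to look at the surrounding sector.
string_search() {
    grep -a -o -b -E 'From: [^[:space:]]+|SECRET-[A-Z-]+' "$IMAGE"
}

# MAC times: stat reports modify/access/change; sorting by mtime gives the
# first-cut timeline. Files and timestamps here are constructed (touch -d).
mac_timeline() {
    mkdir -p "$WORK/fs"
    touch -d '2006-03-01 08:00:00' "$WORK/fs/readme.txt"
    touch -d '2006-03-02 09:30:00' "$WORK/fs/plans.doc"
    touch -d '2006-03-01 23:59:00' "$WORK/fs/.hidden"
    stat -c '%Y %y %n' "$WORK/fs/readme.txt" "$WORK/fs/plans.doc" "$WORK/fs/.hidden" \
        | sort -n | sed 's/^[0-9]* //'
}

main() {
    build_evidence
    if acquire; then echo "acquired: hashes match"; else echo "HASH MISMATCH"; fi
    verify_image && echo "image verified against $LOG"
    echo "--- strings (offset:match) ---"; string_search
    echo "--- MAC timeline (mtime) ---";   mac_timeline
}
main
```

Two caveats a student hits in the real lab: on a real drive the source must be attached read-only (a hardware write-blocker, or `mount -o ro` and never mounting at all while imaging), since merely mounting a journaling filesystem read-write changes it and the hashes will never agree; and on a failing drive the source and image hashes differ by construction, because `conv=noerror,sync` zero-fills the bad sectors, so the record of integrity becomes the image hash taken at acquisition and re-checked before every analysis session, which is what `verify_image` does. For the Lab 3/5 over-the-wire variant, the same `dd` output is piped to `nc` toward a listening analysis host instead of to a file, and the image is hashed on the receiving side.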

  16. How did the labs work? • Overall, the labs were effective at conveying and applying the concepts discussed and discovered in lecture • Student comments in quotes: • "Hands-on learning was enjoyable and educational. I only wish there was more time." • "Learning the process and tools involved in a computer forensics investigation was fun and cool." • "I liked the fact that it was split into Linux/Windows in different weeks.... It's much easier to focus on one OS as opposed to contrasting them and getting confused about the semantics." • "I absolutely liked that we had dedicated forensics machines. Hot-swappable drives make all the difference in this kind of work as me and xxx found out the hard way."

  17. Important things students gained • "I discovered performing a successful computer/network forensic investigation is not a trivial task and learning about many of the methods and tools used to perform a successful investigation was extremely interesting. I learned how to properly perform a forensic investigation while maintaining chain of custody and the integrity of the investigation, skills that will help me in my future endeavors in the computer field whether they involve computer/network security or not."

  18. Things that can be improved (quotes) • "More real case studies" • "The lack of time. I know this is difficult to fix. The class moved so quickly and there is so much material to cover that we had to gloss over many things. I don't know if it would make more sense to break the class up into two classes."

  19. Create self-evolving labs through multiple-course collaboration • Why this idea? • To meet the challenges described before and students' needs as well • Is this feasible? • YES • Courses involved in this process: • System Security • Network Security and Network Forensics • Advanced Computer System Forensics (graduate) • Computer System Forensics • Computer Viruses and Malicious Software • Wired and Wireless Security

  20. A potential model • System Security students build secure systems • Computer Viruses students might build tools to attack the secure systems • Forensics students work with Network and System Security students to handle the incident • Advanced Forensics students develop tools to address new techniques and needs raised by the forensics students

  21. Our strategy to create new lab materials • Collect images of different operating systems at different patch levels • Collect appropriate Honeynet project material • Collect students' work from the involved courses • Host a legal event such as the InfoSec Talent Search (ISTS) or a "weekend hackfest" in a relatively controlled environment

  22. Foreseeable Benefits • Allow students from multiple courses to interact and share content and experience • Allow the labs to be self-evolving and to require minimal faculty maintenance to remain current • Help students gain exposure to the newest real-world threats and practice finding or developing suitable tools and conducting investigations with appropriate procedures • Keep students at the front of the technology and help prepare them to meet challenges in the computer security field

  23. Future direction • Tools for investigating cameras, phones, personal digital assistants (PDAs), memory sticks/cards, TiVo, etc., as sources of evidence • MAC investigation

  24. What did we miss? • Suggestions? • Questions?
