
Presentation Transcript



Forensic Lab Development

Rochester Institute of Technology

Yin Pan

Bill Stackpole

Rochester Institute of Technology Secure IT 2006


Agenda l.jpg

Agenda

  • The challenges of cyber forensics investigation

  • Goals of the lab component

  • Procedures used to develop basic forensics labs

  • Strategies for creating new lab content through multiple-course collaboration

  • Outcomes and feedback from students


What is Forensics?

  • Investigation of past activities to help reconstruct a version of what happened, or may have happened


What is Computer Forensics?

  • Investigation of computer / digital device to find evidence of activity

    • Crimes both digital & non-digital

    • Corroborating evidence

    • Data recovery


What is Computer Forensics?

  • Computer forensic science is the science of acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer media.

    • As a forensic discipline, nothing since DNA technology has had such a large potential effect on specific types of investigations and prosecutions as computer forensic science.

      (www.fbi.gov)


  • “The nature of digital forensic investigation is changing.”

    Communications of the ACM – Feb 2006


Goals of the Forensic Investigator

  • Confirm or dispel the compromise

  • Determine the extent of the damage

  • Answer: who, what, when, where, how and why

  • Gather data in a forensically sound manner

  • Handle and analyze evidence

  • Present admissible evidence in court


Practice makes perfect

  • Must become skilled in the use of computer forensic tools and techniques

  • Practice allows investigators to obtain the skills and knowledge necessary

  • Must be familiar enough to address testing of tools

  • Our goal is to train the individuals specializing in digital forensics for government, private and public sectors.


Challenges

  • How to choose the appropriate tools and techniques

    • Retaining the admissible information stored in computers and other devices

    • Minimizing the risk of losing important information or destroying data.

  • How to keep our lab materials current with newly emerging threats and technologies


The goal of the lab component

  • Produce technical professionals capable of performing forensics investigations using appropriate tools and procedures.

    • Identify and employ tools used for tracking, gathering, preserving and analyzing evidence.

    • Emphasis on applying classroom knowledge to real world applications through hands-on exercises in a controlled environment.

    • Learn the procedures used to gather and preserve this evidence to ensure admissibility in court.


What is important?

  • Process of investigation

  • Techniques and tools

  • Ethics, privacy, and legal issues


Specific Content

  • Incident Response (CSIRT responsibilities)

  • Data Collection and preservation

  • Analyzing data

    • Timeline analysis

    • OS-specific

    • Data recovery

    • String search

  • Reporting


Many different elements

  • Processor/Hardware (x86, Sun, Mac, etc)

  • OS (Win/Unices/Mac/others)

  • Application (task-specific, general)

  • Filesystem (NTFS/UFS/ext/hpfs)

  • Storage (local, networked, NAS, SAN, raid)

  • Other (PDA / cellphones / cameras / memory sticks & cards / MP3 players / etc)


Lab Exercise Design

  • Closely tracks lecture content

    • Incident Response / procedure

    • OS-specific forensics techniques

      • Bit-by-bit imaging of a drive and preserving the integrity of the image

      • Recovering, categorizing and analyzing data

      • Reporting

  • Select appropriate tools

    • Linux – Autopsy, Sleuthkit, TCT

      • Well tested and accepted in the legal community

    • Windows – EnCase and Forensics Acquisition tools

      • Wide use in the legal, law enforcement and governmental arenas.


Lab topics

  • Lab 1: Incident response lab - collect and record data/information/physical evidence in a forensically sound manner

  • Lab 2: Capture drive - dd/md5/mount/tct

  • Lab 3: Autopsy/sleuthkit/foremost/netcat

  • Lab 4: Linux frame buffer image capture and analysis

  • Lab 5: EnCase and open source tools /dd/netcat/acquisition

  • Lab 6: Analyze an image using EnCase or Linux tools
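The dd/md5 capture-and-verify step of Lab 2 (and the "preserving the integrity of the image" point under Lab Exercise Design), as an added shell example that is not part of the RIT slides. It uses a constructed 1 MiB file as a stand-in for the evidence drive so it runs without root or real hardware; the function names and the `.md5` sidecar file layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the slides. A constructed file stands in for /dev/sdX.
# On a real drive, add a hardware write blocker and mount the image read-only:
#   mount -o ro,loop,noexec,noatime "$IMG" /mnt/evidence

# Build a constructed "drive": 1 MiB of zeros with a known marker at sector 100.
make_sample_drive() {
    dev="$1"
    dd if=/dev/zero of="$dev" bs=1024 count=1024 2>/dev/null
    printf 'constructed evidence marker\n' \
        | dd of="$dev" bs=512 seek=100 conv=notrunc 2>/dev/null
}

# Bit-for-bit image. conv=noerror keeps reading past bad sectors and conv=sync
# pads a short block with NULs, so offsets in the image still line up with the
# source. The source hash is recorded at acquisition time, before any analysis.
image_drive() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    md5sum "$src" | cut -d' ' -f1 > "$img.src.md5"   # hash of the original media
    md5sum "$img" | cut -d' ' -f1 > "$img.md5"       # hash of the image file
}

# Integrity check to repeat before every analysis session: the image must still
# hash to the value recorded from the source. Returns 0 if intact, 1 otherwise.
verify_image() {
    img="$1"
    expected=$(cat "$img.src.md5")
    actual=$(md5sum "$img" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Walk-through on the constructed drive (safe to run as a normal user).
workdir=$(mktemp -d)
make_sample_drive "$workdir/drive"
image_drive "$workdir/drive" "$workdir/drive.img"
verify_image "$workdir/drive.img" && echo "image verified: $(cat "$workdir/drive.img.md5")"
```

Any later write to the image, even a single byte, changes the MD5 and makes `verify_image` fail, which is what the hash recorded at acquisition is for.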


Physical Lab Design

  • Dedicated machines

    • Lots of I/O, removable drives, etc.

    • EnCase Forensic Edition v5

    • Open source products (TCT / sleuthkit / autopsy / etc)

    • VMware

    • Helix / BackTrack / etc

  • Imaging system

  • Air-gap capability


How did labs work?

  • Labs are effective at conveying and applying concepts discussed and discovered in lecture.

  • General Student Feedback

    • Enjoyed hands-on learning

    • Thought it was fun and cool.

    • Liked that content was split into Linux/Windows in different weeks – found it easier to focus on one OS at a time

    • Appreciated the dedicated forensics machines

    • Framebuffer lab made them think “outside the box” (alternatives to 'traditional' investigation techniques)


Things can be improved

  • More real case studies

  • Lack of time was an issue (insufficient time for great depth of study.)

  • Other non-Linux forensics exercises (BSD/Solaris/?)

  • Labs need further tweaking


Create self-evolving labs through multiple-course collaboration

  • Why?

    • To meet the challenges described earlier, as well as students’ needs

  • Is this feasible?

    • We believe so!

    • Courses involved:

      • System Security

      • Network Security and Network Forensics

      • Advanced Computer System Forensics (Graduate)

      • Computer System Forensics

      • Viruses and Malicious Software

      • Wired and Wireless Security

      • Auditing???


A potential model

  • System security students build secure systems

  • Malware students might build tools to attack the secure systems

  • Forensics students work with Network and System security students to handle the incident

  • Advanced Forensic students develop tools to address unmet needs raised by forensics students


Our strategy to create new lab materials

  • Collect images of different operating systems with different levels of patches

  • Collect appropriate Honeynet projects

  • Collect students’ work

    • From the courses involved

    • By hosting a legal, sanctioned event such as the InfoSec Talent Search (ISTS) or a "weekend hackfest" in a relatively controlled environment

  • Try the “student-generated images” outlined yesterday by Anna Carlin from CalPoly?


Foreseeable Benefits

  • Allow students from multiple courses to interact and share content and experience.

  • Allow the labs to be self-evolving and to require minimal faculty maintenance to remain current.

  • Help students gain exposure to the newest real-world threats and practice finding or developing suitable tools and conducting investigations with appropriate procedures.

  • Keep students at the forefront of the technology and help prepare them to meet challenges in the computer security field.


Future direction

  • Remote lab systems

  • Collaboration with local law enforcement agencies (LEA)

  • Training of other faculty


What did we miss?

  • Suggestions?

  • Questions?
