
Forensic Lab Development

Forensic Lab Development. Rochester Institute of Technology Yin Pan Bill Stackpole. Agenda. The challenges of cyber forensics investigation Goals of the lab component Procedures used to develop basic forensics labs





Presentation Transcript


  1. Forensic Lab Development Rochester Institute of Technology Yin Pan Bill Stackpole Rochester Institute of Technology Secure IT 2006

  2. Agenda
  • The challenges of cyber forensics investigation
  • Goals of the lab component
  • Procedures used to develop basic forensics labs
  • Strategies for creating new lab content through multiple-course collaboration
  • Outcomes and feedback from students

  3. What is Forensics?
  • Investigation of past activities to help reconstruct a version of what happened, or may have happened

  4. What is Computer Forensics?
  • Investigation of a computer / digital device to find evidence of activity
  • Crimes both digital and non-digital
  • Corroborating evidence
  • Data recovery

  5. What is computer forensics?
  • Computer forensic science is the science of acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer media.
  • As a forensic discipline, nothing since DNA technology has had such a large potential effect on specific types of investigations and prosecutions as computer forensic science. (www.fbi.gov)

  6. “The nature of digital forensic investigation is changing.” Communications of the ACM – Feb 2006

  7. Goals of the forensic investigator
  • Confirm or dispel the compromise
  • Determine the extent of damage
  • Answer: who, what, when, where, how and why
  • Gather data in a forensically sound manner
  • Handle and analyze evidence
  • Present admissible evidence in court

  8. Practice makes perfect
  • Investigators must become skilled in the use of computer forensic tools and techniques
  • Practice allows them to obtain the skills and knowledge necessary
  • Must be familiar enough to address testing of tools
  • Our goal is to train individuals specializing in digital forensics for the government, private and public sectors.

  9. Challenges
  • How to choose the appropriate tools and techniques
  • Retaining the admissible information stored in computers and other devices
  • Minimizing the risk of losing important information or destroying data
  • How to effectively enhance our lab materials as new threats and technologies appear

  10. The goal of the lab component
  • Produce technical professionals capable of performing forensics investigations using appropriate tools and procedures.
  • Identify and employ tools used for tracking, gathering, preserving and analyzing evidence.
  • Emphasis on applying classroom knowledge to real-world applications through hands-on exercises in a controlled environment.
  • Learn the procedures used to gather and preserve this evidence to ensure admissibility in court.

  11. What is important?
  • Process of investigation
  • Techniques and tools
  • Ethics, privacy, and legal issues

  12. Specific Content
  • Incident Response (CSIRT responsibilities)
  • Data collection and preservation
  • Analyzing data
  • Timeline analysis
  • OS-specific
  • Data recovery
  • String search
  • Reporting

  13. Many different elements
  • Processor/Hardware (x86, Sun, Mac, etc.)
  • OS (Win/Unices/Mac/others)
  • Application (task-specific, general)
  • Filesystem (NTFS/UFS/ext/hpfs)
  • Storage (local, networked, NAS, SAN, RAID)
  • Other (PDA / cellphones / cameras / memory sticks & cards / MP3 players / etc.)

  14. Lab Exercise Design
  • Closely tracks lecture content
    • Incident response / procedure
    • OS-specific forensics techniques
    • Bit-by-bit imaging of a drive and preserving the integrity of the image
    • Recovering, categorizing and analyzing data
    • Reporting
  • Select appropriate tools
    • Linux – Autopsy, Sleuthkit, TCT
      • Well tested and accepted in the legal community as well
    • Windows – EnCase and forensic acquisition tools
      • Wide use in the legal, law enforcement and governmental arenas

  15. Lab topics
  • Lab 1: Incident response lab – collect and record data/information/physical evidence in a forensically sound manner
  • Lab 2: Capture drive – dd/md5/mount/tct
  • Lab 3: Autopsy/sleuthkit/foremost/netcat
  • Lab 4: Linux frame buffer image capture and analysis
  • Lab 5: EnCase and open source tools – dd/netcat/acquisition
  • Lab 6: Analyze an image using EnCase or Linux tools
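The Lab 2 capture flow (dd, hash, read-only mount) written out as a script. This is an added example, not material from the RIT course; it assumes GNU coreutils (md5sum, sha256sum, dd) and uses an ordinary file as the source where the lab would use a write-blocked block device.

```shell
#!/bin/sh
# Added example, not from the RIT slides: the Lab 2 acquisition flow
# (dd / md5 / mount) as a script. Assumes GNU coreutils (md5sum, sha256sum).
# SOURCE is a block device in the lab; here it can be any file.
set -u

# acquire_and_verify SOURCE IMAGE LOG
# Bit-by-bit copy of SOURCE into IMAGE, hash both sides, append a custody
# record to LOG. Returns 0 only when the image hash equals the source hash.
acquire_and_verify() {
    src="$1"; img="$2"; log="$3"
    # Hash the original first; the lab attaches the source read-only
    # (write blocker), so this read cannot alter it.
    src_md5=$(md5sum "$src" | cut -d' ' -f1)
    # conv=noerror,sync keeps reading past bad blocks and zero-fills them
    # rather than silently shortening the image. bs MUST equal the sector
    # size (512 here): with sync, a final partial block would be padded and
    # the hashes would no longer match. dd's record counts go to the log.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log" || return 1
    img_md5=$(md5sum "$img" | cut -d' ' -f1)
    img_sha256=$(sha256sum "$img" | cut -d' ' -f1)   # second, stronger hash
    # Custody record: when, who, what, and the hashes to present later.
    printf '%s\t%s\t%s\tsrc_md5=%s\timg_md5=%s\timg_sha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" "$src" \
        "$src_md5" "$img_md5" "$img_sha256" >>"$log"
    [ "$src_md5" = "$img_md5" ]
}

# verify_image IMAGE LOG
# Re-hash IMAGE and compare with the img_sha256 recorded in LOG, so a
# modified image is caught before analysis starts. Returns 0 on a match.
verify_image() {
    img="$1"; log="$2"
    recorded=$(grep -o 'img_sha256=[0-9a-f]*' "$log" | tail -n1 | cut -d= -f2)
    [ -n "$recorded" ] && [ "$(sha256sum "$img" | cut -d' ' -f1)" = "$recorded" ]
}

# mount_image_ro IMAGE DIR: read-only loopback mount for analysis (root only).
mount_image_ro() {
    mkdir -p "$2" && mount -o ro,loop,noexec,nosuid "$1" "$2"
}
```

The mount step needs root and a filesystem inside the image, so it is kept separate from the acquisition and verification functions, which run unprivileged.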

  16. Physical Lab Design
  • Dedicated machines
  • Lots of I/O, removable drives, etc.
  • EnCase Forensic Edition v5
  • Open source products (TCT / sleuthkit / autopsy / etc.)
  • VMWare
  • Helix / BackTrack / etc.
  • Imaging system
  • Air-gap capability

  17. How did labs work?
  • Labs are effective at conveying and applying concepts discussed and discovered in lecture.
  • General student feedback
    • Enjoyed hands-on learning
    • Thought it was fun and cool
    • Liked that content was split into Linux/Windows in different weeks – found it easier to focus on one OS at a time
    • Appreciated the dedicated forensics machines
    • Framebuffer lab made them think “outside the box” (alternatives to 'traditional' investigation techniques)

  18. Things can be improved
  • More real case studies
  • Lack of time was an issue (insufficient time for great depth of study)
  • Other non-Linux forensics exercises (BSD/Solaris/?)
  • Labs need further tweaking

  19. Create self-evolving labs through multiple-course collaboration
  • Why?
    • To meet the challenges described before and students’ needs as well
  • Is this feasible?
    • We believe so!
  • Courses involved:
    • System Security
    • Network Security and Network Forensics
    • Advanced Computer System Forensics (Graduate)
    • Computer System Forensics
    • Viruses and Malicious Software
    • Wired and Wireless Security
    • Auditing???

  20. A potential model
  • System security students build secure systems
  • Malware students might build tools to attack the secure systems
  • Forensics students work with Network and System security students to handle the incident
  • Advanced Forensics students develop tools to address unmet needs raised by forensics students

  21. Our strategy to create new lab materials
  • Collect images of different operating systems with different levels of patches
  • Collect appropriate Honeynet projects
  • Collect students’ work
    • from involved courses
    • by hosting a legal event of the InfoSec Talent Search (ISTS) or "weekend hackfest" in a relatively controlled environment
  • Try the “student-generated images” outlined yesterday by Anna Carlin from CalPoly?

  22. Foreseeable Benefits
  • Allow students from multiple courses to interact and share content and experience.
  • Allow the labs to be self-evolving and require minimal faculty maintenance to remain current.
  • Help students gain exposure to the newest real-world threats and get practice in finding or developing suitable tools and conducting investigations with appropriate procedures.
  • Keep students at the front of the technology and help prepare them to meet challenges in the computer security field.

  23. Future direction
  • Remote lab systems
  • Collaboration with local LEA
  • Training of other faculty

  24. What did we miss?
  • Suggestions?
  • Questions?
