
Framework for Design and Implementation of Digital Forensics Labs




K.R. Lawrence, H. Chi, Dept. of Computer Information & Sciences, Florida A&M University, Tallahassee, FL 32307

Abstract
The expanding wave of Internet connectivity and digital technologies offers tremendous opportunities for crime. Digital forensics (DF) plays an important role in crime reconstruction. Digital forensics education and training has experienced radical growth in the past ten years. The core of these training and academic programs is to develop a set of suitable hands-on digital forensics labs. The main step in training students who are preparing to be computer forensics professionals lies in creating a comprehensive approach to computer forensics education. The goal of this project is to establish a series of hands-on computer forensics labs that help students prepare to move seamlessly into the law enforcement workforce. This research project focuses on designing and implementing hands-on computer forensics labs for students (majors and non-majors) and law enforcement professionals. Through this project we will design labs that help students or trainees better understand digital forensics step by step. In addition, we aim to manage the labs for different levels of students via web services.

Goals
• Assess tools to identify the most efficient for student learning, taking into account other factors such as the selection criteria listed in Section 2.2.
• Identify the functionalities of the tools; properly install the tools and confirm their working condition.
• Adapt the tools for use in hands-on labs in a specific environment.
• Develop hands-on labs to enhance the learning experience for students.

1. Introduction
The computer forensics process requires a vast knowledge of computer hardware and software in order to avoid the accidental invalidation or destruction of information and to preserve the information for later analysis. Software tools are needed to perform the critical analysis of digital storage devices. Learning computer forensics, like many other computer subjects, cannot be taught simply by using theory. Hands-on training is required to complement the theory and help students get the full learning experience of the subject. This is especially so with computer forensics, as uncovering information from a digital storage device requires practice and experience to know where to look, what to look for and how to look for it in the most efficient and effective way. This is where lab exercises play an important role in providing the necessary experience and practice to enhance the learning experience of computer forensics.

Training by hands-on application must be implemented to fully grasp the topic. There are many schools in the country that teach computer forensics, and some of their methods are readily available online. This is our next step: having labs available online. Methods of designing labs were outlined on websites and in online PowerPoint presentations that focused on teaching computer forensics and the challenges in doing so. Knowing and understanding the tasks a computer forensics professional may be called on to do provides a sufficient guide as to how to design a lab. Some lab assignments may include:
• Acquiring an image for analysis
• Recovering deleted data
• Dead and volatile analysis
• Removable media analysis
• Utilizing the operating system's preinstalled tools, e.g., event log and event viewer
• Password and encryption methods
• Decrypting files
• Identifying images and steganography
• Finding hidden data

2. Methodology

2.1 Literature Review
Understanding what computer forensics is about was the first step towards the research goals. An e-book, Computer Forensics JumpStart, provided the material needed to quickly but efficiently understand what computer forensics is and what it involves, from a legal as well as a scientific aspect. Websites providing PDF files, PowerPoint presentations, articles and more aided the information-gathering process and opened the door to examining the tools used, as well as to designing labs where these tools would be put to use.

2.2 Tool Selection Criteria
To perform computer forensics tasks, one needs software tools to gain access to and uncover information that is not readily available, such as files that are deleted, stored in slack space or unallocated space, and files that are hidden or encrypted. In addition, other tools may be needed to perform tasks such as imaging, searching, documenting, decrypting and much more, all of which are needed to successfully, critically and properly analyze digital storage media. These tools are available individually, that is, with one specific capability, and they are also available in software suites that contain several tools with diverse capabilities. Forensic software suites reduce the hassle of searching for, gathering and using individual tools for analysis. They also eliminate the problem of compatibility, as some individual tools may not work with one another. Although software suites are efficient, some are very expensive and may not contain all the tools you need, or may contain some you don't. Therefore, selecting the right forensic tools depends on many factors, including:
• Expected types of use (law enforcement investigations, corporate industry investigations, graduate lab training, undergraduate lab training)
• Type of operating system (Windows, Mac, Unix/Linux)
• Budget
• Ease of use

2.3 Tool Assessment
As mentioned before, there are many forensic tools available on the market, and examining all of them would be extremely time consuming; therefore, selecting which tools to examine was the second step. Using online resources, a list of the most popular software on the market as well as the open source freeware available was compiled. Using documentation and review articles on the listed tools, it was possible to narrow the list for further research. EnCase Forensic by Guidance Software, Helix by e-fense and Forensic Toolkit by AccessData were the three remaining tools left for further investigation. Each tool mentioned is a software suite with several functionalities, and this presented the task of identifying each function of each tool and comparing them to one another. EnCase was chosen because it is one of the most popular forensic tools on the market and served as a good comparison.

2.3.1 EnCase
EnCase is an integrated Windows-based graphical user interface (GUI) suite of tools. While it is simple to operate and use, this tool does not perform significantly better than most of its competitors but is much more costly. The program comes with plenty of documentation, a large paper manual and a PDF manual that are clear, organized, easy to read and include many screenshots and illustrations. An organized user interface makes viewing media contents straightforward. These views include a gallery of picture and image evidence as well as hex and file tree views. EnCase Forensic can also acquire many different media, including Palm Pilots and most types of removable media. While it ranks high next to other software, so does its price. It gets a three out of five star rating for "Value for the Money" in SC Magazine.
Some of EnCase's features:
• Automated Analysis
• Multiple Sorting Fields
• Filter Conditions
• Queries
• View "Deleted" Files
• Built-in Registry Viewer
• Encrypted Volumes
• Hardware Analysis
• Log File Analysis
• Event File Analysis
• File Signature Analysis
Figure 1.0 EnCase screenshot.

2.3.2 AccessData Forensic Toolkit
AccessData Forensic Toolkit, or simply FTK, is easy to use if you are familiar with forensic tools. FTK contains a full suite of password recovery tools, drive and media wipers, a registry viewer and other useful products. It is strong in Windows file systems and does handle Linux file systems. It has a slight disadvantage when compared with products that can acquire and analyze more file system types. Although FTK comes with its own disk imaging software, it can read the images produced by EnCase, Linux dd, SafeBack and others. FTK has other disadvantages but has still received four out of five stars for "Value for the Money" in SC Magazine.
Some of FTK's features:
• Easy to use
• Advanced Searching
• E-mail Analysis
• Zip file Analysis
• File Filter
• Registry Viewer
Figure 1.1 AccessData Forensic Toolkit. FTK runs on Windows operating systems and provides a very powerful tool set to acquire and examine electronic media.

2.3.3 Helix
Helix is a customized distribution of the Knoppix Live Linux CD. It is a bootable live CD specially designed not to interact with the host computer in any way, and it is forensically sound. Helix is used for live analysis, which involves analysis of a running system in real time. Helix is not just for Linux: it comes equipped with a special Windows auto-run side for incident response and forensics. Helix requires a lot of RAM; the more RAM, the better it runs. Below is a list of just a few of the tools included in Helix.
Live Windows side:
• FTK Imager
• Access PassView
• IECookiesView
• IEHistoryView
• MessenPass
• Network Password Recovery
• File Recovery
• RegScanner
Figure 1.2 The option screen for Helix.

2.4 Designing Labs
It is important to design labs according to the level of the student: simpler, more general labs for inexperienced students and more advanced, complicated labs for more experienced students. Of course, there are levels between easy and hard to pace the student and gradually get them ready for the more advanced labs. In addition, we categorize the labs by the digital forensics tool used.

Template for Digital Forensics Hands-on Lab
Author:
Version:
Type of Investigation:
Goal of lab:
Software:
Hardware:
Operating Systems:
Ref:
Semester:
Date:
Detail Procedure: (the step-by-step procedure, including screenshots if necessary)
Questions to answer:
Final Report
NOTES:
Items Discussed:
Additional Comments:

Sample Lab
Goal: The purpose of this lab is to practice using two tools, FTK and FTK Imager, to create an image of a local drive such as a USB or floppy disk. In the digital investigation collection and analysis process, imaging the disk is the first step in collecting electronic evidence safely and completely. Imaging is the first and most important job. The two tools we selected are very popular in practice.
Tools: FTK and FTK Imager are both trademark tools of AccessData Corp.
Task:
1. YOU NEED to bring one of your own USB drives containing three to five files of different formats.
2. YOU WILL COMPLETE two steps: the imaging process with the USB drive and analysis of your image.
Steps:
1. Wipe your USB drive first; ask the lab assistant for help if you do not know how to do it yourself.
2. Record the information about your own USB drive.
3. Create an image and record the hash value for the image.
4. Conduct a simple analysis and record what you found pertaining to the files on the USB drive.

2.5 Managing Labs
We are hoping to manage the lab files on the World Wide Web using an intelligent system. Intelligence in a Web-based educational system means the capability of demonstrating some form of knowledge-based reasoning in curriculum sequencing, in analysis of the student's solutions, and in providing interactive problem-solving support (possibly example-based) to the student, all adapted to Web technology. We hope to develop an online lab generator that assesses a student's capability from a student profile stored in a database. The student's progress will be monitored by the system, and based on their level of expertise a lab will be assigned to them from another database using complex algorithms and reasoning.
Figure 1.3 The setting for the Web-based lab.

3. Results
Examining each suite's functional capabilities and reading the reviews and documentation on them, it can be deduced that these tools, specifically the readily available ones such as Helix and FTK, may be used for designing labs. They are user friendly and would be sufficient for the teaching environment. The labs are designed so that on completion the student takes away vital skills and knowledge that will build their forensic skills.

Discussion/Future Research
In the future, my research will be completed by creating and implementing labs for undergraduate students or trainees to better understand computer forensics step by step. It will benefit the Florida A&M University Computer Information and Sciences department and its students. It will enhance the learning experience for current and future students and help shine light on a fascinating field that is taking off in the industry.

Acknowledgements
This work was partially funded by NSF Awards CNS-0424556 and HRD-0703510.
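The imaging-and-hash step of the sample lab (create an image, record its hash, then use the hash to check the image) as an added, stand-alone Python example; it is not part of the original poster and does not use FTK or FTK Imager. It images an ordinary file standing in for the wiped USB drive (on a real acquisition the source would be the raw block device, which is an assumption outside this demo), hashes the data as it is read, re-hashes the written image to confirm the copy, and shows that a later one-byte change to the image is caught; the sample drive contents are constructed.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so large media never sit in memory


def hash_file(path):
    """Return (md5, sha256) hex digests of a file, read in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def image_device(src, dst):
    """Copy src to dst byte for byte, hashing the data as it is read.
    The returned digests are the acquisition hash recorded in the lab notes."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            fout.write(block)
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def acquire_and_verify(src, dst):
    """Image src to dst and confirm that the acquisition hash, a fresh hash of
    the source and a hash of the written image all agree."""
    acq = image_device(src, dst)
    result = {"acquisition": acq, "source": hash_file(src), "image": hash_file(dst)}
    result["verified"] = acq == result["source"] == result["image"]
    return result


def demo():
    """Run the lab step on a constructed stand-in for the wiped USB drive (a small
    file, not a real device), then alter one byte of the image to show re-hashing catches it."""
    tmp = tempfile.mkdtemp()
    src, dst = os.path.join(tmp, "usb.bin"), os.path.join(tmp, "usb.dd")
    with open(src, "wb") as f:  # constructed sample: zeros around one text file
        f.write(b"\x00" * 4096 + b"notes.txt: lab 1 evidence\n" + b"\x00" * 4096)
    clean = acquire_and_verify(src, dst)
    with open(dst, "r+b") as f:  # simulate a change to the image after acquisition
        f.seek(4096)
        f.write(b"X")
    clean["tamper_detected"] = hash_file(dst) != clean["acquisition"]
    return clean
```

Recording both the acquisition hash and the image hash in the lab report, as step 3 of the sample lab asks, is what lets a later examiner repeat the check that `acquire_and_verify` performs.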
