 
 ACM Journal of Educational Resources in Computing, Vol. 6, No. 3, September 2006. Article 6.
A Term Project for a Course on Computer Forensics
WARREN HARRISON
Portland State University, Oregon
The typical approach to creating an examination disk for exercises and projects in a course on computer forensics is for the instructor to populate a piece of media with evidence to be retrieved. While such an approach supports the simple use of forensic tools, in many cases the use of an instructor-developed examination disk avoids utilizing some key aspects of a digital investigation by overly focusing on the mechanics of retrieval. We recently developed a course on computer forensics that utilized a large-scale, team-based term project involving the forensics examination of a computer system. In this article we describe an approach for providing examination disks for student use in a term project that reinforces the investigative aspect of the process.

Categories and Subject Descriptors: K.4.2 [Computers and Society]: Social Issues - Abuse and crime involving computers; K.3.2 [Computers and Education]: Computer and Information Science Education - Curriculum

General Terms: Security, Legal Aspects

Additional Key Words and Phrases: Student projects, computer crime, computer evidence
1. INTRODUCTION
Over the past few years, computer departments have shown growing interest in both research and education dealing with computer forensics, which has led to the introduction of a large number of newly developed classes on the subject.

A significant issue involves the use of practical exercises within a forensics curriculum. Most forensics classes involve at least the modest use of tools to extract evidence from a hard drive. Such exercises require an examination disk containing "evidence" that is to be discovered and retrieved by the student.

The typical approach to creating an examination disk for exercises and projects is for the instructor to populate a piece of media (usually removable media such as a floppy disk or a CD) with the evidence to be retrieved. Probably the most common example is to require the student to find their certificate of completion or a document containing their name or grade through a forensic analysis of the media. While such an approach supports the simple use of forensic tools, we feel that in many cases the use of an instructor-developed examination disk avoids utilizing some key aspects of a digital investigation by overly focusing on the mechanics of retrieval.

We recently developed a course on computer forensics targeting upper-division computer science undergraduates. This class utilized a large-scale, team-based term project involving the forensics examination of a computer system. In this article we describe an approach to providing examination disks for student use in the term project that reinforces the investigative aspect of an examination.

Author's address: Warren Harrison, Department of Computer Science, Portland State University, Portland, OR 97207-0751; warren@cs.pdx.edu. Permission to make digital/hard copy of part of this work for personal or classroom use is granted without fee provided that the copies are not made or distributed for profit or commercial advantage, the copyright notice, the title of the publication, and its date of appearance, and notice is given that copying is by permission of the ACM, Inc. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or a fee. Permission may be requested from the Publications Dept., ACM, Inc., 2 Penn Plaza, New York, NY 11201-0701, USA, fax: +1 (212) 869-0481, permissions@acm.org. © 2007 ACM 1531-4278/07/0600-ART1 $5.00.
 
2. RECOVERY VS. INVESTIGATION
Exactly what the focus should be in a computer forensics course that is taught in a computer science department is unclear. Our class was designed to be oriented towards recovery of digital evidence in either civil or criminal legal proceedings, though our emphasis was clearly at the criminal end of the spectrum. We found the categories of computer forensics personnel identified in Yasinsac et al. [2003] helpful in identifying topical content:

Technicians carry out the technical aspects of gathering evidence, so they must have sufficient technical skills to gather information from computers and networks. They must understand both software and hardware on host computers as well as the networks that connect them.

Policy makers establish forensic policies that reflect the enterprise's broad considerations. It is the policy maker's responsibility to see the impact of forensics in the broader context of business goals and make the hard decisions that trade off forensics capabilities against issues of privacy. Although these administrators focus on the big picture, they must be familiar with computing and forensic sciences.

Professionals are the link between policy and execution. The computer forensic professional must have extensive technical skills as well as a broad and deep understanding of legal procedures and requirements gained through either a broader education or extensive experience. Moreover, the computer forensic professional must understand the organizational perspective, to ensure that policies are executed properly within the business context.

The goal of our course was to produce computer forensic professionals. Therefore, we believe that there are certain skills students should possess at the end of the class, as follows: the ability to
 
identify relevant electronic evidence associated with various violations of specific laws, including, but not limited to, computer crimes. Relevant evidence is any evidence that makes the existence of a fact that is of consequence to the case either more or less probable than it would be without the evidence. Two of the skills that bear directly on this include (1) identifying the "elements of the crime" and relating electronic artifacts to these elements; and (2) presenting evidence to a nontechnical audience in a coherent, logical manner.

identify and articulate probable cause as necessary to obtain a warrant to search for electronic artifacts and recognize the limits of warrants. We felt this was important because not only was there widespread misunderstanding of probable cause issues and 4th Amendment/statutory protections among the students, but there was also a serious misunderstanding of the criminal justice system and related processes.
 
locate and recover relevant electronic evidence from computer systems using a variety of tools. This entails the use of actual forensics tools on "seized" media. We used the e-fense Helix Forensics Distribution (http://www.e-fense.com/helix/). Helix is a bootable CD containing many open source forensic tools, including Brian Carrier's sleuthkit and autopsy (http://www.sleuthkit.org), which allow a "live" analysis of a computer system. It boots into a customized Knoppix environment that does not impact the host computer or its drives in any way.
 
 
recognize and maintain a chain of custody of electronic evidence. Any evidence that ultimately makes its way to judicial review must demonstrate tight controls over its access, commonly referred to as a "chain of custody." At any given point in time, it should be possible to identify who had possession of the evidence, where it was, and what it was accessed for. Students need to understand the importance of, as well as become accustomed to, enforcing a chain of custody.
 
 
follow a documented forensics investigation process. Students regularly report that when they perform their first forensic analysis, their approach to identifying evidence is very much "hit-and-miss." Often they could not even remember the strings for which they had already searched from session to session. Ultimately, this leads to an inefficient, unrepeatable ad-hoc process. Investigators should plan their investigation before attempting a forensic analysis of the evidence disk.
 
We wanted students to have an opportunity to exercise each of these skills, and we viewed the term project as the ideal vehicle to provide it.
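The two skills above that students most often neglect, keeping a chain of custody and keeping a repeatable record of what has already been searched, can be made concrete with a small case-file script. The following is an added illustration, not code from the paper or from the Helix or sleuthkit projects; the image is a constructed byte string standing in for an acquired disk image, and the class and method names are hypothetical. It records every hand-off of the evidence together with the digest recorded at acquisition, refuses to extend the chain once the image no longer verifies, and answers a repeated keyword search from the log instead of re-running it.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image (a few bytes, not a real image).
# Layout: 16 null bytes, a filename, 8 nulls, a sentence, 4 nulls, a repeated keyword.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"invoice_2006.doc"
    + b"\x00" * 8
    + b"warrant excludes email"
    + b"\x00" * 4
    + b"invoice"
)


def sha256_hex(data: bytes) -> str:
    """Digest of the whole image; any change to the evidence changes this value."""
    return hashlib.sha256(data).hexdigest()


def now_iso() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class CustodyEvent:
    """One chain-of-custody entry: who had the evidence, where, why, and its digest then."""
    who: str
    where: str
    purpose: str
    timestamp: str
    digest: str


@dataclass
class SearchRecord:
    """One keyword search, logged so it is not repeated blindly in a later session."""
    keyword: str
    offsets: list
    performed_by: str
    timestamp: str


class EvidenceCase:
    """Hypothetical case file tying an image to its custody log and its search log."""

    def __init__(self, case_id: str, image: bytes, acquired_by: str, where: str):
        self.case_id = case_id
        self.image = image
        self.acquisition_digest = sha256_hex(image)
        self.custody = [CustodyEvent(acquired_by, where, "acquisition", now_iso(),
                                     self.acquisition_digest)]
        self.searches = []

    def verify_integrity(self) -> bool:
        """True while the image still hashes to the digest recorded at acquisition."""
        return sha256_hex(self.image) == self.acquisition_digest

    def transfer(self, who: str, where: str, purpose: str) -> CustodyEvent:
        """Record a hand-off; refuse to extend the chain if the image no longer verifies."""
        if not self.verify_integrity():
            raise ValueError("image digest no longer matches the acquisition digest")
        event = CustodyEvent(who, where, purpose, now_iso(), self.acquisition_digest)
        self.custody.append(event)
        return event

    def keyword_search(self, keyword: bytes, performed_by: str) -> SearchRecord:
        """Return the logged result if already searched; otherwise scan the image and log it."""
        text = keyword.decode("latin-1")
        prior = next((r for r in self.searches if r.keyword == text), None)
        if prior is not None:
            return prior
        offsets, start = [], 0
        while True:
            hit = self.image.find(keyword, start)
            if hit < 0:
                break
            offsets.append(hit)
            start = hit + 1  # keep scanning past this hit
        record = SearchRecord(text, offsets, performed_by, now_iso())
        self.searches.append(record)
        return record

    def report(self) -> str:
        """JSON summary a team could hand in alongside its findings."""
        return json.dumps({
            "case_id": self.case_id,
            "acquisition_digest": self.acquisition_digest,
            "integrity_ok": self.verify_integrity(),
            "custody": [asdict(e) for e in self.custody],
            "searches": [asdict(s) for s in self.searches],
        }, indent=2)


if __name__ == "__main__":
    case = EvidenceCase("CASE-0001", SAMPLE_IMAGE, "team member A", "lab locker 3")
    case.keyword_search(b"invoice", "team member A")
    case.transfer("team member B", "lab locker 3", "keyword search")
    case.keyword_search(b"invoice", "team member B")  # served from the log, not re-run
    print(case.report())
```

The custody entries carry the acquisition digest rather than a fresh one so that a mismatch is caught at the moment of hand-off, which is where a chain of custody is usually challenged; the search log answers the "which strings did we already search?" question that the students in the paper could not.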
3. THE ROLE OF THE PROJECT IN A COMPUTER FORENSICS COURSE
Our course was designed for a 10-week quarter. When designing the class, we had the option of using either a set of weekly graded exercises, or a major project spread over 7 of the 10 weeks in which students could exercise the skills and knowledge being covered in class. While in theory we could have selected both the graded exercises and the term project, we were reluctant to overwhelm the students with what might be considered redundant activities.

Our view of the "exercise option" was that it would revolve around the traditional evidence discovery, recovery, and related activities; for example, imaging drives, recovering deleted files, keyword searches, and hashing and hash utilization. On the other hand, our vision of a term project was an exercise that would closely emulate a real investigation involving digital evidence. This would entail not only the discovery and recovery of evidence, but also planning the investigation, distinguishing between relevant and nonrelevant evidence, articulating probable cause, and observing the bounds of a search warrant.

We decided to select a term project over weekly exercises because we felt weekly exercises would emphasize the technician aspect of computer forensics too much. We wanted students to understand the context within which a digital investigation exists, since this is important for the computer forensic professional.

While we had not originally anticipated it, we also found that the use of a project gave students the time and opportunity to investigate tools and techniques that would not have been encountered in preplanned weekly exercises. For example, even though Helix was the de facto tool kit discussed in class (and used in in-class hands-on exercises), we invited students to investigate other open source forensics tools and tool kits as they carried out their project (e.g., http://www.opensourceforensics.org/).
4. PROJECT CHARACTERISTICS
The project needed to possess a number of important characteristics because our focus was split between the technical aspects of evidence discovery and recovery, as well as the
