A COMPUTER FORENSICS MINOR CURRICULUM PROPOSAL*

William Figg
Department of Computer Information Systems
Dakota State University
Madison, SD 57042
605 256-5163
william.figg@dsu.edu

Zehai Zhou
Department of FACIS
University of Houston - Downtown
Houston, TX 77002
713 222-5376
zhouz@uhd.edu

ABSTRACT

Computer and network security is a growing concern to all organizations and individuals worldwide. Information security is a critical part of information and communication technology infrastructure. Computer forensics can play an indispensable role in computer and network security, information assurance, law enforcement, national defense, etc. Computer forensics courses are a necessary addition to computer and network security education. This paper presents a proposal for a computer forensics minor curriculum, the rationale behind the proposal and the course descriptions.

INTRODUCTION

Securing the information assets of organizations is becoming more important as computer resources become more complex. Computer resources are an integral part of modern operations in business, government, the military and academia. The need for computer and network security has existed for many decades, and organizations have the responsibility to maintain complete control of their computer assets. This has given rise to internal computer forensics investigations, which creates an opportunity for forensics training. Since little training material has existed on computer forensic investigation outside of law enforcement, this proposed minor offering fills an important training void.

___________________________________________
* Copyright © 2007 by the Consortium for Computing Sciences in Colleges. Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, the CCSC copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Consortium for Computing Sciences in Colleges. To copy otherwise, or to republish, requires a fee and/or specific permission.

CCSC: Central Plains Conference

Computer and network security is a multidisciplinary field by nature. Several model curricula have been proposed (see Abernethy et al., 2006; Streff and Zhou, 2006; Whitman and Mattord, 2005; Bogolea and Wijekumar, 2005; Bacon and Tikekar, 2003). Computer forensics is relatively new and evolving. Benson (2004) discussed the increasing significance of computer forensics in litigation. Berghel (2003) addressed Internet forensics as a discipline. Brungs and Jamieson (2005) identified some of the legal issues for computer forensics. Dardick and Lau (2005) argued that an in-depth understanding of digital forensics is needed by college students who will enter the various fields involving technology, business, criminal justice, law, and homeland security. Fernandez et al. (2005) deemed computer forensics a critical need in computer science programs. McGuire and Murff (2006) discussed issues in the development of a digital forensics curriculum. Gottschalk et al. (2005) presented a preliminary survey of computer forensics programs in North America. Soe et al. (2005) discussed the deployment of computer forensics classes at undergraduate/graduate levels in a shared classroom/lab environment. For other general introductions to computer forensics, please refer to [7, 9, 12, 13, or 15].

This paper presents a proposal for a computer forensics minor curriculum, the rationale behind the proposal and the course descriptions. The authors attempt to identify a curriculum with two basic attributes: (1) it possesses scholarly rigor, and (2) it is unique enough to offer a comparative advantage over existing programs. A minor program offering in Forensics meets these criteria at Dakota State University. The existing Computer Science program, the Computer Information Security and Networking program, and the newly created scientific forensic program provide a group of skilled faculty who would be able to adapt to the new Forensics minor program offerings. The three programs also offer a ready pool of students who would be interested in this new area of study. The Forensics minor would create new job opportunities for graduates of the programs. Forensics would be a natural addition to the Network Security courses and would offer additional opportunities for Computer Science major students as well. Degrees in which this proposed minor may be earned include (but are not limited to): Scientific Forensics, Information Assurance, Computer Information Systems, Computer Science, E-Commerce, and Criminal Justice.

How does the proposed minor relate to the mission of the university?

This minor will add depth to the Scientific Forensics Major offered by the College of Arts & Sciences. The addition of a Computer Forensics Minor will be a starting point for a certification program and could possibly lead to the development of a Computer Forensics Major program offering.

How will the proposed minor benefit students?

This minor will give majors in the Arts & Sciences programs the opportunity to expand their learning experience into the area of computer forensics.


JCSC 22, 4 (April 2007)

What is the rationale for the curriculum?

The addition of this minor will give students the opportunity to add a Digital Computer Forensics component to complement the Scientific Forensics Degree program offered by the College of Arts and Sciences. Students in Technology degree programs in the College of Business and Information Systems will have an opportunity to expand their educational experience into an additional specialization area compatible with corporate and government needs.

What outcomes will be expected for all students who complete the minor?

Students will be able to operate in a corporate environment as a security analyst. The Computer Forensics Minor will offer a starting point for students in the field of Digital Forensic Investigation. The minor will prepare students entering the business world with basic computer investigative training. Students will use the latest investigative tools, including computer tablet technology.

PROPOSED CURRICULUM

The proposed curriculum relates to the specific needs of the Dakota State University academic course of study. The proposal is, however, not restricted to this particular university or to the academic environment. It can be easily adapted by other colleges and to security training programs in the corporate environment.

The purpose of security is to protect the important computer assets of business, government, military, academic institutions or individuals. Efforts have concentrated on preventing the exposure of secure information resources. This has evolved to include recovery of operations after an intrusion or catastrophic event. The need for security has risen to another level, which places the burden on the organizational entity to conduct investigations into illegal or harmful computer transmissions. The presumed liability cannot be excused by a lack of prior knowledge. Organizations must actively investigate suspected illegitimate activities.

The goal of the proposed minor is to expand the knowledge base of security students, which could lead to internal skills for investigating network intrusions and internal security breaches. The rising need in organizational security has resulted in the development of this forensic minor proposal. While this course of study does not propose to create computer forensic experts, it will certainly give students the basis to conduct internal investigations and educate them in the use of forensic computer tools.

Distribution of Credit Hours

Computer forensics minor    Credit Hours    Percent
Requirements in Minor       12              50%
Electives in the Minor      12              50%
Total                                       100%


Required Courses in the Minor

Prefix  Number  Course Title                              New  Hours
CIS     Xxx     Computer Forensic Fundamentals            N    3
CIS     Xxx     Defense and Forensic Countermeasures      Y    3
CIS     Xxx     Advanced Computer Forensics               Y    3
CIS     Xxx     Computer Forensics and Investigations     Y    3
                Subtotal (required)                            12

Elective Courses in the Minor

Prefix  Number  Course Title                              New  Hours
CIS     Xxx     Management of Wireless Forensic Security  Y    3
CIS     Xxx     Computer Forensics Project                Y    3
BADM    456     Cyberlaw                                  N    3
CIS     Xxx     Internet Forensics                        Y    3
                Subtotal (Electives)                           12

COURSE CONTENTS

Computer Forensics Fundamentals

In this course, students learn the fundamental principles and concepts of computer forensics. The topics include the classification of digital evidence, the procedure for discovering and preserving evidence, types of computer and Internet crimes, and analyses of computer crime statistics and demographics. Students also learn how to search for and retrieve information to find evidence using some common tools. Related legal procedures, regulations, and laws are also discussed briefly.

Defense and Forensic Countermeasures

The focus of this course is on the use of tools to secure a network, how the tools integrate with the different operating systems, and the methodologies necessary to protect a network through defensive measures. The forensic side of network defense is intrusion investigation. The course includes an introduction to popular hacking techniques and the necessary responses a system administrator follows. Case studies are used to describe actual attacks. Modern network instrumentation is significantly easier to implement, and can be accomplished with network sniffing software, preferably on a dedicated host, and ideally with the network transmit wire physically severed. This course prepares students for detection, investigation and systems audit procedures. Since the course is based on tool usage, the course materials will change constantly to implement new techniques and introduce new concepts.

Advanced Computer Forensics

This course deals with advanced and emerging topics in computer forensics. It introduces students to comprehensive analysis tools (such as EnCase 6) and covers how to use the tools and other applications for common forensic procedures. Special emphasis is placed on the NTFS capabilities of the tools (such as EnCase) so that students exposed to the Windows file systems become familiar with NTFS. The course is a combination of lecture, instructor-led demonstrations, and practical exercises that focus on the analysis tools (e.g., EnCase, FTK).

Computer Forensics and Investigations

Networks are transport, not storage, elements. Therefore, all data must be captured and stored in real time, or it will be lost forever. This presents an opportunity for multiple types of investigations. Logs must be audited to analyze traffic patterns, and this applies to host as well as network traffic. This level of investigation leads to router forensics and Web attack investigations. The types of investigation expand to email and the discovery of email crimes, steganography, and mobile devices. This course covers formal investigation requirements and investigative reports. Students are introduced to "Expert Witness" requirements, including liabilities associated with evidence collection and courtroom testimony.

Internet Forensics

This course introduces students to a variety of Internet-based evidence and software. Emphasis is placed on using common media analysis tools and techniques to locate and recover Internet-based evidence in a forensically sound manner. This course presents solutions to problems that may be encountered during analysis. It examines advanced digital forensic data recovery topics, tools, and practices to recover information and aid investigations. Students learn ways to defeat data hiding techniques such as steganography, encryption, and passwords on protected systems. Hands-on exercises that reinforce the learned techniques are included.

Management of Wireless Forensic Security

This course examines wireless technologies from a forensic and investigative perspective. Students learn basic communication concepts that help them understand the capabilities and limitations of various technologies. A number of hands-on exercises reinforce lecture material while providing students with first-hand knowledge of various vulnerabilities. Evidence collection and handling will be emphasized. Focus is placed on the volatility of evidence and the need to secure crime scenes. Evidence handling and chain of custody issues are the central thread in managing an investigation.


Computer Forensics Project

This is a scenario-based course that teaches students how to conduct detailed data analysis in a laboratory environment. Students conduct forensic media analysis and log file analysis to determine the specifics of a Linux-based (or other platform) intrusion. Students use tools and analysis techniques to analyze an intruder's network traffic and correlate the findings with forensic evidence found on a Linux (or other platform) victim machine.

BADM 456 Cyberlaw

Cyberlaw is a study of the legal (and ethical) aspects of managing technology both in the workplace and in cyberspace. The course focuses on issues relating to electronic commerce, technology, intellectual property, and the Internet. Social, legal, ethical, and political issues are addressed with a global perspective.

CONCLUSIONS AND DISCUSSION

Information and communication technology is definitely one of the major driving forces for businesses of all sizes today. The impact of information and communication technology is indeed profound and revolutionary. It has dramatically changed our society in general, and the ways in which organizations conduct business and how people communicate in particular. Computer and network security is a growing concern to all organizations and individuals worldwide. Information security is a critical part of information and communication technology infrastructure. Computer forensics can play a prominent role in computer and network security, information assurance, law enforcement, national defense, etc. Computer forensics courses are an important (and oftentimes necessary) addition to computer and network security training. The Computer Forensics Minor can be a starting point for further program development, which could include certification training for local law enforcement agencies and the possibility of developing a Computer Forensics Major. The concept proposed has gained verbal support from some FBI and industry experts.
REFERENCES

[1] Abernethy, K., Treu, K., and Piegari, G., Assessing the impact of the emerging discipline of information technology on computing curricula: some experiences, Journal of Computing in Small Colleges, 22(2), 262-266, 2006.
[2] Bacon, T. and Tikekar, R., Experiences with developing a computer security information assurance curriculum, Journal of Computing in Small Colleges, 18(4), 254-267, 2003.
[3] Benson, Robert J., The Increasing significance of computer forensics in litigation, Intellectual Property & Technology Law Journal, 16(11), 1-4, November 2004.
[4] Berghel, H., The discipline of Internet forensics, Communications of the ACM, 46(8), 15-20, August 2003.
[5] Bogolea, B. and Wijekumar, K., Information security curriculum creation: a case study, Proceedings of the 1st annual conference on Information security curriculum development, 59-65, 2005.
[6] Brungs, A. and Jamieson, R., Identification of legal issues for computer forensics, Information Systems Management, 22(2), 57-66, spring 2005.
[7] Carrier, B., File System Forensic Analysis, Upper Saddle River, NJ: Addison-Wesley, 2005.
[8] Dardick, G.S. and Lau, L.K., Interdisciplinary minor in digital forensics, security and law, Proceedings of the 6th conference on Information technology education (SIGITE '05), p.371, 2005.
[9] Farmer, D. and Venema, W., Forensic Discovery, Upper Saddle River, NJ: Addison-Wesley, 2005.
[10] Fernandez, J.D., Smith, S., Garcia, M., and Kar, D., Computer forensics – a critical need in computer science programs, Journal of Computing in Small Colleges, 20(4), 315-322, 2005.
[11] Gottschalk, L., Liu, J., Dathan, B., Fitzgerald, S., and Stein, M., Computer forensics programs in higher education: a preliminary study, Proceedings of the 36th SIGCSE technical symposium on Computer science education (SIGCSE '05), 37(1), 147-151, 2005.
[12] Mohay, G., Anderson, A., Collie, B., de Vel, O., and McKemmish, Computer and Intrusion Forensics, Norwood, MA: Artech House, 2003.
[13] Mandia, K., Prosise, C. and Pepe, M., Incident Response and Computer Forensics, 2nd edition, Emeryville, CA: McGraw Hill/Osborne, 2003.
[14] McGuire, T.J., and Murff, K.N., Issues in the development of a digital forensics curriculum, Journal of Computing in Small Colleges, 22(2), 274-280, 2006.
[15] Nelson, B., Phillips, A., Enfinger, F., and Steuart, C., Guide to Computer Forensics and Investigations, 2nd edition, Boston, MA: Course Technology, 2006.
[16] Soe, L.L., Manson, D., and Wright, M., Establishing network computer forensics classes, Proceedings of the 1st annual conference on Information security curriculum development, 76-81, 2005.
[17] Streff, K. and Zhou, Z., Developing and enhancing a computer and network security curriculum, Journal of Computing in Small Colleges, 21(3), 4-18, 2006.
[18] Whitman, M.E., and Mattord, H.J., Designing and teaching information security curriculum, Proceedings of the 1st annual conference on Information security curriculum development, 1-7, 2005.
