A Term Project for a Course on Computer Forensics

WARREN HARRISON
Portland State University, Oregon
The typical approach to creating an examination disk for exercises and projects in a course on computer forensics is for the instructor to populate a piece of media with evidence to be retrieved. While such an approach supports the simple use of forensic tools, in many cases the use of an instructor-developed examination disk avoids utilizing some key aspects of a digital investigation by overly focusing on the mechanics of retrieval. We recently developed a course on computer forensics that utilized a large-scale, team-based term project involving the forensics examination of a computer system. In this article we describe an approach for providing examination disks for student use in a term project that reinforces the investigative aspect of the process.

Categories and Subject Descriptors: K.4.2 [Computers and Society]: Social Issues - Abuse and crime involving computers; K.3.2 [Computers and Education]: Computer and Information Science Education - Curriculum

General Terms: Security, Legal Aspects

Additional Key Words and Phrases: Student projects, computer crime, computer evidence

1. INTRODUCTION

Over the past few years, computer departments have shown growing interest in both research and education dealing with computer forensics, which has led to the introduction of a large number of newly developed classes on the subject. A significant issue involves the use of practical exercises within a forensics curriculum. Most forensics classes involve at least the modest use of tools to extract evidence from a hard drive. Such exercises require an examination disk containing “evidence” that is to be discovered and retrieved by the student. The typical approach to creating an examination disk for exercises and projects is for the instructor to populate a piece of media (usually removable media such as a floppy disk or a CD) with the evidence to be retrieved. Probably the most common example is to require the student to find their certificate of completion or a document containing their name or grade through a forensic analysis of the media. While such an approach supports the simple use of forensic tools, we feel that in many cases the use of an instructor-developed examination disk avoids utilizing some key aspects of a digital investigation by overly focusing on the mechanics of retrieval. We recently developed a course on computer forensics targeting upper-division computer science undergraduates. This class utilized a large-scale, team-based term project involving the forensics examination of a computer system. In this article we describe an approach to providing examination disks for student use in the term project that reinforces the investigative aspect of an examination.
Author’s address: Warren Harrison, Department of Computer Science, Portland State University, Portland, OR 97207-0751, warren@cs.pdx.edu. Permission to make digital/hard copy of part of this work for personal or classroom use is granted without fee provided that the copies are not made or distributed for profit or commercial advantage, the copyright notice, the title of the publication, and its date appear, and notice is given that copying is by permission of the ACM, Inc. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or a fee. Permission may be requested from the Publications Dept., ACM, Inc., 2 Penn Plaza, New York, NY 11201-0701, USA, fax: +1 (212) 869-0481, permissions@acm.org. © 2007 ACM 1531-4278/07/0600-ART1 $5.00. ACM Journal of Educational Resources in Computing, Vol. 6, No. 3, September 2006. Article 6.


2. RECOVERY VS. INVESTIGATION

Exactly what the focus should be in a computer forensics course that is taught in a computer science department is unclear. Our class was designed to be oriented towards recovery of digital evidence in either civil or criminal legal proceedings, though our emphasis was clearly at the criminal end of the spectrum. We found the categories of computer forensics personnel identified in Yasinsac et al. [2003] helpful in identifying topical content:

● Technicians carry out the technical aspects of gathering evidence, so they must have sufficient technical skills to gather information from computers and networks. They must understand both software and hardware on host computers as well as the networks that connect them.

● Policy makers establish forensic policies that reflect the enterprise’s broad considerations. It is the policy maker’s responsibility to see the impact of forensics in the broader context of business goals and make the hard decisions that trade-off forensics capabilities against issues of privacy. Although these administrators focus on the big picture, they must be familiar with computing and forensic sciences.

● Professionals are the link between policy and execution. The computer forensic professional must have extensive technical skills as well as a broad and deep understanding of legal procedures and requirements gained through either a broader education or extensive experience. Moreover, the computer forensic professional must understand the organizational perspective, to ensure that policies are executed properly within the business context.

The goal of our course was to produce computer forensic professionals. Therefore, we believe that there are certain skills students should possess at the end of the class, as follows: the ability to

● identify relevant electronic evidence associated with various violations of specific laws, including, but not limited to, computer crimes. Relevant evidence is any evidence that makes the existence of a fact that is of consequence to the case either more or less probable than it would be without the evidence. Two of the skills that bear directly on this include (1) identifying the “elements of the crime” and relating electronic artifacts to these elements; and (2) presenting evidence to a nontechnical audience in a coherent, logical manner.

● identify and articulate probable cause as necessary to obtain a warrant to search for electronic artifacts and recognize the limits of warrants. We felt this was important because not only was there widespread misunderstanding of probable cause issues and 4th Amendment/statutory protections among the students, but there was also a serious misunderstanding of the criminal justice system and related processes.

● locate and recover relevant electronic evidence from computer systems using a variety of tools. This entails the use of actual forensics tools on “seized” media. We used the e-fense Helix Forensics Distribution (http://www.efense.com/helix/). Helix is a bootable CD containing many open source forensic tools, including Brian Carrier’s sleuthkit and autopsy (http://www.sleuthkit.org) that allows a “live” analysis of a computer system. It boots into a customized Knoppix environment that does not impact the host computer or its drives in any way.

● recognize and maintain a chain of custody of electronic evidence. Any evidence that ultimately makes its way to judicial review must demonstrate tight controls over its access, commonly referred to as a “chain of custody.” At any given point in time, it should be possible to identify who had possession of the evidence, where it was, and what it was accessed for. Students need to understand the importance of, as well as become accustomed to, enforcing a chain of custody.

● follow a documented forensics investigation process. Students regularly report that when they perform their first forensic analysis, their approach to identifying evidence is very much “hit-and-miss.” Oftentimes they could not even remember the strings for which they had already searched from session to session. Ultimately, this leads to an inefficient, unrepeatable ad-hoc process. Investigators should plan their investigation before attempting a forensic analysis of the evidence disk.

We wanted students to have an opportunity to exercise each of these skills, and we viewed the term project as the ideal vehicle to provide it.

3. THE ROLE OF THE PROJECT IN A COMPUTER FORENSICS COURSE

Our course was designed for a 10-week quarter. When designing the class, we had the option of using either a set of weekly graded exercises, or a major project spread over 7 of the 10 weeks in which students could exercise the skills and knowledge being covered in class. While in theory, we could have selected both the graded exercises and the term project, we were reluctant to overwhelm the students with what might be considered redundant activities. Our view of the “exercise option” was that it would revolve around the traditional evidence discovery, recovery, and related activities; for example, imaging drives, recovering deleted files, keyword searches, and hashing and hash utilization. On the other hand, our vision of a term project was an exercise that would closely emulate a real investigation involving digital evidence. This would entail not only the discovery and recovery of evidence, but also planning the investigation, distinguishing between relevant and nonrelevant evidence, articulating probable cause, and observing the bounds of a search warrant. We decided to select a term project over weekly exercises because we felt weekly exercises would emphasize the technician aspect of computer forensics too much. We wanted students to understand the context within which a digital investigation exists, since this is important for the computer forensic professional. While we had not originally anticipated it, we also found that the use of a project gave students the time and opportunity to investigate tools and techniques that would not have been encountered in preplanned weekly exercises.
For example, even though Helix was the de facto tool kit discussed in class (and used in in-class hands-on exercises), we invited students to investigate other open source forensics tools and tool kits as they carried out their project (e.g., http://www.opensourceforensics.org/).

4. PROJECT CHARACTERISTICS

The project needed to possess a number of important characteristics because our focus was split between the technical aspects of evidence discovery and recovery, as well as the investigatory aspects such as identifying relevant evidence, articulating probable cause, observing the limits of a search warrant, and maintaining a chain of custody. First, we wanted students to work within a realistic environment. This meant students needed to deal with a rich set of potential evidence—some relevant and some irrelevant to the investigation. We felt this would require access to evidence disks containing a large amount of data. In our case, we used 20-gigabyte (G) hard drives loaded with XP and Office XP as the evidence disks. Second, to truly motivate the chain of custody concept and illustrate its importance, we found that students had to believe that it was not only possible but in fact likely that others would have access to their evidence disks. We forced this situation by organizing the project around a set of three-person teams. Within this context, students rapidly understood the importance of the chain of custody and associated controls such as media hashing to verify that the contents of the evidence disk had not changed since the student last had custody of the media. This arrangement also encouraged communication and scheduling among team members, which is a major goal within the Portland State University computer science program.

5. A FORENSICS EDUCATIONAL LABORATORY

The project was facilitated using the infrastructure provided by our Computer Forensics Educational Laboratory. This facility consists of 15 dedicated workstations with bays for removable drives (Fig. 1), and a set of evidence lockers (Fig. 2)—one locker per team—to illustrate chain of custody. This enabled members of a team to check their evidence disk out from their locker, install and analyze it on any free machine in the Lab, and return it to secure storage when they were done. In addition to the 15 workstations with single removable drive bays, there was also an “imaging station” consisting of a Linux-based PC with two removable drives so teams could use dd to image original evidence drives and create analysis drives. Thus, if the contents of a drive were to change, the team could reimage the original evidence drive. The dedicated nature of the Lab made access easy for our forensics teams. This was important, since imaging and doing string searches over a 20-G hard drive can take hours. However, an open Lab would have worked equally well as long as the workstations had removable drive trays, each team had secure locker storage, and either liberal access policies or scheduled signups were made available to allow extended sessions. Our removable bays and extra trays cost under $25 per computer and the lockers were obtained from a surplus furniture outlet for approximately $100. In addition, each team was assigned two 20-G hard drives (one for the original evidence disk and one for the image) at a cost of approximately $70 per team. A special-purpose imaging machine can be assembled from surplus components for under $400. Given an existing computing capability, a forensics infrastructure upgrade can be put into place for approximately $100 per team, plus $500 for a dedicated imaging workstation and a set of secured evidence lockers.

[Figure 1: dedicated forensics workstations with removable drive bays]

[Figure 2: team evidence lockers]

6. THE PROJECT

The project consisted of three phases. Phase I entailed the creation of an evidence disk. Phase II involved swapping the evidence disks among the teams and finding relevant evidence from the evidence disk. Phase III was a presentation to the rest of the class outlining the evidence retrieved in Phase II. Each of these phases is further explained below.

Phase I.
In the first phase of the project, each forensics team was provided with a 20G removable hard drive, formatted using FAT-32 and containing Windows XP and Office XP. The team was instructed to select two crimes from the list in Table I. These are Oregon state crimes (http://www.leg.state.or.us/ors) that frequently involve digital evidence. A similar list could be easily constructed for any other jurisdiction. Each team was to identify one primary crime and (at least) one secondary crime. The team would prepare a crime summary for the primary crime. The summary should clearly identify the primary crime, the identity of the individuals involved (both suspects and victims), as well as indicating any relevant physical evidence. An example of a crime summary prepared by one of the forensic teams is provided in Appendix I.

Table I. Selected Oregon Crimes

164.125 Theft of services
164.345/354/365 Criminal mischief
164.377 Computer crime
165.007/013 Forgery
165.017/022 Criminal possession of a forged instrument
165.032 Criminal possession of a forgery device
165.055 Fraudulent use of a credit card
165.080 Falsifying business records
165.100 Issuing a false financial statement
165.800 Identity theft
165.810 Unlawful possession of a personal identification device
165.813 Unlawful possession of fictitious identification
163.732 Stalking

Table II. ORS 165.055 Fraudulent Use of a Credit Card

(1) A person commits the crime of fraudulent use of a credit card if, with intent to injure or defraud, the person uses a credit card for the purpose of obtaining property or services with knowledge that
(a) the card is stolen or forged; or
(b) the card has been revoked or canceled; or
(c) for any other reason the use of the card is unauthorized by either the issuer or the person to whom the credit card is issued.
(2) “Credit card” means a card, booklet, credit card number or other identifying symbol or instrument evidencing an undertaking to pay for property or services delivered or rendered to or upon the order of a designated person or bearer.

After preparing the crime summary, the team was to make use of the standard productivity tools found on the hard drive, as well as any freely available tools that could be downloaded from the Internet to manufacture evidence relevant to the crime at hand. In essence, the team was asked to “play the criminal.” The teams were instructed to make sure that the various pieces of evidence were manufactured in a number of forms: from obviously named files (e.g., “StolenCreditCardNumbers.xls”) stored in plaintext, to files that had been renamed and/or had improper extensions, and deleted files. This ensured that every team would achieve at least some level of success in finding some evidence.
For example, if the primary crime involved ORS 165.055 Fraudulent use of a credit card (see Table II), and the crime summary indicated that a credit card was used to fraudulently purchase a particular item from the Internet, we might expect to find evidence (such as cookies, cached web pages from the online store at which the purchase was allegedly made, or an e-mailed invoice of such a purchase) on the computer’s hard drive. The team was also to perform a similar activity in the context of the secondary crime; however, no crime summary was to be prepared for the secondary crime. The point of the secondary crime was to provide an opportunity for the examination team to find evidence of a crime that would fall outside the scope of the associated search warrant. Students must understand the elements of the crime to effectively carry out this activity. If the elements of the particular crime were ignored, the team could spend a great deal of effort manufacturing irrelevant evidence while neglecting to manufacture any relevant evidence. For example, in the case of fraudulent use of a credit card, the elements of the crime are (see Table II):

(1a) an intent to injure or defraud;
(1b) the card is used to obtain property or services;
(1c) the actor has knowledge that the card is stolen, forged, revoked, canceled, or its use is otherwise unauthorized.

The team could spend a great deal of effort generating spreadsheets of “stolen” credit card numbers, which could be absolutely irrelevant to the investigation of this crime while omitting proof the card was used to obtain property or services or that the actor had knowledge that use of the card was unauthorized. While important in Phase I of the project, recognition of the elements of a crime becomes essential in Phase II when the teams are tasked with finding relevant evidence. Not surprisingly, this was one of the aspects of an investigation with which technical students appeared to have the greatest trouble in both Phase I and Phase II. In addition to turning in their manufactured evidence disk and crime summary, each team also turned in an index of each piece of evidence deposited on the hard drive. For example, the location of all manufactured cookies and files, as well as their evidentiary significance would be listed.

Phase II.

At the beginning of Phase II, the evidence disks and associated crime summaries prepared by each team were randomly swapped among the other teams in the class. Each team was tasked with identifying and recovering relevant evidence within the context of the crime summary associated with the evidence disk. The disk swap was “double blind,” so it would be difficult for teams to solicit or volunteer hints as to where the evidence was located. Questions that were necessary due to shortcomings in the crime summary (e.g., what is the credit card number that was stolen?) were filtered through the instructor to maintain anonymity. The first step performed by each team was to study the crime summary and study the statutes from Table I. Based on their understanding and the statutes, the team could establish the most appropriate crime and enumerate the elements of the crime.
Once the elements of the crime were identified, the team knew the facts to be proven, and consequently the types of evidence they should look for on the evidence disk. Each team began the examination process by imaging the original evidence disk to create the working investigation disk. The original disk was put into the custody of the instructor (to ensure it could be recovered if necessary) and the investigation disk was used by the team to obtain relevant evidence. Each team was provided with a combination lock to their lockers and a chain of custody check-out form (see Appendix II). Team members signed out the evidence disk from the locker and signed it back in when they were finished with it. In addition, the team was also provided with a bound Mead composition notebook in which to take notes describing each analysis session. At the very least, the notes were to document the time and date of each session as well as the operations carried out on the investigation disk and their results. The compilation of working notes was stressed as an important way to keep from repeating operations that had already been performed as well as preventing the team from overlooking an analysis that they had planned to carry out. The notes could also be cross-checked with the chain of custody to ensure team members adhered to the checkout and documentation procedures. Students were given a broad scope in the tools used to recover evidence. Each team was provided with a Helix CD, but they were invited to acquire or build other tools that they might need. Most teams used Altheide’s paper on forensic analysis of Windows-based systems [Altheide 2004] as a starting point in their analysis of the evidence drive.
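The acquisition and custody procedure just described, written out as runnable code. This is an added example and is not code from the article or the course: it copies a constructed "evidence drive" file block by block (the role dd played on the imaging station), hashes both the source and the resulting image, and keeps an in-memory version of the Appendix II custody form in which every check-out and check-in re-hashes the media and flags a mismatch against the hash recorded at acquisition. The evidence and case identifiers, student names and drive contents are constructed, and the function and class names (sha256_file, acquire_image, CustodyLog, demo) are my own.

```python
"""Hash-verified acquisition plus a chain-of-custody log (added example)."""
from __future__ import annotations

import hashlib
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # fixed-size reads, the way dd copies a device


def sha256_file(path: str) -> str:
    """Hash a file (or raw device) in blocks so a large image need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(BLOCK_SIZE), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire_image(source: str, image: str) -> tuple[str, str]:
    """Copy source to image block by block and return (source hash, image hash).

    The source hash is taken from the bytes as they are read, the image hash from
    the written file afterwards; the two must agree or the image is not usable."""
    digest = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(BLOCK_SIZE), b""):
            digest.update(block)
            dst.write(block)
    return digest.hexdigest(), sha256_file(image)


class CustodyLog:
    """One row per check-out or check-in, as on the paper custody form.

    Each event re-hashes the media and compares it with the hash recorded at
    acquisition, so a silent change between sessions shows up on the row."""

    def __init__(self, evidence_id: str, case_id: str, team: str, known_hash: str):
        self.evidence_id, self.case_id, self.team = evidence_id, case_id, team
        self.known_hash = known_hash
        self.rows: list[dict] = []

    def _record(self, action: str, who: str, path: str, remarks: str) -> bool:
        observed = sha256_file(path)
        intact = observed == self.known_hash
        self.rows.append({
            "when": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "action": action, "name": who, "sha256": observed,
            "remarks": remarks if intact else f"HASH MISMATCH; {remarks}".strip("; "),
        })
        return intact

    def check_out(self, who: str, path: str, remarks: str = "") -> bool:
        return self._record("OUT", who, path, remarks)

    def check_in(self, who: str, path: str, remarks: str = "") -> bool:
        return self._record("IN", who, path, remarks)


def demo() -> dict:
    """Run the procedure on a constructed drive and return what each step observed."""
    with tempfile.TemporaryDirectory() as work:
        original = os.path.join(work, "original_evidence.bin")
        image = os.path.join(work, "working_image.dd")
        # Constructed evidence drive: filler bytes plus one obviously named artefact.
        with open(original, "wb") as fh:
            fh.write(b"\x00" * 10000 + b"StolenCreditCardNumbers.xls" + b"\xff" * 3000)
        src_hash, img_hash = acquire_image(original, image)
        log = CustodyLog("EV-0001", "CASE-0001", "Team A", img_hash)  # constructed ids
        out_ok = log.check_out("student1", image, "keyword search")
        in_ok = log.check_in("student1", image)
        # Simulate an unlogged modification of the working image between sessions.
        with open(image, "r+b") as fh:
            fh.seek(10000)
            fh.write(b"X")
        tampered_ok = log.check_out("student2", image, "file carving")
        return {"source_hash": src_hash, "image_hash": img_hash,
                "clean_checkout": out_ok, "clean_checkin": in_ok,
                "tampered_checkout": tampered_ok, "rows": log.rows}


if __name__ == "__main__":
    for row in demo()["rows"]:
        print(row)
```

Two design points worth noting. The comparison at every check-out is against the hash recorded at acquisition, not against the previous row, so a change is attributed to the gap in which it happened rather than carried forward unnoticed. SHA-256 is used here in place of the MD5 that tools of the Helix era typically produced; the procedure is the same whichever digest the team records on the form.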


Phase III.

At the end of seven calendar weeks (approximately three weeks for Phase I, a one-week break to allow the instructor to administer the evidence disks, and three more weeks for Phase II), each team was to present the evidence they had obtained. Each team prepared a 20-minute PowerPoint presentation to document the evidence recovered by their examination, which included the following information:

● the crime and its elements
● location of the evidence
● how it was found
● its relevance to the crime under investigation.

This information was presented to the rest of the class and assessed on its technical correctness, how well the team was able to explain how they retrieved the evidence, and its significance. During the presentation, individual team members were also extensively questioned to determine their ability to articulate their activities and the details of their tools to a nontechnical audience, such as they would to a jury in a court proceeding.

7. ASSESSMENT

Because the course is intended for upper division computer science majors, many of the technical issues involved in computer forensics, such as file system organization and file structures were assumed to pose no significant challenge to the students. Of first importance is the ability of students to recognize relevant evidence and understand the unique statutory and constitutional limitations involved in searching electronic artifacts [Harrison 2004]; of second importance is an awareness of, and the ability to use, common forensics tools. The students’ mastery in

● identifying relevant electronic evidence associated with various violations of specific laws including, but not limited to, computer crimes;
● articulating probable cause as necessary to obtain a warrant to search for electronic artifacts, and recognize the limits of warrants;
● locating and recovering relevant electronic evidence from computer systems using a variety of tools;
● recognizing and maintaining a chain of custody of electronic evidence; and
● following a documented forensics investigation process

was assessed using three artifacts: (1) the crime summary and evidence disk from Phase I; (2) the Phase III presentation detailing the evidence they found and how they went about finding it; and (3) a take-home examination distributed in week 8. In addition, because artifacts (1) and (2) assessed team vs. individual performance, a peer evaluation form was completed by each team member and the “working notes” were reviewed to aid in assigning individual grades.

Assessment Artifact (1). In the evaluation of the evidence disk and crime summary, the evaluation centered on the team’s ability to accurately identify the elements of the selected crime and engineer plausible evidentiary objects. For example, in the case of fraudulent use of an individual’s own credit card, two elements of the crime are 1) the card is used to obtain property or services, and 2) the actor has knowledge that the card is stolen, forged, revoked, canceled, or its use is otherwise unauthorized. Evidence of the first element may involve cookies from an e-commerce site, an e-mail confirming a purchase, or a number of other objects; evidence of the second might consist of an e-mail from the credit card company indicating the card has been revoked, or conversely, an e-mail from the actor to the credit card company prior to the purchase in question asking for the card to be canceled because it was stolen. Within the context of a computer forensics analysis, this ability is important, because if students know plausible and adequate evidence to engineer, they’ll also know not only where to look for this evidence, but what evidence is relevant. This can easily be determined by examining the index that is turned in with the manufactured evidence disk.

Assessment Artifact (2). The investigation process and evidence recovery is documented in the teams’ presentations (PowerPoint slides), plus questioning during the presentation. This presentation should detail the procedures followed and the tools used. Unlike the first assessment artifact in which we looked for things the teams had done, the second assessment involved looking for things the teams had not done. The ability to find all relevant evidence was deemed less important than following a systematic, disciplined analysis procedure and accurate identification of whether evidentiary items were relevant or not. Consequently, we looked for evidence that a systematic procedure was not followed or that “evidence” located by the team was not relevant or adequate to prove the elements of the crime. We were also concerned that appropriate tools were used, and that cogent explanations were given of what the tools actually identified (e.g., in the case of deleted files, could the team explain how the file was recovered?). Part of this can be gleaned from the PowerPoint slides and presentation; the rest can be obtained through questions and answers during the presentation.

Assessment Artifact (3). Two weeks prior to the end of the term, a take-home examination was distributed to each student (see Appendix III).
The examination provided an opportunity to assess each student’s knowledge of search and seizure issues, including probable cause, the Fourth Amendment and the Electronic Communications Privacy Act, as well as various technical details. In the final analysis, the course met all of its goals. The students came away with an enhanced understanding of both the role of electronic evidence in criminal prosecution, as well as the nontechnical limitations imposed on the forensic analyst by the courts and the law. This background will serve those students well who intend to enter the field (out of a class of 15, at least 2 have taken positions dealing with computer forensics upon graduation).

8. LESSONS LEARNED

This article describes our first attempt at organizing a computer forensics term project. As can be expected, a number of important lessons were learned that we intend to use in our next offering.

Commercial Sites Encode Cookies

A great deal of digital evidence in a case involving credit card fraud or identity theft can involve Internet cookies that are placed on a hard drive as a by-product of visiting certain websites. Forensic teams had a great deal of difficulty decoding various proprietary cookie formats. For example, an Internet Explorer cookie might look like this:

SITESERVERID=729d8ae906ae5f49258cfa9aa34db74echeaperthandirt.com/153664285900831887777267732796829631142*

Since there is no convenient mechanism to decode these proprietary formats short of contacting the company, this is a real problem for teams involved in extracting evidence.
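Part of the difficulty with the cookie above is that the proprietary part (the value) and the browser's own bookkeeping are printed as one run. The following is an added example, not code from the article or the course, that decodes the browser side of an Internet Explorer per-site cookie text file. It assumes the layout of those files as commonly documented: each cookie is eight newline-separated fields (name, value, host/path, flags, expiry low and high, creation low and high) terminated by a line containing "*", where each low/high pair is a 64-bit Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC). The sample file re-enters the SITESERVERID cookie quoted above; the split of its run of digits into the five numeric fields is my assumption, chosen because with that split the creation and expiry fields decode to ordinary 2004 and 2035 timestamps, which is the usual plausibility check for a guessed field boundary. The second record is wholly constructed, and the function names are my own.

```python
"""Decode Internet Explorer per-site cookie text files (added example)."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(low: int, high: int) -> datetime:
    """Join the two 32-bit halves of a FILETIME and convert to a UTC datetime."""
    ticks = (high << 32) | low  # 100-ns intervals since 1601-01-01
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when: datetime) -> tuple[int, int]:
    """Inverse of filetime_to_datetime; used here to build a constructed record."""
    ticks = (when - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    return ticks & 0xFFFFFFFF, ticks >> 32


def parse_ie_cookie_file(text: str) -> list[dict]:
    """Split the file into "*"-terminated records and decode the numeric fields."""
    records: list[dict] = []
    buf: list[str] = []
    for line in text.splitlines():
        if line == "*":
            if len(buf) != 8:
                raise ValueError(f"expected 8 fields before '*', got {len(buf)}: {buf}")
            name, value, hostpath, flags, e_lo, e_hi, c_lo, c_hi = buf
            records.append({
                "name": name, "value": value, "host_path": hostpath,
                "flags": int(flags),
                "expires": filetime_to_datetime(int(e_lo), int(e_hi)),
                "created": filetime_to_datetime(int(c_lo), int(c_hi)),
            })
            buf = []
        else:
            buf.append(line)
    if any(buf):
        raise ValueError("file ends with a partial record")
    return records


# Constructed sample file. Record 1 is the cookie quoted in the article with the
# assumed field boundaries; record 2 is built from a chosen creation time.
SAMPLE_CREATED = datetime(2004, 10, 29, 8, 29, tzinfo=timezone.utc)
_c_lo, _c_hi = datetime_to_filetime(SAMPLE_CREATED)
_e_lo, _e_hi = datetime_to_filetime(SAMPLE_CREATED + timedelta(days=30))
SAMPLE_COOKIE_FILE = "\n".join([
    "SITESERVERID", "729d8ae906ae5f49258cfa9aa34db74e", "cheaperthandirt.com/",
    "1536", "642859008", "31887777", "2677327968", "29631142", "*",
    "sessionid", "abc123", "shop.example/checkout", "1536",
    str(_e_lo), str(_e_hi), str(_c_lo), str(_c_hi), "*", "",
])


def cookie_report(text: str) -> list[str]:
    """One line per cookie in the form a team would paste into its working notes."""
    return [
        f"{r['host_path']} {r['name']}={r['value']} "
        f"created {r['created']:%Y-%m-%d %H:%M:%S} expires {r['expires']:%Y-%m-%d %H:%M:%S} "
        f"flags=0x{r['flags']:x}"
        for r in parse_ie_cookie_file(text)
    ]


if __name__ == "__main__":
    print("\n".join(cookie_report(SAMPLE_COOKIE_FILE)))
```

The creation and expiry times are what make such a cookie useful as evidence even when the value itself stays opaque: they place a visit to the site on a timeline that can be compared with the purchase date in the crime summary and with the file-system timestamps of cached pages. Decoding the value field (here the site's own session identifier) still requires knowledge of the site's scheme, which is the gap the article's plaintext "electronic commerce sites" are meant to close.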

We intend to overcome this problem in future forensics projects by providing specially engineered “electronic commerce sites” that store transaction info in plain text for ease of recovery.

Proprietary File Formats

As with cookies, there are a number of common productivity tools that use proprietary formats for files and logs. For example, Outlook artifacts cannot be read directly by most analysis tools. Because Helix was primarily used to analyze the contents of the evidence disk, many teams couldn’t interpret e-mails manufactured using Outlook. For example, an Outlook entry might look like this:

ÿ×ÿÿÿø~x÷×?ÿ ü•ÿÿŸÿÿÿÿÿÿÀ ü•ÿÿûŸÿÿÿÿýÿÿþ•ÿÿûÿÿñÿÿÿÿÿþÿÿÿÿïÿÿÿÿÿÿ•ÿ¿ÿÿÀÿÿÿýÿÿÿþÿÿ ÿÿÿÿÿÿÿÿÿÿÿùÿÿÿÿÿóÿÿÿøÿÿÿçÿýÿÿçÿüÿÿûü?ÿÿüÿÿÿÿÿÿÿÿÿÿÿŸÿ ÿÇÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿßÿÿñÿÿÿ•ÿÿŸÿ÷ÿÿÿÁÿÿÿŸÿÿÿÿÿ¿ÿÿÿÿø?ÿ ÿÿÿÿþÿÿÿÿÿð?ÿÿø ÿÿ ÿûÿÿüÿðÿÿÿÿÿÿÿÿÿÃÿþÿýÿÿÿÿÿÿÿü?ð ÿÿÿÿÿþø„„ D Žõ . ä•ž•F eß4ä) ´P "* èP " $* Q " Ä+ pS " ä+ ¤S ", ØS " $, T " D, TT " d, ˆT " „, ¼T " ¤, ðT " Ä, ,U " ä, tU " - °U " $- ìU " Ä- ÜV ‚€ “R“ âq ”ÔM € ²N ¤ ²<N À¦ ² tO @; AZ++M???????

To address this problem in future project offerings, we plan to use open source productivity tools that use plaintext for files and logs. For example, Mozilla stores its saved e-mail in plaintext so it is easy to process.

Security by Obfuscation Isn’t

Several student teams downloaded large amounts of irrelevant content to “pack” their evidence disk. For example, random images and databases all helped maximize the use of the 20-G hard drives. While the examination teams found the large amount of irrelevant data mildly annoying, the challenges it contributed to the analysis were not worth the effort expended to obtain it. In future classes, teams will be cautioned to avoid investing inordinate amounts of effort in finding “random data” with which to pack the evidence disk.

9. CONCLUSION

The project described in this article provides computer forensic students ample opportunity to carry out a realistic computer investigation.
Most importantly, it avoids a fixation on the mechanistic recovery of data using automated forensics tools and helps the student focus on the significance of evidence. Nevertheless, we have learned some valuable lessons on how to improve the experience for future offerings.


APPENDIX I. SAMPLE CRIME SUMMARY

On the morning of Friday, October 29, 2004, Clackamas County Sheriff’s Deputies arrived at 1415 Redneck Way to serve a search warrant for Igor Sikorsky at that address. The Clackamas County Sheriff’s Department had received a tip from Detective Gates with the San Luis Obispo Police Department regarding a case wherein a resident of San Luis Obispo, Ms Regina Reginald, had reported illegal use of her Visa card to the Department. Follow-up work by Detective Gates had resulted in a subpoena being issued to Specialized Bicycle’s web sales department for their records, yielding the address to which the bicycle ordered with Ms Reginald’s credit card had been delivered. Deputy Sellers and Deputy Riggs served the warrant at 08:29 AM, knocking twice on the door. They reported hearing someone scrambling towards the back of the residence, away from the front door. At this time the deputies used an entry device to batter down the door and enter the residence. The deputies caught sight of Sikorsky running around a corner at the end of the main hallway, and gave chase. They caught up with him in the garage, where he was standing hunched over a computer desk, using the mouse. Upon hearing the deputies enter, Sikorsky dived underneath the desk and pulled the power cord to the computer, shutting it down. At this point the deputies quickly subdued Sikorsky. The deputies located a Specialized bicycle whose model matched the one that the information from Detective Gates indicated was the very one purchased with the stolen credit card. Also discovered in the garage were a George Foreman Grill™ and an X-Box gaming console, both in their respective boxes. The Foreman Grill still had a packing slip attached to the box from Amazon.com (see evidence item #138) with the name “Richard Stallman” listed as the recipient. It featured credit card and shipping information.
Also discovered on a work bench in Sikorsky’s garage was an Oregon State Driver’s license, featuring Sikorsky’s photo but bearing the name of one “Paul Allen.” The suspect’s computer was seized along with the above-mentioned items and Sikorsky was taken into custody. He was booked into Clackamas County Jail at 09:38 AM.

APPENDIX II CHAIN OF CUSTODY FORM

Digital Evidence Custody Form / Page 1 of 5

Evidence ID# ____________________________________
Case # _________________________________________
Investigation Team ________________________________

Date          Time Out          Time In          Name/ID          Remarks


APPENDIX III FINAL EXAMINATION

1. A reporter with the Vanguard (the PSU student newspaper) is working on a story involving the sale of crack on campus. The reporter has stored his interviews with campus crack users on the Vanguard server in Smith Center in anticipation of writing the story.

(A) Portland police detectives obtain a search warrant that authorizes them to seize the contents of the server’s hard drive in order to obtain the name of the primary PSU crack dealer that they believe appears in one of the interviews. When challenged, do you think this search will be ruled legal? Explain.

(B) Assume the reporter is shocked by the information he uncovers in the process of interviewing PSU crack users. Several tell him that a local private university is selling crack to PSU students to augment declining budgets. He contacts the Portland Police Bureau vice squad and volunteers this information. Based on this “tip,” detectives request and receive a search warrant to seize information from that university’s institutional server, which contains financial information regarding the crack purchases and sales. When challenged, do you think this search will be ruled legal? Explain.

2. While investigating a stalking complaint, the victim, Suzie Queue, provides detectives with copies of two e-mails from a Yahoo user named pippi_longstalking:

• E-Mail #1: Dear Suzie: I saw you in the forensics class last week. It was love at first sight. RD.
• E-Mail #2: Dear Suzie: I own a very large knife. Some day I may show it to you. Especially if you won’t reciprocate my love for you. RD.

(A) The detective assigned to the case decides to contact Yahoo and see if they can supply the real name of pippi_longstalking. What does the detective need to supply in order to compel Yahoo to provide this information? Explain.

(B) Assume the detective not only wants to obtain the real name of the user, but she also wants copies of all e-mails this user has sent over the past 90 days. What does the detective need to supply in order to compel Yahoo to provide this information? Is this answer different from the one from (A)? Explain.

3. In the stalking case discussed in Question 2, the detective has been able to obtain both the real name of the owner of the Yahoo login pippi_longstalking as well as all e-mails that have been sent from this account over the last 90 days. The owner of the account is named Rufus Dufus. The acquired e-mails include the two e-mails initially provided by Suzie Queue.

(A) Do you believe this provides evidence of stalking? Explain.

(B) After obtaining Rufus Dufus’ name and copies of the e-mails sent from the Yahoo account, the detective contacts Rufus at home. When confronted with the e-mails, Rufus explains that he had obtained the Yahoo account for a class in January, but had forgotten the password, so he created another Yahoo login, “stiletto”, and had let the pippi_longstalking account go unused since February. He doesn’t know who sent the e-mails, but he swears it wasn’t him. He gives the detective permission to search his home computer in response to the request “may we check your computer to verify that you no longer use the Yahoo login pippi_longstalking?” List the artifacts for which the detective should be looking to either support or refute Rufus’ assertion that he no longer uses this Yahoo login. Explain.

4. While the detective has Rufus’ computer from Question 3, she decides to look for evidence that Rufus is the stalker.

(A) What artifacts should she be looking for? Explain.

(B) Assuming she finds this evidence, do you think it would be considered a legal search if challenged? Explain.

5. Rufus’ computer is running Windows 2000 with the FAT32 file system. Select two of the artifacts you identified in Question 4. Let’s say Rufus deleted artifact #1 and emptied the recycle bin. Then Rufus deleted artifact #2, but failed to empty the recycle bin.

(A) Explain what the file system would look like – show an example.

(B) What tools might be used to recover these two deleted files? How do they work?

6. In the process of interviewing professors who have had both Suzie and Rufus in their classes, the detective finds that in one class, Suzie and Rufus were assigned a team project last January. However, Rufus did not follow through with the work he had promised, and as a result, both he and Suzie received a low grade in the class. Several other students said that Suzie was very angry with Rufus. The detective becomes suspicious that Suzie may have used Rufus’ dormant Yahoo account to send herself the e-mails.

(A) Based on this theory, do you think the detective has probable cause to search Suzie’s computer? Explain.

(B) If Suzie’s computer was searched, list the artifacts for which the detective should be looking. Explain.

7. Let’s assume the detective could not get a warrant.

(A) What could the detective look for that would not require a warrant to search Suzie’s computer? Explain.

(B) What could this information be used for? Explain.

8. In the process of searching a hard drive, the investigator may execute a “keyword search”.

(A) Explain the difference between a logical and physical search.

(B) Which is more accurate? Explain.

directly for information on their formats, this caused significant problems for both teams in manufacturing evidence

ACKNOWLEDGMENTS

Many thanks to the students in past and future computer forensics courses as well as to Golden Richard of New Orleans University who convinced me that others may be interested in using this approach. Thanks are also due to Anna Carlin and David Manson of the California State Polytechnic University, who adopted this approach to structuring a forensics class project [Carlin et al. 2005] after attending a presentation made by the author at the First Annual IFIP WG 11.9 International Conference on Digital Forensics at the University of Central Florida in February 2005. It is only through a willingness by others to replicate new ideas that the viability of any pedagogical technique can be truly evaluated.

REFERENCES

ALTHEIDE, C. 2004. Forensic analysis of Windows hosts using UNIX-based tools. Digital Investigation (Sept.), 197-212.
CARLIN, A., CURL, S., AND MANSON, D. 2005. To catch a thief: Computer forensics in the classroom. In Proceedings of the 22nd Annual Information Systems Educators Conference (Columbus, OH, Oct.), Association of Information Technology Professionals, Chicago, IL.
HARRISON, W. 2004. The digital detective: An introduction to digital forensics. In Advances in Computers, vol. 60, M. Zelkowitz, ed., Academic Press.
YASINSAC, A., ERBACHER, R., MARKS, D., AND POLLITT, M. 2003. Computer forensics education. IEEE Security & Privacy (July/Aug.), 15-23.

Received March 2005; revised January 2007; accepted January 2007.
