LUDWIG SLUSKY
CALIFORNIA STATE UNIVERSITY, LOS ANGELES, U.S.A. LSLUSKY@EXCHANGE.CALSTATELA.EDU
PARVIZ PARTOW-NAVID
CALIFORNIA STATE UNIVERSITY, LOS ANGELES, U.S.A. PPARTOW@EXCHANGE.CALSTATELA.EDU
Development of Computer Forensics Course Using EnCase
E-LEARN 2009
World Conference on E-Learning in Corporate, Government, Healthcare & Higher Education
Vancouver, Canada: October 26-30, 2009 Best Practices Session
Forensic Sciences
10/27/2009 11:55am
E-Learn 2009. Ludwig Slusky and Parviz
Partow-2
Originated in Medicine
Expanded … Arson, Chemistry, … and Digital Evidence.
Forensic Sciences is “a broad spectrum of sciences to
answer questions of interest to a legal system.” (Wikipedia)
Computer Forensics
- “use of analytical and investigative techniques … to identify, collect, examine and preserve information … magnetically stored or encoded … to provide digital evidence of a specific or general activity.”
Investigation of Computer Attacks
Investigations of computer attacks, hacker intrusion, fraud and abuses:
Salami attack
Data diddling
Excessive (elevation of) privileges
Password sniffing on a network
IP spoofing
Eavesdropping
Emanation
Wiretapping
Recovery of Computer Information
International principles
Recognition of evidence
Handling in various courts consistently in the same manner.
The common evidence for such investigations includes:
Violations of Information Security
Penetration of Computer Access Control
Breaching Information Accountability
Penetration of Network Security
Cryptanalysis
Penetration of Operational Security of Computer Systems
Penetration of Application and Database Security
Hacking
Preventing Recovery - Crashed Hard Disks
Hard Disk Destruction
Sensitive information on a hard disk requires decommissioning.
After being crushed by the Hard Disk Crusher, the data can never be recovered again. It drills through the hard disk's spindles and physically creates ripples in the platters, making it impossible to recover the data.
Reformatting a disk or using a degausser are other options, though they can be less reliable.
http://edrsolutions.com/solution.asp
Forensic Investigation Process
Computer forensics software collects data into evidence files
Remote Forensic Investigation
Forensic investigation
Traditional – physical access to a target machine
Remote – access across a network (a newer technique)
Target machine can be located anywhere
Accessible via the Internet or dedicated communication lines
EnCase Enterprise Edition supports remote investigation
Recommendations for Remote Investigation
Keep system resource usage down
Disguise the remote investigative agent software
Make sure that any personal firewall active on the target machine allows the agent's inbound connections
Keep log files free of records of any forensic activity
Start the agent on the target machine automatically whenever the machine starts
Do forensics during non-business hours or when heavy hard drive activity is expected anyway (e.g., antivirus scans)
Be extra careful when targeting a laptop for investigation: prolonged hard drive activity can look suspicious
A high-speed network connection is better than a slow WAN.
Covert Collection Avoidance Techniques
Review Task Manager periodically for increased and persistent hard drive activity at odd times
Identify and stop the remote agent’s system process
Enable blocking of inbound connections in a personal firewall (to block the agent’s tool)
Be alert to the performance degradation noticeable while a large file is being copied over the network
Computer Forensics Certifications
EnCase Certified Examiner (EnCE)
Certified Computer Forensic Technician (CCFT)
Certified Computer Forensic Examiner (CFCE)
GIAC Certified Forensics Analyst (GCFA)
AccessData Certified Examiner (ACE)
Certified Computer Examiner (CCE)
Introductory Course: Topics
1. Computer Forensics and Investigation as a Profession
2. Understanding Computing Investigations
3. The Investigator's Office and Laboratory
4. Processing Crime and Incident Scenes
5. Computer Forensics Tools Concepts
6. Computer Forensics Analysis and Validation
7. Acquiring Digital Evidence
8. Searching for and Bookmarking Data
9. File Signature and Hash Analysis
10. Creating Reports for High-Tech Investigations
11. Expert Testimony in High-Tech Investigations
12. Ethics for the Expert Witness
Source: Bill Nelson, Amelia Phillips, Frank Enfinger
Pre-Requisites for Study
Students must have senior standing
Pre-requisite courses by majors include:
Computer Information Systems - information architecture,
common business applications, and organizational context of computer-based information systems.
Criminal Justice - methodologies and techniques
appropriate for application in criminal justice environments
Accounting - Accounting Information Systems including
internal controls and tools.
Pre-requisite focus - understanding of the types of digital evidence and how computers work
Computer Forensic Software: EnCase
EnCase® Forensic - makes an image of a hard drive in the forensically prudent EnCase evidence file format; the de facto standard application for computer forensics
Used in the proposed course
EnCase® Enterprise – for remote investigation of internal and
external threats from a central console
EnCase Data Audit & Policy Enforcement - search for
information on the laptops, desktops, file servers, and email servers … from a central location
EnCase Cybersecurity - for national information security policy
(identifying/responding to threats, remediating malware).
EnCase® eDiscovery - a pocket-sized kit to search and collect
electronically stored information across the network.
Practicing EnCase Forensic
Hands-on Practicum with EnCase
Understanding of Case Management, EnCase Forensics
software, and evidence file structure
Team project
Depending on major, emphasis on different phases
Information systems - emphasis on identification, preservation,
and collection of data of various types from various devices.
Accounting - emphasis on data collection, examination, and
analysis.
Criminal Justice - emphasis on data analysis, presentation, and
decision.
Computer Forensics case study in the context of a Hands-on Practicum with EnCase
Viewing FAT Entries
Navigating EnCase
Maintaining Data Integrity
Searching for Data; Bookmarking the Results
File Signature Analysis
Windows Artifacts Recovery
Partition Recovery
Email and Registry Examination
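As an added illustration of two of the practicum exercises above (maintaining data integrity and file signature analysis), here is a small Python script that is not part of the original presentation or of EnCase: it re-hashes an acquired image against the SHA-256 value recorded at acquisition and flags files whose extension disagrees with their leading magic bytes. The signature table and the sample files are constructed for the example.

```python
import hashlib
from typing import Dict, Optional

# Constructed magic-byte table: a small subset of what a forensic suite ships.
SIGNATURES: Dict[bytes, str] = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
}

def sha256_hex(data: bytes) -> str:
    """Hash an acquired image (or any evidence blob) with SHA-256."""
    return hashlib.sha256(data).hexdigest()

def verify_integrity(data: bytes, recorded_hash: str) -> bool:
    """Re-hash the image and compare with the hash recorded at acquisition;
    any mismatch means the evidence can no longer be trusted."""
    return sha256_hex(data) == recorded_hash.lower()

def detect_type(data: bytes) -> Optional[str]:
    """Return the extension implied by the leading magic bytes, or None."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None

def signature_analysis(files: Dict[str, bytes]) -> Dict[str, str]:
    """Classify each file as 'match', 'mismatch' (extension disagrees with
    the signature, a classic way of hiding data) or 'unknown'."""
    verdicts: Dict[str, str] = {}
    for name, content in files.items():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        detected = detect_type(content)
        if detected is None:
            verdicts[name] = "unknown"
        elif detected == ext or (detected == "jpg" and ext == "jpeg"):
            verdicts[name] = "match"
        else:
            verdicts[name] = "mismatch"
    return verdicts

# Constructed sample evidence: the JPEG renamed to .txt is the one to catch.
SAMPLE_FILES: Dict[str, bytes] = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "notes.txt": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "report.pdf": b"%PDF-1.4\n",
    "readme.txt": b"plain text",
}
```

Running `signature_analysis(SAMPLE_FILES)` reports `notes.txt` as a mismatch, which is the kind of hit EnCase's signature analysis surfaces for review.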
Forensics Lab vs. Open Access Lab
Dedicated Computer Forensics Lab with support of
technical assistants (desirable, not required)
Online remote dedicated Computer Forensics Lab (goal)
Common-use Open Access Labs on campus (sufficient)
Computers are shared between forensics studies and other
courses and applications that use internal disk drives
Information Assurance and privacy concerns
Students can recover information previously deleted by other users.
Prevent access to the hard drive as a target of investigation
Online/Hybrid/In-Class Learning
E-Learning of Information Security and preparation for certification exams (like Certified Information Systems Security Professional [CISSP®]) is common practice.
American InterContinental University - Bachelor of Information
Technology (BIT) with a concentration in Computer Forensics.
Champlain College - BS in Computer and Digital Forensics
Other major online universities
University of Phoenix, Liberty University, DeVry University's Keller Graduate School of Management, Strayer University Online, etc.
A limited demo version of EnCase Forensic is included in some professional training books
Works only with the evidence file included on the CD; it is prevented from accessing any other media
Opens two opportunities: practicing EnCase at home and shifting
Encryption for Online Studies
TrueCrypt (http://www.truecrypt.org/)
Powerful open-source encryption software for Windows Vista/XP, Mac OS X, and Linux
Encrypts a partition or an entire storage device (hard disk)
Mobile data protection - USB flash drive
Plausible deniability for a user using a hidden volume
Presence cannot be easily detected
Data cannot be distinguished from random residual data
Used to secure information transmitted in online studies
Password/encryption cracking to reveal intentionally hidden information (with EnCase)
A student can originate an attack on a computer; typical methods are
Skills, Tutorials, Teamwork
Emphasis on skills using Computer Forensics software
Online instruction is well suited to teaching Computer Forensics skills
Extensive online EnCase tutorials reduce the need for F2F instruction
Hybrid learning - best option
Teamwork vs. Individual work
Teamwork in a dedicated Forensic Lab with F2F instructions
Individual work in e-learning with no dedicated Forensic Lab
Challenges of Teaching Course Online
Instructional technical challenges
Responding to students’ creativity
Inappropriate use of the software by students
Multi-disciplinary audience
Dissemination of controlled knowledge and software
Risks of privacy and information security violations
Risks of instructor’s liability
Is the target computer permitted for computer investigation?
Do online participants impersonate a legitimate student?
Compliance with Laws and Regulations
Development of Computer Forensics Course Using EnCase