Why should we be teaching Linux Forensics?
Paul Stephens


Page 2: Harmonisation of Computer Forensics Investigation Training

Page 3: Participants Include

Page 4: AGIS Courses Developed

Page 5: ISEC Developments (2008-2011)
Vista Forensics

Page 6: Linux as a Forensic Tool
Initially run as a one week course
Following evaluations:
  Basics [online] – Week One
  Forensic Features and Tools – Week Two
Currently being updated by a team of five

Page 7: Advanced Scripting
Currently in development
One week course to be run at Microsoft Copenhagen!

Page 8: Other Linux Forensics Courses
GNU/Linux Forensics
Data Recovery & Analysis
ICT and Forensic Investigation
Digital Forensics

Page 9: Why should we be teaching Linux Forensics?

Page 10: Why should we be teaching Linux Forensics?
Scripting will allow investigators to carry out:
  Large scale investigations on unusual data sets
  Automation for routine tasks
  Integration of various standalone tools into one process
Will also equip the investigator with advanced knowledge beyond pre-provided software functionality
Projects
Open Source

Page 11: Some of the Linux Forensic Tools
LibEWF
dcfldd and rdd
The Sleuth Kit
Autopsy Forensic Browser/PTK
ophcrack
QEMU
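Page 10 argues for scripting that automates routine tasks and chains standalone tools into one process, and page 11 lists The Sleuth Kit; the following added example (not from the slides or the course material) shows both on one case: a Python script that turns Sleuth Kit bodyfile output into a sorted macb timeline, the routine step that mactime performs. It assumes the TSK 3.x bodyfile layout written by `fls -m`, and the sample lines are constructed.

```python
"""Timeline from Sleuth Kit bodyfile lines (added example, not course code).

Assumed input: the TSK 3.x bodyfile that `fls -r -m / image.dd` writes, one
line per file, MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime,
timestamps in epoch seconds. This does the routine part of mactime's job:
sort every timestamp and tag each event with the m/a/c/b kinds it carries.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample bodyfile lines (not captured from a real image).
SAMPLE_BODYFILE = """\
0|/etc/passwd|1234|r/rrw-r--r--|0|0|2048|1200000000|1199990000|1199990000|1199990000
0|/home/alice/notes.txt|5678|r/rrw-------|1000|1000|512|1200000300|1200000300|1200000300|1200000100
0|/tmp/.hidden|9012|r/rrwxr-xr-x|1000|1000|8192|1200000400|1200000400|1200000400|1200000400
"""

def parse_bodyfile(text):
    """Yield one dict per well-formed line; skip comments and short lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) < 11:
            continue  # truncated line or not bodyfile output
        yield {"name": fields[1], "inode": fields[2], "size": int(fields[6]),
               "a": int(fields[7]), "m": int(fields[8]),
               "c": int(fields[9]), "b": int(fields[10])}

def build_timeline(text):
    """Return [(epoch, 'macb'-style flags, name)] sorted by time, then name.
    Coinciding m/c/b stamps collapse to one 'm.cb' event, so a later
    access-only touch stands out as its own '.a..' line."""
    events = defaultdict(set)
    for entry in parse_bodyfile(text):
        for flag in "macb":
            events[(entry[flag], entry["name"])].add(flag)
    return [(ts, "".join(f if f in flags else "." for f in "macb"), name)
            for (ts, name), flags in sorted(events.items())]

def format_timeline(text):
    """Render mactime-like 'YYYY-MM-DD HH:MM:SS macb name' rows (UTC)."""
    return [f"{datetime.fromtimestamp(ts, timezone.utc):%Y-%m-%d %H:%M:%S} {flags} {name}"
            for ts, flags, name in build_timeline(text)]

if __name__ == "__main__":
    print("\n".join(format_timeline(SAMPLE_BODYFILE)))
```

On a real image, pipe `fls -r -m / image.dd` into a file and pass its contents to `build_timeline`; the same function then scales to the large data sets the slide mentions because it only keeps one set of flags per (timestamp, name) pair.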

Page 12: CCCU Forensic Lab Setup
Two PCs:
  Normal PC
    Internet connection
  ‘HazardNET’ PC
    Students have BIOS/Administrator control
    Network linked to Windows server running RIS and Linux SSH/SFTP server

Page 13: Teaching Materials (Basics)
Linux
  http://www.ss64.com/bash/
  http://linuxcommand.org/
Linux Forensics
  http://www.linuxleo.com/
Disk Images and other cool stuff
  http://www.honeynet.org/
Distributions
  Debian/Ubuntu?
  http://www.e-fense.com/helix/
  http://www.lnx4n6.be/

Page 14: Development of Teaching Materials
Download other people's evidence files
Create the test images/network dumps/etc. yourself
  Takes a loooooooooooooooong time
Get someone else to create resources
  Spec what you want and set it for your current students as an assessment/project
  Report/presentation on the task

Page 15: Some Current Projects
AGIS/ISEC course developments
Analysis of the accuracy and usefulness of Linux Tools
Usability analysis of Autopsy/PTK
Presentation of computer-based evidence in an electronic format (MOD)
A triage toolkit for divisional examiners (Essex)
Using virtual technology in the presentation of digital evidence (Trading Standards)

Page 16: 3rd Annual International Conference on Cybercrime Forensics Education and Training - CFET 2009
First Announcement and Call for Papers

The conference will take place in the Powell Building at the North Holmes Road campus of Canterbury Christ Church University on 1st and 2nd September 2009. The conference invites papers, practical workshop proposals, and poster presentations including the following:
  Development of cybercrime forensics as a new discipline
  Hacking detection and prevention
  Viruses and antivirus software
  Commercial training in cybercrime forensics
  Supporting police investigations
  Defining educational programmes and their objectives
  Ethical, professional and legal issues
  New software tools for cybercrime forensics
  International cooperation to develop standards
  Career pathways in cybercrime forensics
  Network and mobile communication technologies
  Cooperation of commercial and academic partners
  Case studies in cybercrime forensics

Deadline for papers: 1st May 2009. Please contact Denis Edgar-Nevill [[email protected]] for details.

Page 17: Cybercrime Forensics SG
The Aim of the new SG is:
“Promoting Cybercrime Forensics and the use of Cybercrime Forensics; of relevance to computing professionals, lawyers, law enforcement officers, academics and those interested in the use of Cybercrime Forensics and the need to address cybercrime for the benefit of those Groups and of the wider public.”

Page 18: Cybercrime Forensics SG
The interim committee:
  Denis Edgar-Nevill, HoD Computing, Canterbury Christ Church University - Chair
  Alastair Irons, HoD Computing, University Sunderland - Vice Chair
  Dr Abhaya Induruwa, Canterbury Christ Church University - Treasurer
  Paul Stephens, Canterbury Christ Church University - Membership Secretary
  Dr Richard Overill, Kings College London
  Dr James Uhomoibhi, University of Ulster
  Dr Bernd Carsten Stahl, DeMontfort University
  Professor Margaret Ross MBE, Southampton Solent University
  Geoff Staples, Southampton Solent University
  Dr Liz Bacon, HoD Computing, University of Greenwich

Page 19: Cybercrime Forensics SG
INAUGURAL MEETING
The SG will formally come into being with its first meeting at Canterbury Christ Church University on Monday 15th December 2008 at 1400. The current President of the BCS, Rachel Burnett, will open the inaugural meeting. The event will include a keynote presentation on “Tackling the Criminal Use of Technology” by Chris Simpson, High Tech Crime Training Manager, NPIA. The event will be open to all.

Page 20: Questions?
[email protected]