
A Practical Guide to Teaching Digital Forensics


DESCRIPTION

A practical guide to teaching digital forensics in colleges, universities, and vendor-based training courses, written by Brett Shavers. Brett is an experienced digital forensics expert, instructor, and author of two books (Placing the Suspect Behind the Keyboard and The X-Ways Forensics Practitioner's Guide). Brett regularly teaches digital forensics topics at conferences, at colleges, and for private vendors.


Page 1: A Practical Guide to Teaching Digital Forensics

Brett Shavers © 2013 Teaching Digital Forensics

Page 1 of 35


Table of Contents

Introduction (page 3)
Chapter 1 – The Goals and Objectives of Your Course (page 4)
    Type of Program (page 4)
    Your students (page 5)
    Topic of Instruction (page 6)
Chapter 2 – Your Digital Forensics Lab (page 9)
    Hardware Needs (page 9)
    Software Needs (page 10)
Chapter 3 – The Curriculum (page 16)
    Textbooks (page 18)
    Reference Materials (page 19)
Chapter 4 – Course Delivery (page 22)
    Classroom Lecture (page 22)
    Online Lecture (page 23)
    Guest Speakers (page 23)
Chapter 5 – Practical Exercises (page 24)
    Rules of Going Hands-on (page 24)
    Practice and Test Evidence (page 24)
Chapter 6 – Conclusion (page 30)
Appendix I – Curriculums (page 31)
Appendix II – Software Comparisons (page 33)
Appendix III – Test Data Sets (page 34)


Introduction

This guide describes how to teach digital forensics in the classroom. I wrote it to give instructors and professors an easy way to read up on the subject and get started teaching. It offers enough practical advice and information to be applied from high school through university as well as to intensive training courses. Rather than piling on statistics and surveys, it gets down to the nuts and bolts of creating a digital forensics program.

I wrote this guide based on more than a few years of teaching digital forensics at a university, at a community college, for hire by private vendors, and for hire by companies wanting to design training for and teach their internal digital forensics staff. I also draw on presenting at numerous digital forensics conferences, including arranging one as project manager. Just as important, much of this guide is based on my experience as a student of more than two dozen forensic courses across the country and at several colleges over the past decade. I do not claim this is the only way to teach, but it is certainly one way, based on personal and professional experience. As with anything, your mileage may vary depending upon your situation and needs.

As those who have created teaching programs in this field will tell you, there are no hard and fast rules to follow, other than sticking to a budget and filling the seats. Many instructors[1] at colleges and universities are adjuncts who work in the digital forensics field and have been asked to create and teach a digital forensics program. Some of these practitioners may not even have a college degree, but they have expertise gained over years of practice. Full-time college instructors may primarily teach subjects other than digital forensics (such as computer science or information technology) and may never have worked in the digital forensics field. Both types of instructor are capable of providing quality instruction.

One thing this booklet does not provide is a digital forensics program outline. There are too many variables to consider to provide a course in digital forensics that fits everyone's needs. What it does give you is what you need to set up a program that fits your needs. That is the objective of this eBook: to get your program up and running quickly with a system that works.

[1] I use the term “instructors” as a generic description of teacher, professor, or instructor without regard to the person's educational background or job description.


Chapter 1 – The Goals and Objectives of Your Course

The starting place for any project is knowing your goals and objectives. I will cover several different types of programs and include methods you can use in each, but only you know what you need for your individual program. I recommend looking at everyone else's digital forensics programs, but use them as ideas or guides, not absolutes. As I mentioned, everyone has different needs, so make the program yours.

Type of Program

Since your program may differ from someone else's, expect your needs to differ as well. Some of the many types of programs you may be involved in are listed below.

College/University level
- Associate's/Bachelor's/Graduate programs
- Continuing education programs
- Special coursework within another program (criminal justice, etc.)

Intensive Courses
- Short courses in specific subjects (1 day to several days)

Vendor-based Courses
- Software-focused training using one specific software product

Online Courses
- A combination of any of the above

Although each type of course may have a comparable number of instruction hours, the organization of those hours will differ. A college-level continuing education program may spread 30 hours of instruction over months, whereas an intensive course of 30 hours may be completed within a week. The same number of hours does not mean the same manner of instruction and testing. Because of the difference in scheduling (1 hour per week for months compared to 8 hours per day for a week), the organization of topics will also differ. A college-level course can afford to spend more time on lecture and less on hands-on work for the sole reason that students can be given out-of-class assignments on a weekly basis. An intensive course does not have the luxury of months of homework assignments.

Program type | Schedule | Hours per class | Time outside class
College/University level | Daily or weekly classes | 1-4 hours per class | More time for study, research, homework
Intensive Courses | Daily classes | 6+ hours per class | Less time for study, research, homework
Vendor-based Courses | Daily classes | 6+ hours per class | Less time for study, research, homework
Online Courses | Self-paced | Self-paced | More time for study, research, homework

In each of these situations, you will need to decide which topics to focus on in class and which topics students will study and practice outside of class. As you can see, the time available varies greatly.


In theory, courses that allow more outside time for research and assignments should result in a better understanding of the material. However, this depends on you assigning worthwhile homework and ensuring the students actually do the work.

Course Restrictions

Each of these programs has its own restrictions and requirements. Restrictions can include the use of specific software and hardware, required textbooks, the length of each instruction period and of the entire course, and a focus on specific content. A vendor-based course will typically use only the vendor's software for the entire course, whereas another course may use a potpourri of software. An intensive course may not provide any legal training, whereas legal training may be mandatory for a college-level course. All programs are restricted by a budget; whether it is small or large, there is always a limit on expenditures. No matter the budget, you have to make do with what you have unless you can increase it.

Your students

The type of student is a major factor in your goals and objectives, and it covers perhaps the widest range of possibilities and unknowns in any program. Are there prerequisites for your program? Are the experience and training similar across all your students? If you don't know where your students are coming from, you will have such a diverse range of abilities that some will not be able to keep up while others are held back.

Preferably, you have some control over entry into your program by ensuring students meet any necessary prerequisites. In a digital forensics program, it makes little sense to admit students who have no computer education, training, experience, or ability. At a minimum, students must already be capable of installing and uninstalling programs and of identifying computer components. Any student unable to do at least this will require time spent teaching the basics of computer operation. Unless the program includes computer troubleshooting (A+, for example), make basic computer skills a requirement.

Frustration Saver

Have clear prerequisites for entry into the program. You will be happier that the class moves along at the same pace, and your students will be happier that they are neither left behind nor held back.


Another factor is your students' work or academic background. Is your class primarily IT students or law enforcement investigators? With a mix of IT and law enforcement, each group will find the material covering the other's specialty (computer technology or legal issues) redundant. A law-enforcement-only program requires only minimal time on evidence handling and chain of custody, while an IT-only program requires only minimal time on computer troubleshooting. There are exceptions, but those with both a legal and a computing professional background are rare.

Students | Positives | Negatives
Law Enforcement/Legal Professionals | Usually well versed in evidence and legal procedures. Experienced in enforcing laws, testifying, writing reports. | Minimal, if any, experience or training in computer systems.
IT Professionals/IT Students | Knowledgeable in computer systems, computer programming, troubleshooting. | Minimal, if any, experience in the legal field.
Non-IT and Non-Legal Students | NA | Lacking in both legal and computer skills.

Topic of Instruction

Lastly, the focus of instruction affects your program. Digital forensics covers a lot of ground; in fact, it overlaps with other areas such as electronic discovery and incident response. Within each of these areas there are countless sub-topics. Within digital forensics, complete courses can be given on each operating system (Windows, Mac, Linux) and on each type of electronic storage device, from a computer workstation to a smartphone. Incident response ranges from intrusion analysis to reverse engineering of malware. Even a single specific of a digital forensics exam, such as registry forensics or Internet forensics, can fill days of instruction.

The following figure shows how scope creep in designing your course can become overwhelming without a clear goal and objective. In marketing your program, you (or your employer) should clearly state the goals of the training to potential students. Unrealistically promising to teach everything about digital forensics in a short period will frustrate your students once they see the real scope of the field.


Figure 1: Overlapping topics in the field of forensics/e-discovery/security, and overlapping topics within digital forensics. Choose wisely or you may never accomplish your course objectives.

The type of program you teach may make it easy to determine what you teach. In a vendor-based program, you may be teaching only the operation of a software product. In an intensive course, you may be teaching a specific topic such as registry forensics. If you are given latitude in creating a program, you will need to weigh each of the factors above to decide which topics to incorporate. Since the field of digital forensics grows with every new discovery and method of analysis, there is no shortage of topics or specialty courses to develop.

Possible topics include:

- Forensic imaging, registry forensics, Internet forensics, data carving
- Malware analysis, log files, cryptography, data hiding
- File system analysis, network forensics, cloud forensics, chat forensics
- P2P forensics, GPS forensics, Windows forensics, Mac forensics
- Linux forensics, iPad/iPhone forensics, database forensics, timelines
- Reverse engineering, testimony, anti-forensics, memory forensics
- USB forensics, virtualization forensics, time stamp forensics, and more


With regard to topics, it may be easier to break your program into one of three levels: basic, intermediate, and advanced. From there, tailor your topics to fit the time allowed, the budget given, and the students attending. The days when a 5-day computer forensics course met the needs of training a new forensic examiner are gone. Today, forensic examiners specialize in one or more areas within the field rather than being a generalized ‘computer forensics examiner’. An entire career can be spent solely on smartphone forensics without ever having the opportunity to know everything about smartphones.

In summary, to design your program you need to know your:

- Type of program and budget
- Type of students and their ability/education/experience
- Focus of instruction

Digital forensics offers a wealth of topics to teach, but you have to tailor them to the needs of your program within your budget and time allowed, while accounting for the existing skills of your students.


Chapter 2 – Your Digital Forensics Lab

In a digital forensics program, you need computers. Slideshow presentations and lecture only go so far without computers for hands-on practice. However, you do not need the latest and greatest, fastest and most powerful workstations. You just need reliable computers, one per student, whether laptop or desktop. Requiring students to bring their own systems invites time spent on troubleshooting: virus issues, malfunctioning USB ports, Internet connectivity problems, and software conflicts.

The basic system should have at least one USB port, a CD/DVD drive, and enough RAM to run the applications needed for the course. Faster systems help with processing data during class, which saves time. Older computers with slower processors restrict how much processing can be done in class and may have trouble running processor-intensive applications.

Internet connectivity will also be important, as students will need to download software. Access to a shared drive or network lets you stage software for student access. In the best case, your school or the company providing the training will have a classroom configured with one computer per student, Internet and network access preconfigured, and identical software installations throughout. Having a spare system to swap in for a failing one is better than troubleshooting a computer during class; it will save you more time than you can imagine. Whether you choose Windows, Mac, or Linux as the operating system depends on your goals and budget. Regardless of the choice, every student should use the same OS and the same version of it to minimize issues during the course.

The goal for your forensic lab is not to spend time ‘running’ the lab but to have computers that run the forensic applications without issue. Broken or defective items, including entire workstations, can be set aside as long as a student can be handed a replacement. A digital forensics course is not typically a computer troubleshooting course; troubleshooting should be a prerequisite for students.

Hardware Needs

Hardware other than the computer system itself consists of adaptors, connectors, cables, write-blockers, and imaging devices. These items add substantially to the cost of a program, especially if every student is expected to have their own set. They also increase the odds of equipment failure, lost items, and, unfortunately, stolen items. Some instructors choose to play ‘pretend’ with students to avoid handing out expensive hardware. Playing pretend, as in “pretend you are using a write blocker”, is perhaps the worst training to give anyone, as it will lead to mistakes in the field. There are alternatives to playing pretend when you don't have everything you need.

Whenever you might consider playing pretend, it is better to come up with an alternative. For example, a lack of write-blocking devices does not mean students cannot image hard drives. Using forensic boot discs, such as a Linux forensics boot disc (DEFT[2], etc.) or a Windows forensics boot disc (WinFE[3]), students can create valid forensic images by valid means, because the boot environment is configured not to mount or write to the attached drives. It is obviously necessary to show students physical write-blocking hardware and let them experiment with it; however, for homework and in-class assignments, the forensic boot disc is just as valid a training tool and practical method.
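As an added example (not from the guide), the shell script below shows what the student actually does behind the boot disc or write blocker: acquire a raw image with dd and prove the copy by hashing source and image. The device path, image path and hash file name are assumptions; dd and sha256sum are the standard GNU/Linux utilities found on boot discs such as DEFT and CAINE.

```shell
#!/bin/sh
# Added example (not from the guide): acquire a raw image with dd and
# verify it by hashing. Paths are assumptions. For a physical disk, run
# as root against the device node (for example /dev/sdb) behind a
# hardware write blocker, or from a boot disc that mounts nothing and
# has marked the device read-only with `blockdev --setro /dev/sdb`.

# image_and_verify SOURCE IMAGE
# Copies SOURCE to IMAGE sector by sector, hashes both, records the image
# hash in IMAGE.sha256 and returns 1 if the two hashes differ.
image_and_verify() {
    src="$1"
    img="$2"
    # bs=512 matches the sector size, so conv=sync only zero-pads a block
    # that actually failed to read; a larger bs would pad the tail of the
    # disk and the hashes would never match. conv=noerror keeps going past
    # unreadable sectors instead of aborting the acquisition.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 2
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    # Record the image hash next to the image for later verification.
    printf '%s  %s\n' "$img_hash" "$(basename "$img")" > "$img.sha256"
    if [ "$src_hash" = "$img_hash" ]; then
        echo "acquired $img sha256=$img_hash"
        return 0
    fi
    echo "HASH MISMATCH source=$src_hash image=$img_hash (unreadable sectors, or the source changed during imaging)" >&2
    return 1
}

# verify_image IMAGE
# Recomputes the image hash and compares it with the value recorded at
# acquisition; succeeds only if the image is unchanged.
verify_image() {
    img="$1"
    recorded=$(cut -d' ' -f1 "$img.sha256")
    current=$(sha256sum "$img" | cut -d' ' -f1)
    [ "$recorded" = "$current" ]
}
```

The check a practitioner wants is the second function: record the hash when the image is made and recompute it before every exercise, so an image a student accidentally wrote to, or a dd run that padded unreadable sectors, is caught before the analysis starts rather than in the report.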

Software Needs

Software is one of the main sources of conflict in digital forensics programs for the sole reason of cost. Commercial digital forensics applications range from a few dollars to several thousand dollars per license. Worse still, most of the expensive commercial applications are not intuitive and require hours of instruction in basic operation. To make things even more difficult, most of these applications tie their license to a software protection device, or dongle, so that the software only functions while the dongle is plugged into the computer's USB port. Losing a dongle typically means paying the full cost of the software again. It is easy to see that in a class of twenty students, one forensic application can cost upwards of $50,000 for the class, and that is just one application.

As mentioned, many commercial forensic suites are not intuitive. Also, since these suites provide dozens or hundreds of specific functions, the time needed to teach the software before you can teach forensics can be an issue. One solution is to use narrowly focused software to accomplish specific tasks. Usually, the smaller tools are more intuitive simply because they have fewer options. An example of overkill with a forensic suite would be using a commercial tool such as EnCase or X-Ways to examine the Windows registry when something like RegRipper[4] may accomplish the task. The price, ease of use, and speed of results of a smaller, narrowly focused application may make it the best choice and avoid an unnecessary software purchase.

[2] DEFT http://www.deftlinux.net/
[3] WinFE http://winfe.wordpress.com
[4] RegRipper http://code.google.com/p/regripper/


Figure 2: X-Ways Forensics, a complete forensic suite application

For a vendor-based program, software is not usually an issue, as the vendor is typically the software developer. In this instance, you may use only that one product in the course and have no need (or permission) to teach with any other tool.

Another consideration in selecting software is that no single forensic application will accomplish every task you need. Most times you will need another application. And another. And another. This is where you need to be the most creative and resourceful. There is no need to purchase every application for every student, especially since, in most instances, the software may only be needed to demonstrate a single point.

Students may also bring their own software to class, especially if they already work in the digital forensics field. Although this may sound cost-effective, it will be a detriment to your course. All students should use the same software so the lecture matches the practical exercises. This keeps the entire class moving at the same speed, on the same tasks, with the same tools.


Less Expensive Solutions

In the real world of digital forensics, budgets exist in every office just as they do in the classroom. To meet needs beyond the budget, free and open source software (FOSS) is the solution. FOSS is available to anyone, freely, to use, copy, study, and improve. Demo versions of programs are also helpful in the classroom. A demo is usually a time-restricted or feature-limited version of a commercial program. For demonstrating a point and giving students hands-on experience, demo programs may work well. They also let students try a program and decide whether it is something they would consider purchasing or asking their employer to purchase. For the instructor, demo versions and FOSS are great ways to avoid purchasing expensive software for training.

Figure 3: FOSS example, RegRipper, a registry analysis tool

Examples of free and open source software that can benefit a program are given in the following table. Keep in mind that since these tools are free, each one reduces the need to purchase commercial tools for the classroom. With reasonable planning, one commercial application (an entire forensic suite) can be purchased with FOSS tools filling any gaps in its functionality. Or, an entire program can be taught using FOSS tools at no cost in commercial licenses. This is completely up to you, unless you are teaching a vendor-based course. Practically speaking, any software that works, works.


Software | Purpose
FTK Imager (http://www.accessdata.com) | Forensic imaging
Guymager (http://guymager.sourceforge.net/) | Forensic imaging
EnCase Forensic Imager (http://www.guidancesoftware.com) | Forensic imaging
ArcPST | Email analysis
Gmail Parser (http://www.woanware.co.uk/) | Email analysis
DEFT (http://www.deftlinux.net/) | Forensic boot disc with many forensic utilities
CAINE (http://www.caine-live.net/) | Forensic boot disc with many forensic utilities
analyzeMFT (https://github.com/dkovar/analyzeMFT) | Parses MFT records
Encryption Analyzer (http://www.lostpassword.com/) | Finds and reports encryption complexity
Digital Forensics Framework (http://www.digital-forensic.org/) | Suite of forensic tools
SANS SIFT (http://computer-forensics.sans.org/) | Suite of forensic tools

Free and open source software solutions. Note that FTK Imager, EnCase Forensic Imager, and Encryption Analyzer are free to use but are not open source.

To counter arguments about the validity of FOSS tools, Brian Carrier has a terrific paper at http://www.digital-evidence.org/papers/opensrc_legal.pdf that addresses legal concerns such as the court admissibility of evidence obtained using FOSS tools.

A good listing of forensic software applications can be found at:
https://en.wikipedia.org/wiki/List_of_digital_forensics_tools

Lists of FOSS-specific software can be found at:
http://forensiccontrol.com/resources/free-software/
http://www2.opensourceforensics.org

Functional Needs of Software

When purchasing forensic software, it is imperative to know its functions in order to determine whether it fits the needs of your class. A full forensic suite will accomplish the majority of a basic forensic exam. Applications such as EnCase[5], FTK[6], and X-Ways Forensics[7] fill this need as all-in-one tools. Software that fulfills one specific need usually does only one or a few tasks and will not be able to conduct a basic forensic exam on its own.

[5] EnCase http://www.guidancesoftware.com

Applications such as Paraben Device Seizure[8] only fulfill needs for mobile devices, not computers. If your program focuses solely on registry forensics, there are several commercial and FOSS tools developed specifically for the task, such as RegRipper. Purchasing specific tools reduces your overall expenses. These smaller toolsets also reduce the time required to present a topic, mostly because of their ease of use. RegRipper, as one example, has fewer than a handful of features (buttons), whereas EnCase Forensic has dozens upon dozens of buttons, right-click and left-click functions, and multiple dropdown menus.

Tip

For educational institutions, it never hurts to ask a developer for discounts, limited trials, demonstration licenses, or specials for your students.

An important note on software: do not focus too much on the software itself. It is more important to focus on the data and its analysis, with the software as a means to that end. Teaching students about electronic data and evidence is the goal, and there are many avenues to it, from examining the binary values of the data to using push-button graphical user interface (GUI) tools. Students who understand digital forensics can use several methods to reach the electronic data. Students who only understand a forensic software tool will face obstacles when that tool is ineffective for their task.

Virtualization in the Classroom

Virtual machines are a time saver. They are a great teaching tool. They are inexpensive. They should be part of nearly every digital forensics course. A virtual machine is an operating system that runs as a guest inside a software application on a host machine. The guest can be nearly any operating system, and so can the host.

[6] FTK http://www.accessdata.com
[7] X-Ways Forensics http://www.x-ways.net
[8] Paraben Device Seizure http://www.paraben-forensics.com


Virtual machine software includes both commercial and FOSS products, such as VMware[9] and VirtualBox[10]. Either allows an installed operating system to run as if it were its own physical machine. The benefits are many: testing theories, forensic analysis practice, imaging practice, and learning about an operating system through a virtual machine. A virtual machine can be cloned and distributed to each student so that everyone has the exact same operating system and software for classroom exercises and demonstrations. Virtual machines reduce the time needed to install an operating system, rebuild a system, and teach concepts related to specific types of operating systems.

More information on virtual machines in forensics, including the analysis of a virtual machine, can be found at http://www.forensicfocus.com/downloads/virtual-machines-forensics-analysis.pdf.

Figure 4: A Windows OS guest virtual machine running on a Windows OS host
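As an added example (not from the guide), the script below automates the cloning described above for VirtualBox using its own VBoxManage command line tool: the prepared golden guest is snapshotted so it stays untouched, then one registered clone is created per seat. The VM name, seat count and naming prefix are assumptions.

```shell
#!/bin/sh
# Added example (not from the guide): clone one prepared "golden" VirtualBox
# guest once per student so every seat starts from an identical system.
# The VM name, student count and name prefix are assumptions; VBoxManage is
# VirtualBox's own command-line tool.

# Command to run; set VBOXMANAGE=echo to dry-run without cloning anything.
VBOXMANAGE="${VBOXMANAGE:-VBoxManage}"

# clone_for_class GOLDEN_VM STUDENT_COUNT [PREFIX]
# Takes a snapshot of the golden VM so it is never modified by a student,
# then registers one clone of that snapshot per seat: PREFIX01, PREFIX02, ...
clone_for_class() {
    golden="$1"
    count="$2"
    prefix="${3:-student}"
    "$VBOXMANAGE" snapshot "$golden" take "classroom-base" || return 1
    i=1
    while [ "$i" -le "$count" ]; do
        name=$(student_vm_name "$prefix" "$i")
        "$VBOXMANAGE" clonevm "$golden" --snapshot "classroom-base" --name "$name" --register || return 1
        i=$((i + 1))
    done
}

# student_vm_name PREFIX INDEX
# The name clone_for_class gives seat INDEX (zero-padded to two digits).
student_vm_name() {
    printf '%s%02d' "$1" "$2"
}
```

Run `clone_for_class WinForensicsBase 20 seat` on the classroom host after the golden guest has all course software installed; running it once with VBOXMANAGE=echo first shows exactly what will be executed. Each clone still carries its own copy of the guest operating system, so keep the licensing of that guest in mind (see The EULAs below).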

The EULAs

Software licenses are just that: licenses. Each use requires the end user to accept the license agreement. Commercial licenses almost always prohibit copying, reverse engineering, sharing, or multiple installations of the software. This includes commercial operating system licenses. It is vital that you, as the instructor, do not violate any licensing agreement and that you reinforce its importance to the students. Violating a licensing agreement is risky business, professionally and financially, because the credibility of the future examiners (your students) is at stake with the use of pirated software or misuse of a license.

[9] VMware http://www.vmware.com
[10] VirtualBox http://www.virtualbox.org

Again, one way to avoid this risk is to use FOSS as much as possible. One point to make about FOSS is that just because the software is free does not mean it is not as good as a commercial product. There are more benefits to FOSS than cost; some FOSS tools can accomplish tasks that commercial tools cannot. Features change with each version of both commercial and FOSS tools, but generally, every task in digital forensics can be done with either.

Chapter 3 – The Curriculum

Like everything else covered so far, the curriculum is based on your goals and objectives. The curriculum should be flexible and allow for updates at any time. New software releases, developments and improvements in technology, and changes in case law affect the curriculum in real time, just as they affect the field of digital forensics in real time. Keep in mind that a digital forensics program is about teaching data analysis as it relates to cybercrime, security issues, and policy violations. Digital forensics does not occur in a vacuum, as the examiner/analyst needs to be aware of the objective of each examination. Data recovery by itself is only data recovery. Digital forensics involves the interpretation of data analysis. This is not always easy to teach in a classroom.

For a generalized digital forensics curriculum, the topics are typically the same between different programs (e.g., one college compared to another college). The time spent on each topic varies with the expertise of the instructor and the background skills of the students. The following figure is a simplified example of how student backgrounds drastically affect a curriculum.

Figure 5 Time to be spent on varied topics, based on the type of student


Depending upon the student, more or less time can be spent on each topic. Having a diverse mixture of student ability levels requires an almost equal amount of time to be spent on every topic. This most certainly results in students losing interest in the program if redundant material is covered in which they already have experience or education. If a system of prerequisites is maintained, this issue is avoided. Otherwise, be prepared for students to be frustrated at being behind in lecture or feeling held back in the program. As an example, teaching basic computer operating systems to IT professionals would be time better spent teaching legal concepts. Conversely, law enforcement students would not benefit as much from legal concepts as they would from computer technology topics.

Among the goals to determine for your program is meeting the expectations of the students. A continuing education program may be designed to increase the skills of current professionals in their job or prepare professionals for a new career in digital forensics. An intensive course may be designed to dive deep into a highly specialized sub-field of digital forensics in a short period of time for current digital forensics professionals. The goals of your program’s marketing should match the goals of your students.

Two examples of curriculum differences are:

Digital Forensics Fundamentals – 24 hours
- Overview of the digital forensics field
- Legal issues
- Evidence handling
- Report writing and testifying
- Types of electronic evidence
- Identification, preservation, and collection of data
- Types of electronic evidence (email, documents)
- Overview of forensic software and hardware

Windows Registry Analysis – 24 hours
- In-depth look at the Windows registry
- Decoding registry hives
- Searching for registry values
- Differences between Windows versions
- User activity analysis in the registry
- Malware analysis in the registry
- Password recovery/breaking
- USB data recovery

Two different courses, requiring the same number of hours, but depth and breadth are different.

Both of these examples encompass a 24-hour course. Students without any forensic education/experience would be best served in a fundamentals course, even though the course would not practically prepare the student to conduct a thorough examination. Your particular program depends on all the factors previously mentioned.

College/university degree programs will always have coursework (math, English, etc.) required to be awarded a degree which will not be required in non-higher-education programs. Intensive, vendor-based, and online courses will usually only have coursework specific to the program (only digital forensics related courses). One of the drawbacks to college/university level digital forensics programs is the limitation in course length imposed by the school calendar of either a quarter or semester session. As an example, a class in “law” might be taught for an entire quarter or semester while, practically, that much time may not be necessary.

Drawbacks to vendor-based or intensive courses include not having time to teach important topics such as legal issues and investigative methods. Students may learn the practical aspects of a forensic analysis, but not the legal considerations or case management needed for the work in the field.

Examples of different types of curriculum are in Appendix I of this booklet.

Textbooks

Ask any student what they do not like about school and purchasing textbooks ranks in the top ten. Mostly, this is due to the high cost of textbooks, instructors not using the textbooks for class when requiring students to purchase the textbooks, and textbooks being outdated. However, some books are usually needed, but which books?

The answer is, ‘it depends’. It depends on the course topic. In a program where the basics of digital forensics are presented over the course of a week or semester, books on specific topics such as “registry forensics” would not be reasonable. Courses on those specific topics, however, would benefit from these specialized books. Before requiring any books for your program, read the book. Figure out how the book will benefit your program, the target audience of the book, and its relevance. And make sure you use it in class; otherwise, your students will face the frustration of purchasing a book that was not needed or used.

The following is a list of some of the many books available, shown as examples of how general (fundamental) and specific topics can be chosen. There is certainly no shortage of books from which to choose, based mostly on personal preference and the goals of your program.

Book | Target

The Basics of Digital Forensics: The Primer for Getting Started in Digital Forensics by John Sammons (Mar 9, 2012) | Fundamentals
Digital Evidence and Computer Crime, Third Edition: Forensic Science, Computers, and the Internet by Eoghan Casey BS MA (May 4, 2011) | Fundamentals
Digital Forensics Processing and Procedures: Meeting the Requirements of ISO 17020, ISO 17025, ISO 27001 and Best by David Watson and Andrew Jones (Sep 24, 2013) | Fundamentals
E-Discovery: An Introduction to Digital Evidence (with DVD) by Amelia Phillips, Ronald Godfrey, Christopher Steuart and Christine Brown (Aug 7, 2013) | Fundamentals
Computer Forensics and Cyber Crime: An Introduction (3rd Edition) by Marjie T. Britz (May 26, 2013) | Fundamentals
Cybercrime by Gráinne Kirwan and Andrew Power (Jul 4, 2013) | Fundamentals
Computer Forensics: Cybercriminals, Laws, and Evidence by Marie-Helen Maras (Feb 1, 2011) | Fundamentals
Guide to Computer Forensics and Investigations by Bill Nelson, Amelia Phillips and Christopher Steuart (Sep 28, 2009) | Fundamentals
Crime Scene Investigation, Third Edition by Jacqueline T. Fish, Larry S. Miller, Michael C. Braswell and Edward W Wallace (Oct 9, 2013) | Fundamentals
Placing the Suspect Behind the Keyboard: Using Digital Forensics and Investigative Techniques to Identify Cybercrime... by Brett Shavers (Mar 12, 2013) | Investigation focused
X-Ways Forensics Practitioner's Guide by Brett Shavers and Eric Zimmerman (Aug 10, 2013) | Forensic tool focused
Digital Forensics with Open Source Tools by Cory Altheide and Harlan Carvey (Apr 28, 2011) | Forensic tool focused
EnCase Computer Forensics -- The Official EnCE: EnCase Certified Examiner Study Guide by Steve Bunting (Sep 11, 2012) | Forensic tool focused
Cloud Storage Forensics by Raymond Choo, Darren Quick and Ben Martini (Jan 5, 2014) | Specialty focused
Computer Incident Response and Forensics Team Management: Conducting a Successful Incident Response by Leighton Johnson (Dec 6, 2013) | Specialty focused
The Practice of Network Security Monitoring: Understanding Incident Detection and Response by Richard Bejtlich (Aug 2, 2013) | Specialty focused
System Forensics, Investigation And Response by Chuck Easttom (Aug 16, 2013) | Specialty focused
Malware Forensics Field Guide for Linux Systems: Digital Forensics Field Guides by Cameron H. Malin, Eoghan Casey and James M. Aquilina (Dec 29, 2013) | Specialty focused
Cryptography InfoSec Pro Guide (Beginner's Guide) by Sean-Philip Oriyano (Aug 16, 2013) | Specialty focused
Windows Forensic Analysis Toolkit, Third Edition: Advanced Analysis Techniques for Windows 7 by Harlan Carvey (Feb 10, 2012) | Specialty focused
Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry by Harlan Carvey (Feb 7, 2011) | Specialty focused

Reference Materials

Reference materials, many of which can supplement your textbooks, can be found online. Experts in the field of digital forensics, both academics and practitioners, continually write papers on every topic in the field. Many of these white papers are freely available, current, and relied upon by those in the field. In fact, many digital forensics books refer to these same white papers as their source of information.

Finding any of these papers is as easy as typing “search term” filetype:pdf into Google.com. For example, white papers published in PDF format online can be found by typing “registry forensics” filetype:pdf in Google. The results can be narrowed to any timeframe, such as within the past year or month, to make sure only the most current results are found.

An example of a search for “registry forensics”, in PDF format only, within the past year, is seen in the following graphic. Replacing “pdf” with “ppt” will find slideshow presentations, which may also be beneficial in your program planning for ideas on presentation formats and information.

Figure 6 Finding current and relevant references for coursework online

Determining the validity of any online digital forensics resource is no different from any other information found on the Internet. Information such as the publisher/author, peer reviewers, accuracy of information, and source must be evaluated before haphazardly relying upon any white paper.


Promote Your Students to Investigator

With every assignment, have your students understand they are the investigator in their assignment. They determine how best to handle evidence, analyze the data, and present the case. In effect, tell your students to ‘solve the case’. There is no better way to create a personally vested interest in homework (other than grades!).

An effective method of incorporating several aspects of digital forensic topics revolves around a continually evolving class or individual project. For example, by providing students with a real-life case example, the students can work the same case from beginning to end, throughout a single course or series of courses. A case example could be the students receiving a flash drive found on the street by a witness. As a search warrant is not needed (reinforced with legal coursework), the students can image the flash drive (after instruction in imaging) and begin an analysis. The data discovered on the flash drive can lead to information supporting a search warrant, seizure of a computer system, and analysis of the system. The entire process culminates with a report and courtroom testimony.

In this manner, the students can experience the process of developing probable cause, making inferences from data analysis, report writing, and case presentation. Students are required to handle ‘evidence’ as evidence, to include proper documentation and packaging. Simulated crime scenes may be approached by students to reinforce lectures. This type of integrated teaching method will help the students develop the inquisitive mindset that is needed in digital forensics and give the most practical hands-on experience in working a digital forensics examination. The drawback is the preparation of materials and the time needed to physically conduct the exercises in evidence seizure and crime scene investigation.


Chapter 4 – Course Delivery

Classroom Lecture

Lecturing on computer related topics is not easy on students. Merely talking about what happens to a deleted file or the Windows registry falls on deaf ears if the student does not have experience in seeing the data. Electronic data is abstract. It can’t be felt or held, only seen on a computer monitor using computer software. To ensure students understand the lecture, it is helpful to provide materials on their computers to manipulate. Unfortunately, as in any computer instruction course, it is difficult for students to stay on track for several reasons.

The speed of instruction is one issue. As the instructor, clicking through a program to demonstrate a point and requiring students to duplicate the clicks on their computers results in some students missing a step and quickly falling behind. By the time the student realizes that s/he is behind, catching up is impossible. Unless you wait until every student clicks together and stays together, you will have students being left behind and trying to catch up. In trying to catch up, they miss even more.

One solution is to demonstrate a single task from beginning to end, without the students following along on their computers. When finished, the students can replicate your task on their computers, at their own speed. Once each student resolves the task to the correct resolution, you know they did it right and you can move forward.

The Internet is another issue for students. While it is recommended to have Internet access for students to download needed software, it also causes a distraction with social media websites. Students who feel they are ahead may also feel they can surf the Internet during class. Again, by the time they realize important information was missed, they risk being left behind.

Other than telling students to focus in class, you may need to station an assistant in the back of the class to observe computer monitors. Of course, you can simply ignore the Internet surfing and let the grades handle the problem, but that would be a disservice to your instruction and program.

Visibility is very important! Digital forensics involves extreme attention to detail, indeed, binary detail. In a classroom, if the instructor’s desktop projection is not clear or is too small, students will not be able to see what is happening on your computer. Since most of the software applications used may be new to the students, they will also not be able to understand where you are clicking and pushing to begin with.

Suggesting that students with poorer vision sit up front is one solution. Another solution is having more screens or monitors placed throughout the room for the students not in the front of the room to see. With complicated demonstrations, creating a video capture of your screen that can be accessed later by students is very helpful as a review and confirmation of software operations.

Online Lecture

Online courses come in all types of formats. Some require the entire class to be online at the same time, others are self-paced, and some are a combination. Most issues with online courses are beyond your control. Your student may be watching television, playing a video game, reading a book, talking on the phone, or literally anything else other than paying attention to your class online. There may be household distractions, such as little children playing in the home.

One solution is making sure all materials are available for review by your students when they have time. Before work, after work, during lunch, or any time with fewer distractions will be beneficial for the online student. Online forums, podcasts, videos, and social networking sites can all be used to provide as much support to your students as needed. These can also be used in a lecture-based class by providing materials online for student references and classroom project collaboration.

Guest Speakers

Having a guest speaker does more than break up instruction for a change. A guest speaker can give additional insight and validate your information. In every major city, there are expert forensic analysts working at all levels of government and the private sector. Many of these analysts would enjoy speaking to students about a recent case, taking questions about the forensic field, and talking about their latest discovery in digital forensics. This can be particularly beneficial to your program if a noted expert is available for your class.

In summary, course delivery of a digital forensics program is not much different from the delivery of most other classes, either in the classroom or online. A few issues revolving around the specifics of keeping the class on the same steps during demonstrations need to be considered, but overall, you as the instructor must keep the class interest going while conveying the information.


Chapter 5 - Practical Exercises

Rules of Going Hands-on

I imagine that every student of digital forensics can’t wait to start imaging and analyzing hard drives in their class. I am also sure that nearly every forensic analyst student has imaged and examined their own hard drives at home for practice and curiosity. Going hands-on with forensics is a motivation to encourage, but also to help direct in order for students to benefit and learn. Haphazardly imaging and running forensic software on everything students can get their hands on without rhyme or reason isn’t productive.

An important piece of advice to give students regarding practice, even practice on their own, is to always practice as if it were real evidence. This means not accessing a hard drive without following the rules and principles of protecting the data from changes. This applies to using forensic software to examine test media. By always doing it the right way, the chances that mistakes will happen in real cases will be less.

Practice and Test Evidence

Providing test media for your students is not an easy task if you want to do it right. Creating test media is time intensive and requires extensive documentation. I’ll address several issues with taking shortcuts with test media as well as give guidance on designing test media that can be reused indefinitely.

First, the wrong way

Don’t use the classroom computers11 as practice. Don’t suggest that students use their employer’s computers either. Do not even use computers that may be publicly accessible, such as library computers. The most obvious reason not to use these systems is the risk of accessing and disclosing protected information which does not belong to the student. This information can be in the form of personal data, confidential data, passwords, financial data, and medical information. Even the risk of the ramifications of disclosed confidential data is not worth using these devices as test media.

Another source of media to avoid is that of used or recycled storage devices. Certainly, purchasing a used computer or hard drives gives the owner (your student) legal possession of the data that may be contained on the devices, but still, this is not good test media. Personal information may still exist from the prior owner and be at risk of disclosure. For these types of devices, curiosity needs to be controlled in favor of appropriate test media.

11 By computers, I mean the hard drives in the computers.

Letting your students swap personal computers to examine is another potential nightmare of data disclosure to avoid. A fair warning to give every student in a class where forensic analysis is being taught and conducted is to maintain control of their storage devices. This will prevent the inadvertent or intentional disclosure of a student’s personal information by other students.

Another way

There are multiple sources of test images found online. These have typically been created as test media for specific tasks, such as validating software. Most are freely available with encouragement to download for testing. A partial listing of these sources is in Appendix III. The problems that exist with test images created by someone else, for some other purpose, are that the images may not fit your needs and may not contain accurate data (who knows?). Additionally, unless substantial documentation accompanies the images, you will have to conduct a forensic analysis of each image to determine what data exists and how it can be used. Basically, you will need to modify your curriculum to fit these test images.

Several digital forensics books, including textbooks, include a CD/DVD containing test images. These test image files are typically designed to support the respective textbook. Unless you are using the same textbook from which the test images originated, you again will need to modify your curriculum to fit the test media. And again, how do you know these test images contain accurate data?

Lastly, using test media created by any other person does not give you factual details of the data in the test images. For example, how can you determine the origin of a file in a pre-made test image? You can forensically analyze it and assume the origins of a file, but you cannot say with 100% certainty that you are correct because you did not create the original file on the original device.

A better way

Create test media, that is, personally create a plan of the test media you need, and then create it to fit your curriculum. But first, you must know what you want to test before you create the image! Creating a test image and not knowing the type of data you want to test beforehand will only have you make another image…


Creating a full disk test image is time intensive. This involves installing an operating system and software as well as adding evidence to the system. Evidence can consist of Internet activity, email, documents, downloads, deletions, and data hiding. Basically, any topic you have in your curriculum can be added to a test medium as evidence. It just takes time to plan and create it.

The Dreaded EULA, Again

Creating test images involves installing software. The operating system and programs you will need to create evidence are each tied to a licensing agreement, and by distributing these test images to your students you may be violating copyright laws.

Exceptions exist under “fair use”, which considers nonprofit educational purposes, the nature of the copyrighted work, and the amount or portion used. Education, research, and non-profit use may allow you to distribute your test media to students. To ensure you are not distributing entire working versions of software, overwrite every executable that is protected by copyright to prevent that software from running. To save time, don’t use licensed software. There are many different types of word processors, email clients, and other software applications available freely (FOSS), which you will be able to distribute without worrying about copyright violations.

This is not a deal-killer for creating your own test images. It just requires a few extra steps to ensure you are not distributing copyrighted data.

What do you want to simulate in test media?

Because of the time involved to create a working computer system and the time needed to create the evidence needed, consider making as few test media as possible. One forensic image of a hard drive can hold enough test evidence to last the entire course, if you create enough activity for what you need. By having one test image to work with, students will be able to see how a real forensic examination works on a single image, rather than using smaller datasets.

First, develop your curriculum. Note the topics and exercises needed and plan your test media to support your curriculum. An idea is to create a storyline in which your test media will be the key evidence in that story. This can be a combination of events such as criminal activity, corporate policy violations, cyber stalking, or intrusions. Within this same story, multiple test media can be planned to include flash drives and compact discs.


Once your storyline has been created, plan for creating your test media. You have two choices in this regard, one being using an actual physical computer and the other using a virtual machine. Both have benefits and drawbacks, but for time saving and repetition, the virtual machine route may be best. The following chart shows the differences between using a physical machine and a virtual machine.

Physical Hard Drive versus Virtual Hard Drive

Physical: Hard drives are rarely found in small sizes. Creating a system on an average drive will have an end result of a large image, no matter how much compression is used. One hard drive can contain only one system for testing. A dual boot physical machine is still only one test image of the physical hard drive.
Virtual: Setting up the hard drive only requires disk space on a hard drive, allocated in the amount you need. This can be much smaller than the sizes in which new hard drives can be found (a virtual 3GB versus a physical 250GB hard drive). One hard drive can contain multiple virtual machines.

Physical: Imaging a physical hard drive forensically requires physical steps to be taken, such as removing the hard drive to use a write blocker, or booting to a forensic CD/Floppy/USB to image onto another hard drive.
Virtual: Imaging a virtual machine can be done directly onto the host machine or an external device through various software applications.

Physical: Subsequent test images require wiping the hard drive (or obtaining a new hard drive to wipe), and reinstallation of an OS.
Virtual: Virtual machines allow for snapshots or backups, in which multiple virtual machines can be created without having to reinstall an OS. Various versions containing different types of data sources/scenarios can be created and saved.

Physical: A mistake in creating evidence on a physical machine requires completely starting over with a fresh installation on a wiped hard drive.
Virtual: A mistake in creating evidence on a virtual machine only requires restoring the machine to a previous state or snapshot.

Once your system (physical or virtual) has been decided, start creating your evidence. Your evidence starts from the day and time of installation of the operating system. So, as you use your test media, note everything of value on a note pad. This means document your activity as you use the system, by event, date, and time. Create email accounts. Create documents. Surf the Internet. Download files. Send and reply to emails (to and from other dummy accounts using a different machine). Delete files. Empty the recycle bin. Uninstall programs. Search the Internet. Create folders. Move files around. Plug in external devices like USB flash drives. Use Peer-to-Peer networking applications. Copy files to and from USB flash drives. In effect, use the computer as if you were the violator in your storyline.

Through your documentation, you now have credible and indisputable proof of the activity that occurred on the system. You know the answers to any questions you will have in homework assignments or that are asked by students. This is the only method to ensure your test images do not contain data you are unaware of or that may cause confusion in your lessons.

Suggested Dos and Don’ts

Don’t use your test media for personal use. YOUR Internet activity and emails will be discovered by your students. Don’t create fake data by altering dates and times of files unless you will use that to teach anti-forensics techniques. Don’t download illegal evidence, such as child pornography or pirated software.

Do make everything as if it were a real life use of the computer system. Do plant evidence on the media. Evidence can be emails you sent to a dummy account that are harassing or contain fake data of stolen intellectual property. Child pornography evidence can be planted ONLY if substitute images are used. In most child pornography training, rather than using actual (illegal) images, pictures of kangaroos or kittens are used. A practical exercise to demonstrate a child pornography investigation simply means telling the students that any images of kangaroos or kittens are to be treated as if the images were of child pornography. The analysis of these images is the same as if it were a real case of child pornography without the risk of handling/duplicating/distributing illicit images.

Creating the Images

Since you will have spent many hours over a period of days, weeks, or months on your test media, you will want to make sure you capture a good image and not ruin your work. If you used a physical computer, you have a physical hard drive to image using the traditional imaging method of write protecting the hard drive. If you used a virtual machine, you only need to image the virtual machine, not a physical hard drive. A virtual machine can be imaged using FTK Imager12 directly or by other means detailed in the aforementioned virtual forensics paper.

12 FTK Imager http://www.accessdata.com


Once your image has been created, be sure to redact files to prevent copyright distribution violations. Using WinHex, copyrighted executables can be overwritten directly in the image. Alternatively, with X-Ways Forensics, copyrighted executables can be excluded from an image during imaging. Neither method affects the validity of your test media work, as all data remains pristine except for those files that needed to be removed to comply with software EULAs.
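For instructors who want to carry out that redaction step in a script rather than a hex editor, the following is an added example (not the booklet's own code, and not how WinHex or X-Ways implement it). It assumes the byte offsets and lengths of each executable's data runs come from your forensic tool's file system listing and that each run is contiguous; the 64 KiB "image", the memo text, and the fake PE executable inside it are constructed so the example runs stand-alone. The point it demonstrates is the one the paragraph makes: after the overwrite, a hash record and a byte-for-byte comparison show that nothing outside the redacted runs changed.

```python
"""Overwrite the data runs of licensed executables inside a raw test image.

Added example for this booklet (not WinHex or X-Ways code). The run list is
assumed to come from the forensic tool's file listing and to be contiguous;
the image below is constructed in memory.
"""
import hashlib
from typing import List, Tuple

Run = Tuple[int, int]   # (byte offset, length) of one data run inside the image


def find_pe_headers(image: bytes) -> List[int]:
    """Offsets of PE executables: an 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    hits = []
    pos = image.find(b"MZ")
    while pos != -1:
        lfanew_at = pos + 0x3C
        if lfanew_at + 4 <= len(image):
            e_lfanew = int.from_bytes(image[lfanew_at:lfanew_at + 4], "little")
            if image[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = image.find(b"MZ", pos + 1)
    return hits


def redact_runs(image: bytearray, runs: List[Run], fill: int = 0x00) -> dict:
    """Overwrite each run in place and return a record for the test-media notes."""
    before = hashlib.sha256(image).hexdigest()
    for offset, length in runs:
        if offset < 0 or length <= 0 or offset + length > len(image):
            raise ValueError(f"run {offset}+{length} lies outside the image")
        image[offset:offset + length] = bytes([fill]) * length
    return {
        "sha256_before": before,
        "sha256_after": hashlib.sha256(image).hexdigest(),
        "redacted_runs": sorted(runs),
        "fill_byte": fill,
    }


def unchanged_outside(original: bytes, redacted: bytes, runs: List[Run]) -> bool:
    """True when every byte outside the listed runs is identical in both images."""
    if len(original) != len(redacted):
        return False
    cursor = 0
    for offset, length in sorted(runs):
        if original[cursor:offset] != redacted[cursor:offset]:
            return False
        cursor = max(cursor, offset + length)
    return original[cursor:] == redacted[cursor:]


def build_sample_image() -> Tuple[bytearray, Run]:
    """Constructed image: a text document at 4 KiB and a fake PE executable at 8 KiB."""
    image = bytearray(64 * 1024)
    memo = b"Quarterly pricing memo (constructed evidence, keep)\n"
    image[4096:4096 + len(memo)] = memo
    # Minimal DOS header: 'MZ', then e_lfanew at 0x3C pointing to the PE signature at 0x80.
    exe = bytearray(b"MZ" + b"\x90" * 0x3A + (0x80).to_bytes(4, "little"))
    exe += b"\x00" * (0x80 - len(exe)) + b"PE\x00\x00" + b"\xCC" * 1000
    image[8192:8192 + len(exe)] = exe
    return image, (8192, len(exe))


def run_demo() -> dict:
    """Locate the executable, redact it, and prove the rest of the image is untouched."""
    original, exe_run = build_sample_image()
    work = bytearray(original)
    found = find_pe_headers(work)
    # The run list normally comes from the file system listing; the signature scan
    # here only confirms that the listed run really starts at a PE header.
    record = redact_runs(work, [exe_run])
    return {
        "pe_offsets_before": found,
        "pe_offsets_after": find_pe_headers(work),
        "hashes_differ": record["sha256_before"] != record["sha256_after"],
        "memo_intact": work[4096:4160] == original[4096:4160],
        "untouched_outside_runs": unchanged_outside(original, work, [exe_run]),
        "record": record,
    }
```

Keep the returned record with your test-media documentation: the before and after hashes, the run list, and the fill byte are what let you state later exactly which bytes were changed and why.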

After creating an image of your physical hard drive or virtual machine, you also have the ability to boot the machine and capture the physical memory for lessons involving analysis of live memory. I suggest capturing the memory after imaging the hard drive only for the reason of providing your students with a pristine capture of a hard drive without the footprint of running a forensic application on the system. In an actual case, capturing the physical memory would be done first.

A Side Benefit of Creating Your Own Test Images

Once you have documented and created your test images, you now will have perfect software validation images. Since you documented exactly what occurred on the system, on the exact date and time, your forensic tools should display that information accurately. If not, the forensic software may be defective in that regard.

Providing the test images to students

If you decided to use a physical hard drive as test media, you may have an extremely large forensic image to distribute to your students. This will involve time to copy the image as well as storage media to hold it. If your test media was 500GB, it is most likely impractical as a test image for your students.

A virtual image is much easier to handle for size, as you can easily configure the size of the drive when creating the virtual machine. A small physical hard drive is difficult, if not almost impossible, to find. It is feasible to create a 10GB or smaller test image with enough test evidence to last an entire course, yet small enough to fit on an inexpensive flash drive.

And although you will have gone through a lot of work to create this test image, you do not have to simply hand the finished file to your students. Using a forensic tool like FTK Imager, your students can first mount the image as a read-only physical (block) device. Then they can image the mounted drive as if they were imaging a real, physical hard drive, and compare the hash of their acquisition with the hash you recorded for the image. This starts their case where real cases start: with the creation (and documentation) of a forensic image.


Chapter 6 – Conclusion

By now, you should have a good idea of how to teach forensics in your classroom, based on your curriculum. Information on how to teach is beyond this writing, but if you are involved with teaching digital forensics, you most likely already have the teaching ability.

The actual topics of instruction, the order of topics, and the depth of instruction are dependent upon your needs, resources, and time available. One of the recurring issues of teaching digital forensics is what to cover first and in what order the other topics follow. As one action in the operating system affects multiple areas, which area gets taught first? How can the registry be taught unless the Master File Table is taught first, or would it be better the other way around? Appendix I gives simplified examples of curriculums to spark ideas, but not as the only answer for any one program.

One of the first pieces of advice I have given to every class I've taught is for the class to trust me. Trust that although a topic may not make sense today, after more pieces of the digital forensics puzzle are explained, things start making sense. Everything is related, and it takes time to build upon each topic in order to begin understanding how data is created and manipulated.

A piece of advice I give to you is to not attempt to teach everything in one program unless you have more time than you can imagine using. "Everything" in digital forensics means every type of operating system, every forensic artifact in every type of operating system, every type of electronic device from computers to servers to mobile devices, and more topics than any one person could learn, let alone master. In this field, it is reasonable to expect knowledge of the basic fundamentals of digital forensics, and also reasonable to focus on specialties within the field in order to build expertise. With that, there is no standard in digital forensics teaching, nor a standard in the topics to teach. Digital forensics is a moving target and therefore, so is teaching it.


Appendix I – Curriculums

College/University Level

College/University level programs have the luxury of carefully molding students through the program with a series of prerequisite courses over a long period of time. This ensures the students have been exposed to all required aspects of digital forensics as determined by the institution. For entry-level future examiners with no experience, the college/university system fulfills every need in terms of topics. However, it is time intensive, measured in years. Another benefit of college/university level digital forensics education is the resources available on most campuses in terms of equipment and software.

Associate's degree programs may consist of general requirements for the majority of coursework with few courses in digital forensics, in order to transfer to a 4-year university. Or, certain associate's degree programs may provide few general education requirements and more digital forensics courses in order to reach a higher level of job-related skills, not necessarily to transfer to a 4-year institution.

Bachelor's and graduate degree programs consist of general requirements in lower division units, usually 2 years of study, before focusing on the major of digital forensics. In practice, students will not be employable in digital forensics, even at entry level, until completion of at least a bachelor's degree.

Continuing education certificate programs may range up to 10 months or more of coursework specific only to digital forensics. As a continuing education program assumes a more mature student, with expectations of prior work experience, an entry-level job skill can be obtained in a short period of time.

Coursework in the degree programs usually includes:

General requirements (~2 years) in foreign language, English, math, science, art, etc.

Major coursework (~2 years) in digital forensics topics such as Criminal Law, Criminal Investigations, Computer Systems, Networks, Operating Systems, Incident Response, Malware Analysis, Mobile Device Analysis, File System Analysis, Technical Writing, Scripting, and other topics.

To benefit the student, coursework in digital forensics at this level should be focused on a specific track, perhaps by offering different tracks to students. As an example, teaching a broad overview of digital forensics of every operating system ensures that the student will not master any one operating system. Conversely, focusing on one operating system with a broad overview of the other operating systems will result in a student who is competent in at least one system rather than incompetent in every operating system.


Vendor-based Curriculum

Vendor-based curriculums are easier to design for the sole reason of being restricted to teaching one tool. Using one tool, such as a digital forensics suite, the curriculum can simply be working through various case-type scenarios, practicing with all functions and features of the software. This type of course can progress naturally from evidence acquisition through report creation using the vendor product.

However, the difficulty of a vendor-based curriculum arises when the vendor product does not solve certain forensic obstacles. In this type of instance, the student will not learn how to solve the obstacle, only that 'another tool' will have to be used.

The benefit of vendor-based training goes to those analysts already working in the field. The time spent attending a vendor-based training course to learn a new tool, or to learn how to make fuller use of a tool, will save time on the job using that tool. As many students who attend vendor-based training already have a solid foundation of digital forensics education/training, those foundational topics do not need instruction in the training, except insofar as the vendor product is concerned.

Specifically focused training, such as a Registry Forensics course, is also easier to design than other curriculums. In this type of training, where one or a few aspects of digital forensics are taught, any tool can be used to address the forensic artifact being taught. Again, the students typically have a foundation of knowledge in digital forensics and seek these focused courses to study in-depth, advanced techniques of analysis. Information unrelated to the course topic is generally not discussed, in order to master the topic and only that topic in the course.

Government provided curriculums

Government programs, including military services, generally have a large budget, seemingly unlimited resources, and the ability to provide long periods of time for training courses. As one example, the US federal government provides several digital forensics programs to federal and local law enforcement officers, ranging from a day of training to several months of training courses. Many law enforcement digital forensics examiners may spend six months or longer, five days a week, eight hours a day, going through a regimen of digital forensics training.


The combined number of hours in these programs can exceed that of a master's degree program in a shorter period of time, with coursework specific to digital forensics. The curriculum in these courses can cover the vast majority of digital forensics topics, producing well-trained examiners.

Appendix II - Software Comparisons

A comparison of software would be incomplete given nearly any set of criteria. There are simply too many software applications that accomplish too many tasks to effectively compare all of them, or even a decent selection.

I would suggest that any discussion on the selection of software for digital forensics training include discussion of both commercial applications and free/open source software applications. I would also suggest that the final selection of software to be used in a program directly reflect the tasks designed into the curriculum. In a registry forensics course, there is only a need for software specifically developed for registry analysis. These can be both commercial and open source, but surely, these would be the only types of software needed.


Appendix III – Test Data Sets

The following data sets are freely available online:

The 2008-Nitroba corpus
http://domex.nps.edu/corp/scenarios/2008-nitroba/

The M57 Corpus
http://torrent.ibiblio.org/doc/187/torrents
http://domex.nps.edu/corp/scenarios/2009-m57/ (individual files)

HogFly's Memory Dumps
forensicir.blogspot.com
https://cid-5694a755c9c6a175.skydrive.live.com/browse.aspx/Public

Security Sig Challenge
http://www.depleted.org/~penfold/index.html

Computer Forensic Reference Data Sets (CFReDS)
http://www.cfreds.nist.gov/

Digital Forensics Tool Testing Images
http://dftt.sourceforge.net/
http://sourceforge.net/projects/dftt/

DigitalCorpora.org
http://digitalcorpora.org/
http://digitalcorpora.org/corp/drives/nps/2010-nps-emails/

DFRWS 2010 Forensics Challenge
http://www.dfrws.org/2010/challenge/index.shtml

Network Forensics Puzzle Contest
http://forensicscontest.com/

ForensicKB forensic practicals
http://www.forensickb.com/
http://www.forensickb.com/2008/01/forensic-practical.html
http://www.forensickb.com/2008/01/forensic-practical-2.html
http://www.forensickb.com/2010/01/forensic-practical-exercise-3.html

The International Society of Forensic Computer Examiners®
http://www.isfce.com/sample-pe.htm

The Honeynet Project
http://old.honeynet.org/scans/scan24/
http://old.honeynet.org/misc/chall.html

Enron Email Dataset
http://www.cs.cmu.edu/~enron/

U.S. Cyber Challenge
http://www.dc3.mil/challenge/2010/partners.php#carey


AccessData (test images are available with an email request)
http://www.accessdata.com/academic.html

Wireshark Sample Captures
http://wiki.wireshark.org/SampleCaptures

SANS Digital Forensics and Incident Response Challenge
http://computer-forensics.sans.org/challenges/

The disktype File System Sampler
http://disktype.sourceforge.net/fss/

Digital Forensics Security Treasure Hunt
http://digitalforensics.securitytreasurehunt.com/

The following is NOT freely available, but is available for a cost:

The University of Central Florida's (UCF) National Center for Forensic Science (NCFS)
http://www.ncfs.org/dfqs/