A practical guide to teaching digital forensics in colleges, universities, and in vendor-based training courses written by Brett Shavers. Brett is an experienced digital forensics expert, instructor, and author of two books (Placing the Suspect Behind the Keyboard and The X-Ways Forensics Practitioner's Guide). Brett regularly teaches at conferences, colleges, and for private vendors in digital forensics topics.
Brett Shavers © 2013 Teaching Digital Forensics
Page 1 of 35
Table of Contents

Introduction, p. 3
Chapter 1 – The Goals and Objectives of Your Course, p. 4
    Type of Program, p. 4
    Your Students, p. 5
    Topic of Instruction, p. 6
Chapter 2 – Your Digital Forensics Lab, p. 9
    Hardware Needs, p. 9
    Software Needs, p. 10
Chapter 3 – The Curriculum, p. 16
    Textbooks, p. 18
    Reference Materials, p. 19
Chapter 4 – Course Delivery, p. 22
    Classroom Lecture, p. 22
    Online Lecture, p. 23
    Guest Speakers, p. 23
Chapter 5 – Practical Exercises, p. 24
    Rules of Going Hands-on, p. 24
    Practice and Test Evidence, p. 24
Chapter 6 – Conclusion, p. 30
Appendix I – Curriculums, p. 31
Appendix II – Software Comparisons, p. 33
Appendix III – Test Data Sets, p. 34
Introduction
This guide describes methods for teaching digital forensics in the classroom. I wrote on this topic to
give instructors and professors something short to read before getting started teaching. The guide gives
enough practical advice and information to be applied from high school education through university, as
well as to intensive training courses. Rather than give tons of statistics and surveys, this guide gets down
to the nuts and bolts of creating a digital forensics program.
I wrote this guide based on more than a few years of teaching digital forensics at a university, at a
community college, by hire of private vendors, and by hire of companies to design and teach courses for
their internal digital forensics staff. I also draw on presenting at numerous digital forensics conferences,
including arranging a digital forensics conference as a project manager. Just as important, I draw on my
experience as a student of more than two dozen forensic courses across the country and at several
colleges over the past decade. I do not claim this guide to be the only way to teach, but it is certainly
one way, based on personal and professional experience. As with anything, your mileage may vary
depending upon your situation and needs.
As those who have created teaching programs in this field will tell you, there are no hard and fast rules to
follow, other than sticking to a budget and filling the seats. Many instructors1 at colleges and
universities are adjunct instructors who work in the digital forensics field and have been asked to create
and teach a digital forensics program. Some of these practitioners may not even have a college degree,
but have expertise gained over years of practice. Full-time college instructors may primarily teach
subjects other than digital forensics (such as computer science or information technology) and might
never have worked in the digital forensics field. Both types of instructors are capable of providing quality
instruction.
One thing this booklet doesn't provide is a digital forensics program outline. There are too many
variables to consider to be able to provide a course in digital forensics that fits everyone's needs. But
this booklet will give you what you need to set up your program, fit to your needs. And that is the
objective of this eBook: to get your program up and running quickly with a system that works.
1 I use the term “instructors” as a generic description of teacher, professor, or instructor without regard to the
person’s educational background or job description.
Chapter 1 – The Goals and Objectives of Your Course
The starting place for any project is to know your goals and objectives. I will cover several different
types of programs and include methods you can use in each of them, but only you know what you need
based on your individual program. I recommend looking at everyone else's digital forensics programs,
but use other programs as ideas or guides, not absolutes. As I mentioned, everyone has different needs,
so make the program yours.
Type of Program
Since your program may be different from someone else's, consider that your needs will also be
different. Some of the many types of programs you may be involved in are listed below.

- College/University level: Associate's, Bachelor's and graduate programs; continuing education
  programs; special coursework within another program (criminal justice, etc.)
- Intensive courses: short courses in specific subjects (1 day to several days)
- Vendor-based courses: software-focused training, using one specific software product
- Online courses: a combination of any of the above
Although each type of course may have a comparable number of instruction hours, the organization of
those hours will differ. A college-level continuing education program may have 30 hours of instruction
spread out over months, where an intensive course of 30 hours may be completed within a week. Even
though the number of hours is the same, the manner of instruction and testing is not. Because of the
difference in pacing (1 hour per week for months compared to 8 hours per day for a week), the
organization of topics will be different. A college-level course can afford to spend more time on lecture
and less on hands-on work for the sole reason that students can be given out-of-class assignments on a
weekly basis. An intensive course does not have the luxury of months of homework assignments.

- College/University level: daily or weekly classes, 1-4 hours per class; more time for study,
  research, homework
- Intensive courses: daily classes, 6+ hours per class; less time for study, research, homework
- Vendor-based courses: daily classes, 6+ hours per class; less time for study, research, homework
- Online courses: self-paced; more time for study, research, homework
In each of these situations, you will need to decide on the topics to focus in class and the topics for
students to study and practice outside of class. As you can see, the time available varies greatly.
Theoretically, courses which allow more outside time for research and assignments should result in a
better understanding of the material. However, this is dependent upon you assigning worthwhile
homework and ensuring the students are actually doing the work.
Course Restrictions
Each of these programs has its own restrictions and requirements. Restrictions can include the use of
specific software and hardware, required textbooks, the length of each instruction period and of the
entire course, and a focus on specific content. A vendor-based course typically uses only the vendor's
software for the entirety of the course, whereas another course may use a potpourri of software. An
intensive course may not provide any legal training, whereas legal training may be a mandatory
requirement for a college-level course. All programs are restricted by a budget; whether the budget is
small or large, there is always a limit on expenditures. No matter the budget, you have to make do with
what you have unless you can increase it.
Your students
The types of students are a major factor in your goals and objectives. This area covers perhaps the
widest range of possibilities and unknowns in any program. Are there prerequisites for your program?
Are the experience and training similar across all your students? If you don't know where your students
are coming from, you will have such a diverse range of abilities that some will not be able to catch up
and others will be held back.
Preferably, you have some control of entry into your program by ensuring the students meet any
prerequisite necessary. In a digital forensics program, it doesn’t make much sense to allow students to
attend who have no computer education, training, experience, or ability. Students must already be
capable of installing and uninstalling programs and be able to identify computer components at a
minimum. Any student unable to do at least this will require time teaching the basics of computer
operations. Unless the program includes computer troubleshooting (A+ as an example), include basic
computer skills as a requirement.
Frustration Saver
Have clear prerequisites for your students for entry into the program. You will be happier that the class moves along at the same pace. Your students will also be happier that they are not left behind or held back.
Another factor regarding your students is their work or academic background. Is your class primarily IT
students or law enforcement investigators? If there is a mix of IT and law enforcement, each group will
find part of the material redundant: the IT students in the computer technology portions and the law
enforcement students in the legal portions. A law-enforcement-only program requires only minimal time
discussing evidence and chain of custody, while an IT-only program requires minimal time discussing
computer troubleshooting. There are exceptions, but generally, those with both a legal and a computing
professional background are rare.

- Law enforcement/legal professionals. Positives: usually well versed in evidence and legal
  procedures; experienced in enforcing laws, testifying, and writing reports. Negatives: minimal, if
  any, experience or training in computer systems.
- IT professionals/IT students. Positives: knowledgeable in computer systems, computer
  programming, and troubleshooting. Negatives: minimal, if any, experience in the legal field.
- Non-IT and non-legal students. Positives: none. Negatives: lacking in both legal and computer
  skills.
Topic of Instruction
Lastly, the focus of the information affects your program. Digital forensics covers a lot of ground. In
fact, digital forensics overlaps with other areas such as electronic discovery and incident response.
Within each of these areas, there are countless sub-topics. Within digital forensics, complete courses
can be given on each operating system, such as Windows, Mac, and Linux. Entire courses can also be
given on each type of electronic storage device, ranging from a computer workstation to a smartphone.
Incident response can range from intrusion analysis to reverse engineering of malware. Even specific
parts of a digital forensics exam, such as registry forensics or Internet forensics, can be the sole topic for
days.
In the following figure, you can see where scope creep in designing your course can be overwhelming
without a clear goal and objective. In the marketing of your program, you (or your employer) should be
clearly stating the goals of the training to potential students. Unrealistically promising to teach
everything about digital forensics in a short period of time will frustrate your students once they begin
to see the reality of the scope of the field.
Figure 1: Overlapping topics in the fields of forensics, e-discovery and security, and overlapping topics
within digital forensics. Choose wisely or you may never accomplish your course objectives.
The type of program you teach may make it easy to determine what subjects you teach. In a vendor-
based program, you may be only teaching the operation of a software product. In an intensive course,
you may be teaching a specific topic such as registry forensics. If you are given latitude in creating a
program, you’ll need to consider each of the above factors to decide which topics to incorporate. Since
the field of digital forensics grows with every new discovery and method of analysis, there is not a
shortage of topics or specialty courses to develop.
Forensic imaging, registry forensics, Internet forensics, data carving, malware analysis, log files,
cryptography, data hiding, file system analysis, network forensics, cloud forensics, chat forensics, P2P
forensics, GPS forensics, Windows forensics, Mac forensics, Linux forensics, iPad/iPhone forensics,
database forensics, timelines, reverse engineering, testimony, anti-forensics, memory forensics, USB
forensics, virtualization forensics, time stamp forensics, and more.
With regard to topics, it may be easier to break your program down into one of three levels: basic,
intermediate, and advanced. From there, you can tailor your topics to fit the time allowed, the budget
given, and the attending students. The days of a 5-day computer forensics course meeting the needs of
training a new forensic examiner are gone. Today, forensic examiners specialize in one or more areas
within the field rather than being a generalized 'computer forensics examiner'. An entire career can be
spent solely on smartphone forensics and still never have the opportunity to know everything about
smartphones.

In summary, to design your program, you need to know your:

- Type of program and budget
- Type of students and their ability/education/experience
- Focus of instruction
Digital forensics allows for a wealth of topics to teach but you have to tailor the topics to fit the needs of
your program within your budget and time allowed as well as accounting for the existing skills of your
students.
Chapter 2 – Your Digital Forensics Lab
In a digital forensics program, you need computers. Slideshow presentations and lecture only go so far
without computers for hands-on practice. However, you do not need the latest and greatest, fastest and
most powerful workstations available. You just need reliable computers, one for each student, whether
laptops or desktops. Requiring students to bring their own systems invites time spent troubleshooting
virus issues, malfunctioning USB ports, Internet connectivity issues, and software conflicts.
The basic computer system should have at least one USB port, a CD/DVD drive, and enough RAM to run
the applications needed for the course. The better (faster) systems will help with processing data during
class which will save time. Older computers with slower processors will restrict how much processing
can be done in class and possibly cause problems running processor intensive applications.
Internet connectivity will also be important as students will need to download software applications.
Access to a shared drive or network will be helpful for you to store software for student access. In a
best case scenario, your school or company providing the training will have a classroom configured with
one computer per student, Internet and network access preconfigured, all with the same software
installations. Having a spare system for a student to replace a failing system is better than
troubleshooting a computer during class. This will save you more time than you can imagine. Whether
you choose Windows, Mac, or Linux as the operating system depends upon your goals and budget.
Regardless of the operating system, every student should use the same OS and the same version of OS
to minimize issues during the course.
The goal for your forensic lab is not to spend time 'running' the lab, but to have computers that can run
the forensic applications without issue. Broken or defective items can be set aside, including entire
workstations, as long as the student can be handed a replacement system. A digital forensics course is
typically not a computer troubleshooting course; that should be a prerequisite for students.
Hardware Needs
Hardware, other than the actual computer system, consists of adaptors, connectors, cables, write-
blockers, and imaging devices. These items add substantially to the cost of a program, especially if
every student is expected to have their own set of items to work with. They also increase the odds of
equipment failure, lost items, and, unfortunately, stolen items. Some instructors choose to play
'pretend' with students to avoid having to hand out expensive hardware. Playing pretend, such as
"pretend you are using a write blocker", is perhaps the worst training to give anyone, as it will lead to
mistakes in the field. There are alternatives to playing pretend when you don't have everything you need.
With any scenario where you may consider playing pretend, it is better to come up with an alternative
option. For example, a lack of write blocking devices does not mean students cannot image hard drives.
Using forensic boot discs, such as a Linux forensics boot disc (DEFT2, etc…) or a Windows forensics boot
disc (WinFE3), students can create valid forensic images using valid means. It is obviously necessary to
show students physical hardware write blocking devices and allow them to experiment; however, with
homework assignments and in-class assignments, the forensic boot disc is just as valid a training tool
and practical method.
Software Needs
Software is one of the main sources of conflict in digital forensics programs, for the sole reason of cost.
Commercial digital forensics applications range from a few dollars to several thousand dollars per
license. Worse still, most of these expensive commercial applications are not intuitive and require hours
of instruction in the basic operation of the software. To make things even more difficult, most of these
applications have licenses tied to a software protection device, or dongle: the software only functions
when the dongle is plugged into the computer's USB port. The loss of a dongle typically means paying
the full cost of the software again. It is easy to see that in a class of twenty students, one forensic
application can cost upwards of $50,000 for the class. And that is just for one software application.
As mentioned, many commercial forensic software suites are not intuitive. Also, since these suites
provide dozens or hundreds of specific functions, the time involved in teaching the software before being
able to teach forensics can be an issue. One solution is to use narrowly focused software to accomplish
specific tasks. Usually, the smaller tools are more intuitive simply because they have fewer options. An
example of overkill with a forensic suite would be using a commercial tool such as EnCase or X-Ways
to examine the Windows registry when something like RegRipper4 may be able to accomplish the task.
The price, ease of use, and speed of results of a smaller, narrowly focused application may be best in
this situation and avoid an unnecessary software purchase.
2 DEFT http://www.deftlinux.net/
3 WinFE http://winfe.wordpress.com
4 RegRipper http://code.google.com/p/regripper/
Figure 2 X-Ways Forensics, a complete forensic suite application
For a vendor-based digital forensics program, the software is not usually an issue, as the vendor is
typically the software developer. In this instance, you may be using only that one product in the course
and have no need (or permission) to teach using any other tool.
Another consideration in your selection of software is that no single forensic application will accomplish
every task you need. Most times, you will need another application. And another. And another. This is
the area where you need to be the most creative and resourceful. There is no need to purchase every
application for every student, especially since, in most instances, the software may only be needed to
demonstrate a single point.
Students may also tend to bring their own software to class, especially if they are already working in the
digital forensics field. Although this may sound cost effective, it will be a detriment to your course. All
students should use the same software in order for the lecture to match the practical exercises. This will
keep the entire class moving along at the same speed, on the same tasks, using the same tools.
Less Expensive Solutions
In the real world of digital forensics, budgets exist in every office just as they do in the classroom. When
the needs of the program exceed the budget, free and open source software (FOSS) is the solution.
FOSS is available to anyone, freely, to use, copy, study, and improve. Demo versions of programs are
also helpful in the classroom. A demo program is usually a time-restricted or feature-limited version of a
commercial program. For demonstrating a point and giving students hands-on experience, demo
programs may work well. They also let students try a program to help decide whether it is something
they would consider purchasing, or requesting their employer to purchase, for their job. For the
instructor, demo versions and FOSS are great ways to avoid having to purchase expensive software for
training.
Figure 3 FOSS example, RegRipper, a registry analysis tool
Examples of free and open source software that can benefit a program are seen in the following table.
Keep in mind that since these software tools are free, each tool reduces the need to purchase
commercial tools in the classroom. When planned reasonably, a commercial application (an entire
forensic suite) can be purchased with the FOSS tools filling in any gaps of functionality of that
commercial tool. Or, an entire program can be taught using FOSS tools at no cost of commercial
licenses. This is completely up to you, unless you are teaching a vendor-based course. Practically, any
software application that works, works.
Free and Open Source Software solutions (software, URL, purpose):

- FTK Imager, http://www.accessdata.com: forensic imaging
- Guymager, http://guymager.sourceforge.net/: forensic imaging
- Encase Forensic Imager, http://www.guidancesoftware.com: forensic imaging
- ArcPST, http://guymager.sourceforge.net/: email analysis
- Gmail Parser, http://www.woanware.co.uk/: email analysis
- DEFT, http://www.deftlinux.net/: forensic boot disc with many forensic utilities
- CAINE, http://www.caine-live.net/: forensic boot disc with many forensic utilities
- analyzeMFT, https://github.com/dkovar/analyzeMFT: parses MFT records
- Encryption Analyzer, http://www.lostpassword.com/: finds and reports encryption complexity
- Digital Forensics Framework, http://www.digital-forensic.org/: suite of forensic tools
- SANS SIFT, http://computer-forensics.sans.org/: suite of forensic tools

Note that not every tool in this table is open source: FTK Imager, Encase Forensic Imager, and
Encryption Analyzer are free to use but closed source, so students cannot inspect how they work.
To counter arguments as to the validity of FOSS tools, Brian Carrier has a terrific paper available at
http://www.digital-evidence.org/papers/opensrc_legal.pdf that addresses any legal concerns such as
court admissibility of evidence obtained using FOSS tools.
A good listing of forensic software applications can be found at:
https://en.wikipedia.org/wiki/List_of_digital_forensics_tools
Lists of FOSS-specific software can be found at:
http://forensiccontrol.com/resources/free-software/
http://www2.opensourceforensics.org
Functional Needs of Software
When purchasing forensic software, it is imperative to know the functions of the software to determine
whether it fits the needs of your class. A full forensic software suite will accomplish the majority of a
basic forensic exam. Software applications such as Encase5, FTK6, and X-Ways Forensics7 fill this need
as all-in-one tools. Software that fulfills one specific need usually does only one or a few specific tasks
and will not be able to conduct a basic forensic exam.
5 Encase http://www.guidancesoftware.com
Software applications such as Paraben Device Seizure8 fulfill needs only for mobile devices, not
computers. If your program focuses solely on registry forensics, there are several commercial and FOSS
tools developed specifically for this task, such as RegRipper. Purchasing specific tools reduces your
overall expenses. These smaller toolsets also reduce the amount of time required to present a topic,
mostly because of the ease of use of a small tool. RegRipper, as one example, has less than a handful of
features (buttons), whereas Encase Forensic has dozens upon dozens of buttons, right-click and left-click
functions, and multiple dropdown menus.
Tip
For educational institutions, it never hurts to ask a developer for any discounts, limited trials, demonstration licenses, or specials for your students.
An important note on using software is not focusing too much on the software itself. It is more
important to focus on the data and data analysis with the software being a means to that end. Teaching
students about electronic data and evidence is the goal. There are many avenues to that goal, from
examining the binary values of data through using graphical user interfaces (GUI) push button software
tools. Students that understand digital forensics can use several methods to access the electronic data.
Students that only understand a forensic software tool will face obstacles when that tool is ineffective
for their task.
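One way to teach the data rather than the tool is to have students decode a value by hand that their suite decodes with a click. As an added example (not from the guide or from any tool named on this page), the block below decodes a raw Windows FILETIME, the 64-bit little-endian count of 100-nanosecond intervals since 1601-01-01 UTC that registry values and NTFS timestamps are stored as. The sample bytes are constructed: the eight bytes 00 80 3E D5 DE B1 9D 01 are the FILETIME of 1970-01-01 00:00:00 UTC, and all zeros is the FILETIME epoch itself. A student who can do this with a hex dump is not stranded when a GUI tool mislabels a timestamp or does not parse the artifact at all.

```python
"""Added example: decoding a Windows FILETIME from raw bytes.

Illustrative code for the 'teach the data, not the tool' point; not from the
original guide. Sample byte strings below are constructed.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # one tick is 100 nanoseconds


def filetime_to_datetime(raw: bytes) -> datetime:
    """Decode 8 little-endian bytes as a FILETIME.

    Python's datetime resolves to microseconds, so the last decimal digit of
    the tick count (the 100 ns part) is dropped; that is a limitation of the
    representation, not of the format.
    """
    if len(raw) != 8:
        raise ValueError("a FILETIME is exactly 8 bytes, got %d" % len(raw))
    (ticks,) = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> bytes:
    """Encode an aware datetime back into 8 little-endian FILETIME bytes."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    ticks = seconds * TICKS_PER_SECOND + delta.microseconds * 10
    return struct.pack("<Q", ticks)


def decode_hex_filetime(hex_bytes: str) -> str:
    """Take the bytes as they appear in a hex dump and return ISO 8601 UTC."""
    return filetime_to_datetime(bytes.fromhex(hex_bytes)).isoformat()


def roundtrip_ok(hex_bytes: str) -> bool:
    """True when decode followed by encode reproduces the bytes exactly.

    Exact only when the tick count is a multiple of 10 (no sub-microsecond
    part), which is the case for both constructed samples.
    """
    raw = bytes.fromhex(hex_bytes)
    return datetime_to_filetime(filetime_to_datetime(raw)) == raw


if __name__ == "__main__":
    # Constructed samples: Unix epoch as a FILETIME, and the FILETIME epoch.
    for sample in ("00803ed5deb19d01", "0000000000000000"):
        print(sample, "->", decode_hex_filetime(sample), "roundtrip:", roundtrip_ok(sample))
```

A useful classroom follow-up is to have students locate the same eight bytes inside a registry value shown in their suite's hex view and confirm the tool's decoded time against their own.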
Virtualization in the Classroom
Virtual machines are a time saver. They are a great teaching tool. They are inexpensive. They should be
part of nearly every digital forensics course. A virtual machine is an operating system that runs within a
software application as a guest system on a host operating system. The guest can be nearly any
operating system, and so can the host.
6 FTK http://www.accessdata.com
7 X-Ways Forensics http://www.x-ways.net
8 Paraben Device Seizure http://www.paraben-forensics.com
Virtual machine software includes both commercial and FOSS products, such as VMware9 and
VirtualBox10. Either allows an installation of an operating system to run as if it were its own host
machine. The benefits of a virtual machine are many, such as testing theories, practicing forensic
analysis, practicing imaging, and learning about an operating system through the virtual machine. A
virtual machine can be cloned and distributed to each student, so that each student has the exact same
operating system and software for classroom exercises and demonstrations. Virtual machines reduce
the time needed to install an operating system, rebuild a system, and teach concepts related to specific
types of operating systems.
More information on virtual machines related to forensics, to include the analysis of a virtual machine,
can be found at http://www.forensicfocus.com/downloads/virtual-machines-forensics-analysis.pdf.
Figure 4 A Windows OS guest virtual machine running in a Windows OS host
The EULAs
Software licenses are just that: licenses. Each use requires the end user to accept the End User License
Agreement. Commercial licenses almost always prohibit copying, reverse engineering, sharing, or
multiple installations of the software. This includes commercial operating system licenses. It is vital to
ensure that you as the instructor do not violate any licensing agreement, and that you reinforce the
importance of this to the students. Violating a licensing agreement is risky business both professionally
and financially, as the credibility of the future examiner (your students) is at stake with the use of pirated
software or software used outside its license.
9 VMware http://www.vmware.com
10 VirtualBox http://www.virtualbox.org
Again, a solution that avoids this risk is using FOSS as much as possible. One point to make about FOSS
is that just because the software is free does not mean it is not as good as a commercial product. There
are more benefits to FOSS than cost, as some FOSS tools can accomplish tasks that commercial tools
cannot. Features change with each version of both commercial and FOSS tools, but generally, every task
in digital forensics can be done with either.
Chapter 3 – The Curriculum
Like everything else covered so far, the curriculum is based on your goals and objectives. The
curriculum should be flexible and allow for updates at any time. New software releases, developments
and improvements in technology, and changes in case law affect the curriculum in real time just as it
affects the field of digital forensics in real time. Keep in mind that a digital forensics program is about
teaching data analysis as it relates to cybercrime, security issues, and policy violations. Digital forensics
does not occur in a vacuum as the examiner/analyst needs to be aware of the objective of each
examination. Data recovery by itself is only data recovery. Digital forensics involves the interpretation
of data analysis. This is not always easy to teach in a classroom.
For a generalized digital forensics curriculum, the topics are typically the same between different
programs (e.g., one college compared to another). The time spent on each topic varies with the
expertise of the instructor and the background skills of the students. The following figure is a
simplified example of how student backgrounds drastically affect a curriculum.
Figure 5 Time to be spent on varied topics, based on the type of student
Depending upon the student, more or less time can be spent on each topic. A diverse mixture of
student ability levels forces an almost equal amount of time to be spent on every topic, and students
lose interest in the program when material they already have experience or education in is covered
again. A system of prerequisites avoids this issue. Otherwise, be prepared for students to be frustrated
at being behind in lecture or at feeling held back in the program. As an example, time spent teaching
basic computer operating system concepts to IT professionals would be better spent teaching legal
concepts. Conversely, law enforcement students would benefit less from legal concepts than from
computer technology topics.
Among the goals to determine for your program is meeting the expectations of the students. A
continuing education program may be designed to increase skills of current professionals in their job or
prepare professionals in a new career in digital forensics. An intensive course may be designed to dive
deep into a highly specialized sub-field of digital forensics in a short period of time for current digital
forensics professionals. The goals of your program’s marketing should match the goals of your students.
Two examples of curriculum differences are:

Digital Forensics Fundamentals – 24 hours
- Overview of the digital forensics field
- Legal issues
- Evidence handling
- Report writing and testifying
- Types of electronic evidence (email, documents)
- Identification, preservation, and collection of data
- Overview of forensic software and hardware

Windows Registry Analysis – 24 hours
- In-depth look at the Windows registry
- Decoding registry hives
- Searching for registry values
- Differences between Windows versions
- User activity analysis in the registry
- Malware analysis in the registry
- Password recovery/breaking
- USB data recovery

Two different courses, requiring the same number of hours, but depth and breadth are different.
Both of these examples are 24-hour courses. Students without any forensic education or experience
would be best served by the fundamentals course, even though that course would not practically
prepare the student to conduct a thorough examination. Your particular program depends on all the
factors previously mentioned.
College/university degree programs will always require general coursework (math, English, etc.) to
award a degree, which non-degree programs do not require. Intensive, vendor-based, and online
courses will usually only have coursework specific to the program (only digital forensics related
courses). One of the drawbacks to college/university level digital forensics programs is the limitation on
course length imposed by the school calendar of either a quarter or semester session. As an example, a
class in “law” might be taught for an entire quarter or semester when a shorter treatment would be all
that is practically necessary.
Drawbacks to vendor-based or intensive courses include not having time to teach important topics such
as legal issues and investigative methods. Students may learn the practical aspects of a forensic
analysis, but not the legal considerations or case management needed for the work in the field.
Examples of different types of curriculum are in Appendix I of this booklet.
Textbooks
Ask any student what they do not like about school and purchasing textbooks ranks in the top ten.
Mostly, this is due to the high cost of textbooks, instructors not using the textbooks for class when
requiring students to purchase the textbooks, and textbooks being outdated. However, some books are
usually needed, but which books?
The answer is, ‘it depends’. It depends on the course topic. In a program where the basics of digital
forensics is presented over the course of a week or semester, books on specific topics such as “registry
forensics” would not be reasonable. Courses on these specific topics would benefit from these
specialized books. Before requiring any books for your program, read the book. Figure out how the
book will benefit your program, the target audience of the book, and the relevance. And make sure you
use it in class; otherwise, your students will face the frustration of purchasing a book that was not
needed or used.
The following is a list of some of the many books available, shown as examples of how general
(fundamental) and specific topics can be chosen. There is certainly no shortage of books from which to
choose, based mostly on personal preference and goal of your program.
Book (Target)
The Basics of Digital Forensics: The Primer for Getting Started in Digital Forensics by John Sammons (Mar 9, 2012). Target: Fundamentals
Digital Evidence and Computer Crime, Third Edition: Forensic Science, Computers, and the Internet by Eoghan Casey BS MA (May 4, 2011). Target: Fundamentals
Digital Forensics Processing and Procedures: Meeting the Requirements of ISO 17020, ISO 17025, ISO 27001 and Best by David Watson and Andrew Jones (Sep 24, 2013). Target: Fundamentals
E-Discovery: An Introduction to Digital Evidence (with DVD) by Amelia Phillips, Ronald Godfrey, Christopher Steuart and Christine Brown (Aug 7, 2013). Target: Fundamentals
Computer Forensics and Cyber Crime: An Introduction (3rd Edition) by Marjie T. Britz (May 26, 2013). Target: Fundamentals
Cybercrime by Gráinne Kirwan and Andrew Power (Jul 4, 2013). Target: Fundamentals
Computer Forensics: Cybercriminals, Laws, and Evidence by Marie-Helen Maras (Feb 1, 2011). Target: Fundamentals
Guide to Computer Forensics and Investigations by Bill Nelson, Amelia Phillips and Christopher Steuart (Sep 28, 2009). Target: Fundamentals
Crime Scene Investigation, Third Edition by Jacqueline T. Fish, Larry S. Miller, Michael C. Braswell and Edward W Wallace (Oct 9, 2013). Target: Fundamentals
Placing the Suspect Behind the Keyboard: Using Digital Forensics and Investigative Techniques to Identify Cybercrime... by Brett Shavers (Mar 12, 2013). Target: Investigation focused
X-Ways Forensics Practitioner's Guide by Brett Shavers and Eric Zimmerman (Aug 10, 2013). Target: Forensic tool focused
Digital Forensics with Open Source Tools by Cory Altheide and Harlan Carvey (Apr 28, 2011). Target: Forensic tool focused
EnCase Computer Forensics -- The Official EnCE: EnCase Certified Examiner Study Guide by Steve Bunting (Sep 11, 2012). Target: Forensic tool focused
Cloud Storage Forensics by Raymond Choo, Darren Quick and Ben Martini (Jan 5, 2014). Target: Specialty focused
Computer Incident Response and Forensics Team Management: Conducting a Successful Incident Response by Leighton Johnson (Dec 6, 2013). Target: Specialty focused
The Practice of Network Security Monitoring: Understanding Incident Detection and Response by Richard Bejtlich (Aug 2, 2013). Target: Specialty focused
System Forensics, Investigation And Response by Chuck Easttom (Aug 16, 2013). Target: Specialty focused
Malware Forensics Field Guide for Linux Systems: Digital Forensics Field Guides by Cameron H. Malin, Eoghan Casey and James M. Aquilina (Dec 29, 2013). Target: Specialty focused
Cryptography InfoSec Pro Guide (Beginner's Guide) by Sean-Philip Oriyano (Aug 16, 2013). Target: Specialty focused
Windows Forensic Analysis Toolkit, Third Edition: Advanced Analysis Techniques for Windows 7 by Harlan Carvey (Feb 10, 2012). Target: Specialty focused
Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry by Harlan Carvey (Feb 7, 2011). Target: Specialty focused
Reference Materials
Reference materials, many of which can supplement your textbooks, can be found online. Experts in the
field of digital forensics, both in academia and practitioners, continually write papers on every topic in
the field. Many of these white papers are freely available, current, and relied upon by those in the field.
In fact, many digital forensics books refer to these same white papers as their source of information.
Finding any of these papers is as easy as typing “search term” filetype:pdf into Google.com. For
example, white papers published in PDF format online can be found by typing “registry forensics”
filetype:pdf in Google. The results can be narrowed to any timeframe, such as within the past year or
month, to make sure only the most current results are found.
An example of a search for “registry forensics”, in pdf format only, within the past year, is seen in the
following graphic. Replacing “pdf” with “ppt” will find slideshow presentations which may also be
beneficial in your program planning for ideas on presentation formats and information.
Figure 6 Finding current and relevant references for coursework online
Determining the validity of any online digital forensics resource is no different from any other online
information found on the Internet. Information such as the publisher/author, peer reviewers, accuracy
of information, and source must be evaluated before haphazardly relying upon any white paper.
Promote Your Students to Investigator
With every assignment, have your students understand they are the investigator in their assignment. They determine how best to handle evidence, analyze the data, and present the case. In effect, tell your students to ‘solve the case’. There is no better way to create a personally vested interest in homework (other than grades!).
An effective method of incorporating several aspects of digital forensics topics revolves around a
continually evolving class or individual project. For example, given a realistic case scenario, the
students can work the same case from beginning to end, throughout a single course or a series of
courses. One case example: the students receive a flash drive found on the street by a witness. As a
search warrant is not needed (reinforced with legal coursework), the students can image the flash drive
(after instruction in imaging) and begin an analysis. The data discovered on the flash drive can lead to
information supporting a search warrant, seizure of a computer system, and analysis of the system.
The entire process culminates with a report and courtroom testimony.
In this manner, the students experience the process of developing probable cause, drawing inferences
from data analysis, report writing, and case presentation. Students are required to handle ‘evidence’ as
evidence, including proper documentation and packaging. Students can also work simulated crime
scenes to reinforce lectures. This integrated method of teaching will help students develop the
inquisitive mindset needed in digital forensics and gives the most practical hands-on experience in
working a digital forensics examination. The drawback is the preparation of materials and the time
needed to physically conduct the exercises in evidence seizure and crime scene investigation.
Chapter 4 – Course Delivery
Classroom Lecture
Lecturing on computer related topics is not easy on students. Merely talking about what happens to a
deleted file or the Windows registry falls on deaf ears if the student does not have experience in seeing
the data. Electronic data is abstract. It can’t be felt or held, only seen on a computer monitor using
computer software. To ensure students understand the lecture, it is helpful to provide materials on
their computers to manipulate. Unfortunately, as in any computer instruction course, it is difficult for
students to stay on track for several reasons.
The speed of instruction is one issue. As the instructor, clicking through a program to demonstrate a
point and requiring students to duplicate the clicks on their computers results in some students missing
a step and quickly falling behind. By the time the student realizes that s/he is behind, catching up is
impossible. Unless you wait until every student clicks together and stays together, you will have
students being left behind and trying to catch up. In trying to catch up, they miss even more.
One solution is to demonstrate a single task from beginning to end, without the students following along
on their computers. When finished, the students can replicate your task on their computers at their own
speed. Once each student completes the task with the correct result, you know they did it right and you
can move forward.
The Internet is another issue for students. Although Internet access is recommended so that students
can download needed software, it also causes a distraction in the form of social media websites.
Students who feel they are ahead may also feel they can surf the Internet during class. Again, by the
time they realize important information was missed, they risk being left behind.
Other than telling students to focus in class, you may need to station an assistant in the back of the class
to observe computer monitors. Of course, you can simply ignore the Internet surfing and let the grades
handle the problem, but that would be a disservice to your instruction and program.
Visibility is very important! Digital forensics involves extreme attention to detail, indeed, binary detail.
In a classroom, if the instructor’s desktop projection is not clear or is too small, students will not be able
to see what is happening on your computer. Since most of the software applications used may be new to
the students, they will also not understand where you are clicking and what you are pressing to begin with.
Suggesting that students with poorer vision sit up front is one solution. Another is placing more
screens or monitors throughout the room so that students not in the front of the room can see.
With complicated demonstrations, creating a video capture of your screen that students can access
later is very helpful as a review and confirmation of software operations.
Online Lecture
Online courses come in all types of formats. Some require the entire class to be online at the same time,
others are self-paced, and some are a combination. Most issues with online courses are beyond your
control. Your student may be watching television, playing a video game, reading a book, talking on the
phone, or literally anything else other than paying attention to your class online. There may be
household distractions, such as little children playing in the home.
One solution is making sure all materials are available for review by your students when they have time.
Maybe before work, after work, during lunch, or anytime with fewer distractions will be beneficial for
the online student. Online forums, podcasts, videos, and social networking sites can all be used to
provide as much support to your students as needed. These can also be used in a lecture based class by
providing materials online for student references and classroom project collaboration.
Guest Speakers
Having a guest speaker does more than break up instruction for a change. A guest speaker can give
additional insight and validate your information. In every major city, there are expert forensic analysts
working at all levels of government and in the private sector. Many of these analysts would enjoy
speaking to students about a recent case, taking questions about the forensic field, and talking about
their latest discovery in digital forensics. This can be particularly beneficial to your program if a noted
expert is available for your class.
In summary, course delivery of a digital forensics program is not much different from the delivery of
most other classes, either in the classroom or online. A few issues revolving around the specifics of
keeping the class on the same steps during demonstrations need to be considered, but overall, you as
the instructor must keep the class interested while conveying the information.
Chapter 5 - Practical Exercises
Rules of Going Hands-on
I imagine that every student of digital forensics can’t wait to start imaging and analyzing hard drives in
their class. I am also sure that nearly every forensic analyst student has imaged and examined their own
hard drives at home for practice and out of curiosity. Going hands-on with forensics is a motivation to
encourage, but also one to direct so that students benefit and learn. Haphazardly imaging and
running forensic software on everything students can get their hands on, without rhyme or reason, isn’t
productive.
An important piece of advice to give students regarding practice, even practice on their own, is to
always practice as if it were real evidence. This means not accessing a hard drive without following the
rules and principles of protecting the data from changes, and it applies equally to using forensic
software to examine test media. By always doing it the right way, the chance of mistakes happening in
real cases is reduced.
Practice and Test Evidence
Providing test media for your students is not an easy task if you want to do it right. Creating test media
is time intensive and requires extensive documentation. I’ll address several issues with taking shortcuts
with test media as well as giving guidance on designing test media that can be reused indefinitely.
First, the wrong way
Don’t use the classroom computers11 as practice, and don’t suggest that students use their employer’s
computers either, or even computers that may be publicly accessible, such as library computers.
The most obvious reason not to use these systems is the risk of accessing and disclosing protected
information which does not belong to the student. This information can be in the form of personal data,
confidential data, passwords, financial data, and medical information. Even the risk of the ramifications
of disclosed confidential data is not worth using these devices as test media.
Another source of media to avoid is used or recycled storage devices. Certainly, purchasing a used
computer or hard drive gives the owner (your student) legal possession of the data that may be
contained on the device, but this is still not good test media. Personal information from the prior
owner may still exist and be at risk of disclosure. With these types of devices, curiosity needs to be
controlled in favor of appropriate test media.
11 By computers, I mean the hard drives in the computers.
Letting your students swap personal computers to examine is another potential nightmare of data
disclosure to avoid. Every student in a class where forensic analysis is taught and conducted should be
warned to maintain control of their own storage devices. This prevents the inadvertent or intentional
disclosure of a student’s personal information by other students.
Another way
There are multiple sources of test images found online. These have typically been created as test media
for specific tasks, such as validating software. Most are freely available with encouragement to
download for testing. A partial listing of these sources is in Appendix III. The problems that exist with
test images created by someone else, for some other purpose, are that the images may not fit your
needs and may not contain accurate data (who knows?). Additionally, unless substantial documentation
accompanies the images, you will have to conduct a forensic analysis of each image to determine what
data exists and how it can be used. Basically, you will need to modify your curriculum to fit these test
images.
Several digital forensics books, including textbooks, include a CD/DVD containing test images. These
test image files are typically designed to support the respective textbook. Unless you are using the same
textbook from which the test images originated, you again will need to modify your curriculum to fit the
test media. And again, how do you know these test images contain accurate data?
Lastly, using test media created by any other person does not give you factual details of the data in the
test images. For example, how can you determine the origin of a file in a pre-made test image? You can
forensically analyze it and assume the origins of a file, but you cannot say with 100% certainty that you
are correct because you did not create the original file on the original device.
A better way
Create your own test media: plan the test media you need, then create it to fit your curriculum. But
first, you must know what you want to test before you create the image! Creating a test image without
knowing beforehand the type of data you want to test will only have you making another image…
Creating a full disk test image is time intensive. This involves installing an operating system and
software as well as adding evidence to the system. Evidence can consist of Internet activity, email,
documents, downloads, deletions, and data hiding. Basically, any topic you have in your curriculum can
be added to a test media as evidence. It just takes time to plan and create it.
The Dreaded EULA, Again
Creating test images involves installing software. The operating system and programs you will need to
create evidence are each tied to a licensing agreement and by distributing these test images to your
students you may be violating copyright laws.
Exceptions exist under “fair use”, which includes nonprofit educational purposes, the nature of the
copyright work, and the amount or portion used. Education, research, and non-profit use may allow you
to distribute your test media to students. To ensure you are not distributing entire working versions of
software, overwrite every executable that is protected by copyright to prevent that software from
running. To save time, don’t use licensed software. There are many different types of word processors,
email clients, and other software applications available freely (FOSS), which you will be able to distribute
without worrying about copyright violations.
This is not a deal-killer for creating your own test images. It just requires a few extra steps to ensure you
are not distributing copyrighted data.
What do you want to simulate in test media?
Because of the time involved to create a working computer system and the time needed to create the
evidence needed, consider making as few test media as possible. One forensic image of a hard drive can
hold enough test evidence to last the entire course, if you create enough activity for what you need. By
having one test image to work with, students will be able to see how a real forensic examination works
on a single image, rather than using smaller datasets.
First, develop your curriculum. Note the topics and exercises needed and plan your test media to
support your curriculum. An idea is to create a storyline in which your test media will be the key
evidence in that story. This can be a combination of events such as criminal activity, corporate policy
violations, cyber stalking, or intrusions. Within this same story, multiple test media can be planned to
include flash drives and compact discs.
Once your storyline has been created, plan for creating your test media. You have two choices in this
regard, one being using an actual physical computer and the other using a virtual machine. Both have
benefits and drawbacks, but for time saving and repetition, the virtual machine route may be best. The
following chart shows differences using a physical machine and a virtual machine.
Physical hard drive versus virtual hard drive:

Size
Physical hard drive: Hard drives are rarely found in small sizes. Creating a system on an average drive results in a large image, no matter how much compression is used. One hard drive can contain only one system for testing; a dual-boot physical machine is still only one test image of the physical hard drive.
Virtual hard drive: Setting up the virtual drive only requires disk space on a host hard drive, allocated in the amount you need, which can be much smaller than any new physical hard drive (a virtual 3GB versus a physical 250GB hard drive). One physical hard drive can contain multiple virtual machines.

Imaging
Physical hard drive: Imaging a physical hard drive forensically requires physical steps, such as removing the hard drive to use a write blocker, or booting to a forensic CD/floppy/USB to image onto another hard drive.
Virtual hard drive: Imaging a virtual machine can be done directly onto the host machine or an external device through various software applications.

Subsequent test images
Physical hard drive: Subsequent test images require wiping the hard drive (or obtaining a new hard drive to wipe) and reinstalling an OS.
Virtual hard drive: Virtual machines allow snapshots or backups, so multiple virtual machines can be created without reinstalling an OS. Various versions containing different types of data sources/scenarios can be created and saved.

Mistakes
Physical hard drive: A mistake in creating evidence on a physical machine requires completely starting over with a fresh installation on a wiped hard drive.
Virtual hard drive: A mistake in creating evidence on a virtual machine only requires restoring the machine to a previous state or snapshot.
Once your system (physical or virtual) has been decided, start creating your evidence. Your evidence
starts from the day and time of installation of the operating system. So, as you use your test media,
note everything of value on a note pad. This means document your activity as you use the system, by
event, date, and time. Create email accounts. Create documents. Surf the Internet. Download files.
Send and reply to emails (to and from other dummy accounts using a different machine). Delete files.
Empty the recycle bin. Uninstall programs. Search the Internet. Create folders. Move files around.
Plug in external devices like USB flash drives. Use Peer-to-Peer networking applications. Copy files to
and from USB flash drives. In effect, use the computer as if you were the violator in your storyline.
Through your documentation, you now have credible and indisputable proof of the activity that
occurred on the system. You know the answers to any questions you will pose in homework
assignments or be asked by students. This is the only method to ensure your test images do not contain
data you are unaware of or that may cause confusion in your lessons.
Suggested Dos and Don’ts
Don’t use your test media for personal use. YOUR Internet activity and emails will be discovered by your
students. Don’t create fake data by altering dates and times of files unless you will use that to teach
anti-forensics techniques. Don’t download illegal evidence, such as child pornography or pirated
software.
Do make everything as if it were a real life use of the computer system. Do plant evidence on the
media. Evidence can be emails you sent to a dummy account that are harassing or contain fake data of
stolen intellectual property. Child pornography evidence can be planted ONLY if substitute images are
used. In most child pornography training, rather than using actual (illegal) images, pictures of kangaroos
or kittens are used. A practical exercise to demonstrate a child pornography investigation simply means
telling the students that any images of kangaroos or kittens are to be treated as if the images were of
child pornography. The analysis of these images is the same as if it were a real case of child
pornography without the risk of handling/duplicating/distributing illicit images.
Creating the Images
Since you will have spent many hours over a period of days, weeks, or months on your test media, you
will want to make sure you capture a good image and do not ruin your work. If you used a physical
computer, you have a physical hard drive to image using the traditional imaging method of write
protecting the hard drive. If you used a virtual machine, you only need to image the virtual machine,
not a physical hard drive. A virtual machine can be imaged using FTK Imager12 directly or by other means
detailed in the aforementioned virtual forensics paper.
12 FTK Imager http://www.accessdata.com
Once your image has been created, be sure to redact files to prevent copyright distribution violations.
Using WinHex, copyrighted executables can be overwritten directly in the image. Alternatively, with
X-Ways Forensics, copyrighted executables can be excluded from an image during imaging. Neither
method affects the validity of your test media work, as all data remains pristine except for those files
that must be removed to comply with software EULAs. Record which files were overwritten or excluded,
so that students (and you) can tell a deliberate redaction from a genuine artifact.
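As an added example (not from the booklet, and not a replacement for the WinHex or X-Ways workflow it describes), the following Python script shows the redaction step on a raw image at the byte level: it overwrites the byte ranges occupied by the executables you must remove and produces a redaction log with the image hash before and after and the hash of each removed range, so the change to the image is documented and a student who notices the zeroed region can be told why it is there. The sample image, the fake executable and its offset are constructed for the example; on a real image the offsets come from your forensic tool's view of the file's clusters.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large images are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def redact_ranges(image_path, ranges, fill=b"\x00"):
    """Overwrite each (offset, length) byte range of a raw image in place.

    Returns a redaction log: the image hash before and after, and per range the
    SHA-256 of the bytes removed, so the removal is documented without keeping
    the copyrighted bytes themselves. Ranges are validated against the image
    size and must not overlap, so a typo cannot wipe evidence elsewhere."""
    size = os.path.getsize(image_path)
    ordered = sorted(ranges)
    end_of_previous = 0
    for offset, length in ordered:
        if offset < end_of_previous or length <= 0 or offset + length > size:
            raise ValueError(f"bad range {offset}+{length} for {size}-byte image")
        end_of_previous = offset + length
    before = sha256_file(image_path)
    entries = []
    with open(image_path, "r+b") as f:
        for offset, length in ordered:
            f.seek(offset)
            removed = f.read(length)
            f.seek(offset)
            f.write(fill * length)
            entries.append({"offset": offset, "length": length,
                            "sha256_removed": hashlib.sha256(removed).hexdigest()})
    return {"image": image_path, "sha256_before": before,
            "sha256_after": sha256_file(image_path), "ranges": entries}


# Constructed stand-ins (assumptions for this example, not a real file system).
FILLER = bytes(range(256)) * 16          # 4096 bytes of stand-in "other evidence"
FAKE_EXE = b"MZ" + b"\x90" * 510         # 512-byte stand-in for a licensed executable
FAKE_EXE_SHA256 = hashlib.sha256(FAKE_EXE).hexdigest()


def build_sample_image(path):
    """Write filler, the fake executable, filler; return the executable's offset and length."""
    with open(path, "wb") as f:
        f.write(FILLER + FAKE_EXE + FILLER)
    return len(FILLER), len(FAKE_EXE)


def run_demo():
    """Redact the fake executable and report what changed and what did not."""
    path = os.path.join(tempfile.mkdtemp(prefix="redact_"), "test.dd")
    offset, length = build_sample_image(path)
    log = redact_ranges(path, [(offset, length)])
    with open(path, "rb") as f:
        data = f.read()
    untouched = data[:offset] == FILLER and data[offset + length:] == FILLER
    return log, data[offset:offset + length], untouched


def overlap_rejected():
    """Overlapping ranges must be refused before a single byte is written."""
    path = os.path.join(tempfile.mkdtemp(prefix="redact_"), "test.dd")
    build_sample_image(path)
    before = sha256_file(path)
    try:
        redact_ranges(path, [(0, 100), (50, 100)])
    except ValueError:
        return sha256_file(path) == before
    return False


if __name__ == "__main__":
    log, zone, untouched = run_demo()
    print(log)
    print("redacted bytes all zero:", zone == b"\x00" * len(zone), "rest untouched:", untouched)
```

Keep the redaction log with the image: the sha256_before value is the hash of the pristine image you created, and sha256_after is the hash students should get when they verify the copy they receive.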
After creating an image of your physical hard drive or virtual machine, you also have the ability to boot
the machine and capture the physical memory for lessons involving analysis of live memory. I suggest
capturing the memory after imaging the hard drive only for the reason of providing your students with a
pristine capture of a hard drive without the footprint of running a forensic application on the system. In
an actual case, capturing the physical memory would be done first.
A Side Benefit of Creating Your Own Test Images
Once you have documented and created your test images, you now will have perfect software validation
images. Since you documented exactly what occurred on the system, on the exact date and time, your
forensic tools should display that information accurately. If not, the forensic software may be defective
in that regard.
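A worked example of the documentation described under creating evidence (the log kept, by event, date and time, while using the test system) and of the software-validation use described just above, added here and not part of the original booklet: a Python script that performs a few constructed planted-evidence actions in a scratch directory, records each with a UTC timestamp and a SHA-256, and then scores a simulated forensic tool's report against that ground truth. The actions, file names and the simulated tool report are assumptions made for the example.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large evidence files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class EvidenceLog:
    """Ground-truth record of every action taken on the test system while planting evidence."""

    def __init__(self):
        self.records = []

    def record(self, action, path, **extra):
        entry = {
            "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "action": action,
            "path": path,
        }
        if os.path.isfile(path):          # a deleted file has no content left to hash
            entry["sha256"] = sha256_file(path)
            entry["size"] = os.path.getsize(path)
        entry.update(extra)
        self.records.append(entry)
        return entry

    def to_json(self):
        return json.dumps(self.records, indent=2)


def plant_evidence(root, log):
    """Constructed sample activity: act as the storyline's violator and log each step."""
    doc = os.path.join(root, "plans.txt")
    with open(doc, "w") as f:
        f.write("constructed sample document\n")
    log.record("create", doc, note="typed by the suspect account")
    with open(doc, "a") as f:
        f.write("appended a second line\n")
    log.record("modify", doc)
    copy = os.path.join(root, "plans_copy.txt")
    with open(doc, "rb") as src, open(copy, "wb") as dst:
        dst.write(src.read())
    log.record("copy", copy, source=doc)
    os.remove(doc)
    log.record("delete", doc)
    return log


def check_tool_output(log, tool_rows):
    """Compare what a forensic tool reports (list of (path, sha256)) with the log.

    The last logged hash for each path is the expected content; a deleted file
    keeps its last hash because a tool that recovers it should report that value.
    Returns a list of discrepancies; an empty list means the tool agrees with
    the ground truth."""
    expected = {}
    for r in log.records:
        if "sha256" in r:
            expected[r["path"]] = r["sha256"]
    reported = dict(tool_rows)
    problems = []
    for path, digest in reported.items():
        if path not in expected:
            problems.append(f"tool reported a file not in the ground truth: {path}")
        elif expected[path] != digest:
            problems.append(f"content hash mismatch for {path}")
    for path in expected:
        if path not in reported:
            problems.append(f"tool missed {path}")
    return problems


def run_demo():
    """Plant evidence in a scratch directory and score two simulated tool reports."""
    root = tempfile.mkdtemp(prefix="testmedia_")
    log = plant_evidence(root, EvidenceLog())
    doc = os.path.join(root, "plans.txt")
    copy = os.path.join(root, "plans_copy.txt")
    digest = sha256_file(copy)                   # same content as the deleted original
    complete = [(doc, digest), (copy, digest)]   # simulated tool recovered the deleted file too
    return log, check_tool_output(log, complete), check_tool_output(log, complete[1:])


if __name__ == "__main__":
    log, agrees, missed = run_demo()
    print(log.to_json())
    print("complete report problems:", agrees)
    print("incomplete report problems:", missed)
```

On a real test system the same log is kept by hand or by a script like this one at every step, and the "tool report" is what your forensic software lists for the image; any entry in the problems list is either a tool defect or a gap in your own documentation, and both are worth knowing before the image reaches a classroom.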
Providing the test images to students
If you decided to use a physical hard drive as test media, you may have an extremely large forensic
image to distribute to your students. This will involve time to copy the image as well as storage
media to hold it. If your test media was 500GB, it will most likely be impractical as a test image for your
students.
A virtual image is much easier to handle for size as you can easily configure the size of the drive when
creating the virtual machine. A small size physical hard drive is difficult, if not almost impossible to find.
It is feasible to create a 10GB or smaller test image with enough test evidence to last an entire course,
yet be small enough to fit on an inexpensive flash drive.
And although you will have gone through a lot of work to create this test image, you do not have to
simply hand it to your students. Using a forensic tool like FTK Imager, your students can first mount the
image as a physical drive. Then they can image the mounted drive as if they were imaging a real, physical
hard drive. This starts their case in handling evidence with the creation (and documentation) of a
forensic image.
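An added example, not from the booklet, of what that first student step looks like in code: a Python script that images a source (here a constructed 1 MiB file standing in for the mounted test media; on Linux it could equally be a write-blocked block device) into a raw image file while hashing it, re-reads the source and the written image, and records the result. The source_stable check catches a source that changed during the copy, which is what a missing write blocker looks like; the file names and the tampering step are assumptions made for the example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def stream_hash(path, chunk=1 << 20, sink=None):
    """Hash a file or block device while optionally copying it into sink."""
    h = hashlib.sha256()
    total = 0
    with open(path, "rb") as src:
        for block in iter(lambda: src.read(chunk), b""):
            h.update(block)
            if sink is not None:
                sink.write(block)
            total += len(block)
    return h.hexdigest(), total


def acquire(source, dest):
    """Image `source` to `dest` and return an acquisition record.

    Three hashes are compared: the source as it streamed past, the source read
    again afterwards, and the written image. source_stable is False if the
    source changed during the copy (no write blocker, or a live system);
    verified is False if the written image does not match what was read."""
    started = datetime.now(timezone.utc).isoformat(timespec="seconds")
    with open(dest, "wb") as out:
        stream_digest, size = stream_hash(source, sink=out)
    reread_digest, _ = stream_hash(source)
    image_digest, _ = stream_hash(dest)
    return {
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "source": source,
        "image": dest,
        "bytes": size,
        "sha256_source": stream_digest,
        "sha256_image": image_digest,
        "source_stable": stream_digest == reread_digest,
        "verified": stream_digest == image_digest,
    }


def run_demo():
    """Constructed sample: a 1 MiB pseudo-device with a recognisable byte pattern."""
    work = tempfile.mkdtemp(prefix="acq_")
    source = os.path.join(work, "mounted_test_media.raw")
    with open(source, "wb") as f:
        f.write(bytes(range(256)) * 4096)
    record = acquire(source, os.path.join(work, "student_image.dd"))
    # Tamper with the written image afterwards; re-verifying it must now fail.
    with open(record["image"], "r+b") as f:
        f.seek(4096)
        f.write(b"\xff")
    still_matches = stream_hash(record["image"])[0] == record["sha256_image"]
    return record, still_matches


if __name__ == "__main__":
    record, still_matches = run_demo()
    for key, value in record.items():
        print(f"{key}: {value}")
    print("image still matches after tampering:", still_matches)
```

The record is the student's first chain-of-custody entry: the two hashes, the byte count and the timestamps go into the case notes, and a False in either flag means the acquisition is repeated rather than analysed.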
Chapter 6 – Conclusion
By now, you should have a good idea of how to teach forensics in your classroom, based on your
curriculum. Information on how to teach is beyond this writing, but if you are involved with teaching
digital forensics, you most likely already have a teaching ability.
The actual topics of instruction, order of topics, and depth of instruction depend upon your needs,
resources, and time available. One of the recurring issues in teaching digital forensics is what to cover
first and in what order the other topics follow. As one action in the operating system affects
multiple areas, which area gets taught first? How can the registry be taught unless the Master
File Table is taught first, or would it be better the other way around? Appendix I gives simplified
examples of curriculums to spark ideas, but not as the only answer for any one program.
One of the first pieces of advice I have given to every class I’ve taught is for the class to trust me. Trust
that although a topic may not make sense today, after more pieces of the digital forensics puzzle are
explained, things start making sense. Everything is related, and it takes time to build upon each topic in
order to begin understanding how data is created and manipulated.
A piece of advice I give to you is not to attempt to teach everything in one program unless you have
more time than you can imagine using. “Everything” in digital forensics means every type of operating
system, every forensic artifact in every type of operating system, every type of electronic device from
computers to servers to mobile devices, and more topics than any one person could imagine learning,
let alone mastering. In this field, it is reasonable to expect knowledge of the basic fundamentals of digital
forensics and also reasonable to focus on specialties within the field in order to build expertise. With
that said, there is no standard in digital forensics teaching, nor a standard in the topics to teach. Digital
forensics is a moving target and therefore, so is teaching it.
Appendix I – Curriculums
College/University Level
College/University level programs have the luxury of carefully molding students through the program
with a series of prerequisite courses over a long period of time. This ensures the students have been
exposed to all required aspects of digital forensics as determined by the institution. For entry-level
future examiners with no experience, the college/university system covers every needed topic. However, it is
time intensive, measured in years. Another benefit of college/university level digital forensics
education is the resources available on most campuses in terms of equipment and software.
Associate’s degree programs may consist of general requirements for the majority of coursework with
few courses in digital forensics, in order to transfer to a 4-year university. Or, certain associate’s degree
programs may provide few general education requirements and more digital forensics courses in order
to reach a higher level of job-related skills, not necessarily to transfer to a 4-year institution.
Bachelor’s and graduate degree programs consist of general requirements in lower division units, usually
2 years of study, before focusing on the major of digital forensics. Students will practically not be
employable in digital forensics, even at entry level, until completion of at least a bachelor’s degree.
Continuing education certification programs may range up to 10 months or more of coursework specific
only to digital forensics. As a continuing education program assumes a more mature student, with
expectations of prior work experience, an entry-level job skill can be obtained in a short period of time.
Coursework in the degree programs usually includes:
General requirements (~2 years) in foreign language, English, math, science, art, etc.
Major coursework (~2 years) in digital forensics topics such as Criminal Law, Criminal Investigations,
Computer Systems, Networks, Operating Systems, Incident Response, Malware Analysis, Mobile Device
Analysis, File System Analysis, Technical Writing, Scripting, and other topics.
To benefit the student, coursework in digital forensics at this level should be focused on a specific track,
perhaps by offering different tracks to students. As an example, teaching a broad overview of digital
forensics for every operating system ensures that the student will not master any one operating system.
Conversely, focusing on one operating system with a broad overview of other operating systems will
result in the student being competent in at least one system rather than incompetent in every operating
system.
Vendor-based Curriculum
Vendor-based curriculums are easier to design for the sole reason of being restricted to teaching one
tool. Using one tool, such as a digital forensics suite, the curriculum can simply be working through
various case-type scenarios, practicing with all functions and features of the software. This type of
course can progress naturally from evidence acquisition through report creation through use of the
vendor product.
However, the difficulty of a vendor-based curriculum arises when the vendor product does not solve
certain forensic obstacles. In this type of instance, the student will not learn how to solve the obstacle,
only that ‘another tool’ will have to be used.
The benefit of vendor-based training goes to those analysts already working in the field. The time spent
attending a vendor-based training course to learn a new tool, or to more fully learn how to exploit a tool,
will save time on the job using that tool. As many students who attend vendor-based training already
have a solid foundation of digital forensics education/training, those topics do not need instruction in
the training, except insofar as the vendor product is concerned.
Specifically focused training, such as a Registry Forensics course, is also an easier curriculum to design
compared to others. In this type of training, where one or a few aspects of digital forensics are taught, any
tool can be used to address the forensic artifact being taught. Again, the students typically have a
foundation of knowledge in digital forensics and seek these focused courses to study in-depth, advanced
techniques of analysis. Information unrelated to the course topic is generally not discussed, in order to
master the topic and only that topic in the course.
Government provided curriculums
Government programs, including military services, generally have a large budget, seemingly unlimited
resources, and the ability to provide long periods of time for training courses. As one example, the US
federal government provides several digital forensics programs to federal and local law enforcement
officers, ranging from a day of training to several months of training courses. Many law enforcement
digital forensics examiners may spend six months or longer, five days a week, eight hours a day, going
through a regimen of digital forensics training.
The combined number of hours in these programs can exceed that of a master’s degree program, in a
shorter period of time, with coursework specific to digital forensics. The curriculum in these courses
can contain the vast majority of digital forensics topics, producing well-trained examiners.
Appendix II - Software Comparisons
A comparison of software would be incomplete given nearly any set of criteria. There are simply too
many software applications that accomplish too many tasks to effectively compare all of them, or even a
decent selection.
I would suggest that any discussion on the selection of software for digital forensics training include
discussion of both commercial applications and free/open source software applications. I would also
suggest that the final selection of software to be used in a program directly reflect the tasks designed in
the curriculum. In a registry forensics course, there is only a need for software specifically developed for
registry analysis. These can be both commercial and open source, but surely these would be the only
types of software needed.
Appendix III – Test Data Sets
The following data sets are freely available online:
The 2008-Nitroba corpus: http://domex.nps.edu/corp/scenarios/2008-nitroba/
The M57 Corpus: http://torrent.ibiblio.org/doc/187/torrents and http://domex.nps.edu/corp/scenarios/2009-m57/ (individual files)
HogFly’s Memory Dumps: forensicir.blogspot.com and https://cid-5694a755c9c6a175.skydrive.live.com/browse.aspx/Public
Security Sig Challenge: http://www.depleted.org/~penfold/index.html
Computer Forensic Reference Data Sets (CFReDS): http://www.cfreds.nist.gov/
Digital Forensics Tool Testing Images: http://dftt.sourceforge.net/ and http://sourceforge.net/projects/dftt/
DigitalCorpora.org: http://digitalcorpora.org/ and http://digitalcorpora.org/corp/drives/nps/2010-nps-emails/
DFRWS 2010 Forensics Challenge: http://www.dfrws.org/2010/challenge/index.shtml
Network Forensics Puzzle Contest: http://forensicscontest.com/
forensickb.com forensic practical exercises: http://www.forensickb.com/ including http://www.forensickb.com/2008/01/forensic-practical.html, http://www.forensickb.com/2008/01/forensic-practical-2.html and http://www.forensickb.com/2010/01/forensic-practical-exercise-3.html
The International Society of Forensic Computer Examiners®: http://www.isfce.com/sample-pe.htm
The Honeynet Project: http://old.honeynet.org/scans/scan24/ and http://old.honeynet.org/misc/chall.html
Enron Email Dataset: http://www.cs.cmu.edu/~enron/
U.S. Cyber Challenge: http://www.dc3.mil/challenge/2010/partners.php#carey
Accessdata: http://www.accessdata.com/academic.html (with an email request, you can receive test images from Accessdata)
WireShark Sample Captures: http://wiki.wireshark.org/SampleCaptures
SANS Digital Forensics and Incident Response Challenge: http://computer-forensics.sans.org/challenges/
The disktype File System Sampler: http://disktype.sourceforge.net/fss/
Digital Forensics Security Treasure Hunt: http://digitalforensics.securitytreasurehunt.com/
The following is NOT freely available, but is available for a cost:
The University of Central Florida’s (UCF) National Center for Forensic Science (NCFS): http://www.ncfs.org/dfqs/