
DESIGN AND IMPLEMENTATION OF DIGITAL FORENSICS LABS

A case study for teaching digital forensics to undergraduate students

Hongmei Chi, Edward L. Jones, Christy Chatmon and Deidre Evans Department of Computer and Information Science, Florida A&M University, 1333 Wahnish Way,

Tallahassee FL 32307-5100, USA [email protected] [email protected] [email protected] [email protected]

Keywords: Digital forensics, hands-on labs, FTK, open source, security education.

Abstract: Teaching digital forensics in a college has always been a challenge, especially when hands-on labs are basic elements of the course. Software and hardware are expensive for digital forensics. This paper addresses some of these challenges of identifying forensics tools of appropriate cost and functionality. We focus on inspiring the interest of students with diverse backgrounds, and giving students hands-on experiences that enhance their pursuit of careers in information assurance or law enforcement. We present a pragmatic approach to teaching digital forensics, motivated by the growing demand for a professional workforce.

1 INTRODUCTION

As our daily lives rely more and more on digital information, we become more susceptible to attacks. Computer crime affects ordinary lives deeply, creating new challenges for law enforcement officers and forensic examiners. Ninety percent of current crimes involve computers in some way. Fortunately, when computer criminals commit a crime, they also leave many clues, which in forensic terms are digital evidence. We need digital forensics professionals to capture and classify this digital evidence [7].

Digital forensics plays an important role in crime reconstruction. The need for computer forensic professionals and technicians is growing rapidly, leading to a radical growth in digital forensic education and training over the past ten years [6]. The core of these training programs is to develop a set of suitable hands-on digital forensic labs [5].

The main step in training students who are preparing to be computer forensic professionals lies in creating a comprehensive approach to computer forensics education. The goals of this paper are to describe how we set up a digital forensics course and to establish a series of hands-on computer forensic labs that facilitate student entry into the law enforcement workforce. This paper focuses on designing and implementing hands-on computer forensic labs for undergraduate students and law enforcement professionals who take our classes. Given a well-planned approach, and despite limited funding, we have created a series of labs that use easily obtained tools and open source code.

Students entering this field face a steep learning curve. Hands-on labs help students grasp core content and topics quickly [4]. In this paper we show examples of designing labs that help students or trainees understand digital forensics step by step. In addition, we tailor the labs to students at different levels.

2 MOTIVATION

Our department has a positive track record in Information Assurance education. Since its introduction, the IA track has enjoyed the demand and throughput shown in Table 1. Additional IAS courses have been introduced to meet growing demand for digital forensics and for elective courses suitable for other majors such as criminal justice. This paper reports on our efforts to increase the capacity of the IA program to meet the demand from CIS majors, and to move towards cross-disciplinary programs with STEM and other disciplines.


Our department has an opportunity to expand to meet the needs of the university. Because computing is so pervasive, the university has the obligation to educate its faculty, its students, and the public about the risks of information technology as it relates to privacy and rights. IA is one of the first aspects of computing that impacts directly on the average U.S. citizen. The mandate to serve the community is compelling.

2.1 IA Education

In August 2003, NSF awarded the CIS Department an Information Assurance (IA) Capacity Building grant. This collaborative project with Florida State University resulted in a comprehensive three-course undergraduate information assurance and security (IAS) curriculum track that was certified by NSA and CNSS in November 2004 as having implemented two CNSS training standards, NSTISSI 4011 (Information Assurance Professional) and NSTISSI 4014 (Information Systems Security Officer – Entry Level). As shown in Table 1, the IAS track is in great demand by students and, to date, nearly 60 students have earned certificates.

Table 1. Demand for IA Courses at FAMU

| IA Courses                      | 2005 | 2006 | 2007 | 2008 | 2009 |
|---------------------------------|------|------|------|------|------|
| Intro to Computer Security      | 30   | 24   | 30   | 18   | 27   |
| Network Security & Cryptography | 17   | 22   | 11   | 16   | 11   |
| Applied Security                | 38   | 21   | 40   | 17   | 15   |
| Digital Forensics               | N/A  | N/A  | 12   | 16   | 17   |
| #Certificates                   | 5    | 10   | 29   | 7    | 6    |

2.2 Digital forensics

The first area of expansion for the highly successful IA program is digital forensics, for which there are large numbers of students in other disciplines such as criminal justice. There is also an opportunity to serve the local law enforcement workforce. The cross-disciplinary concentration in digital forensics prepares students for professional certification and entry into the computer/digital forensics workforce.

This paper discusses the design and implementation of hands-on labs for undergraduate students who are exploring the nature of digital forensics for the first time. The labs are designed step by step; given the large number of Criminal Justice majors and the high demand for information assurance courses at FAMU, increased participation of minorities in digital forensics is expected. This project is expected to populate a pipeline of students who are prepared to pursue graduate study in digital forensics or to enter the digital forensics professional workforce.

Figure 1. Competencies for forensics professionals.

The skills [13] needed by a digital forensics professional fall into the areas shown in Figure 1. This education is inter-disciplinary, combining criminal justice and computer science. Our introduction to digital forensics course is taken by many criminal justice majors. It is a challenge to convey computer concepts to students with limited knowledge of computers. We take two steps to accommodate non-CIS majors: first, we introduce relevant computing concepts and terminology briefly in lectures; second, we design hands-on labs in which students apply these concepts directly to digital forensics tasks.

We utilize two types of lab assignments. The first set of labs is designed for criminal justice majors, who have less computing knowledge and experience. These hands-on labs focus on Windows, so that students can become comfortable using the computer in a way they probably have not done before. This step eases the transition to the next set of more technical labs. The second set of labs uses both Windows and Linux environments, with which CIS majors are more familiar. Lab assignments are performed by mixed student teams, to ensure that each team has the subject matter expertise and technical knowledge to complete the assignments. Additional benefits of mixed teams are the opportunity and the necessity of learning from one another.

4 HANDS-ON LABS

One of the critical steps in training students who are preparing to be computer forensic professionals lies in creating a comprehensive approach to computer forensics education [1,2]. This paper focuses on designing and implementing hands-on computer forensic labs for students and law enforcement professionals. In this section, we describe how to create labs that help students or trainees understand computer forensics step by step.

4.1 Tools

Commercial tools for digital forensics are expensive for any college, with an average cost of $3,000-$5,000 per license. With limited funds, it is unrealistic to spend $50,000 on commercial tools for one course. Because new tools are continually released, this investment would be required on a regular basis. Fortunately, many open source and freeware forensics tools are available. Tables 2 and 3 list the tools we use, along with their major features.

Table 2. Encryption/Decryption Tools for Labs

| Tool            | Features                                  |
|-----------------|-------------------------------------------|
| Cain & Abel     | Password recovery for Windows             |
| SAMinside       | Password recovery for Windows             |
| John The Ripper | Password recovery for Windows and Linux   |
| Camouflage      | Digital steganography                     |

Because students of any major are familiar with passwords, one of the first hands-on labs involves tracking and recovering passwords. Many students are surprised to learn how easily their own passwords can be cracked.

4.2 Lab Assignment Design

Certain techniques and procedures have to be established for evidence identification, preservation, extraction, documentation, and interpretation. Individual lab work is designed to help students understand these procedures, learn some fundamental techniques, and practice them first hand.

Table 3. Digital Forensic Tools for Lab

| Tool                                   | Features |
|----------------------------------------|----------|
| AccessData Forensic Toolkit (FTK) [12] | Imager; registry viewer; password recovery; query searching; data carving; integrated viewers and media player to view any set of data |
| Helix [8]                              | Imager; password recovery; cookie viewer; Internet history viewer; registry viewer; file recovery; protected storage viewer; scan for pictures |
| Sleuth Kit [9]                         | Create timeline of file activity; sort files based on file type, perform extension checking and hash database lookups; analyze image partition structures and process data units at content location |
| WinHex                                 | Disk editor; data recovery; analyze and compare files; disk cloning; drive and file wiper; encryption |
| Log Parser [10]                        | View event log; view the registry; use queries to retrieve valuable information from data |
| Paraben demo [11]                      | Cell phone forensics; email investigation |

The design of these lab experiences incorporates an understanding of the tasks a computer forensic professional may be called upon to do, and of the professional practices that must be followed to ensure legitimate results.

We consider the labs from four aspects of investigations: 1. email investigation; 2. web activities investigation; 3. Windows registry; and 4. live and memory investigation.

4.3 Sample Labs

For each lab, we have to define the objectives, such as acquiring an image for analysis or recovering passwords. The challenging part for us is to find real data for students to practice their skills on after a few labs with fabricated data. The Honeynet Project challenge website (http://www.honeynet.org/challenges) is very useful: a real challenge case study is posted there every month. The purpose of these challenges is to help the security community develop the forensic and analysis skills needed to decode real attacks. We used the Scan24 challenge case study, which has the following introductory scenario:

Joe Jacobs, 28, was arrested yesterday on charges of selling illegal drugs to high school students. A local police officer posed as a high school student was approached by Jacobs in the parking lot of Smith Hill High School. Jacobs asked the undercover cop if he would like to buy some marijuana. Before the undercover cop could answer, Jacobs pulled some out of his pocket and showed it to the officer. Jacobs said to the officer "Look at this stuff, Colombians couldn't grow it better! My supplier not only sells it direct to me, he grows it himself." …..

Jacobs has denied selling drugs at any other school besides Smith Hill and refuses to provide the police with the name of his drug supplier/producer. The police have imaged the suspect's floppy disk and have provided you with a copy. They would like you to examine the floppy disk and provide answers to the following questions.

Retrieved from web site: http://old.honeynet.org/scans/scan24/report.txt

We designed the lab to support this case study, and used some of the case study questions for students to answer.

1. Who is Joe Jacob's supplier of marijuana, and what is the address listed for the supplier?

2. What crucial data are available within the coverpage.jpg file, and why is this data crucial?

3. What (if any) other high schools besides Smith Hill does Joe Jacobs frequent?

4. For each file, what processes were taken by the suspect to mask them from others?

5. What processes did you (the investigator) use to successfully examine the entire contents of each file?

Most students completed this lab unassisted, and reported that they enjoyed the assignment.
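Questions 4 and 5 above ask how the suspect masked files and how the investigator examined them; a common masking step is renaming a file to an unrelated extension, which the "extension checking" and "data carving" features in Table 3 are meant to catch. The following Python script is an added example, not code from the paper or the Honeynet challenge: it carves known file headers out of a constructed floppy-image buffer (the bytes, offsets and file names are made up here, not the Scan24 image), flags directory entries whose extension disagrees with their content, and hashes the carved region for a hash-database lookup.

```python
import hashlib

# Magic-number signatures (a constructed subset; real tools carry far larger tables)
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",                      # JPEG start-of-image marker
    b"PK\x03\x04": "zip",                        # ZIP local file header
    b"%PDF-": "pdf",                             # PDF header
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "doc",  # OLE2 compound file (legacy Office)
}

# Constructed sample content: three small blobs, not real files from any case.
JPEG_BLOB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20 + b"\xff\xd9"
ZIP_BLOB = b"PK\x03\x04\x14\x00" + b"\x00" * 26 + b"hidden.txt"
DOC_BLOB = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24

def build_image():
    """Assemble a 1 KiB constructed 'floppy image' with the blobs at fixed offsets."""
    image = bytearray(1024)
    image[0x100:0x100 + len(JPEG_BLOB)] = JPEG_BLOB
    image[0x200:0x200 + len(ZIP_BLOB)] = ZIP_BLOB
    image[0x300:0x300 + len(DOC_BLOB)] = DOC_BLOB
    return bytes(image)

# Constructed directory listing as a file-system parser would report it: name -> start offset.
# notes.txt deliberately points at ZIP content, i.e. a renamed archive.
DIRECTORY = {"cover.jpg": 0x100, "notes.txt": 0x200, "report.doc": 0x300}

def sniff_type(data):
    """Return the content type implied by the leading bytes, or None if unknown."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None

def carve(image):
    """Scan every offset for a known header (data carving); ignores the directory entirely."""
    found = []
    for offset in range(len(image)):
        kind = sniff_type(image[offset:offset + 8])
        if kind:
            found.append((offset, kind))
    return found

def check_extensions(image, directory):
    """Report (name, claimed extension, actual type) where the two disagree."""
    mismatches = []
    for name, offset in directory.items():
        ext = name.rsplit(".", 1)[-1].lower()
        actual = sniff_type(image[offset:offset + 8])
        if actual and actual != ext:
            mismatches.append((name, ext, actual))
    return mismatches

def file_hashes(image, offset, length):
    """MD5 and SHA-1 of a carved region, the values a hash-database lookup would use."""
    chunk = image[offset:offset + length]
    return hashlib.md5(chunk).hexdigest(), hashlib.sha1(chunk).hexdigest()

if __name__ == "__main__":
    img = build_image()
    print("carved headers:", carve(img))
    print("extension mismatches:", check_extensions(img, DIRECTORY))
    print("hashes of notes.txt region:", file_hashes(img, DIRECTORY["notes.txt"], len(ZIP_BLOB)))
```

The carving pass finds the three headers from the raw bytes alone, and the extension check singles out notes.txt as a ZIP archive hiding behind a .txt name.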

All hands-on labs fall into two types: Level-1 and Level-2. Level-1 labs are for non-majors; they are designed to help students master computer terms and prepare them to complete the Level-2 (major) labs.

One of our hands-on labs uses SAMinside to crack passwords of varying complexity. The purpose of this lab is to use cracking tools to discover password weaknesses and to understand the importance of the weaknesses in the LM (LAN Manager) hash. For non-major students there is a lot of jargon, so we designed a Level-1 lab to help them understand the SAM (Security Account Manager), the LM hash, and password complexity. This lab works better for non-major students than a lecture-only session; students master the concepts more easily.

In summary, the principles of these labs are designed and adapted according to the background and knowledge of our students. The final goal is for students, whatever their major, to grasp the major concepts of digital forensics.

5 RESPONSES FROM STUDENTS

Anecdotal feedback from students is very positive. The last question in the final exam for this class is "Write down the most interesting topics that you have learned from this class." Several responses are presented next:

“The different tools used in all labs were the most interesting. FTK and other tool[s] allow investigator[s] to find out evidence from many different file types including encrypted files.”

“The most interesting part was to learn how to uncover hidden information from computer.”

“The hands-on experience labs make use of FTK, Helix and Sleuth Tools. Being able to act as investigator is very interesting. I would like to work [in a] digital forensics related job.”

“The labs use these real-world cases that are from the wild, real hacks. Solving those real challenge cases inspired me. I would like to work at [a] digital forensics related job in [the] future.”

“The most interesting part of this class is hands-on labs. Network forensics, botnet and honeynet and malware transmission through the internet is a costly problem that can eventually become the biggest homeland security threat.”

Many students are inspired to learn more about digital forensics and would like to work as digital forensics professionals. Some of these students already come from law enforcement, and some are non-majors. Students generally agree that the hands-on labs contain the most useful material in this course, and that the labs help them grasp difficult concepts and procedures more easily. Among lectures, projects and hands-on labs, students rate the hands-on labs highest. In the term project, we ask students to design their own lab assignment based on one or two open source tools. Most students complete their term project with limited supervision. This skill will be helpful when they become professionals after graduation.

6 CONCLUSIONS

We have discussed our principles and ideas for creating hands-on labs for different levels of students in a digital forensics course, given the constraint that the tools used come from free sources. In the future, we will continue to work with the most popular forensics tools and create more labs that exploit the features of these tools, expanding the design variations we want students to experience [3]. In addition, we will improve existing labs and continuously collect student feedback to make the labs better learning tools and more student-friendly. Future work will also focus on making certain that the labs are adaptable to different levels of student expertise and ambition. Open-ended labs provide rich experiences for motivated students, and the results of out-of-the-box explorations extend the depth of future lab assignments. We will focus on how to carry our security education into a set of game-based hands-on labs, such as phishing education [14] and network security labs such as CyberCIEGE [15]. In addition, we will design and develop in-house games for use in hands-on labs [16].

ACKNOWLEDGMENTS

The authors recognize the contribution of graduate student Jude Desti in implementing many of the hands-on labs. This work has been supported in part by U.S. Department of Education grant P120A080094, and by NSF Minority Institutions Infrastructure grant CNS-0424556.

REFERENCES

[1] Austin, R. D. 2007. Digital forensics on the cheap: teaching forensics using open source tools. Proceedings of the 4th Annual Conference on Information Security Curriculum Development (InfoSecCD'07), September 28, 2007, Kennesaw, Georgia, ACM, New York, NY, 1-5.

[2] Batten, L. and Pan, L. Teaching Digital Forensics to Undergraduate Students. IEEE Security and Privacy 6, 3 (May. 2008), 54-56.

[3] Lawrence, K. and Chi, H. Framework for the design of web-based learning for digital forensics labs, Proceedings of the 47th Annual ACM Southeast Regional Conference, March 19-21, 2009, Clemson, SC.

[4] Manson, D., Carlin, A., Ramos, S., Gyger, A., Kaufman, M., and Treichelt, J. Is the Open Way a Better Way? Digital Forensics Using Open Source Tools. In Proceedings of the 40th Annual Hawaii International Conference on System Sciences (HICSS 2007), January 3-6, 2007, Waikoloa, Big Island, Hawaii, USA. IEEE Computer Society. 266.

[5] McGuire, T. J. and Murff, K. N. 2006. Issues in the development of a digital forensics curriculum. Journal of Computing Sciences in Colleges. 22, 2 (Dec. 2006), 274-280

[6] Yasinsac, A., Erbacher, R. F., Marks, D. G., Pollitt, M. M., and Sommer, P. M. Computer Forensics Education. IEEE Security and Privacy 1, 4 (Jul. 2003), 15-23.

[7] Wassenaar, D., Woo, D., and Wu, P. 2009. A certificate program in computer forensics. Journal of Computing Sciences in Colleges 24, 4 (Apr. 2009), 158-167.

[8] Helix - Incident Response & Computer Forensics Live CD by e-fense™, Inc. Downloaded from http://www.e-fense.com/helix/index.php on 8/15/2008.

[9] The Sleuth Kit & Autopsy: Digital Investigation Tools for Linux and other UNIX environments. Downloaded from http://www.sleuthkit.org/sleuthkit/desc.php on 8/15/2008.

[10] LogParser 2.2 Documentation. Downloaded from http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1287 on 8/15/2008.

[11] Paraben Forensics Tools. Downloaded from http://www.paraben-forensics.com/ on 8/15/2008.

[12] AccessData - Forensic Toolkit® 2.0. Downloaded from http://www.accessdata.com/downloads/media/AccessData_Forensics_Brochure.pdf on 8/15/2008.

[13] Volonino, L., Anzaldua, R., and Godwin, J. Computer Forensics-Principles and Practices, Prentice Hall, 2006, ISBN: 0131547275.

[14] Heng, S., B. Magnien, P. Kumaraguru, A. Acquisti, L.F. Cranor, J.I. Hong, E. Nunge. Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish. In the Proceedings of Symposium on Usable Privacy and Security (SOUPS 2007).

[15] Cone, B. D., Irvine, C. E., Thompson, M. F., Nguyen. A Video Game for Cyber Security Training and Awareness. Computers & Security 26, 1 (February 2007), 63-72

[16] Chi, H and Jones, E. Broadening Information Assurance Awareness by Gaming. 2nd International Conference on Computer Supported Education (CSEDU 2010), Valencia Spain, April 7-10, 2010. Submitted.