National Forensics Training Center “A National Impact for Mississippi State University”


MSU Cyber Crime Initiative A National Impact for Mississippi State University

Dave Dampier
Department of Computer Science and Engineering

What is the threat?
  • Identity Theft
  • Theft of Trade Secrets
  • Using corporate networks to launch attacks on others
  • Fraud
  • Embezzlement
  • ????

History of Digital Forensics
  • Earliest notion of digital forensics came when the Federal Rules of Evidence first started to discuss digital evidence in the 1970s.
  • Real digital forensics investigations started in the mid- to late 1980s, when federal agents had to start figuring out ways to search computers for digital evidence.
  • This home-grown, bottom-up approach continued until the late 1990s, when security researchers at universities and labs started to figure out that this problem was big enough to warrant investigation.
  • Research groups sprang up across the country starting around 2000 or 2001.
  • The first Digital Forensics Research Workshop (DFRWS) was held in Utica, NY in August 2001.

Digital Forensics Early at MSU
  • Initial work in digital forensics started at MSU in 2002.
  • We managed to catch the crest of the wave.
  • Lots of training and lots of research led to first class in Spring 2003.
  • Class has been held at least once per year since.
  • 2003-2006 spent building a real capability in digital forensics.
  • Several M.S. and Ph.D. graduates by 2006.

National Forensics Training Center (NFTC)
  • Funded by DOJ beginning in 2005.
  • Trains state and local law enforcement in cyber crime issues and basic tools and techniques of digital forensics investigation.
  • Introduced more advanced training starting in late 2006, and have continued to build capability ever since.
  • Wounded Warrior Training introduced in 2008: an NSF-funded initiative under the Cyberinfrastructure Training, Education, Advancement, and Mentoring for Our 21st Century Workforce (CI-TEAM) Program.

Digital Forensics Now at MSU
  • Graduate Research
      • Five active PhD students at various stages of research. One will graduate in December. Two more will likely graduate by next December.
      • Eleven active M.S. students: four doing thesis, others doing projects.
  • Classes are always at capacity
      • Introductory Digital Forensics offered at least once per year.
      • Advanced Digital Forensics offered at least once every other year.
      • Freshman Seminar Forensics offered each Fall. This includes all aspects of forensics. Students are exposed to digital forensics for three weeks in October.

Background on Law Enforcement Support
  • Since 2005, MSU has managed a unique and successful Computer Crime and Digital Forensics training program to support state and local law enforcement. Feds not prohibited, but not invited either.
  • Through varied DOJ grants, ~$10M has been used to support our Digital Forensics Training and our ongoing partnership with the Mississippi Attorney General.
  • Funding supports an MSU-coordinated Forensics Training Center that trains local and state law enforcement across the US.
  • Provides no-cost training for law enforcement officers, prosecutors, and trial judges on current technical issues associated with computer crime. About 5000 trained in 34 states.
  • Funds a state-of-the-art integrated Cyber Crime Fusion Center (CCFC) in Jackson, MS.
  • FBI, Secret Service, Postal Inspectors, Attorney General's Office, and MSU cooperate in a Cyber Crime Fusion Center.

Law Enforcement Training
  • Training conducted at MSU/Ole Miss/JSU/Sillers Building or at students' location when enough students are guaranteed.
  • Course offerings:
      • Computer Forensics Primer
      • Introduction to Cyber Crime and Digital Forensics
      • Practical Training in Computer Forensics
      • Search and Seizure of Computers and Electronic Evidence: Law Enforcement
      • Search and Seizure of Computers and Electronic Evidence: Trial Judges
      • Introduction to Digital Forensics for Prosecutors
      • Advanced Digital Forensics
      • Network Forensics
      • Open Source Tools for Forensics
      • Commercial Tools for Forensics
      • Special Topics in Forensics
      • Investigation Planning
      • FBI Image Scan Classes
      • Cell Phone Training

NFTC Staff
  • Director
      • Dave Dampier, PhD
  • Instructors
      • Kendall Blaylock, MS, IS (Lead)
      • Wes McGrew, MS, CS, Pursuing PhD in CS
      • Sherita Sekul, MPA, Former AG Forensics Investigator
      • April Tanner, PhD, Jackson State University
  • Research Assistants
      • Dae Glendowne, PhD Student
      • Chris Ivancic, PhD Student
  • Contract Instructors
      • John Fretts, Retired Law Enforcement Officer
      • Keith Leavitt, Law Enforcement Officer, Active Forensics Examiner

We Developed University Partners
  • National Forensics Training Center
      • St Cloud State University
      • University of Texas at Tyler
      • California Polytechnic Pomona
      • University of Washington
      • University of West Georgia (Relationship just beginning)
  • For Wounded Warrior Digital Forensics Training
      • Mississippi State University (lead)
      • Auburn University
      • Tuskegee University

National Impact
  • 34 states have at least one trained.
  • 5 states have current training center.
  • 18 host sites have hosted training.

National Impact
  • States affected: Alabama, Arkansas, Alaska, California, District of Columbia, Delaware, Florida, Georgia, Idaho, Indiana, Kansas, Kentucky, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, Missouri, New Hampshire, New York, North Carolina, North Dakota, South Dakota, Ohio, Oklahoma, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Virginia, West Virginia, Washington
  • Remote classes taught in: Alabama, Arkansas, Alaska, California, Florida, Georgia, Idaho, Indiana, Maryland, Michigan, Minnesota, Tennessee, Texas, West Virginia
  • Currently in negotiation with Connecticut State Police to have a class

IMPACT: Labs/Equipment
  • [Map of Mississippi counties. Labeled counties: Noxubee, Marshall, Tishomingo, Tippah, Amite, Jefferson, Webster, Carroll. Legend: Laboratories, Strategically Placed Equipment, Future Equipment.]
  • Adding Cell Phone capability in more places
  • 56 of 82 counties affected.

Wounded Warrior Training
  • Leveraged NFTC successes
  • Partnered with Auburn/Tuskegee
  • $1M effort for 3 years
  • Partnering with Defense Cyber Crime Center for follow-on training
  • Classes have been held at WRAMC; Ft Benning, GA; Ft. Knox, KY; Ft. Carson, CO; Ft Lewis, WA; Norfolk Naval Hosp; Redstone Arsenal; Jackson VA Hospital; Ft. Sam Houston, TX; and more to come.

Wounded Warrior Training Curriculum
  • When we started, we had three tracks of instruction to accommodate backgrounds:
      • Track 1: Do not have a background in computing (24 hours)
      • Track 2: Good understanding of hardware and software basics (56 hours)
      • Track 3: Those students that need advanced digital forensics training (40 hours)
  • Lessons learned caused us to modify this training to two basic tracks:
      • Track 1 + Track 2 (72 hours)
      • Track 3 (32 hours)

Curriculum Details
  • Introduction to Computers: This three-day block will introduce the student to computer architecture, disk formatting, common software packages, operation of the computer, and an introduction to computer security concepts (firewalls, malicious code protections, spam, browsers, audit logs, and accountability). During this block of instruction, students will disassemble and reassemble both desktop and laptop computers.
  • Introduction to Cyber Crime: This two-day block of instruction is designed to teach the student proper search and seizure techniques, data hiding techniques (e.g., steganography, X-box modification, wireless external drives, etc.), proper bag and tag procedures, chain of custody, and proper procedures in conducting a forensics investigation.
  • Digital Forensics Tools and Techniques: This is an intensive, hands-on three-day block of instruction that teaches students the proper operation of digital forensics hardware and software tools. The majority of hardware and software tools available to practicing digital forensics investigators will be used during this block. This includes a Forensic Recovery of Evidence Device (FRED) system, Image Masster and Logicube hardware for imaging purposes, an Airlite forensics kit, write blockers, Linux/Unix tool sets, EnCase forensics software, AccessData's Forensic Toolkit (FTK), The Coroner's Toolkit, Autopsy, Sam Spade tool kits and others. The emphasis of this block is practical application of the digital forensics trade.

Curriculum Details
  • Business Practices: This block is designed to train the student on the cost of entering the digital forensics business, programs offered by the US Department of Veterans Affairs that can assist in establishing a small business, return on investment, and pricing structures. The cost tradeoffs of purchasing commercial versus using freeware are discussed and advantages/disadvantages of each strategy are presented.
  • Practical Experience Exercise: This is a one-day live fire exercise where students are required to conduct a digital forensics investigation and demonstrate competency throughout the entire cycle of events from search and seizure to evidence discovery and preservation.
  • Advanced Forensics Techniques: These three to five days of additional training are necessary for those that intend to work for the government or that wish to be independent consultants. This additional week of instruction will cover cell phone forensics, PDA forensics, Windows forensics, and network forensics.

Success Stories
  • PhD student at MSU conducted initial investigation into Electronic Tribulation Army hacker preparing for massive infrastructure attack on July 4, 2009, and as a result, FBI quickly made the arrest and prevented the attack.
  • Columbus, MS Crime Lab up and running with provided equipment and training.
  • Lee County, MS Sheriff's Office now has fully functional computer forensics laboratory.
  • More than twenty convictions on child exploitation cases as a direct result of FTC training and equipment.
  • Providing backup forensic examinations on fraud and racketeering cases for MS AG's office.
  • Oxford, MS PD has convictions on child exploitation cases as a direct result of FTC training and equipment.
  • Assisted MS Attorney General by:
      • Increasing investigative staff by one
      • Helping prepare proposal for Internet Crimes Against Children Task Force
      • Increasing capability to handle cell phones and small devices
      • Reducing requests for outside assistance through regional labs
  • Increased Secret Service (Jackson office) capacity to work cases by providing the laboratory space in the CCFC.
  • Some wounded warriors are now working in digital forensics investigative agencies.

Contacts at MSU
  • Dave Dampier, Director, Center for Computer Security Research and Director, National Forensics Training Center, [email protected], 662-325-2756

National Forensics Training Center
  • Kendall Blaylock
  • Wes McGrew
  • 662-325-2422

http://www.msu-nftc.org