Page 1: Teaching Digital Forensics to Undergraduate Students

Education

Editors: Matt Bishop, [email protected]; A. Frincke, [email protected]

Published by the IEEE Computer Society ■ 1540-7993/08/$25.00 © 2008 IEEE ■ IEEE Security & Privacy

Teaching Digital Forensics to Undergraduate Students

Lynn Batten and Lei Pan

Deakin University

Digital forensics isn’t commonly part of an undergraduate university degree, but Deakin University in Australia recently introduced the subject as part of an IT security course. As instructors, we’ve found that digital forensics complements our other security offerings because it affords insights into why and how security fails.

A basic part of this course is an ethics agreement signed by students and submitted to the unit instructor. This agreement, approved by Deakin University’s legal office and consistent with Barbara Endicott-Popovsky’s approach [1], requires students to maintain a professional and ethical attitude to the subject matter and its applications.

Assignments regularly cast students in the role of forensic professional. Our teaching team emphasizes throughout the course that professional conduct establishes credibility with employers and customers as well as colleagues, and is required to perform the job effectively. This article describes our experiences with this course.

The forensic unit’s contents

The unit takes a standard approach to investigating a single computer or laptop involved in an incident: students learn how to boot the machine into forensic mode and avoid making changes to data or timestamps while the investigation is in progress. Instructors cover data-hiding techniques and methods for recovering deleted files, the use of hash functions to identify files, and how to capture network packets and analyze traffic. We also cover practical issues such as working in a hazardous materials setting, using a variety of forensic tools for different purposes, making and copying bitstream versions of files or discs, and working on copies while preserving original evidence.

The unit requires students to work individually on two assignments to develop their skills in identifying, preserving, analyzing, and presenting digital evidence. Each of these assignments simulates a digital forensic case in which the student plays the role of forensic investigator. After students acquire the basic investigative skills, we offer a more advanced assignment that includes data carving, steganography, and encryption. The rest of this section reviews the advanced component in more detail.

The investigative scenario

The scenario starts with a hazardous materials team called to a warehouse behind the Roma Street train station in Brisbane at 3 a.m. on 25 April. Team member Moti identifies the scene as a drug manufacturing location: the people working there have hurriedly packaged up loose powders but have left traces on the floor and across many desk surfaces. Moti decides not to call in the forensic squad because he suspects the drug is at the top of the current most dangerous list, and he needs to analyze samples in his lab for confirmation.

However, Moti notes that a computer is in the crime-scene area, so he calls his colleague Sandra, the forensic team’s director, and asks her to walk him through a capture of computer data for forensic analysis. He shuts down the laptop and removes it from the scene along with several CDs he finds in a desk drawer. Later that day, Sandra analyzes the laptop in the police forensics lab, but it doesn’t appear to store any documents of interest: three of the CDs hold recent movies, and the fourth has pictures of cars. Sandra makes three forensic copies of all the data and stores two of them safely in the lab. She then gives the laptop and CDs to various staff members for analysis, distributing the third copies to them. Because most of the staff is involved in a large ongoing investigation, she decides to ask for the help of an additional team member (the student) who’s vacationing overseas.

Sandra sends a secure email with an attachment containing a compressed version of the car photos from the car CD along with a request to analyze them as quickly as possible for any pertinent information. She also attaches a list of possible passwords that investigators found in a locked drawer of the suspect’s desk. These passwords are anthony, artemidorus, brutus, caesar, calphurnia, and cassius.

Getting to the solution

The provided binary file appears to consist of a single picture, regardless of the image viewer program used, but it’s actually a concatenation of 12 individual pictures, each of which can be identified through a binary examination (specifically, a hex reader displays 12 obvious .gif headers). To extract each individual file, most students use a hex editor program such as Hex Workshop to manually cut and paste the binary segments into 12 new .gif files; other students use file-carving tools such as Scalpel and Foremost. We expect the students to calculate two hash values, MD5 and SHA-1, for each extracted file.
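The carving and hashing step described above can be scripted. The following is an added example, not code from the article or the course: it walks the GIF block structure to find where each image really ends, rather than splitting on every header string, and hashes each carved file. The sample blob, `make_gif`, and all function names are constructed for illustration.

```python
import hashlib
import re
import struct

HEADER = re.compile(rb"GIF8[79]a")            # GIF87a / GIF89a signatures

def _skip_sub_blocks(buf, pos):               # length-prefixed chain ending in 0x00
    while buf[pos] != 0:
        pos += 1 + buf[pos]
    return pos + 1

def gif_end(buf, start):
    """Walk the GIF block structure from `start`; return the offset past its trailer."""
    pos = start + 13                          # 6-byte header + 7-byte screen descriptor
    if buf[start + 10] & 0x80:                # global colour table present
        pos += 3 * (2 << (buf[start + 10] & 0x07))
    while True:
        block = buf[pos]
        if block == 0x3B:                     # trailer: end of this image file
            return pos + 1
        if block == 0x21:                     # extension: introducer, label, sub-blocks
            pos = _skip_sub_blocks(buf, pos + 2)
        elif block == 0x2C:                   # image descriptor, optional local table
            lflags = buf[pos + 9]
            pos += 10 + (3 * (2 << (lflags & 0x07)) if lflags & 0x80 else 0)
            pos = _skip_sub_blocks(buf, pos + 1)   # +1 skips the LZW code-size byte
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at offset {pos}")

def carve_gifs(blob):
    """Return (offset, data, md5, sha1) for every structurally complete GIF in blob."""
    found, pos = [], 0
    while (m := HEADER.search(blob, pos)):
        try:
            end = gif_end(blob, m.start())
        except (IndexError, ValueError):      # false header or truncated image
            pos = m.start() + 1
            continue
        data = blob[m.start():end]
        found.append((m.start(), data, hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()))
        pos = end
    return found

def make_gif(rgb, comment=b""):               # constructed 1x1 GIF89a for the demo
    ext = b"\x21\xfe" + bytes([len(comment)]) + comment + b"\x00" if comment else b""
    return (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + bytes(rgb) + bytes(3) + ext
            + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02\x02\x44\x01\x00\x3b")

# Constructed sample: 12 tiny GIFs concatenated; one hides "GIF89a" in a comment block
SAMPLE = b"".join(make_gif((i * 20, 0, 0), b"GIF89a" if i == 3 else b"") for i in range(12))
```

A plain header count on the sample reports 13 signatures, while the structural walk recovers the 12 real files, which is why recording the carve offsets alongside both hashes makes the extraction reproducible.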

Supplied with a list of passwords, students recover three text files by applying each given password to every .gif file by using a steganographic tool (S-Tools in our lab). The three text files are located in three different picture files: we hid Who.txt in a file labeled Bugatti EB110 1995 protected by DES encryption and password caesar; Where.txt in the Aston Martin 2002 file protected by DES encryption and password anthony; and How.txt in the Maserati Coupe 2004 file protected by DES encryption and password brutus. Figure 1 shows the three text files.

The How.txt and Where.txt files are readable, but the Who.txt file appears to be encrypted. The information in the How.txt file suggests a possible encryption method is the Caesar cipher, which permutes the alphabet. Many of the students used an automated script they found on the Web (www.secretcodebreaker.com/caesar.html), entered the encrypted text, and requested a shift of four positions (from “four caesars”) back to decrypt, which gave a list of names (“Wong,” “Davidson,” and so on).
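The decryption step can be checked without a Web script. This added example, not part of the original article, parses the Who.txt listing from Figure 1 and recovers the shift from a crib, here the name "Davidson" that the article quotes from the decrypted output, so the "four caesars" hint is confirmed rather than assumed. Function names are illustrative.

```python
import re

# Who.txt as reproduced in Figure 1 of the article
WHO_TXT = """
1. ASRK 2. HEZMHWSR 3. WLMZEOYQEV
4. AMPPMEQW 5. OMQ 6. IXMRSOI
7. VMGLEVHW 8. LYERK 9. IZERW
10. GVSA 11. JMWLIV 12. PMQ
13. WMRKL 14. GSLIR 15. FVYRIPPM
"""

def parse_entries(text):
    """Return the ciphertext words in their numbered order."""
    pairs = re.findall(r"(\d+)\.\s+([A-Z]+)", text)
    return [word for _, word in sorted((int(n), word) for n, word in pairs)]

def shift_back(word, k):
    """Caesar-decrypt an upper-case word by moving each letter k places back."""
    return "".join(chr((ord(c) - ord("A") - k) % 26 + ord("A")) for c in word)

def recover_shift(words, crib):
    """Find the single shift under which one ciphertext word decrypts to the crib."""
    hits = [k for k in range(26) if any(shift_back(w, k) == crib for w in words)]
    if len(hits) != 1:
        raise ValueError(f"crib {crib!r} matched {len(hits)} shifts")
    return hits[0]

def decrypt_who(text, crib="DAVIDSON"):
    """Return (shift, plaintext names) for the numbered listing."""
    words = parse_entries(text)
    k = recover_shift(words, crib)
    return k, [shift_back(w, k) for w in words]

if __name__ == "__main__":
    shift, names = decrypt_who(WHO_TXT)
    print(f"shift back by {shift}:", ", ".join(names))
```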

We then ask the students to write a two-page report to Sandra, listing their findings and recommendations. They must also construct and complete an appropriate evidence form as part of this report, and their detailed procedures should include the search for hidden files in the 12 .gif files, recovery of the three text files, and the decrypted cipher text in the Who.txt file. The 15 numbers in the Where.txt file are Australian mobile numbers.

We’ve found that students enjoy doing this assignment and chat about it a great deal in the online unit chat space. Verbal feedback to staff is also positive, as indicated by the teaching evaluation results from the last course. We didn’t see any significant differences between the results of on- and off-campus students.

Technical issues

The textbook [2] we use comes with an individual license for software called DriveSpy. This tool works in DOS command mode and lets students analyze and retrieve files from several storage media devices; the text focuses on floppy drives. We’ve found that the floppy drive, a traditional and cheap storage device, is a good starting point for beginners in digital forensics because students can grasp the detailed structure of an entire filesystem by manually examining a floppy disc sector by sector within a few hours.

However, the fact that we must use floppy discs with this software has led to some problems, primarily because almost nobody has a floppy drive on their machines at home. The on-campus labs do have floppy drives, so we’ve ordered a few hundred discs for our two campuses in Burwood and Geelong. Students don’t seem to mind using these in the labs, but off-campus students or students working on their home computers wish for some additional options. Some get around this problem by using virtual floppy drives; others are Linux users who avoid the problem entirely by mounting floppy images as a loop device.

Besides the tools listed in the textbook, we’ve introduced additional ones that are distributed under free licenses on the Internet. Some of these, such as HxD (http://mh-nexus.de/hxd/) and S-Tools (www.stegoarchive.com), have become very popular with our students, but they also use the university’s chat space to broadcast information and ideas about new tools and facilities. We’ve also found software licenses in general to be a challenge: some of our key software is only free for a short trial period and expires halfway through the semester.

Figure 1. Three recovered text files. We hid each of these files in a photograph of a car and instructed students to recover them with a variety of techniques.

How.txt

four caesars

Who.txt

1. ASRK 2. HEZMHWSR 3. WLMZEOYQEV
4. AMPPMEQW 5. OMQ 6. IXMRSOI
7. VMGLEVHW 8. LYERK 9. IZERW
10. GVSA 11. JMWLIV 12. PMQ
13. WMRKL 14. GSLIR 15. FVYRIPPM

Where.txt

1. 0409267531 2. 0412563993 3. 0500287456
4. 0416327897 5. 040028648 6. 0486375296
7. 0500374092 8. 0483956280 9. 0484974488
10. 0429846759 11. 0500329674 12. 0492695873
13. 0402389756 14. 0423940785 15. 0478822256

Clearly, we’ve shown that universities and colleges can implement introductory computer forensics and achieve good teaching results given a tight budget, limited staff, and a requirement to provide the same experience to both on- and off-campus students. The students in our course receive hands-on, realistic experience with tools and gain insight into forensic tasks performed in the real world; they also develop an understanding of broad theories about operating systems, file structures, and the behavior of high-level applications. Introducing investigative scenarios in our assignments not only strongly motivates students but also improves their analytic, problem-solving, and communicative skills.

By teaching this unit at the second-year undergraduate level, we’ve found that

• little background is needed; one year of university experience is necessary and sufficient; and
• students get to see ideas not presented in any other unit.

Dealing with the ethics issues is an interesting challenge, but our approach seems to work by introducing an agreement between the university and the student. Because we chose a standard international agreement, the legal office is happy to sign off on it. Digital forensics is now a regular annual offering at Deakin and has become very popular among students.

References

[1] B. Endicott-Popovsky, “Ethics and Teaching Information Assurance,” IEEE Security & Privacy, vol. 1, no. 4, 2003, pp. 65–67.

[2] B. Nelson et al., Guide to Computer Forensics and Investigations, 2nd ed., Thomson Course Technology, 2006.

Lynn Batten is director of the Information Security Group at Deakin University. Her research covers a spectrum of security areas including cryptography, wireless network security, security and privacy issues, and computer forensics. Batten is a member of the IEEE and a fellow of the Australian Computer Society. Contact her at [email protected].

Lei Pan is a lecturer at Deakin University. His research interests include digital forensics, software testing, and general security issues. Contact him at l.pan@deakin.edu.au.
