Development of Computer Forensics Course Using EnCase
LUDWIG SLUSKY
CALIFORNIA STATE UNIVERSITY, LOS ANGELES, U.S.A.
LSLUSKY@EXCHANGE.CALSTATELA.EDU
PARVIZ PARTOW-NAVID
CALIFORNIA STATE UNIVERSITY, LOS ANGELES, U.S.A.
PPARTOW@EXCHANGE.CALSTATELA.EDU
E-LEARN 2009
World Conference on E-Learning in
Corporate, Government, Healthcare &
Higher Education
Vancouver, Canada: October 26-30, 2009
Best Practices Session
Tue, Oct 27; 11:55 AM
E-Learn 2009. Ludwig Slusky and Parviz Partow-Navid
10/27/2009 11:55am
Forensic Sciences
Originated in Medicine
Expanded … Arson, Chemistry, … and Digital Evidence.
Forensic Sciences is “a broad spectrum of sciences to answer questions of interest to a legal system.” (Wikipedia)
Computer Forensics
“use of analytical and investigative techniques … to identify, collect, examine and preserve information … magnetically stored or encoded … to provide digital evidence of a specific or general activity.” (Computer Forensics World)
Investigation of Computer Attacks
Investigations of computer attacks, hacker intrusion, fraud and abuses:
Salami attack
Data Diddling
Excessive (elevation of) privileges
Password sniffing on a network
IP spoofing
Eavesdropping
Emanation
Wiretapping
http://www.ecliptic.ch/Stock/home.html
Recovery of Computer Information
International principles
Recognition of evidence
Handling in various courts consistently in the same manner.
The common evidence for such investigations includes:
Violations of Information Security
Penetration of Computer Access Control
Breaching Information Accountability
Penetration of Network Security
Cryptanalysis
Penetration of Operational Security of Computer Systems
Penetration of Application and Database Security
Hacking
Illegal Internet and Web Activities, and others
Preventing Recovery - Crashed Hard Disks
Photo by Ludwig Slusky
Hard Disk Destruction
Sensitive information on a hard disk requires decommissioning. After being crushed by the Hard Disk Crusher, the data can never be recovered again. It drills through the hard disk's spindles and physically creates ripples in the platters, making it impossible to recover the data.
Reformatting a disk or using a degausser are other options, albeit they could be less reliable.
http://edrsolutions.com/solution.asp
Photo by Ludwig Slusky
Forensic Investigation Process
Phases:
Identification
Preservation
Collection
Examination
Analysis
Presentation
Decision
Evidence:
Best
Secondary
Direct
Conclusive
Circumstantial
Corroborative
Opinion
Hearsay
Computer forensics software collects data into evidence files
Remote Forensic Investigation
Forensic investigation
Traditional – physical access to a target machine
Remote – across network access (new technique)
Target machine can be located anywhere
Accessible via the Internet or dedicated communication lines
EnCase Enterprise Edition supports remote investigation
Enables covert examination
Recommendations for Remote Investigation
Keep system resource usage down
Disguise the remote investigative agent software
Make sure that any personal firewall active on the target machine is open for inbound connections
Keep log files free from recording any forensic activities
Start an agent on the target machine systematically when the machine starts
Do forensics during non-business hours or when large hard drive activity is expected (e.g., antivirus scans)
Be extra careful targeting a laptop for investigation: prolonged hard drive activity can be suspicious
A high-speed network connection is better than a slow WAN.
Source: Philipp et al. (2009). Hacking Exposed Computer Forensics: Computer Forensics Secrets & Solutions. McGraw-Hill, 2009.
Covert Collection Avoidance Techniques
Review Task Manager periodically - increased and persistent hard drive activity at odd times
Identify and stop the remote agent’s system process
Enable blocking of inbound connections in a personal firewall (to block the agent’s tool).
Be alert to performance degradation noticeable while copying a large file over the network.
Use a VPN connection whenever possible.
Computer Forensics Certifications
EnCase Certified Examiner (EnCE)
Certified Computer Forensic Technician (CCFT)
Certified Computer Forensic Examiner (CFCE)
GIAC Certified Forensics Analyst (GCFA)
AccessData Certified Examiner (ACE)
Certified Computer Examiner (CCE)
others
Introductory Course: Topics
1. Computer Forensics and Investigation as a Profession
2. Understanding Computing Investigations
3. The Investigator's Office and Laboratory
4. Processing Crime and Incident Scenes
5. Computer Forensics Tools Concepts
6. Computer Forensics Analysis and Validation
7. Acquiring Digital Evidence
8. Searching for and Bookmarking Data
9. File Signature and Hash Analysis
10. Creating Reports for High-Tech Investigations
11. Expert Testimony in High-Tech Investigations
12. Ethics for the Expert Witness
Source: Bill Nelson, Amelia Phillips, Frank Enfinger and Christopher Steuart. Guide to Computer Forensics and Investigations, 3rd Ed. Thomson Course Technology, 2008.
Pre-Requisites for Study
Students must have senior standing
Pre-requisite courses by major include:
Computer Information Systems - information architecture, common business applications, and organizational context of computer-based information systems.
Criminal Justice - methodologies and techniques appropriate for application in criminal justice environments
Accounting - Accounting Information Systems including internal controls and tools.
Pre-requisite focus - understanding of types of digital evidence and how computers work
Large disparity in this knowledge among students
Computer Forensic Software: EnCase
Guidance Software Inc.
EnCase® Forensic - makes an image of a hard drive in a forensically-prudent EnCase evidence file format
de facto standard application for computer forensics
Used in the proposed course
EnCase® Enterprise – for remote investigation of internal and external threats from a central console
EnCase Data Audit & Policy Enforcement - search for information on the laptops, desktops, file servers, and email servers … from a central location
EnCase Cybersecurity - for national information security policy (identifying/responding to threats, remediating malware).
EnCase® eDiscovery - a pocket-sized kit to search and collect electronically stored information across the network.
Basic Layout of the EnCase Forensic
Guidance Software Inc.
Practicing EnCase Forensic
Hands-on Practicum with EnCase
Understanding of Case Management, EnCase Forensics software, and evidence file structure
Team project
Depending on major, emphasis on different phases
Information systems - emphasis on identification, preservation, and collection of data of various types from various devices.
Accounting - emphasis on data collection, examination, and analysis.
Criminal Justice - emphasis on data analysis, presentation, and decision.
Computer Forensics case study in the context of a specific major
Hands-on Practicum with EnCase
Viewing FAT Entries
Navigating EnCase
Maintaining Data Integrity
Searching for Data; Bookmarking the Results
File Signature Analysis
Windows Artifacts Recovery
Partition Recovery
Email and Registry Examination
Source: Steve Bunting. EnCase Computer Forensics: The Official EnCE: EnCase Certified Examiner Study Guide. 2nd Edition, Wiley Higher Education, 2008.
Forensics Lab vs. Open Access Lab
Dedicated Computer Forensics Lab with support of technical assistants (desirable, not required)
Online remote dedicated Computer Forensics Lab (goal)
Common-use Open Access Labs on campus (sufficient)
Computers are shared between forensics studies and other courses and applications that use internal disk drives
Information Assurance and privacy concerns
Students can recover any information previously deleted by other users.
Prevent access to the hard drive as a target of investigation
Evidence files are isolated on students’ CDs and USB drives
Limit EnCase access to a student’s CD or USB drive only
Online/Hybrid/In-Class Learning
E-Learning of Information Security and preparation for certification exams (like Certified Information Systems Security Professional [CISSP®]) is common practice.
American InterContinental University - Bachelor of Information Technology (BIT) with a concentration in Computer Forensics.
Champlain College - BS in Computer and Digital Forensics
Other major online universities
University of Phoenix, Liberty University, DeVry University's Keller Graduate School of Management, Strayer University Online, etc.
A limited demo version of EnCase Forensic is included in some professional training books
Works only with the evidence file included on the CD; prevented from accessing any other media
Opens two opportunities: practicing EnCase at home and shifting some of the sessions into online mode of teaching.
Encryption for Online Studies
TrueCrypt (http://www.truecrypt.org/)
Powerful open-source encryption software
Windows Vista/XP, Mac OS X, and Linux
Encrypts a partition or the entire storage – hard disk
Mobile data protection - USB flash drive
Plausible deniability for a user using a hidden volume
Presence cannot be easily detected
Data cannot be distinguished from random residual data
Used to secure information transmitted in Online studies
Password/encryption cracking to reveal intentionally hidden information (with EnCase)
Students can originate an attack on a computer; typical methods are a dictionary-based attack, a key-based attack, or simply a brute-force attack.
Skills, Tutorials, Teamwork
Emphasis on skills using Computer Forensics software
Online instructions for Computer Forensics skills are well suited
Extensive Online EnCase tutorials to reduce the need for F2F instructions
Hybrid learning - best option
Teamwork vs. Individual work
Teamwork in a dedicated Forensic Lab with F2F instructions
Individual work in e-learning with no dedicated Forensic Lab
Future - more forensic investigation online
Challenges of Teaching Course Online
Instructional technical challenges
Responding to students’ creativity
Inappropriate use of the software by students
Multi-disciplinary audience
Dissemination of controlled knowledge and software
Risks of privacy and information security violations
Risks of instructor’s liability
Is the target computer permitted for computer investigation?
Do online participants impersonate a legitimate student?
Compliance with Laws and Regulations
InfoSec Laws, campus regulations, and ethics.
Development of Computer Forensics Course Using EnCase
THANK YOU!