Problem Solving in Computer Forensics - PowerPoint PPT Presentation

Slides: 16
Provided by: compu354
Transcript and Presenter's Notes

1
Problem Solving in Computer Forensics
Dr John Haggerty
Distributed Multimedia and Security Group, Liverpool John Moores University
J.Haggerty_at_livjm.ac.uk
http://www.cms.livjm.ac.uk/cmpjhagg/index.htm
2
Outline of talk
  • Introduction to Liverpool JMU
  • Module background
  • My philosophy
  • Problems I have encountered
  • My teaching approach
  • Some examples
  • Findings and conclusion

3
Background to JMU
  • Lecturer in Computer Security and Forensic
    Computing
  • Computer security background
  • Academic research
  • Practical experience
  • Liverpool JMU reputation in computer security
    research (Distributed Multimedia and Security
    Group)
  • Requirement for wider knowledge of security and
    forensic issues

4
Module background
  • Run first time 2004/2005
  • Initial expectation to complement mainstream
    Forensics programme at JMU
  • Different levels of expectation and ability
  • Forensic Computing
  • BSc (level 3)
  • Approx. 50 students (up from approx. 40
    2004/2005)
  • IS, MMS, CS and SE options (2005/2006 extended to
    MMS)

5
Module aims and objectives
  • Forensic Computing
  • Aims
  • To develop an understanding of the theory and
    practice of computer forensics.
  • Objectives
  • Understand the fundamental technical concepts,
    implementation, and restrictions of computer
    forensics in the organisation.
  • Analyse and evaluate physical and data evidence
    in computer forensics.
  • Develop practical skills in computer forensics.

6
My Forensic Computing philosophy
  • Relationship between computer security and
    computer forensics: related but distinct
  • Same tools but different outcomes
  • Computer forensics beyond the legal arena
  • Application of tools and techniques within other
    areas
  • e.g. businesses, public sector organisations,
    national security, etc.

7
Problems I have found
  • Computer forensics as art not science
  • Trying to teach analysis
  • Students from across the computing spectrum
  • University policies and no dedicated lab space
  • No control over machines within university
  • Not able to put own software on machines
  • Not able to use computer forensics programs
  • Creativity required to adhere to restrictions
    whilst at the same time providing practical
    learning experience for students
  • Countering student fantasies
  • 'Forensic Computing: it's just like CSI'

8
Three strands of teaching
  • Three strands of teaching used on the course
  • Principles of forensic computing
  • Focus on academic issues
  • Traditional lecture format (summative)
  • Guest lectures
  • Marry what students have learnt with practitioner
    experience
  • Practical applications of forensic computing
  • Marrying academic issues to practical issues
    (formative)
  • Tutorial-based format using PBL
  • Coursework providing practical experience through
    PBL

9
Teaching practical applications
  • A challenging problem as university network
    administrators are nervous about teaching
    forensics applications
  • Security incidents
  • More interesting for the lecturer!
  • Practical teaching required
  • As laid out in proforma set by PPA
  • To reinforce theoretical learning
  • Approached in two ways
  • Tutorial-based PBL
  • Coursework PBL

10
Tutorial-based PBL example 1
  • 'What would you take' tutorial: computer
    forensics in law enforcement
  • At the 'light' end of PBL
  • Present students with a real-world problem based
    on the subject matter discussed during the lecture

11
Tutorial-based PBL example 2
  • 'Network diagrams' tutorial: computer forensics
    beyond law enforcement
  • Used by organisations, national security, etc.
  • Technique used in network security to track
    network connections and hosts
  • Useful as analytical exercise

12
Teaching practical forensics
  • Students not allowed to forensically analyse
    university computers
  • Encourage use of forensic Knoppix distros on home
    machines
  • Partnership with Guidance Software and their
    EnCase suite
  • Limited version disk used to allow students to
    gain hands-on experience with industry-standard
    software
  • Runs from CD only
  • Tutorial cases
  • Additional relevant white papers

13
PBL-based Coursework
  • Combine theoretical/practical student experience
  • Build on practical labs
  • Use of tools for file analysis
  • Understanding of wider tools
  • Restricted use/built (Knoppix) distros
  • Gives students opportunity to write own job
    description for forensic computing within an
    organisation
  • (Hopefully) brings course together!

14
Findings and recommendations
  • Comments from students who have undertaken the
    forensic computing module have been extremely
    positive
  • Felt they have learned a real skill (PBL)
  • The level of engagement in lectures was high
  • Deeper level of understanding: analytical
    toolkit
  • Invest the time in exploring tools that can be
    used
  • Guest lectures enhance learning experience
  • Bridge gap between academic subject and its
    practical application
  • Use techniques that demonstrate the idea or
    concept

15
Summary
  • Computer forensics is increasingly used beyond
    the legal arena
  • A number of problems have been encountered which
    have affected my approach
  • A mix of practical and theoretical learning via
    problem setting does work
  • The practical does not necessarily require
    unpleasant/unwanted access
  • For me, it has been a positive experience!