Teaching digital forensics in a large class Teaching forensics at - - PowerPoint PPT Presentation

Teaching digital forensics in a large class of students Teaching forensics at UL FRI

Teaching digital forensics in a large class

• f students

Generating customized disk images Gašper Fele-Žorž

University of Ljubljana, Faculty of Computer and Information Science polz@fri.uni-lj.si

Teaching digital forensics in a large class of students Teaching forensics at UL FRI

Forensics in Ljubljana at FRI

◮ approx. 60 students ◮ 6 lectures by the professor (Andrej Brodnik) ◮ 4 lectures by invited speakers ◮ 15-minute student presentations instead of 2 lectures ◮ 14 lab sessions ◮ 2 lab assignments (graded practical homework)

Teaching digital forensics in a large class of students Teaching forensics at UL FRI

Problem description

◮ Everyone should be graded fairly ◮ Students are cooperative ◮ One person to grade them all

Teaching digital forensics in a large class of students Teaching forensics at UL FRI

Problem description - goals

◮ Create a disk image ◮ Access the data on a disk ◮ Search for incriminating files ◮ Check file metadata

Teaching digital forensics in a large class of students Teaching forensics at UL FRI

Image/tool repositories

◮ Computer Forensic Reference Data Sets (CFReDS) ◮ digitalcorpora.org ◮ Lance Mueller’s Practical Exercises ◮ The International Society of Forensic Computer

Examiners R

• Sample Practical Exercise

Teaching digital forensics in a large class of students Teaching forensics at UL FRI

Image/tool repositories

◮ Computer Forensic Reference Data Sets (CFReDS) ◮ digitalcorpora.org ◮ Lance Mueller’s Practical Exercises ◮ The International Society of Forensic Computer

Examiners R

• Sample Practical Exercise

◮ forensicfocus.com/images-and-challenges

Teaching digital forensics in a large class of students Teaching forensics at UL FRI

D-FET

◮ developed by Institute Josef Stefan ◮ cloud-based ◮ individualized assignments for each pupil ◮ assignments created with input from law enforcement ◮ http://www.d-fet.eu/

Teaching digital forensics in a large class of students Teaching forensics at UL FRI

Forensic Image Generator

“All the world’s a stage, And all the men and women merely players; They have their exits and their entrances, And one man in his time plays many parts, His acts being seven ages.”

— William Shakespeare, As You Like It

Teaching digital forensics in a large class of students Teaching forensics at UL FRI

Typical assignment

Find all files containing verses from the King James edition

• f the Bible on a set of floppy disk images

Teaching digital forensics in a large class of students Teaching forensics at UL FRI

An alternative

A little girl has lost her pet, Sylvester. We have assembled a list of suspects whose computers we have confiscated. Find the culprit!

Teaching digital forensics in a large class of students Teaching forensics at UL FRI

Cases

A case involves

◮ People ◮ Evidence ◮ Story (template)

Teaching digital forensics in a large class of students Teaching forensics at UL FRI

Persons

◮ name, surname ◮ gender ◮ address, birthdate, birthplace, description, e.t.c.

Teaching digital forensics in a large class of students Teaching forensics at UL FRI

Roles

◮ victim ◮ perpetrator ◮ accomplice ◮ female_accomplice, male_accomplice ◮ all

Teaching digital forensics in a large class of students Teaching forensics at UL FRI

Files

◮ different sets of files for each role ◮ some files are exclusive to one person, others can be

shared with others

◮ files can be "sent" to other persons

Teaching digital forensics in a large class of students Teaching forensics at UL FRI

A "perp" file

Teaching digital forensics in a large class of students Teaching forensics at UL FRI

An "all" file

Teaching digital forensics in a large class of students Teaching forensics at UL FRI

Metadata

◮ ODT author ◮ ODT modification time ◮ JPEG camera type ◮ JPEG modification date ◮ Other EXIF tags

Teaching digital forensics in a large class of students Teaching forensics at UL FRI

Story / Case generation

◮ pick a case ◮ assign roles ◮ prepare files ◮ generate disk images ◮ pack images

Teaching digital forensics in a large class of students Teaching forensics at UL FRI

Metadata preparation

◮ ODT: unzip, modify the XML directly, zip ◮ JPEG: pyexiv2

Teaching digital forensics in a large class of students Teaching forensics at UL FRI

Disk image generation

◮ kpartx + mount ◮ qemu-nbd ◮ libguestfs

Teaching digital forensics in a large class of students Teaching forensics at UL FRI

Student reactions

◮ So, who did it? ◮ We want to know the grading criteria in advance ◮ Did I find everything?

Teaching digital forensics in a large class of students Teaching forensics at UL FRI

Problems / downsides

◮ bus factor of 1 ◮ preparing cases is relatively time-consuming ◮ the motivational improvement is unproven ◮ current cases not based on reality

Teaching digital forensics in a large class of students Teaching forensics at UL FRI

Future work

◮ get more users ◮ create more cases ◮ use testing automation tools for image creation