Teaching digital forensics in a large class Teaching forensics at - PowerPoint PPT Presentation

Teaching digital forensics in a large class of students Teaching digital forensics in a large class Teaching forensics at of students UL FRI Generating customized disk images Gašper Fele-Žorž University of Ljubljana, Faculty of Computer and Information Science polz@fri.uni-lj.si

Forensics in Ljubljana at FRI Teaching digital forensics in a large class of students Teaching ◮ approx. 60 students forensics at UL FRI ◮ 6 lectures by the professor (Andrej Brodnik) ◮ 4 lectures by invited speakers ◮ 15-minute student presentations instead of 2 lectures ◮ 14 lab sessions ◮ 2 lab assignments (graded practical homework)

Problem description Teaching digital forensics in a large class of students Teaching forensics at UL FRI ◮ Everyone should be graded fairly ◮ Students are cooperative ◮ One person to grade them all

Problem description - goals Teaching digital forensics in a large class of students Teaching forensics at UL FRI ◮ Create a disk image ◮ Access the data on a disk ◮ Search for incriminating files ◮ Check file metadata

Image/tool repositories Teaching digital forensics in a large class of students Teaching ◮ Computer Forensic Reference Data Sets (CFReDS) forensics at UL FRI ◮ digitalcorpora.org ◮ Lance Mueller’s Practical Exercises ◮ The International Society of Forensic Computer Examiners R � - Sample Practical Exercise

Image/tool repositories Teaching digital forensics in a large class of students Teaching ◮ Computer Forensic Reference Data Sets (CFReDS) forensics at UL FRI ◮ digitalcorpora.org ◮ Lance Mueller’s Practical Exercises ◮ The International Society of Forensic Computer Examiners R � - Sample Practical Exercise ◮ forensicfocus.com/images-and-challenges

D-FET Teaching digital forensics in a large class of students Teaching forensics at ◮ developed by Institute Josef Stefan UL FRI ◮ cloud-based ◮ individualized assignments for each pupil ◮ assignments created with input from law enforcement ◮ http://www.d-fet.eu/

Forensic Image Generator Teaching digital forensics in a large class of students Teaching forensics at UL FRI “All the world’s a stage, And all the men and women merely players; They have their exits and their entrances, And one man in his time plays many parts, His acts being seven ages.” — William Shakespeare, As You Like It

Typical assignment Teaching digital forensics in a large class of students Teaching forensics at UL FRI Find all files containing verses from the King James edition of the Bible on a set of floppy disk images

An alternative Teaching digital forensics in a large class of students Teaching forensics at UL FRI A little girl has lost her pet, Sylvester. We have assembled a list of suspects whose computers we have confiscated. Find the culprit!

Cases Teaching digital forensics in a large class of students Teaching forensics at UL FRI A case involves ◮ People ◮ Evidence ◮ Story (template)

Persons Teaching digital forensics in a large class of students Teaching forensics at UL FRI ◮ name, surname ◮ gender ◮ address, birthdate, birthplace, description, e.t.c.

Roles Teaching digital forensics in a large class of students Teaching forensics at ◮ victim UL FRI ◮ perpetrator ◮ accomplice ◮ female_accomplice, male_accomplice ◮ all

Files Teaching digital forensics in a large class of students Teaching forensics at UL FRI ◮ different sets of files for each role ◮ some files are exclusive to one person, others can be shared with others ◮ files can be "sent" to other persons

A "perp" file Teaching digital forensics in a large class of students Teaching forensics at UL FRI

An "all" file Teaching digital forensics in a large class of students Teaching forensics at UL FRI

Metadata Teaching digital forensics in a large class of students Teaching forensics at ◮ ODT author UL FRI ◮ ODT modification time ◮ JPEG camera type ◮ JPEG modification date ◮ Other EXIF tags

Story / Case generation Teaching digital forensics in a large class of students Teaching forensics at ◮ pick a case UL FRI ◮ assign roles ◮ prepare files ◮ generate disk images ◮ pack images

Metadata preparation Teaching digital forensics in a large class of students Teaching forensics at UL FRI ◮ ODT: unzip, modify the XML directly, zip ◮ JPEG: pyexiv2

Disk image generation Teaching digital forensics in a large class of students Teaching forensics at UL FRI ◮ kpartx + mount ◮ qemu-nbd ◮ libguestfs

Student reactions Teaching digital forensics in a large class of students Teaching forensics at UL FRI ◮ So, who did it? ◮ We want to know the grading criteria in advance ◮ Did I find everything?

Problems / downsides Teaching digital forensics in a large class of students Teaching forensics at UL FRI ◮ bus factor of 1 ◮ preparing cases is relatively time-consuming ◮ the motivational improvement is unproven ◮ current cases not based on reality

Future work Teaching digital forensics in a large class of students Teaching forensics at UL FRI ◮ get more users ◮ create more cases ◮ use testing automation tools for image creation